terminator14
Cadet
- Joined
- Aug 30, 2012
- Messages
- 3
I have been using FreeNAS for a few months now as a RAIDZ for my 6x2TB drives. It's worked pretty good so far, but on several occasions, I have run into permission problems (mainly using NFS). In the past, whenever this would happen, I would simply SSH into FreeNAS and manually chmod/chown files and folders to fix the permission problems. Recently, I started looking into how to solve these problems for good. My setup is this:
The FreeNAS box, and the clients are all located at my home, so security is not a big concern for me, though I would prefer a real solution that could work in a production environment over a hack job.
My volumes look like this:
So the problem I'm facing is this:
I have a Linux machine and a Macbook Pro, both of which mount the same volume (/mnt/vm/private) through NFS. Both have the user 'tal', but the users' UID/GIDs are NOT the same. This fact, combined with the fact that by default, a file created on /mnt/vm/private over NFS will have the default permissions of 644, means that if I create a file on the volume with my Mac, I cannot write to it from my linux box.
The only solution I can see, and what I've tried to do is this: I created the group 'nfs' on the Linux box, the Mac, and FreeNAS, giving all 3 the same GID. On both the Linux and the Mac, I added the user 'tal' to the 'nfs' group, and on the FreeNAS, I made the /mnt/vm/private volume owned by the group 'nfs', and set the volume's permissions to 775. The idea here is that any file that will be created on the volume may have different UIDs, but it's GID will always be the same, which maps to the 'nfs' group on all 3 systems. As long as the file's permissions allow the group to read and write to the file, both the linux box and the mac should be able to modify all files without issues. Unfortunately, this is where it gets tricky.
In order for this to work, newly created files on the /mnt/vm/private volume all need to have the permissions 664 instead of the default 644. To do this, I've been trying to use the NFSv4 ACLs, which I've never used up until now. Using the ACLs, I'm trying to keep the /mnt/vm/private directory as 775 while forcing any newly created subdirectories to be 777, and newly created files to be 664. The rules I'm trying to apply are these:
Which, as I understand it, should work, since the first 3 rules all have an fi set on them, f meaning apply the rule to newly created files under the /mnt/vm/private directory, and i meaning inherit_only, aka do not change the permissions of the /mnt/vm/private directory itself. The last 3 rules have di set, d meaning apply to all subdirectories, and i meaning do not change the permissions of the /mnt/vm/private directory itself (same as before).
The result however is very different from what I would expect. The last 3 rules override the first 3, and the permissions of the /mnt/vm/private directory do change (as seen with: ls -ld /mnt/vm/private).
Am I misunderstanding the usage of the ACLs?
Is there an easier way to have 2 users with different UIDs/GIDs work on the same files over NFS?
The FreeNAS box, and the clients are all located at my home, so security is not a big concern for me, though I would prefer a real solution that could work in a production environment over a hack job.
My volumes look like this:
Code:
Main Volume: vm It's path: /mnt/vm Note: ZFS, RaidZ, Consists of all 6 HDDs ZFS Dataset of main Volume: private It's path: /mnt/vm/private Permissions/Ownership: Set to root/nfs 775 (see below for explanation) Note: This is the volume I'm doing all the testing with
So the problem I'm facing is this:
I have a Linux machine and a Macbook Pro, both of which mount the same volume (/mnt/vm/private) through NFS. Both have the user 'tal', but the users' UID/GIDs are NOT the same. This fact, combined with the fact that by default, a file created on /mnt/vm/private over NFS will have the default permissions of 644, means that if I create a file on the volume with my Mac, I cannot write to it from my linux box.
The only solution I can see, and what I've tried to do is this: I created the group 'nfs' on the Linux box, the Mac, and FreeNAS, giving all 3 the same GID. On both the Linux and the Mac, I added the user 'tal' to the 'nfs' group, and on the FreeNAS, I made the /mnt/vm/private volume owned by the group 'nfs', and set the volume's permissions to 775. The idea here is that any file that will be created on the volume may have different UIDs, but it's GID will always be the same, which maps to the 'nfs' group on all 3 systems. As long as the file's permissions allow the group to read and write to the file, both the linux box and the mac should be able to modify all files without issues. Unfortunately, this is where it gets tricky.
In order for this to work, newly created files on the /mnt/vm/private volume all need to have the permissions 664 instead of the default 644. To do this, I've been trying to use the NFSv4 ACLs, which I've never used up until now. Using the ACLs, I'm trying to keep the /mnt/vm/private directory as 775 while forcing any newly created subdirectories to be 777, and newly created files to be 664. The rules I'm trying to apply are these:
Code:
setfacl -m owner@:rwpAWCo:fi:allow /mnt/vm/private setfacl -m group@:rwpAWCo:fi:allow /mnt/vm/private setfacl -m everyone@:raRcs:fi:allow /mnt/vm/private setfacl -m owner@:rwxpAWCo:di:allow /mnt/vm/private setfacl -m group@:rwxp:di:allow /mnt/vm/private setfacl -m everyone@:rwxpaRcs:di:allow /mnt/vm/private
Which, as I understand it, should work, since the first 3 rules all have an fi set on them, f meaning apply the rule to newly created files under the /mnt/vm/private directory, and i meaning inherit_only, aka do not change the permissions of the /mnt/vm/private directory itself. The last 3 rules have di set, d meaning apply to all subdirectories, and i meaning do not change the permissions of the /mnt/vm/private directory itself (same as before).
The result however is very different from what I would expect. The last 3 rules override the first 3, and the permissions of the /mnt/vm/private directory do change (as seen with: ls -ld /mnt/vm/private).
Am I misunderstanding the usage of the ACLs?
Is there an easier way to have 2 users with different UIDs/GIDs work on the same files over NFS?
