Rsync with ACL not working inside a Jail

[dataworm]

Rsync with ACL not working inside a Jail

Hey, I am trying to sync two NAS Servers bidirectional using osync (based on rsync). Since I cannot or shall not install stuff to the truenas OS itself, I am trying to do everything in a jail.

Sadly I didn't get it running yet and after some testing around I figured out that rsync does work as expected when I execute it in shell (not inside jail!). However when I run the same command in jail it fails.
Furthermore I realized that I can get it running in jail IF I do not use -A flag in my rsync command which preserves the ACLs. But preserving ACL's is important since multiple users and devices receive specific permissions on the synced directories which are also available via shares.
Relevant directories are mounted to the jail and jail has full permissions. Inside and outside of the jail I can connect to the other server without issues. The rsync error message is just a typical useless one that doesn't really tell me what is wrong.

Maybe anyone has an idea why it behaves different inside the jail or what I can do to figure out what is wrong and how to fix it?

This is the successful sync from main shell (not inside jail):

Now the same thing inside the jail:

Without -A parameter it suceeds in jail...:

ACLs are also printed above including the groups of the executing users (I created the same groups/users in jail with same gids/uids). Please let me know if any further information are needed here.

Thanks in advance for any help!

 

[anodos]

The upstrema

Rsync with ACL not working inside a Jail

Hey, I am trying to sync two NAS Servers bidirectional using osync (based on rsync). Since I cannot or shall not install stuff to the truenas OS itself, I am trying to do everything in a jail.

Sadly I didn't get it running yet and after some testing around I figured out that rsync does work as expected when I execute it in shell (not inside jail!). However when I run the same command in jail it fails.
Furthermore I realized that I can get it running in jail IF I do not use -A flag in my rsync command which preserves the ACLs. But preserving ACL's is important since multiple users and devices receive specific permissions on the synced directories which are also available via shares.
Relevant directories are mounted to the jail and jail has full permissions. Inside and outside of the jail I can connect to the other server without issues. The rsync error message is just a typical useless one that doesn't really tell me what is wrong.

Maybe anyone has an idea why it behaves different inside the jail or what I can do to figure out what is wrong and how to fix it?

This is the successful sync from main shell (not inside jail):
View attachment 53145

Now the same thing inside the jail:
View attachment 53146
Without -A parameter it suceeds in jail...:
View attachment 53147

ACLs are also printed above including the groups of the executing users (I created the same groups/users in jail with same gids/uids). Please let me know if any further information are needed here.

Thanks in advance for any help!

The upstream rsync maintainer in FreeBSD has broken ACL support and does not show interest in fixing it (or even accepting a patch I submitted to fix it).

249119 – net/rsync: (3.2.3) fails to copy ZFS ACLs

bugs.freebsd.org

You can probably just take my patch from the bugzilla ticket and build the port with the ACL option and it should work.

 

[dataworm]

Thank you very much, sad to hear that he declined to merge the patch yet. But why does it work in TrueNAS but not in Jail. Does TrueNAS host system use a different rsync version/implementation than the one you can install inside a jail? What is the best/easiest way to get a working rsync implementation in jail?

 

[anodos]

Thank you very much, sad to hear that he declined to merge the patch yet. But why does it work in TrueNAS but not in Jail. Does TrueNAS host system use a different rsync version/implementation than the one you can install inside a jail? What is the best/easiest way to get a working rsync implementation in jail?

Our ports tree is different from upstream FreeBSD ports tree. You can probably just build with the patch in the ticket inside the jail and have everything work correctly.

 

[winnielinnie]

This feature was broken during the porting of rsync 3.2 in a terrifically bad manner in that rsync 3.2 now strips NFSv4 ACLs from files.

This means that using upstream FreeBSD's rsync 3.2 will strip already-existing ACLs from the target? Even if the file(s) was not modified? Does this apply to rsync 3.2 under Linux as well, or only FreeBSD?

(As long as we're using Rsync as part of TrueNAS proper, whether through the Rsync Modules or SSH, we needn't worry about this issue, right?)

 

[anodos]

This means that using upstream FreeBSD's rsync 3.2 will strip already-existing ACLs from the target? Even if the file(s) was not modified? Does this apply to rsync 3.2 under Linux as well, or only FreeBSD?

(As long as we're using Rsync as part of TrueNAS proper, whether through the Rsync Modules or SSH, we needn't worry about this issue, right?)

Right, our system rsync works correctly for TrueNAS to TrueNAS. ACL support for FreeBSD to Linux has never really worked (incompatible ACL types implemented).

 

[dataworm]

I checked an latest TrueNAS release uses rsync version 3.1.3 while inside jail version 3.2.3 gets installed. So let's hope that rsync on TrueNAS will not break ACL's when they use a newer rsync version in upcoming releases. ;-)

 

[anodos]

I checked an latest TrueNAS release uses rsync version 3.1.3 while inside jail version 3.2.3 gets installed. So let's hope that rsync on TrueNAS will not break ACL's when they use a newer rsync version in upcoming releases. ;-)

We validate rsync support for this feature before release.

 

[dataworm]

Maybe it would also be a nice option to integrate osync into TrueNAS to support bidirectional syncing?!

 

[anodos]

Maybe it would also be a nice option to integrate osync into TrueNAS to support bidirectional syncing?!

I haven't looked at osync, but my general experience with clever sync (and backup) applications is that they ignore relevant metadata and so aren't really suitable for enterprise environments.

 

[anodos]

But you're welcome to make a feature request in jira of course, which will get things in front decision-makers (rather than me).

 

[winnielinnie]

Maybe it would also be a nice option to integrate osync into TrueNAS to support bidirectional syncing?!

Sounds a lot like unison.

 

[dataworm]

Yeah Unison or SyncThing. I already tried SyncThing but it doesn't support ACLs (or just with additional non-production tools).
It was too messy so I tried to move ahead with osync instead... Not very successfuly so far! I didn't even manage yet to compile rsync myself, one error after another... So I just copied the binary from truenas into the jail... xD
Unison might be the last option I can try out...