Invalid property 'aclmode'

[ZackaryWelch]

Multiple tests fail due to an error:

cannot set property for 'testpool/testfs/prop': invalid property 'aclmode'
ERROR: zfs set aclmode=discard testpool/testfs/prop exited 1

See cli_user/misc/setup, cli_user/misc/zfs_get_001, cli_user/misc/zfs_set_001, history/history_002 and inheritance/inherit_001. History and inheritance both fail, where in cli_user/misc/setup I added an exception to skip setting aclmode on FreeBSD, since failing the setup skips all tests in cli_user/misc.

[ZackaryWelch]

Still unsure if this is a feature that hasn't been adding or something not supported on FreeBSD

[kmoore134]

I don't believe this is supported on ZFS on FreeBSD today, but please check with Mav on these to be 100% sure.

[ZackaryWelch]

It seems aclmode should be supported, and Andrew says it's used in FreeNAS, so this will need to be added then. Aclmode is supported on Solaris and is NOT supported on Linux

[ZackaryWelch]

zfs_get_001 and zfs_set_001 succeed on ZFS, not because of but in spite of aclmode not being valid.

[kmoore134]

Matt,

This is something we'll need to fix up so we can use NFS acls natively.

[mattmacy]

@ZackaryWelch why did you add "fails_both" - it sounds like it works on "legacy" FreeBSD ZFS

[mattmacy]

so what is expected to work - acltype?

[ghost]

I think this issue can be broken down into two problems:

1. ZFS on illumos and FreeBSD uses NFSv4 style ACLs, but ZoL implemented POSIX.1e ACLs instead, because Linux doesn't (or at the time didn't) support NFSv4 ACLs. In ZoL, there is the acltype property that currently only has the values off/noacl and posixacl. This presumably would be the place to add nfsv4acl for FreeBSD. My understanding is that Linux NFS servers and Samba emulate NFSv4 ACLs on top of POSIX.1e ACLs (with some limitations). In ZoF we probably need to implement the NFSv4 ACL type to be compatible with existing software on FreeBSD.

2. ZoL dropped the aclmode property. The documentation for this property explains fairly well how it should operate:

    aclmode=discard | groupmask | passthrough | restricted
        Controls how an ACL is modified during chmod(2).  A file system with
        an aclmode property of discard (the default) deletes all ACL entries
        that do not represent the mode of the file. An aclmode property of
        groupmask reduces permissions granted in all ALLOW entries found in
        the ACL such that they are no greater than the group permissions
        specified by chmod(2).  A file system with an aclmode property of
        passthrough indicates that no changes are made to the ACL other than
        creating or updating the necessary ACL entries to represent the new
        mode of the file or directory.  An aclmode property of restricted
        will cause the chmod(2) operation to return an error when used on any
        file or directory which has a non-trivial ACL whose entries can not
        be represented by a mode.  chmod(2) is required to change the set
        user ID, set group ID, or sticky bits on a file or directory, as they
        do not have equivalent ACL entries.  In order to use chmod(2) on a
        file or directory with a non-trivial ACL when aclmode is set to
        restricted, you must first remove all ACL entries which do not
        represent the current mode.

   For POSIX.1e ACLs, "preservation of permissions is an important feature" so this property was not needed by ZoL. However it is needed in FreeBSD and illumos as a result of supporting NFSv4 ACLs, for which the relationship between the ACL and the Unix mode bits is implementation defined and multiple behaviors are possible. Hopefully the existing implementation for FreeBSD will be useful in implementing the feature in ZoF.

Additional Reference: https://www.bsdcan.org/2017/schedule/attachments/398_Understanding%20NFSv4%20ACL%27s

[ghost]

I will look into re-enabling the tests for aclmode before closing this issue. acltype will be a separate issue if it isn't already.

[mattmacy]

@freqlabs is there anything that I need to do here?

[ghost]

@mattmacy I've re-enabled the tests for aclmode and they are looking good now. I can hold off on pushing that commit until you've finished rebasing.

[ghost]

Tests for this have been re-enabled on projects/pr-rebase.