ACLs + NFS = viable?

Ibon

Aug 6, 2018
Hi there,

What I'm trying to get is a working container with POSIX ACL support. The container's rootfs is on an NFS share. The NFS share already has the acl "mark" activated in the host machine's fstab file.

When I try to use setfacl I'm getting "Operation not permitted" answers at the container.

The question is: is it possible to use the setfacl command to establish an advanced permissions setup with an NFS shared storage system for the container's rootfs?

Cheers, Ibon.
 
Oh, I forgot to mention that: I have already checked that option in the rootfs hard disk, BUT I checked it after the creation of the container. Is that correct, or should I do it before the creation?

Best regards, Ibon.
 
Please post your vmid.conf and are you sure the NFS has ACL working?
 
Hi Alwin,

I'm trying to find vmid.conf (both on the Proxmox nodes and on the NFS server) but I'm unable to find it. Can you tell me where this file is supposed to be?

Regarding the NFS server and ACLs: yes, I'm pretty sure. The system is an Ubuntu 16.04 Server, and the NFS exported folder is mounted on dedicated disks with the corresponding ACL entry in the fstab file:

Code:
UUID=dfe79724-b947-4b5c-8721-44da3e02ad52 /mnt/nfs        ext4    defaults,acl    0       2

To test that ACLs are working on this machine I have used "setfacl" to set some test permissions on different folders: every test command works fine. Do you suggest any other test to ensure that my setup is fine?

Best regards, Ibon.
 
I'm trying to find vmid.conf (both on the Proxmox nodes and on the NFS server) but I'm unable to find it. Can you tell me where this file is supposed to be?
'/etc/pve/lxc/<vmid>.conf'

To test that ACLs are working on this machine I have used "setfacl" to set some test permissions on different folders: every test command works fine. Do you suggest any other test to ensure that my setup is fine?
With this machine, you mean the NFS server? Try to set ACLs on some test file/folder on the NFS share from the PVE node. Then verify also on the NFS server itself if the ACLs are there.

EDIT: you can also use the NFS directly as a storage and add the ACL option there.
https://pve.proxmox.com/pve-docs/chapter-pvesm.html#_nfs_backend
 
Oh, I didn't realize this (sorry): "<vmid>" = Virtual Machine ID :-o

Here it goes "cat /etc/pve/lxc/111.conf":

Code:
arch: amd64
cores: 1
hostname: test-container
memory: 512
nameserver: 192.168.1.1
net0: name=eth0,bridge=vmbr0,gw=192.168.1.1,hwaddr=FE:00:12:56:A1:B1,ip=192.168.1.208/24,type=veth
ostype: ubuntu
rootfs: nfs-server:111/vm-111-disk-1.raw,acl=1,size=8G
searchdomain: intranet.lan
swap: 512

Regarding test commands: yes, with "this machine" I meant the NFS server. Following your suggestions:

Code:
# At the node that stores the test container:
mkdir /mnt/pve/nfs-server/test/
setfacl -m g::rwx /mnt/pve/nfs-server/test/
getfacl /mnt/pve/artxanda
...
# file: mnt/pve/nfs-server/test
# owner: root
# group: root
user::rwx
group::rwx
other::r-x

# At the NFS server the change made before is there:
getfacl /mnt/nfs/test/
...
# file: mnt/nfs/imagenes/test/
# owner: root
# group: root
user::rwx
group::rwx
other::r-x

Your last edited comment is interesting: I have already added that NFS server as storage to the cluster. Where is that ACL option supposed to be checked? I can't see any such option in the cluster GUI (I'm looking at "Datacenter" => "Storage" => "Edit" nfs-server properties).

Best regards, Ibon.
 
rootfs: nfs-server:111/vm-111-disk-1.raw,acl=1,size=8G
The rootfs is on a raw image, the ACL support of the NFS server is not needed.

Your last edited comment is interesting: I have already added that NFS server as storage to the cluster. Where is that ACL option supposed to be checked? I can't see any such option in the cluster GUI (I'm looking at "Datacenter" => "Storage" => "Edit" nfs-server properties).
Those options are only in special cases and not exposed in the GUI (less confusing).

When I try to use setfacl I'm getting "Operation not permitted" answers at the container.
Are you running the command as root?
 
Oh, with the root user it is working fine (didn't try this before!): I guess it is a simple issue with the folder permissions system :/

Alwin, sorry for all the inconvenience, and thank you for your support! :)

Best regards, Ibon.
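
The thread's outcome turns on the wording of the error: "Operation not permitted" points at who is calling setfacl, not at ACL support on the storage. The shell functions below are an added example, not part of any post in the thread; the function names are made up for illustration, and a Linux system with a `stat` that accepts `-c %u` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): tell "who is calling setfacl" apart
# from "does the filesystem support ACLs". Function names are illustrative.

# classify_setfacl_error MESSAGE -> likely cause of a setfacl failure
classify_setfacl_error() {
    case $1 in
        *"Operation not permitted"*) echo caller-lacks-ownership ;;  # EPERM
        *"Operation not supported"*) echo filesystem-without-acl ;;  # EOPNOTSUPP
        *"Permission denied"*)       echo path-not-accessible ;;     # EACCES
        *)                           echo unknown ;;
    esac
}

# may_change_acl PATH -> "ok" if the current user owns PATH or is root.
# Only the owner or a process with CAP_FOWNER (normally root) may change an ACL.
may_change_acl() {
    owner=$(stat -c %u -- "$1") || return 2
    me=$(id -u)
    if [ "$me" -eq 0 ] || [ "$me" -eq "$owner" ]; then
        echo ok
    else
        echo not-owner
    fi
}

# explain_setfacl_failure PATH MESSAGE -> cause, cross-checked against ownership
explain_setfacl_failure() {
    cause=$(classify_setfacl_error "$2")
    if [ "$cause" = caller-lacks-ownership ] && [ "$(may_change_acl "$1")" = ok ]; then
        # EPERM although the caller owns the file or is root: look beyond
        # ownership, for example at an immutable file attribute.
        echo eperm-despite-ownership
    else
        echo "$cause"
    fi
}

# Constructed sample: the message from the first post, checked against a
# temporary file that the current user owns. Run the script with "demo".
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    explain_setfacl_failure "$f" "setfacl: $f: Operation not permitted"
    rm -f "$f"
fi
```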
 
