ONTAP Discussions
Context: FAS8040 cDot 8.3, NFSv4.0 enabled, ACL disabled, AUTH_SYS used, CentOS 6 linux NFS4 clients.
cp -p produces an error message when the target is on an NFSv4 mount. Let's say that an unprivileged user (user2) wants to copy a file from somebody else (user1), and put the copy in his HOME directory:
[user2@centos66 ~](0)$ ls -l ~user1/file.txt
-rwxr--r-- 1 user1 grp21 993 Jan 10 2006 /home/user1/file.txt
When user2 issues a "cp -p" command, the system preserves date and permission, and gives the ownership of the new file to user2. No error is displayed, and this works when the target filesystem is local or on an NFSv3 share.
[user2@centos66 ~](0)$ cp -p ~user1/file.txt .
[user2@centos66 user2](0)$ ls -l file.txt
-rwxr--r-- 1 user2 grp21 993 Jan 10 2006 file.txt
But if the HOME of user is mounted with NFSv4 (= the target of the cp is on an NFSv4 share), I get a permission denied error: the file is copied, but return code is 1 and permissions are not preserved.
[user2@centos66 ~](0)$ cp -p ~user1/file.txt .
cp: failed to preserve ownership for `./file.txt': Permission denied
[user2@centos66 ~](1)$ ls -l file.txt
-rwx------ 1 user2 user2 993 Jan 10 2006 file.txt
This is annoying because "cp -p" is embedded in many scripts and the users have to deal with different error handlings.
Is there a way to make the behaviour the same as with an NFSv3 mount?
I have put hereafter the strace outputs for convenience.
=== strace output for copy over NFSv3 ===
stat(".", {st_mode=S_IFDIR|0755, st_size=16384, ...}) = 0
stat("/home/user1/file.txt", {st_mode=S_IFREG|0744, st_size=993, ...}) = 0
stat("./file.txt", 0x7fffbd0f09a0) = -1 ENOENT (No such file or directory)
open("/home/user1/file.txt", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0744, st_size=993, ...}) = 0
open("./file.txt", O_WRONLY|O_CREAT|O_EXCL, 0700) = 4
fstat(4, {st_mode=S_IFREG|0700, st_size=0, ...}) = 0
read(3, "SERVER myserv 84a7d3ee\nVENDOR valiosys\nUSE_SERVER\nPACKAGE REQTIFY-PKG valiosys COMPONENTS=\"REQTIFY_ADVANCED \\\n\tREQTIFY_CONTROL"..., 65536) = 993
write(4, "SERVER myserv 84a7d3ee\nVENDOR valiosys\nUSE_SERVER\nPACKAGE REQTIFY-PKG valiosys COMPONENTS=\"REQTIFY_ADVANCED \\\n\tREQTIFY_CONTROL"..., 993) = 993
read(3, "", 65536) = 0
utimensat(4, NULL, {{1441268022, 750044000}, {1136913794, 0}}, 0) = 0
fchown(4, 160850, 2100) = -1 EPERM (Operation not permitted)
fchown(4, 4294967295, 2100) = 0
fgetxattr(3, "system.posix_acl_access", 0x7fffbd0f0560, 132) = -1 EOPNOTSUPP (Operation not supported)
=== strace output for copy over NFSv4 ===
stat(".", {st_mode=S_IFDIR|0755, st_size=16384, ...}) = 0
stat("/home/user1/file.txt", {st_mode=S_IFREG|0744, st_size=993, ...}) = 0
stat("./file.txt", 0x7fffcbd5e000) = -1 ENOENT (No such file or directory)
open("/home/user1/file.txt", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0744, st_size=993, ...}) = 0
open("./file.txt", O_WRONLY|O_CREAT|O_EXCL, 0700) = 4
fstat(4, {st_mode=S_IFREG|0700, st_size=0, ...}) = 0
read(3, "SERVER myserv 84a7d3ee\nVENDOR valiosys\nUSE_SERVER\nPACKAGE REQTIFY-PKG valiosys COMPONENTS=\"REQTIFY_ADVANCED \\\n\tREQTIFY_CONTROL"..., 65536) = 993
write(4, "SERVER myserv 84a7d3ee\nVENDOR valiosys\nUSE_SERVER\nPACKAGE REQTIFY-PKG valiosys COMPONENTS=\"REQTIFY_ADVANCED \\\n\tREQTIFY_CONTROL"..., 993) = 993
read(3, "", 65536) = 0
utimensat(4, NULL, {{1441268022, 750044000}, {1136913794, 0}}, 0) = 0
fchown(4, 160850, 2100) = -1 EACCES (Permission denied)
Thanks in advance for any help
JLD
Hi Jld,
Try to set the vserver nfs modify -vserver <vserver> -ntfs-unix-security-ops to ignore. This will suppress any error messages when altering permissions through UNIX in a NTFS qtree.
All the best.
If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
Thanks,
Renifa
Hi Renifa,
Tried this one and the various possible values for -ntfs-unix-security-ops, but it has no effect. Anyway, the man page for this option is about NFSv3 and NTFS; my issue is only with NFSv4 clients and all our volumes are in UNIX security style (most of our activity is via NFS through Linux clients).
Your suggestion made me look into advanced mode to see all possible options for the NFS service, and I saw that a "-chown-mode" exists. I tried all values also; the "-chown-mode unrestricted" makes the error disappear, but then the behaviour of the cp command is non-standard and dangerous - normally when you cp a file with a non-privileged user, you should be owner of the copy. If the original owner is preserved this could become a mess quickly in the user homedirs, so this parameter is not an acceptable way to go for us.
So at the moment, I am still searching for a fix.
Here are our NFS and Volume configuration details
RPDNASC1::*> vserver nfs show -vserver nasc1 -instance
Vserver: nasc1
General NFS Access: true
RPC GSS Context Cache High Water Mark: 0
RPC GSS Context Idle: 0
NFS v3: enabled
NFS v4.0: enabled
UDP Protocol: enabled
TCP Protocol: enabled
Default Windows User: -
Enable NFSv3 EJUKEBOX error: true
Require All NFSv3 Reads to Return Read Attributes: false
Show Change in FSID as NFSv3 Clients Traverse Filesystems: enabled
Enable the Dropping of a Connection When an NFSv3 Request is Dropped: enabled
Vserver NTFS Unix Security Options: use_export_policy
Vserver Change Ownership Mode: use_export_policy
NFS Response Trace Enabled: false
NFS Response Trigger (in secs): 60
UDP Maximum Transfer Size: 32768
TCP Maximum Transfer Size: 65536
NFSv3 TCP Maximum Read Size: 65536
NFSv3 TCP Maximum Write Size: 65536
NFSv4.0 ACL Support: disabled
NFSv4.0 Read Delegation Support: disabled
NFSv4.0 Write Delegation Support: disabled
Show Change in FSID as NFSv4 Clients Traverse Filesystems: enabled
NFSv4.0 Referral Support: disabled
NFSv4 ID Mapping Domain: mydomain.com
NFSv4 Validate UTF-8 Encoding of Symbolic Link Data: disabled
NFSv4 Lease Timeout Value (in secs): 30
NFSv4 Grace Timeout Value (in secs): 45
Preserves and Modifies NFSv4 ACL (and NTFS File Permissions in Unified Security Style): enabled
NFSv4.1 Minor Version Support: disabled
Rquota Enable: enabled
NFSv4.1 Implementation ID Domain: netapp.com
NFSv4.1 Implementation ID Name: NetApp Release 8.3RC2
NFSv4.1 Implementation ID Date: Tue Dec 23 08:55:04 2014
NFSv4.1 Parallel NFS Support: enabled
NFSv4.1 Referral Support: disabled
NFSv4.1 ACL Support: disabled
NFS vStorage Support: disabled
NFSv4 Support for Numeric Owner IDs: enabled
Default Windows Group: -
NFSv4.1 Read Delegation Support: disabled
NFSv4.1 Write Delegation Support: disabled
Number of Slots in the NFSv4.x Session slot tables: 180
Size of the Reply that will be Cached in Each NFSv4.x Session Slot (in bytes): 640
Maximum Number of ACEs per ACL: 400
NFS Mount Root Only: enabled
NFS Root Only: disabled
AUTH_SYS Extended Groups Enabled: disabled
AUTH_SYS and RPCSEC_GSS Auxillary Groups Limit: 32
Validation of Qtree IDs for Qtree File Operations: enabled
NFS Mount Daemon Port: 635
Network Lock Manager Port: 4045
Network Status Monitor Port: 4046
NFS Quota Daemon Port: 4049
Permitted Kerberos Encryption Types: des, des3, aes-128, aes-256
Showmount Enabled: disabled
Set the Protocol Used for Name Services Lookups for Exports: udp
Map Unknown UID to Default Windows User: enable
DNS Domain Search Enabled During Netgroup Lookup: enabled

RPDNASC1::*> volume show -vserver nasc1 -volume vol_c1h04 -instance
Vserver Name: nasc1
Volume Name: vol_c1h04
Aggregate Name: aggr1_c1n2
Volume Size: 10TB
Name Ordinal: base
Volume Data Set ID: 1031
Volume Master Data Set ID: 2147484679
Volume State: online
Volume Type: RW
Volume Style: flex
Is Cluster-Mode Volume: true
Is Constituent Volume: false
Export Policy: standard
User ID: 0
Group ID: 0
Security Style: unix
UNIX Permissions: ---rwxr-xr-x
Junction Path: /c1h04
Junction Path Source: RW_volume
Junction Active: true
Junction Parent Volume: nasc1_root
Vserver Root Volume: false
Comment:
Available Size: 7.35TB
Filesystem Size: 10TB
Total User-Visible Size: 10TB
Used Size: 2.65TB
Used Percentage: 26%
Volume Nearly Full Threshold Percent: 95%
Volume Full Threshold Percent: 98%
Maximum Autosize (for flexvols only): 12TB
(DEPRECATED)-Autosize Increment (for flexvols only): 1GB
Minimum Autosize: 10TB
Autosize Grow Threshold Percentage: 98%
Autosize Shrink Threshold Percentage: 50%
Autosize Mode: off
Autosize Enabled (for flexvols only): false
Total Files (for user-visible data): 31876689
Files Used (for user-visible data): 10387729
Maximum Directory Size: 320MB
Space Guarantee Style: none
Space Guarantee in Effect: true
Minimum Read Ahead: false
Access Time Update Enabled: true
Snapshot Directory Access Enabled: true
Space Reserved for Snapshot Copies: 0%
Snapshot Reserve Used: 0%
Snapshot Policy: over30days
Creation Time: Mon Mar 23 14:30:16 2015
Language: fr.UTF-8
Clone Volume: false
Node name: RPDNASC1N2
UUID of the Volume: be5275b5-d160-11e4-9dfd-00a09862ff15
NVFAIL Option: off
Volume's NVFAIL State: false
Force NVFAIL on MetroCluster Switchover: off
Is File System Size Fixed: false
Extent Option: off
Reserved Space for Overwrites: 0B
Fractional Reserve: 0%
Primary Space Management Strategy: volume_grow
Read Reallocation Option: off
Inconsistency in the File System: false
Is Volume Quiesced (On-Disk): false
Is Volume Quiesced (In-Memory): false
Transition Operation State: none
Transition Behavior: none
Copied for Transition: false
Transitioned: false
Volume Contains Shared or Compressed Data: true
Space Saved by Storage Efficiency: 821.3GB
Percentage Saved by Storage Efficiency: 23%
Space Saved by Deduplication: 821.3GB
Percentage Saved by Deduplication: 23%
Space Shared by Deduplication: 346.1GB
Space Saved by Compression: 0B
Percentage Space Saved by Compression: 0%
Volume Size Used by Snapshot Copies: 222.4GB
Block Type: 64-bit
Virtual Machine Alignment 512-Byte Sector Count: -
Virtual Machine Alignment Suffix: -
Is Volume Moving: false
Flash Pool Caching Eligibility: read-write
Flash Pool Write Caching Ineligibility Reason: -
Managed By Storage Service: -
Storage Service Name: -
Create Namespace Mirror Constituents For SnapDiff Use: -
Action When Attributes Are Not Reachable: -
Constituent Volume Role: -
Maximum Size of Namespace Constituent: -
Maximum Size of Each Data Constituent: -
QoS Policy Group Name: -
Caching Policy Name: auto
Is Volume Move in Cutover Phase: false
Number of Snapshot Copies in the Volume: 29
VBN_BAD may be present in the active filesystem: false
Is Eligible for Auto Balance Aggregate: true
Is Volume on a hybrid aggregate: true
Total Physical Used Size: 2.65TB
Physical Used Percentage: 26%
I wonder if this has something to do with the "Preserves and Modifies NFSv4 ACL (and NTFS File Permissions in Unified Security Style)" parameter ...
JLD
JLD, did you ever solve this issue?