
How to inherit group-write permissions

PostPosted: Thu Oct 01, 2015 5:59 am
by MacLemon
I'm running into a problem that I couldn't find a solution to in the documentation, man pages, here on the boards, or on the interwebs, yet. (Caveat, my $searchEngine foo may be weak today.)

I'm using a folder on a dataset as an SMB SharePoint via OS X Server.app. This works and performance is fine. I do run into permission problems though since new files created by users end up not writeable for the group which is required for users to collaborate. My problem is that I can't find a working way to always have new files and folders created with group-write permissions like it is commonly used in a simple office scenario.

Technical details:
Mac mini
OS X Yosemite 10.10.5
Server.app 5.0.4
OpenZFS 1.3.1-r2 and 1.4.2
External Thunderbolt connected RAIDZ2 zpool.

The zpool has been created like this:
# zpool create -o ashift=12 -O compression=lz4 -O casesensitivity=insensitive -O atime=off -O normalization=formD rzeppelin raidz2 <devices>


There are more datasets on this pool, but I'll use this one in my example.
$ zfs list rzeppelin/SharePoints/IT-Crowd
NAME                             USED  AVAIL  REFER  MOUNTPOINT
rzeppelin/SharePoints/IT-Crowd  62.9G  8.80T  62.9G  /Volumes/IT-Crowd


I've set this dataset to inherit acls via passthrough.
$ zfs get aclmode rzeppelin/SharePoints/IT-Crowd
NAME                            PROPERTY  VALUE        SOURCE
rzeppelin/SharePoints/IT-Crowd  aclmode   passthrough  inherited from rzeppelin/SharePoints

$ zfs get aclinherit rzeppelin/SharePoints/IT-Crowd
NAME                            PROPERTY    VALUE          SOURCE
rzeppelin/SharePoints/IT-Crowd  aclinherit  passthrough    inherited from rzeppelin/SharePoints


POSIX permissions and ACLs are set like this:
$ ls -laed ./IT-Crowd
drwxrwx---+ 18 radmin  itcrowd  18 Oct  1 15:06 ./IT-Crowd
 0: user:_spotlight allow list,search,file_inherit,directory_inherit
 1: group:owner allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 2: group:group allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit


The shared folder itself has a path of /Volumes/IT-Crowd/IT-Crowd and when I try to add an ACL for the group itcrowd like this

# chmod +a "group:itcrowd allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" IT-Crowd

chmod has a return value of 0 indicating success.

When I look at the ACLs immediately after that, there is no ACL for group itcrowd added but for a totally different user. This is pretty surprising as I don't seem to be able to add an ACL for a group at all. (Other than the autogenerated ZFS simple ACLs for owner/group)

$ ls -laed ./IT-Crowd
drwxrwx---+ 19 radmin  itcrowd  19 Oct  1 15:07 ./IT-Crowd
 0: user:claudia allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 1: user:_spotlight allow list,search,file_inherit,directory_inherit
 2: group:owner allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 3: group:group allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit


No matter what I try, I can't add an ACL for a group, let alone get it to inherit.

From my understanding OpenZFS does ignore Darwin ACLs by design and implements ZFS ACLs which should allow inheritance just fine.

Now, when creating a new folder via SMB, the permissions end up like this, preventing other users from writing.
$ ls -laed ./IT-Crowd/TEST
drwxr-xr-x+ 2 maclemon  itcrowd  2 Oct  1 15:07 ./IT-Crowd/TEST
 0: group:owner allow list,add_file,search,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 1: group:group allow list,search,readattr,readextattr,readsecurity
 2: group:everyone allow list,search,readattr,readextattr,readsecurity



Should it be possible to correctly set OpenZFS ACLs via chmod(1) on OS X?
If yes, what settings must I use for aclmode and aclinherit if not passthrough?
If no, which tools should I use to do so to achieve inherited write permissions on new files/folders for everyone in the group? (If those tools aren't part of the O3X installation, where can I get them?)

If you have any questions for further details of the setup I'm happy to provide them.
Thanks!
Best regards
MacLemon
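A small audit helper for the kind of listing quoted above, added here as an example; it is not part of the original post or of the O3X project. It parses `ls -le` style output and reports whether some `group:NAME allow ...` entry grants the named group write access together with both inherit flags, which is exactly what a collaboration share needs new files and folders to pick up. The two listings are copied from this post as constructed input; on a live OS X system you would feed it the output of `ls -led "$dir"` instead.

```shell
#!/bin/sh
# has_inheritable_group_write GROUP  (ACL listing on stdin)
# Exit 0 if an entry "group:GROUP allow ..." carries add_file,
# add_subdirectory, file_inherit and directory_inherit; exit 1 otherwise.
# Entries whose principal could not be resolved to a name (e.g. a bare
# UUID in place of "group:admin") never match and are therefore reported
# as missing, which is the safe default for an audit.
has_inheritable_group_write() {
    awk -v grp="group:$1" '
        # ACL lines look like: " 1: group:owner allow list,add_file,..."
        # so $2 is the principal, $3 the allow/deny keyword, $4 the perms.
        $2 == grp && $3 == "allow" {
            split("", have)                      # portable array reset
            n = split($4, perms, ",")
            for (i = 1; i <= n; i++) have[perms[i]] = 1
            if (have["add_file"] && have["add_subdirectory"] &&
                have["file_inherit"] && have["directory_inherit"])
                found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# listing_ok GROUP LISTING -> 0 if LISTING satisfies the check for GROUP
listing_ok() {
    printf '%s\n' "$2" | has_inheritable_group_write "$1"
}

# Constructed input: the share root from this post. The dataset's owning
# group has an inheritable write entry, but there is none for "itcrowd".
SHARE_ROOT_ACL='drwxrwx---+ 18 radmin  itcrowd  18 Oct  1 15:06 ./IT-Crowd
 0: user:_spotlight allow list,search,file_inherit,directory_inherit
 1: group:owner allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
 2: group:group allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit'

# Constructed input: the folder created over SMB. No inherit flags at all,
# and the group entry lacks add_file, so other group members cannot write.
NEW_FOLDER_ACL='drwxr-xr-x+ 2 maclemon  itcrowd  2 Oct  1 15:07 ./IT-Crowd/TEST
 0: group:owner allow list,add_file,search,add_subdirectory,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown
 1: group:group allow list,search,readattr,readextattr,readsecurity
 2: group:everyone allow list,search,readattr,readextattr,readsecurity'

# Demo run over the constructed listings. On a real share, replace the
# variable with "$(ls -led /Volumes/IT-Crowd/IT-Crowd)" (path from this post).
for g in group itcrowd; do
    if listing_ok "$g" "$SHARE_ROOT_ACL"; then
        echo "share root: ok for group:$g"
    else
        echo "share root: MISSING inheritable write entry for group:$g"
    fi
done
if listing_ok group "$NEW_FOLDER_ACL"; then
    echo "TEST folder: ok for group:group"
else
    echo "TEST folder: MISSING inheritable write entry for group:group"
fi
```

Run against the two listings, the share root passes for `group:group` and fails for `group:itcrowd` (the entry chmod never created), and the SMB-created `TEST` folder fails, mirroring the symptom described in the post. Walking a share with this check is a quick way to find folders that have already been created without the intended inheritable entry before users hit the permission error.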

Re: How to inherit group-write permissions

PostPosted: Wed Oct 28, 2015 5:09 pm
by tinnyb
I too have failed utterly to get any level of ACL inheritance working on my system:

Mac Mini 2015 model
Yosemite 10.10.5
OpenZFS 1.4.5

The acl properties on my test zfs filesystem are:

aclmode=discard (have also tested passthrough)
aclinherit=passthrough

These properties are what I have set on my production Solaris systems here, which do dutifully propagate ACLs.

Whilst I can chmod and apply file_inherit and directory_inherit successfully to a folder, if I then 'touch' a file in that folder to create it, no ACLs are propagated. Creating a subdirectory in the folder also fails to inherit any ACLs. In both cases the bare posix entries are available. It's as if the aclinherit mode is hardwired to discard.

I do not seem to have the same issue as MacLemon as far as getting the correct group or user to be listed in the ACLs I create. Having said that, an ls -le will display a UUID rather than a name. For example, if I:
chmod +a "group:admin allow ...."

...and then perform an ls -le, the entry appears as:
0:  FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000050 allow list,add_file...file_inherit,directory_inherit


But, of course, this ACL fails to propagate any further.

Re: How to inherit group-write permissions

PostPosted: Wed Oct 28, 2015 5:14 pm
by ilovezfs
Yes, it is a known and real issue. Sorry you've spent time fighting it. MacLemon has been using

10.11
https://t.co/P1Dt8yVg1d

10.10
https://t.co/EXfmGk8XoG

with success:

https://twitter.com/MacLemon/status/657584916071370752
https://twitter.com/MacLemon/status/657585040336035840

Re: How to inherit group-write permissions

PostPosted: Thu Oct 29, 2015 5:18 am
by MacLemon
Yes, I can confirm that the custom builds that store ACLs in xattr (if I understood that correctly) do actually work fine. They preserve group ACLs correctly. You can set them with chmod(1) or even with OS X Server.app in the storage tab.

Thanks ilovezfs for being seriously helpful over and over again, here and on Twitter as well.

MacLemon

Re: How to inherit group-write permissions

PostPosted: Thu Oct 29, 2015 2:46 pm
by tinnyb
Lovely stuff. Downloaded, installed, tested. Works! Like a charm. Many thanks!

Re: How to inherit group-write permissions

PostPosted: Tue Dec 15, 2015 4:32 pm
by mkush
I have set up a FreeNAS server using AFP as the sharing protocol. During initial testing, I dragged a folder from my desktop to the server share and it copied perfectly. Then, I attempted to drag a folder from an OpenZFS pool. The folder would not copy, giving an error message before it even started. (Sorry, I don't remember what it said and now (thankfully) I can't recreate it.) I suspected that maybe strange file permissions were to blame. Looking at the permissions on the contents of the pool revealed all sorts of odd-looking stuff, certainly not the typical user/group/everyone permissions. It was clear that these were ACLs so I tried several commands to remove them, but nothing changed (I used sudo chmod -R -N /path/to/dir). I tried the same command on a desktop folder with ACLs, and they disappeared, so the command is good.

Confused and thinking perhaps this is an OpenZFS issue, I searched this forum and came up with this thread. I installed the custom build referenced above and magically, none of the folders on my pool appear to have ACLs any more (no need to run the chmod command). And, most importantly, they now copy just fine to the FreeNAS AFP share.

So, thanks to those who contributed to this solution.

PS: I believe I was running 1.4.2. Maybe this was already fixed in 1.4.5 without the need to install a custom build?

Re: How to inherit group-write permissions

PostPosted: Sat Jan 09, 2016 8:38 pm
by mkush
The links to the special builds seem to be dead. Could you please repost? Thanks.

Re: How to inherit group-write permissions

PostPosted: Sat Jan 09, 2016 8:39 pm
by ilovezfs
Indeed.

Re: How to inherit group-write permissions

PostPosted: Sat Jan 09, 2016 9:10 pm
by mkush
Is it possible to repost? I've got a pool that I can't copy the contents of to my FreeNAS due to screwy ACLs that can't be removed by the normal means. Thanks!

Re: How to inherit group-write permissions

PostPosted: Sat Jan 09, 2016 9:19 pm
by ilovezfs
xattracls.zip

And I'd suggest trying

viewtopic.php?f=26&t=2402#p6331

after you clean out the xattr ones. We've hidden the ZFS trivial ACLs, so your feedback on whether that new way works well for you would be interesting.