Darwin ACL on O3X 2.x

Post by CL_Jeremy » Thu Apr 14, 2022 7:20 pm

New adopter here. Started fresh on O3X 2.1.0 on OS X Server Yosemite 10.10.5.
After trying out the various settings outlined on GitHub and in the forum, I still couldn't make ACL work, at all.

The datasets are created using the default settings as outlined in https://openzfsonosx.org/wiki/Zpool#Creating_a_pool
The settings applied are:
  • aclmode=passthrough
  • aclinherit=passthrough
  • acltype=nfsv4 (unchanged)
  • xattr=on (unchanged)
  • com.apple.mimic=hfs (testing with off made no difference)
As suggested by various sources, these settings would enable compatibility with Darwin ACL through extended attributes. Some users reported Apple's native rsync -E working, others (such as ilovezfs) have suggested using the brewed version with rsync -X, but neither worked for me. Regular extended attributes got copied successfully, though. Plain chmod +a didn't do the trick, either, seemingly doing nothing.

Brewed rsync has -A which was not supposed to be used in 2014. Trying that made no difference.

Tested on macOS High Sierra 10.13.6 on a MacBook Air just to make sure it's not due to OS being too old. It may still be due to system framework versions, but the probability would be pretty low, I suppose.

My question: what's the status of Darwin ACL since the major xattr overhaul (sourced from upstream) in 2.x? What should/could be done in order to have working ACL for use in a multi-user environment? Should I try 1.9.x instead?

Many thanks in advance. I'm unable to generate any useful log for sharing, unfortunately. Any input is appreciated.
CL_Jeremy
 
Posts: 3
Joined: Thu Apr 14, 2022 5:56 pm

Re: Darwin ACL on O3X 2.x

Post by monroo » Fri Apr 15, 2022 12:13 am

Hi Jeremy,

As you have noticed, I've also had the same problem and had started a thread. I'm reposting my experience here too in the hope that, even if someone with knowledge sees this thread but misses the other one, the extra info might help shed some light on this matter.


Guess it is a good thing that I'm not alone on this. I've read your post and my experience is the same.

1) I created a folder on my desktop, set permissions via the Finder GUI, then tried to copy it to my dataset using rsync -ar. The folder got copied with the correct chown and chmod settings, but the extra ACL permission didn't get copied.

2) I've tried setting the acl with this command:
Code:
sudo chmod +a "media-user allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity" "/Volumes/tank/Media/test"

It returns without error, but Finder and ls -le don't show the ACL for "media-user".

I don't exactly remember how I did it, but on Catalina and v1.9.4 I was able to set ACLs before. The same dataset/folder setup was working before I had to upgrade to Monterey / v2.1.0. So, as you have said in your post, maybe this is a regression in the 2.x.x branch?

Any help on clarifying this would be much appreciated.
monroo
 
Posts: 13
Joined: Sat May 31, 2014 11:32 pm

Re: Darwin ACL on O3X 2.x

Post by CL_Jeremy » Sat Apr 16, 2022 10:18 am

Just downgraded to 1.9.4 and am pretty satisfied in general.

I thought performance on encrypted datasets could benefit a bit from having AES-NI on our cMP5,1 (Westmere Xeon), but it seems to have gone down a bit (could be my problem though, due to having a 160 GB L2ARC when a VM is running during extensive I/O on host - may bring more benefits in the long run as it'll serve as network Time Machine target, we'll see).

Anyway, downgrading solved the original issues. Just had to recompile ZetaWatch.app for use on 10.10 and redo the migration from Core Storage/JHFS+ volume.

I initially chose 2.x in order to be able to cross-mount different pools with Linux from time to time and retain access to most features, especially in case of an outage (The server is 12 years old now! Could happen at any time). Hopefully read-only imports could work and at least give me a chance to dig through files during a disastrous event. Also not using ZVOLs for the same reason - after all, what's the point of having JHFS+ again if a major argument of migration was to have a better data recovery experience with dedicated tools for ZFS?

In any case, still a very impressive effort to ship 2.x rebased on upstream repo. Looking forward to future improvements and definitely will try things out locally (server is in production environment, though mostly for archival purposes and not exactly critical).
CL_Jeremy
 
Posts: 3
Joined: Thu Apr 14, 2022 5:56 pm

Re: Darwin ACL on O3X 2.x

Post by monroo » Mon Apr 18, 2022 12:23 am

Well, that's unfortunate. I've upgraded my pools and started using zstd. I guess downgrading to v1.9.4 is not an option for me at the moment.

But glad you cleared up that this is a regression in 2.x.x branch. Fingers crossed for it to be an easy-to-fix issue since it was already working in earlier releases.

Also thank you for sharing your mileage.
monroo
 
Posts: 13
Joined: Sat May 31, 2014 11:32 pm

Re: Darwin ACL on O3X 2.x

Post by monroo » Mon Jul 25, 2022 11:30 pm

Hi all,

@lundman is there any fix included in the latest 2.1.x release for this issue by any chance?

I believe this actually is a serious issue for file servers, not being able to provide custom access like read-only etc.
monroo
 
Posts: 13
Joined: Sat May 31, 2014 11:32 pm

Re: Darwin ACL on O3X 2.x

Post by Heinrich » Tue Jan 31, 2023 5:04 am

Hello,
I set up a new server with O3x version 2.1.6-1 and also created a new pool. Is there any chance for me to downgrade to a version with working ACLs? I don't think that I need any features that older versions do not have.

TIA,
Heinrich
Heinrich
 
Posts: 2
Joined: Tue Feb 11, 2020 8:28 am

Re: Darwin ACL on O3X 2.x

Post by Heinrich » Wed Feb 01, 2023 7:47 am

Answering my own question: Importing on an older ZFS version is not possible:

Code:
bash-3.2# zpool import
   pool: data
     id: 7217057964332187890
  state: UNAVAIL
status: The pool uses the following feature(s) not supported on this sytem:
   com.delphix:head_errlog
   org.zfsonlinux:project_quota
   org.openzfs:zilsaxattr
   org.zfsonlinux:userobj_accounting
   com.delphix:log_spacemap
action: The pool cannot be imported. Access the pool on a system that supports
   the required feature(s), or recreate the pool from backup.
 config:

   data                                          UNAVAIL  unsupported feature(s)
     media-313D0BE9-2A09-634F-A046-6B506613FEB7  ONLINE
bash-3.2#
Heinrich
 
Posts: 2
Joined: Tue Feb 11, 2020 8:28 am

Re: Darwin ACL on O3X 2.x

Post by lundman » Sun Feb 05, 2023 4:06 pm

When you create the pool you can use "-d" as in, "zpool create -d ......" which will make a pool without any features, then you can turn on features supported by both platforms.

You can also look at the compat code, I believe we can "zpool create -o compatibility=compat-2020 ...."
like from https://github.com/openzfsonosx/openzfs ... tibility.d
lundman
 
Posts: 1335
Joined: Thu Mar 06, 2014 2:05 pm
Location: Tokyo, Japan
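
The "zpool create -d" approach from the reply above, as an added example that is not part of the thread or of the O3X project: it pulls the feature names the older host rejected out of the "zpool import" output posted earlier and prints (without running) a create command that enables only the remaining features. The pool name "tank", the device "disk2" and the WANTED feature list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Relevant part of the failed `zpool import` output, copied from the post above.
SAMPLE_IMPORT='status: The pool uses the following feature(s) not supported on this sytem:
   com.delphix:head_errlog
   org.zfsonlinux:project_quota
   org.openzfs:zilsaxattr
   org.zfsonlinux:userobj_accounting
   com.delphix:log_spacemap
action: The pool cannot be imported. Access the pool on a system that supports'

# Print the short names (text after "vendor:") of the features listed
# between the "status:" and "action:" lines, one per line.
unsupported_features() {
    printf '%s\n' "$1" | awk '
        /^ *action:/ { in_list = 0 }
        in_list && NF == 1 { sub(/^.*:/, "", $1); print $1 }
        /^ *status:.*not supported/ { in_list = 1 }'
}

# Build a `zpool create -d` command line: -d starts with every feature
# disabled, then each wanted feature that is not blocked is enabled.
# $1 = wanted features, $2 = blocked features, $3 = pool name, $4 = vdev
create_command() {
    cmd="zpool create -d"
    for f in $1; do
        if ! printf '%s\n' "$2" | grep -qxF "$f"; then
            cmd="$cmd -o feature@$f=enabled"
        fi
    done
    printf '%s %s %s\n' "$cmd" "$3" "$4"
}

# Constructed wish list (assumption): features the newer host would enable.
WANTED="async_destroy lz4_compress embedded_data log_spacemap project_quota"

BLOCKED=$(unsupported_features "$SAMPLE_IMPORT")
# Print the command for review only; nothing is created here.
create_command "$WANTED" "$BLOCKED" tank disk2
```

Review the printed command and compare it against "zpool upgrade -v" on the oldest system that must import the pool before creating anything.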

