Enabling POSIX ACL on Filesystem

phoenixmage · October 11, 2017, 12:45pm

Hi All,

I am attempting to run a Samba DC on a Resin OS instance inside a container. When I attempt to provision a domain controller I get the error “ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the ‘acl’ option.”

The error itself is pretty self explanatory but I have no idea what the correct way to enable posix ACLs on Resin is? According to mount it is running ext4 which means it is certainly possible but reviewing /etc/fstab none of the mounted filesystems correspond.

michal · August 14, 2017, 11:06am

What platform and OS version are you using? If you look at the device from the web terminal you can try something like this:

mount -o remount,acl /data

or:

mount -o remount,noacl /data

to see if you see any change.

phoenixmage · August 14, 2017, 12:16pm

Thanks for the reply, I am running resin/beaglebone-black-alpine:3.6.

I am not currently running through the web console but remounting /mnt/data with acl doesnt seem to help but I am not sure if the base OS has the acl package or equivalent installed?

willnewton · August 14, 2017, 1:29pm

You should be able to check in /proc/config.gz which kernel options are enabled, the appropriate option is CONFIG_FS_POSIX_ACL.

phoenixmage · August 14, 2017, 11:44pm

It is enabled in the kernel, but unfortunately its not mounting with ACL when remounted. Any other ideas?

willnewton · August 15, 2017, 1:33am

Do you also have CONFIG_EXT4_FS_POSIX_ACL?

Also do you know if the error you are seeing is being caused by access to the /data volume or some other part of the filesystem? It’s unclear whether the default storage driver for docker (aufs) supports ACLs or not but /data should be a simple ext4 volume.

Thanks,

phoenixmage · August 15, 2017, 1:43am

CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y

I am using the vanilla Beaglebone image found on the resin.io download page. It doesn’t have /data but does have /mnt/data which seems to contain the docker containers.

According to the aufs homepage it does support xattr and acls. I am unsure why the remount isn’t mounting with acls. According to dmesg the remount is occurring.

willnewton · August 15, 2017, 2:00am

Is it possible to mount the storage needed by Samba as a volume in Docker?

phoenixmage · August 15, 2017, 2:15am

I cant see why not but wouldn’t I have the same issues as the underlying filesystem isn’t mounted with ACLs?

willnewton · August 15, 2017, 2:22am

After remounting with the acl option do you see a change in /proc/mounts? It might be worth also trying stopping docker (systemctl stop docker) before remounting.

phoenixmage · August 15, 2017, 2:28am

I stopped docker and remounted, same output from mount and /proc/mounts, no acl option.

dmesg output is EXT4-fs (mmcblk1p6): re-mounted. Opts: data=ordered,acl

floion · August 28, 2017, 2:04pm

Hi. Can you use a .dev image and try logging into the host OS?
You can use the serial debug conenction to log in the host OS or ssh to port 22222 (-p 22222) if you are in the same network with the board. Once connected, you can check with “tune2fs -l /dev/mmcblk0p6” and see if acl is really enabled on that partition’s filesystem

imrehg · August 28, 2017, 9:22pm

I’ve just checked a fresh Raspberry Pi 3 2.3.0+rev1, and have this for tune2fs -l /dev/mmcblk0p6 (snip):

...
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize
Filesystem flags:         signed_directory_hash 
Default mount options:    user_xattr acl
...

phoenixmage · October 3, 2017, 11:09am

Sorry, I have been on vacation, I have updated and seen similar results to imrehg.

I spent some time with the issue again this evening and managed to modify the docker daemon so that it now uses overlay2 which resolved my issue.

The only painful thing about that is I will need modify any ResinOS instance manually to start the daemon with aufs.

Where can I lodge a feature request to move the storage driver into the config.json or something similar?

imrehg · October 3, 2017, 11:23am

@phoenixmage need some care with this, as the modifications to the system might prevent you from resin host upgrading the device in the future (or lose the modifications / data)

It would be interesting to see what’s the core issue that switching to overlay2 fixed compared to aufs, because if both has ACL enabled, then maybe the original reported issue is incorrect/incomplete… Do you have a project that you can share with us, and we can try on devices to try to reproduce the issue?

Overlay2 is already used for some of the devices but not the default for all, what’s the device type that you are using? (looks like haven’t asked that yet). We are working on some resinOS modifications that would allow you to make these changes reliably and in a “proper” way, but it’s still in the works…

phoenixmage · October 3, 2017, 11:41am

@imrehg At the moment I am doing everything manually in an exec session as its easier to try things but ultimately my current project is to get samba running as a DC on Resin (in the larger goal of only spinning up my compute lab when needed).

I think the core issue is despite the fact that the latest versions of aufs support POSIX ACLs the version that is shipping with the ResinOS docker instance isn’t, and that may not be a ResinOS specific issue.

I switched to overlay2 because it definitely does support POSIX ACL in docker.

I am rolling with Beagle Bone Black for my current testing but will also be running with Raspberry Pi 3 once I have a working image.

I will share the working Dockerfile once I have that working. Ultimately an easy manual test inside a container is:
touch test.txt
setfacl -m g:adm:rwx test.txt
getfacl test.txt

The output should be something like:
# file: test.txt
# owner: root
# group: root
user::rw-
group::r–
group:adm:rwx
mask::rwx
other::r–

willnewton · October 3, 2017, 12:07pm

Which version of resinOS and what hardware platform are you using?

phoenixmage · October 3, 2017, 12:08pm

@willn Beagle Bone Black with resinOS 2.2.0+rev1.dev

floion · October 7, 2017, 12:01pm

Hi, how did you asses that the aufs version shipped in resinOS does not support aufs? I have double-checked and we do have the aufs version which has a fix for acl. I checked the upstream and haven’t found new acl related commits in aufs 4.9
Have you seen recent fixes in aufs that we do not ship?

For the reference, this is the aufs revision in the 4.9 branch that we are shipping with resinOS for the beaglebone black device: https://github.com/resin-os/meta-resin/blob/master/meta-resin-common/classes/kernel-resin.bbclass#L512

phoenixmage · October 9, 2017, 3:16am

Hi, I just assumed given that aufs says they support ACLs and it doesnt work in reality.

The only thing I changed was from using aufs to overlay and ACLs now work.