ACL is not working for secondary groups, only works for primary groups. #1028
Comments
https://github.com/trapexit/mergerfs#supplemental-user-groups Did you account for this?
Hello, thanks for your fast reply. When I created this bug, I hadn't accounted for that yet, and it is working on the main system now. However, I originally encountered the bug in LXC containers, and it doesn't work there (when I wrote the bug I wanted to keep it as simple as possible, and I could reproduce it until I rebooted, which is not the case for containers). Inside the containers, I still cannot mkdir:
Inside LXC containers, UIDs and GIDs get mapped, so uid 1000 becomes 101000, and root (0) becomes 100000 and hostwrite (2000) becomes 102000. Note this behavior is different from docker where no uid mapping takes place. The mergerfs filesystem is shared via rbind mounts:
Here is the strace for the containers:
sudo -u matt3o12 cp /tmp/container.strace.txt /mnt/nas/homes/matt3o12/
I am not sure how to assist you best here. Are you familiar with proxmox or at least LXC containers? Proxmox should not be required for the problem here, but it makes managing LXC containers very easy. My guess is that the problem is that the cache does not account for uid mapping properly. My best guess is that another user with that uid but different groups is already in the cache from another container. If that's the case, mergerfs needs to either account for the cgroup namespace of the process when caching or disable caching for containers. This could also be a security issue because it would allow me to escape the ACL permissions if the cache picks up a uid with "better" secondary groups first. Is there a way to dump the cache? I'd be happy to take a look. Thank you for taking the time to read and understand my issue and for your hard work on the mergerfs project! :)
I'll have a closer look later but...
There isn't a way to dump the cache as it's extremely straightforward and there was never a need: https://github.com/trapexit/mergerfs/blob/master/src/gidcache.cpp It simply calls get and set groups on demand.
I've encountered the same issue, unfortunately. I did find a workaround though.
It must be remembered that containers don't automatically share users/groups. They are different systems. The details have to be shared between them. This isn't a mergerfs thing. It's a basic multi system / multi container thing. When a request is made mergerfs has to look up the supplemental groups because that's not something the kernel manages. It's userspace. And so wherever mergerfs is is where it will pick up those supplemental groups. For your average system you can bind in /etc/passwd, /etc/group, and /etc/nsswitch.conf
Thank you for the explanation. I suppose because other in-kernel fs drivers are not running in userspace there are no issues with them. There is a way to map container users/groups to the host's users/groups with I'm perfectly happy with running mergerfs within the container. It has minimal overhead, and I probably get to use a newer version of mergerfs at the same time as well (arch container vs debian host). I guess I thought there was a better way, but it looks like I was wrong. Cheers.
Describe the bug
I cannot create directories when using ACL and the group is not the primary group. I can create the directory just fine if I either become the primary group (sudo -g group -s) or if I create the directory in the real path. I am using mergerfs 2.33.3.
To Reproduce
mount the file system like this:
/mnt/hdds/hdd* /mnt/media fuse.mergerfs allow_other,use_ino,cache.files=partial,dropcacheonclose=true,category.create=eppfrd,moveonenospc=true,posix_acl=true,fsname=media-merger,cache.readdir=true,noatime 0 2
(using fstab)
Set acl permissions:
setfacl -Rm g:hostwrite:rwx,d:g:hostwrite:rwx /mnt/hdds/hdd*
Ensure acl is working in mergerfs:
Add group to user & verify that the group is not the primary:
Note: gid must not be hostwrite
I cannot create directories:
System information:
uname -a: Linux pve 5.13.19-5-pve #1 SMP PVE 5.13.19-13 (Tue, 08 Mar 2022 07:32:25 +0100) x86_64 GNU/Linux
(pve is proxmox, a custom debian bullseye distribution running an ubuntu kernel for zfs boot support)
mergerfs -V: mergerfs version: 2.33.3
Attached: app.strace.txt
Attached: mergerfs.strace.txt
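The following is an added example, not code from the mergerfs project or from anyone in this thread. It models the two points the thread turns on: the report's observation that the ACL works when hostwrite is the caller's primary group but not when it is a supplemental group, and trapexit's explanation that a userspace filesystem resolves supplemental groups from the passwd/group database visible to the filesystem process, wherever that process runs. The passwd/group contents, the group name hostwrite with gid 2000, and the LXC id shift of 100000 are constructed from the report; the resolution logic mimics getgrouplist(3) and is not mergerfs's own gidcache code.

```python
"""
Added example (not mergerfs code): model of supplemental-group resolution
by a userspace filesystem and the resulting POSIX ACL named-group check.
All databases below are constructed for the example.
"""

# Constructed host-side files after `usermod -aG hostwrite matt3o12`.
HOST_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "matt3o12:x:1000:1000::/home/matt3o12:/bin/bash\n"
)
HOST_GROUP = (
    "root:x:0:\n"
    "matt3o12:x:1000:\n"
    "hostwrite:x:2000:matt3o12\n"
)
# Constructed container files: same user, but the container's own group
# database was never told about the hostwrite membership.
CONTAINER_PASSWD = HOST_PASSWD
CONTAINER_GROUP = (
    "root:x:0:\n"
    "matt3o12:x:1000:\n"
)
LXC_ID_SHIFT = 100000  # assumption from the report: container uid N is host uid N + 100000
HOSTWRITE_GID = 2000   # assumption from the report's setfacl on g:hostwrite


def parse_passwd(text):
    """Return {uid: (name, primary_gid)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[int(uid)] = (name, int(gid))
    return users


def parse_group(text):
    """Return {gid: (name, {member names})} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")[:4]
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups


def getgrouplist(uid, gid, passwd_text, group_text):
    """
    Effective group set for a request. The gid the kernel attached to the
    request is always present (this is why the report's `sudo -g hostwrite`
    works). Supplemental groups exist only if a userspace lookup of uid in
    the database visible to the filesystem process finds the user and its
    group memberships; an unknown uid (e.g. a shifted container uid looked
    up on the host) yields nothing extra.
    """
    gids = {gid}
    users = parse_passwd(passwd_text)
    if uid not in users:
        return gids
    name, primary_gid = users[uid]
    gids.add(primary_gid)
    for g, (_gname, members) in parse_group(group_text).items():
        if name in members:
            gids.add(g)
    return gids


def mkdir_allowed(uid, gid, passwd_text, group_text, entry_gid=HOSTWRITE_GID):
    """A named-group ACL entry g:<entry_gid>:rwx applies only if that gid is in the caller's group set."""
    return entry_gid in getgrouplist(uid, gid, passwd_text, group_text)


def scenarios():
    """Outcomes of the situations described in the thread."""
    return {
        # host login, hostwrite is supplemental, lookup against host files
        "host_user": mkdir_allowed(1000, 1000, HOST_PASSWD, HOST_GROUP),
        # host login after `sudo -g hostwrite`: gid comes from the kernel
        "host_user_primary_hostwrite": mkdir_allowed(1000, HOSTWRITE_GID, HOST_PASSWD, HOST_GROUP),
        # container caller seen by a host-side mergerfs through the rbind mount:
        # the uid is shifted and unknown to the host database
        "container_via_host": mkdir_allowed(1000 + LXC_ID_SHIFT, 1000 + LXC_ID_SHIFT, HOST_PASSWD, HOST_GROUP),
        # mergerfs running inside the container with the container's own files
        "container_local_missing_group": mkdir_allowed(1000, 1000, CONTAINER_PASSWD, CONTAINER_GROUP),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'mkdir allowed' if ok else 'EACCES'}")
```

The last scenario turns into the first one as soon as the container sees a group database that lists the membership, which is what binding /etc/passwd, /etc/group and /etc/nsswitch.conf into the container (or running mergerfs inside it against a correctly populated container database) achieves. The check to run on a real system is `id -G <user>` and `getent group hostwrite` from inside whatever environment the mergerfs process lives in, and compare against `getfacl` on the branch directory.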