On Wed, Aug 28, 2019 at 03:09:03PM -0400, Olga Kornievskaia wrote: > On Wed, Aug 28, 2019 at 2:06 PM J. Bruce Fields <bfields@xxxxxxxxxxxx> wrote: > > > > On Mon, Aug 26, 2019 at 11:28:21PM +0000, de Vandiere, Louis wrote: > > > Thank you Olga! Somehow, I failed to look into this file although I looked in fs/nfs/ without success and I understand why now. > > > > > > I'd like to see it increased and be scalable like XFS is, but I understand it might impact multiple libraries. Should I open a bug/feature request somewhere? > > > > I wonder if it'd be OK to remove the limit completely (and then leave > > it to the filesystem to reject if if it wants). > > > > It does mean we're passing an arbitrary client-supplied value to > > kmalloc. Is it OK to do that and just leave it to the allocator to > > reject excessive requests, or do we risk pushing it into making heroic > > efforts to satisfy a possibly malicious or broken client? > > > > I wonder if there's also a risk in passing down posix ACLs larger than > > could have been created with the setxattr system call. > > > > Assuming it's still safest to have a limit.... > > > > XATTR_LIST_MAX is a global limit on the size of xattrs. We could try to > > estimate how big the converted posix ACL will be and work out a maximum > > based on that. > > I agree there should be a limit and using XATTR_LIST_MAX sounds > reasonable to me. OK. And, whoops, I meant to say XATTR_SIZE_MAX. (Both are currently 64K, though.) --b. > > > > > --b. > > > > > > > > Best, > > > Louis de Vandière > > > > > > -----Original Message----- > > > From: Olga Kornievskaia <aglo@xxxxxxxxx> > > > Sent: Monday, August 26, 2019 2:31 PM > > > To: de Vandiere, Louis <louis.devandiere@xxxxxxxx> > > > Cc: linux-nfs@xxxxxxxxxxxxxxx > > > Subject: Re: Maximum Number of ACL on NFSv4 > > > > > > From fs/nfsd/acl.h > > > /* > > > * Maximum ACL we'll accept from a client; chosen (somewhat > > > * arbitrarily) so that kmalloc'ing the ACL shouldn't require a > > > * high-order allocation. This allows 204 ACEs on x86_64: > > > */ > > > #define NFS4_ACL_MAX ((PAGE_SIZE - sizeof(struct nfs4_acl)) \ > > > / sizeof(struct nfs4_ace)) > > > > > > I don't know how Bruce feels about increasing that limit. Perhaps he'd be opened to a patch that increases that. > > > > > > On Mon, Aug 26, 2019 at 2:30 PM de Vandiere, Louis <louis.devandiere@xxxxxxxx> wrote: > > > > > > > > Thanks Niels, I tried your suggestion. According to the documentation (https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flinux.die.net%2Fman%2F8%2Fmkfs.xfs&data=02%7C01%7Clouis.devandiere%40atos.net%7Ce185f99cb3ad476fd39308d72a5bf6d5%7C33440fc6b7c7412cbb730e70b0198d5a%7C0%7C0%7C637024446785324973&sdata=HZbnVSzTKKCXpEv5JLgZKeEgQx5BPKeEs4SYZqRhhbk%3D&reserved=0), the maximum size for the inode is 2048 byte. So I set it to this value, and faced the exact same limitation. On the other hand, when I used setfacl -m on the XFS mounted disk, I did not face any limitation and I was able to set thousands of ACLs on a single file. > > > > > > > > When I do a strace, I see two different types of ACL used when the system calls setxattr: system.posix_acl_default and system.nfsv4_acl. I tried to look for hardcoded limits associated with system.nfsv4_acl but I don't have much experience with C and linux kernel. > > > > > > > > Thank you for your help. > > > > Best, > > > > Louis de Vandière > > > > > > > > -----Original Message----- > > > > From: Niels de Vos <ndevos@xxxxxxxxxx> > > > > Sent: Monday, August 26, 2019 11:46 AM > > > > To: de Vandiere, Louis <louis.devandiere@xxxxxxxx> > > > > Cc: linux-nfs@xxxxxxxxxxxxxxx > > > > Subject: Re: Maximum Number of ACL on NFSv4 > > > > > > > > On Mon, Aug 26, 2019 at 02:53:05PM +0000, de Vandiere, Louis wrote: > > > > > Yes, I assume it's not very frequent to have hundreds of NFSv4 ACLs. For compliance and organizational issue, we cannot use groups efficiently to manage access to the shares, so it's user-based and case by case. > > > > > > > > > > My real goal is to be able to replicate some files to a new NFSv4 server while preserving the ACLs. By using "cp -R --preserve=all acl-folder/", I'm able to preserve the ACLs when their number does not exceed 200, above it, I see the "File too large" error while rsync does not work at all (even in version 3.1.3). That's why I'm digging into this and checking what possibly could go wrong. > > > > > > > > You might be hitting a limit in the filesystem on the NFS server. The > > > > ACLs are stored in extended attributes. Depending on the filesystem, > > > > you may be able to configure larger inode sizes (or other storage for > > > > xattrs). With XFS this can be done with 'mkfs -t xfs -i size=.. ...', > > > > > > > > HTH, > > > > Niels > > > > > > > > > > > > > > > > > > Thank you. > > > > > Best, > > > > > Louis de Vandière > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: Goetz, Patrick G <pgoetz@xxxxxxxxxxxxxxx> > > > > > Sent: Monday, August 26, 2019 8:44 AM > > > > > To: de Vandiere, Louis <louis.devandiere@xxxxxxxx>; > > > > > linux-nfs@xxxxxxxxxxxxxxx > > > > > Subject: Re: Maximum Number of ACL on NFSv4 > > > > > > > > > > I'm dying to know what the use case is for this, and why you can't just do this with group permissions (unless you're talking about hundreds of group ACLs). > > > > > > > > > > On 8/23/19 5:31 PM, de Vandiere, Louis wrote: > > > > > > Hi, > > > > > > > > > > > > I'm currently trying to apply hundreds of ACLs on file hosted on a NFSv4 server (nfs-utils-1.3.0-0.61.el7.x86_64 and nfs4-acl-tools.0.3.3-19.el7.x86_64). It appears that the limit I can apply is 207. After the limit is reached, the command "nfs4_setfacl -a" returned the error "Failed setxattr operation: File too large". The same problem happens if I use an ACL with more than 200 line in it. I did a little debugging session but I was not able to come up with an explanation on why I'm facing such an issue. > > > > > > > > > > > > On the other hand, I can apply hundreds of ACLs on XFS without issue. Do you know if it could be a bug with the nfs4-acl-tools package? > > > > > > Thank you for your support. > > > > > > Best, > > > > > > Louis de Vandière > > > > > >>> This message is from an external sender. Learn more about why this << > > > > > >>> matters at https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flinks.utexas.edu%2Frtyclf&data=02%7C01%7Clouis.devandiere%40atos.net%7Ce185f99cb3ad476fd39308d72a5bf6d5%7C33440fc6b7c7412cbb730e70b0198d5a%7C0%7C0%7C637024446785324973&sdata=r345rqWN4GKT0mBmQmMTnaC%2FFEyUTidjBlGeAMRdEpA%3D&reserved=0. << > > > > > >
