Bug #38195

Use UNIX ACLs on iocage datasets

Added by Roman M 9 months ago. Updated 7 months ago.

Status: Done
Priority: No priority
Assignee: Brandon Schneider
Category: Middleware
Target version:
Seen in:
Severity: Med High
Reason for Closing:
Reason for Blocked:
Needs QA: No
Needs Doc: No
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

When creating a new jail, the following error occurs:


Error: concurrent.futures.process._RemoteTraceback: 
""" 
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/concurrent/futures/process.py", line 175, in _process_worker
    r = call_item.fn(*call_item.args, **call_item.kwargs)
  File "/usr/local/lib/python3.6/site-packages/middlewared/worker.py", line 122, in main_worker
    res = loop.run_until_complete(coro)
  File "/usr/local/lib/python3.6/asyncio/base_events.py", line 468, in run_until_complete
    return future.result()
  File "/usr/local/lib/python3.6/site-packages/middlewared/worker.py", line 82, in _run
    return await self._call(f'{service_name}.{method}', serviceobj, methodobj, params=args, job=job)
  File "/usr/local/lib/python3.6/site-packages/middlewared/worker.py", line 75, in _call
    return methodobj(*params)
  File "/usr/local/lib/python3.6/site-packages/middlewared/worker.py", line 75, in _call
    return methodobj(*params)
  File "/usr/local/lib/python3.6/site-packages/middlewared/schema.py", line 662, in nf
    return f(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/middlewared/plugins/jail.py", line 149, in create_job
    empty=empty)
  File "/usr/local/lib/python3.6/site-packages/iocage/lib/iocage.py", line 588, in create
    exit_on_error=self.exit_on_error).create_jail()
  File "/usr/local/lib/python3.6/site-packages/iocage/lib/ioc_create.py", line 87, in create_jail
    return self._create_jail(jail_uuid, location)
  File "/usr/local/lib/python3.6/site-packages/iocage/lib/ioc_create.py", line 176, in _create_jail
    config = self.create_config(jail_uuid, cloned_release)
  File "/usr/local/lib/python3.6/site-packages/iocage/lib/ioc_create.py", line 507, in create_config
    jail_props = ioc_json.json_check_default_config()
  File "/usr/local/lib/python3.6/site-packages/iocage/lib/ioc_json.py", line 1761, in json_check_default_config
    self.json_write(default_props, default_json_location)
  File "/usr/local/lib/python3.6/site-packages/iocage/lib/ioc_json.py", line 426, in json_write
    json.dump(data, out, sort_keys=True, indent=4, ensure_ascii=False)
  File "/usr/local/lib/python3.6/contextlib.py", line 88, in __exit__
    next(self.gen)
  File "/usr/local/lib/python3.6/site-packages/iocage/lib/ioc_common.py", line 430, in open_atomic
    os.chmod(filepath, 0o644)
PermissionError: [Errno 1] Operation not permitted: '/mnt/wd/iocage/defaults.json'
""" 

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/middlewared/job.py", line 332, in run
    await self.future
  File "/usr/local/lib/python3.6/asyncio/coroutines.py", line 129, in throw
    return self.gen.throw(type, value, traceback)
  File "/usr/local/lib/python3.6/site-packages/middlewared/job.py", line 356, in __run_body
    rv = await self.middleware._call_worker(self.serviceobj, self.method_name, *self.args, job={'id': self.id})
  File "/usr/local/lib/python3.6/asyncio/coroutines.py", line 129, in throw
    return self.gen.throw(type, value, traceback)
  File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 977, in _call_worker
    job,
  File "/usr/local/lib/python3.6/asyncio/coroutines.py", line 129, in throw
    return self.gen.throw(type, value, traceback)
  File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 908, in run_in_proc
    return await self.run_in_executor(self.__procpool, method, *args, **kwargs)
  File "/usr/local/lib/python3.6/asyncio/coroutines.py", line 129, in throw
    return self.gen.throw(type, value, traceback)
  File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 902, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
PermissionError: [Errno 1] Operation not permitted: '/mnt/wd/iocage/defaults.json'

Related issues

Has duplicate FreeNAS - Bug #38185: Cant install plugin (Closed)

History

#1 Updated by Dru Lavigne 9 months ago

  • Assignee changed from Release Council to Erin Clark
  • Target version changed from Backlog to 11.2-BETA2

#2 Updated by Dru Lavigne 9 months ago

  • Private changed from No to Yes

#3 Updated by Erin Clark 9 months ago

  • Assignee changed from Erin Clark to Lola Yang

#5 Updated by Lola Yang 9 months ago

  • Category changed from GUI (new) to Middleware
  • Assignee changed from Lola Yang to Brandon Schneider

#7 Updated by William Grzybowski 9 months ago

  • Status changed from Unscreened to Blocked
  • Assignee changed from Brandon Schneider to William Grzybowski
  • Reason for Blocked set to Waiting for feedback

Did you change the permissions of /mnt/wd recursively?

What are the permissions of /mnt/wd/iocage dir and beneath it?

#8 Updated by Roman M 9 months ago

William Grzybowski wrote:

Did you change the permissions of /mnt/wd recursively?

What are the permissions of /mnt/wd/iocage dir and beneath it?

I can't check the permission on the iocage folder, what is the command line tool to do so?

#9 Updated by William Grzybowski 9 months ago

Roman M wrote:

William Grzybowski wrote:

Did you change the permissions of /mnt/wd recursively?

What are the permissions of /mnt/wd/iocage dir and beneath it?

I can't check the permission on the iocage folder, what is the command line tool to do so?

ls -la /mnt/wd/iocage

#10 Updated by Roman M 9 months ago

William Grzybowski wrote:

ls -la /mnt/wd/iocage

#11 Updated by William Grzybowski 9 months ago

Roman M wrote:

William Grzybowski wrote:

ls -la /mnt/wd/iocage

Looks like you have ACL set on /mnt/wd/iocage, you need to remove those.

#12 Updated by Roman M 9 months ago

William Grzybowski wrote:

Looks like you have ACL set on /mnt/wd/iocage, you need to remove those.

How can I do that? I never created the iocage folder in the first place...

#13 Updated by William Grzybowski 9 months ago

Roman M wrote:

William Grzybowski wrote:

Looks like you have ACL set on /mnt/wd/iocage, you need to remove those.

How can I do that? I never created the iocage folder in the first place...

So you tried to create a jail after setting Windows ACL to /mnt/wd?

Try this:
zfs set aclmode=passthrough wd/iocage
zfs set aclinherit=passthrough wd/iocage
setfacl -b /mnt/wd/iocage

#14 Updated by William Grzybowski 9 months ago

  • Assignee changed from William Grzybowski to Brandon Schneider
  • Target version changed from 11.2-BETA2 to 11.2-BETA3

Brandon,

For RC1, when iocage creates the dataset, I believe we need to make sure the dataset is created with unix acl, not inheriting the parent dataset.

#15 Updated by William Grzybowski 9 months ago

  • Has duplicate Bug #38185: Cant install plugin added

#16 Updated by Dru Lavigne 9 months ago

  • Status changed from Blocked to Unscreened
  • Reason for Blocked deleted (Waiting for feedback)

#18 Updated by Brandon Schneider 9 months ago

  • Status changed from Unscreened to In Progress

#19 Updated by Brandon Schneider 9 months ago

  • Status changed from In Progress to Ready for Testing

PR: https://github.com/freenas/iocage/pull/5
DESC: Use unix ACL on iocage datasets
RISK: Low
ACCEPTANCE: Destroy all iocage datasets including the root (zfs destroy -r POOL/iocage) and then do iocage list to recreate them. Verify aclmode is passthrough.

#20 Updated by Dru Lavigne 9 months ago

  • Status changed from Ready for Testing to In Progress

#21 Updated by Dru Lavigne 9 months ago

  • Target version changed from 11.2-BETA3 to 11.2-BETA2

#22 Updated by Dru Lavigne 9 months ago

  • File deleted (debug.tgz)

#23 Updated by Dru Lavigne 9 months ago

  • Subject changed from Cant create a jail to Use UNIX ACLs on iocage datasets
  • Private changed from Yes to No
  • Needs Doc changed from Yes to No

#24 Updated by Roman M 9 months ago

Brandon Schneider wrote:

PR: https://github.com/freenas/iocage/pull/5
DESC: Use unix ACL on iocage datasets
RISK: Low
ACCEPTANCE: Destroy all iocage datasets including the root (zfs destroy -r POOL/iocage) and then do iocage list to recreate them. Verify aclmode is passthrough.

Hi I tried to do this but got the following result:

#25 Updated by William Grzybowski 9 months ago

Roman M wrote:

Brandon Schneider wrote:

PR: https://github.com/freenas/iocage/pull/5
DESC: Use unix ACL on iocage datasets
RISK: Low
ACCEPTANCE: Destroy all iocage datasets including the root (zfs destroy -r POOL/iocage) and then do iocage list to recreate them. Verify aclmode is passthrough.

Hi I tried to do this but got the following result:

Hi, this is not for you to try. These are steps for our QA team.

The fix will be available in BETA2. You will have to stop all jails and destroy all iocage datasets before trying again once the release is out.

#26 Updated by William Grzybowski 9 months ago

  • Status changed from In Progress to Ready for Testing

#27 Updated by Dru Lavigne 9 months ago

  • Needs Merging changed from Yes to No

#28 Updated by Roman M 9 months ago

William Grzybowski wrote:

Hi, this is not for you to try. These are steps for our QA team.

The fix will be available in BETA2. You will have to stop all jails and destroy all iocage datasets before trying again once the release is out.

Ok, sorry

#29 Updated by Bonnie Follweiler 9 months ago

  • Status changed from Ready for Testing to Passed Testing
  • Needs QA changed from Yes to No

Test Passed in FreeNAS-11.2-MASTER-201807300838
(Build Date: Jul 30, 2018 11:47)

Test Case:
DESC: Use unix ACL on iocage datasets
RISK: Low
ACCEPTANCE: Destroy all iocage datasets including the root (zfs destroy -r POOL/iocage) and then do iocage list to recreate them. Verify aclmode is passthrough (zfs get all | grep aclinherit).
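
The verification in the acceptance step above, as an added example that is not part of the ticket or of iocage: a shell check that reads `zfs get -H` output and reports every iocage dataset whose aclmode or aclinherit is not passthrough. The pool name `tank` and the sample property values are constructed.

```shell
#!/bin/sh
# Added example: audit ACL-related ZFS properties on iocage datasets.
# Reads tab-separated name/property/value lines on stdin, the format printed by
#   zfs get -H -r -o name,property,value aclmode,aclinherit POOL/iocage
# Prints one line per property that is not "passthrough"; returns 1 if any.
check_iocage_acl_props() {
    awk -F '\t' '
        ($2 == "aclmode" || $2 == "aclinherit") && $3 != "passthrough" {
            printf "%s: %s=%s (expected passthrough)\n", $1, $2, $3
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: an iocage root whose aclmode was inherited from a parent
# dataset that does not use UNIX permissions (pool "tank" and values made up).
sample_inherited() {
    printf 'tank/iocage\taclmode\trestricted\n'
    printf 'tank/iocage\taclinherit\tpassthrough\n'
    printf 'tank/iocage/jails\taclmode\trestricted\n'
    printf 'tank/iocage/jails\taclinherit\tpassthrough\n'
}

# Constructed sample: the state the acceptance step expects.
sample_fixed() {
    printf 'tank/iocage\taclmode\tpassthrough\n'
    printf 'tank/iocage\taclinherit\tpassthrough\n'
}

sample_inherited | check_iocage_acl_props || echo "FAIL: iocage datasets need attention"
sample_fixed | check_iocage_acl_props && echo "OK: aclmode/aclinherit are passthrough"
```

On a live system, pipe the `zfs get` command from the comment into `check_iocage_acl_props` in place of the sample functions.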

#30 Updated by Dru Lavigne 9 months ago

  • Status changed from Passed Testing to Done

#31 Updated by Roman M 7 months ago

This is with beta 3...

Deleting the dataset gives an error too...

Ok following this guide it was solved, ty.

https://forums.freenas.org/index.php?threads/iocage-set-up-itself-on-wrong-pool-how-can-i-move-it.61234/#post-435258
