File permissions issues sync'ing to a NetAPP appliance on FSX @ AWS

NE1ScottZT

Cadet
Joined
Jul 18, 2021
Messages
7
My data has taken many paths through its migration from fileserver to NetApp device to FreeNAS on VMware (AWS@VMC) and is now making a journey from FreeNAS to NetApp on FSx @ AWS. (I am not in control of where it goes.)

When copying data using rsync, or AWS datasync or even a 3rd party data migration broker we are being plagued by files and folders we are getting permission denied for.
When I look at these files and folders they are usually bin folders with 751 permissions.

Since we are going from essentially NAS to NFS file permissions will be controlled differently.
Currently on the TrueNAS we have many users and groups that restrict who can see what folders.

Is there a user we can use or a setting that we can set that would allow the TrueNAS root user full access to all of the files in all of the folders regardless of permissions, to allow us to copy the data to its new destination? I never dreamed it would be so difficult to get the data back out.
 

NE1ScottZT

While ultimately the goal is to get it to the ONTAP on FSx appliance at AWS, the immediate time-sensitive need is to get the FreeNAS deleted from the VMC@AWS due to costs. (VMC filespace is replicated and snapshot backups are taken, so we're paying for 2.5 times the disk space, which at 10TB raw data added up to a lot.)

So if some solution involving TrueNAS on EC2 would allow reliable replication then that could work as our final solution, or at least provide us a way to get out of the VMC.

A thought I had was to get TrueNAS running on EC2 (12.0 Beta0 & 1 is all I see in community AMIs) and then being able to replicate between the two, ultimately eliminating the TrueNAS inside my VMC after replication completed.

Looking for the best alternative even if I haven't mentioned it here, but needs to run in AWS EC2 and provide mounts for the AD home folders across a range of Windows and linux machines.
 

blanchet

Guru
Joined
Apr 17, 2018
Messages
516
You have to use the option maproot to allow remote accesses by root; otherwise remote accesses by root are mapped to the user nobody.

In your case you must specify:

TrueNAS Core
maproot user = root
maproot group = wheel


TrueNAS Scale
maproot user = root
maproot group = root


The behaviour of these options is explained in the man page of exports(5):

Export options are specified as follows:

-maproot=user The credential of the specified user is used for remote access by root. The credential includes all the groups to which the user is a member on the local machine (see id(1)). The user may be specified by name or number. The user string may be quoted, or use backslash escaping.

-maproot=user:group1:group2:... The colon separated list is used to specify the precise credential to be used for remote access by root. The elements of the list may be either names or numbers. Note that user: should be used to distinguish a credential containing no groups from a complete credential for that user. The group names may be quoted, or use backslash escaping.

-mapall=user or -mapall=user:group1:group2:... specifies a mapping for all client UIDs (including root) using the same semantics as -maproot.

The option -r is a synonym for -maproot in an effort to be backward compatible with older export file formats.

In the absence of -maproot and -mapall options, remote accesses by root will result in using a credential of 65534:65533. All other users will be mapped to their remote credential. If a -maproot option is given, remote access by root will be mapped to that credential instead of 65534:65533. If a -mapall option is given, all users (including root) will be mapped to that credential in place of their own.

Note:
I do not know AWS FSx, but on any NFS server I have ever used (Linux, FreeBSD, NetApp, Isilon), remote access by root is denied by default, and you have to specifically enable it.
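
The exports(5) rules quoted above, as an added example that is not part of the original post: a small Python parser that reports which credential remote root receives for each export line. The sample lines, paths and addresses are constructed, and the parser assumes one path per line and no backslash line continuations.

```python
import shlex

# Credential exports(5) gives remote root when neither -maproot nor -mapall is set.
DEFAULT_CRED = ("65534", ["65533"])
MAP_OPTS = ("-maproot=", "-r=", "-mapall=")

def parse_cred(value):
    """'user' -> (user, None); 'user:g1:g2' -> (user, [g1, g2]); 'user:' -> (user, [])."""
    user, colon, rest = value.partition(":")
    if not colon:
        return user, None  # None: the user's own local group list is used
    return user, [g for g in rest.split(":") if g]

def root_credential(line):
    """Return (path, user, groups) that remote root gets for one export line,
    or None for blank, comment and 'V4:' lines."""
    tokens = shlex.split(line, comments=True)  # strips quotes and backslash escapes
    if not tokens or tokens[0] == "V4:":
        return None
    found = [t for t in tokens[1:] if t.startswith(MAP_OPTS)]
    if len(found) > 1:
        # Assumption of this example: refuse to guess which option wins.
        raise ValueError("more than one root mapping option: " + line.strip())
    if not found:
        return (tokens[0],) + DEFAULT_CRED
    user, groups = parse_cred(found[0].split("=", 1)[1])
    return tokens[0], user, groups

def audit(exports_text):
    """Map each exported path to 'full-root' or 'non-root' for remote root access."""
    report = {}
    for line in exports_text.splitlines():
        cred = root_credential(line)
        if cred is None:
            continue
        path, user, _ = cred
        report[path] = "full-root" if user in ("root", "0") else "non-root"
    return report

# Constructed sample, not a file from the thread.
SAMPLE = """\
V4: / -sec=sys
/mnt/tank/public
/mnt/tank/home -alldirs -maproot="root":"wheel" 192.0.2.10
/mnt/tank/scratch -mapall=nobody: 192.0.2.11
"""

if __name__ == "__main__":
    for path, state in audit(SAMPLE).items():
        print(path, state)
```
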
 

NE1ScottZT

We have been able to mount and copy 90% of the disk but there are certain folders protected by group membership or 751 file permissions that have been giving us problems.
I tried adding the root account in FreeNAS 12.0 GUI to the 3 groups needed but it seemed to not make any difference.
If I su - username from a linux mount to each user folder I can see all the files, but as just root I cannot.

It's very frustrating that we can't mount the FreeNAS as some sort of superuser that doesn't care about permissions/user/groups just to allow a complete copy to the new location preserving permissions/ownership/times.

"Amazon FSx for NetApp ONTAP" was chosen because TrueNAS doesn't support AWS EC2, even though I found a community AMI of 12.x beta that seemed to work after the decision was already made.
 

blanchet

Could you please
  • post here the content of the file /etc/exports of your TrueNAS server to check your NFS server configuration
  • check that you can browse the files with the TrueNAS shell
 

NE1ScottZT

(~)# cat /etc/exports
V4: / -sec=sys
/mnt/Ournet
/mnt/ournet/home -alldirs -maproot="root":"wheel" 10.226.36.21
 

blanchet

I understand the issue, you use NFSv4 instead of NFSv3.

Could you try to use NFSv3 ?
 