SMB share ACLs broken since upgrade to Bluefin

[soko]

Hi all,

Version TrueNAS-SCALE-22.12.0, SMB ACL problems post upgrade

Symptoms:
Prior to TN Scale Bluefin I used a SMB mount to /mnt/vol that worked fine with Mac, Linux and Windows logging in as specified user
Post Bluefin upgrade I can mount the SMB share /mnt/vol on Windows, however I get "Network Error" and can no longer access directory and files that I did pre upgrade.

Attempted approach:
1) Removed SMB share in Truenas Scale Bluefin for /mnt/vol
2) Attempted recreation of SMB share in Truenas Scale Bluefin for /mnt/vol

Result:
Click "Save" above - A large number of errors produced with "ACL type mismatch with child mountpoint at <filepaths> :vol - NFSv4" etc (see attached file)

From my initial reading it looks like Truenas now supports windows ACLs better. I'm thinking I need to remove ACLs against files/directories under /mnt/vol and try recreating the SMB share. I'm really unsure of how to proceed to correct this... I'm not clear on why NFSv4 is wrapped in with the SMB errors attempting to create a SMB share.

Ideas would be appreciated.
Thanks

 

[anodos]

This error message means that you have nested datasets with incompatible ZFS properties. We need to generate a SMB ACL from either a NFSv4 ACL xattr or POSIX1E ACL xattr. Having the same path with different implementations on nested filesystems is a recipe for undefined behavior.

 

[anodos]

That said, exposing your ix-applications dataset over SMB is also not a terribly great idea. This opens possibility of an SMB client accidentally breaking all of your apps.

 

[soko]

Appreciate the feedback learning on the run. Newb in relative terms here... So I take that 1) as a solid way forward is to create a separate dataset for ix-applications 2) using my basic language here, ensure parent folder for NFS and SMB mounts are not the same, ie. mount different parents to ensure children directories and files receive completely separate NFSv4 or POSIX attrs.

 

[anodos]

Appreciate the feedback learning on the run. Newb in relative terms here... So I take that 1) as a solid way forward is to create a separate dataset for ix-applications 2) using my basic language here, ensure parent folder for NFS and SMB mounts are not the same, ie. mount different parents to ensure children directories and files receive completely separate NFSv4 or POSIX attrs.

Generally speaking, create datasets for your SMB or NFS shares. Don't share out /mnt/vol.

 

[soko]

What's the quickest and cleanest way to cleanup ix-applications dataset, move and start again? I'm ok with redoing containers as they have persistent storage on ZFS /mnt/vol. My logic is creating a new dataset with sufficient space, go into Apps >> Settings >> unset pool >> Choose pool >> set new dataset. Then that should remove file hooks to original ix-applications, should be able to delete after that.

 

[soko]

Generally speaking, create datasets for your SMB or NFS shares. Don't share out /mnt/vol.

yep thank you, it was my easy aka lazy way to get quick access to everything without knowing the ramifications... Curse those home users lol

 

[Daisuke]

Your Kubernetes apps run on PVC volumes, which are super delicate. The proper process to look at an app volume data is to stop the app, then mount the volume into a pool dataset and examine/modify its contents. You probably figured, let me look directly into ix-applications and fiddle with that data in there.

 

[soko]

Your Kubernetes apps run on PVC volumes, which are super delicate. The proper process to look at an app volume data is to stop the app, then mount the volume into a pool dataset and examine/modify its contents. You probably figured, let me look directly into ix-applications and fiddle with that data in there.

Understood, is there a "nice" way to stop Kubernetes processes to allow a clean setup of K8s/ix-applications in a new dataset. Does not appear to be a way in UI. I'm also researching command line. My final straw method is to export ZFS pools and start Truenas install from scratch but that seems pretty drastic. Thanks for any advice in advance....

Answered my own question... for completeness the UI does have an option, digging around 1) moved K8s/ix-applications pool using "Choose Pool" under Applications|Settings. There's also an option to "migrate applications to the new pool". This moved ix-applications away from /mnt/vol onto my SSD pool.

 

[soko]

Understood, is there a "nice" way to stop Kubernetes processes to allow a clean setup of K8s/ix-applications in a new dataset. Does not appear to be a way in UI. I'm also researching command line. My final straw method is to export ZFS pools and start Truenas install from scratch but that seems pretty drastic. Thanks for any advice in advance....

Answered my own question... for completeness the UI does have an option, digging around 1) moved K8s/ix-applications pool using "Choose Pool" under Applications|Settings. There's also an option to "migrate applications to the new pool". This moved ix-applications away from /mnt/vol onto my SSD pool.

For those newbs, this is really great documentation for Truenas Scale ACLs https://www.truenas.com/docs/references/aclprimer/

 

[Daisuke]

Answered my own question

Check this thread also, you will probably find other issues you did not noticed yet.