configuration

HOWTO: Use NFSv4 ACL

ipstor

23 Feb 2017 — 3 min read

This document shows you how to use the NFSv4 ACL permissions system. An ACL is a list of permissions associated with a file or directory. These permissions allow you to restrict access to a certian file or directory by user or group. NFSv4 ACLs provide more specific options than typical POSIX read/write/execute permissions used in most systems.

Understanding NFSv4 ACL

This is an example of an NFSv4 ACL

A::user@nfsdomain.org:rxtncy

A::alice@nfsdomain.org:rxtncy

A::alice@nfsdomain.org:rxtncy

A::alice@nfsdomain.org:rxtncy

The following sections will break down this example from left to right and provide more usage options

ACE Type

The 'A' in the example is known as the ace type. The 'A' denotes "Allow" meaning this ACL is allowing the user or group to perform actions requiring permissions. Anything that is not explicitly allowed is denied by default.

Note: 'D' can denote a Deny ACE. While this is a valid option, this ACE type is not reccomended since any permission that is not explicity granted is automatically denied meaning Deny ACE's can be redundant and complicated.

ACE Flags

The above example could have a distinction known as a flag shown below

A:d:user@osc.edu:rxtncy

The 'd' used above is called an inheritence flag. This makes it so the ACL set on this directory will be automatically established on any new subdirectories. Inheritence flags only work on directories and not files. Multiple inheritence flags can be used in combonation or omitted entirely. Examples of inheritence flags are listed below:

Flag	Name	Function
d	directory-inherit	New subdirectories will have the same ACE
f	file-inherit	New files will have the same ACE minus the inheritence flags
n	no-propogate inherit	New subdirectories will inherit the ACE minus the inheritence flags
i	inherit-only	New files and subdirectories will have this ACE but the ACE for the directory with the flag is null

ACE Principal

The 'user@nfsdomain.org' is a principal. The principle denotes the people the ACL is allowing access to. Principals can be the following:

A named user
- Example: user@nfsdomain.org
Special principals
- OWNER@
- GROUP@
- EVERYONE@
A group
- Note: When the principal is a group, you need to add a group flag, 'g', as shown in the below example
- ```
A:g:group@osc.edu:rxtncy
```

ACE Permissions

The 'rxtncy' are the permissions the ACE is allowing. Permissions can be used in combonation with each other. A list of permissions and what they do can be found below:

Permission	Function
r	read-data (files) / list-directory (directories)
w	write-data (files) / create-file (directories)
a	append-data (files) / create-subdirectory (directories)
x	execute (files) / change-directory (directories
d	delete the file/directory
D	delete-child : remove a file or subdirectory from the given directory (directories only)
t	read the attributes of the file/directory
T	write the attribute of the file/directory
n	read the named attributes of the file/directory
N	write the named attributes of the file/directory
c	read the file/directory ACL
C	write the file/directory ACL
o	change ownership of the file/directory

Note: Aliases such as 'R', 'W', and 'X' can be used as permissions. These work simlarly to POSIX Read/Write/Execute. More detail can be found below.

Alias	Name	Expansion
R	Read	rntcy
W	Write	watTNcCy (with D added to directory ACE's
X	Execute	xtcy

Using NFSv4 ACL

This section will show you how to set, modify, and view ACLs

Set and Modify ACLs

To set an ACE use this command:

nfs4_setfacl [OPTIONS] COMMAND file

To modify an ACE, use this command:

nfs4_editfacl [OPTIONS] file

Where file is the name of your file or directory. More information on Options and Commands can be found below.

Options

Options can be used in combination or ommitted entirely. A list of options is shown below:

Option	Name	Function
-R	recursive	Applies ACE to a directory's files and subdirectories
-L	logical	Used with -R, follows symbolic links
-P	physical	Used with -R, skips symbolic links

Commands

Commands are only used when first setting an ACE. Commands and their uses are listed below.

View ACLs

To view ACLs, use the following command:

nfs4_getfacl file

Where file is your file or directory

Supercomputer:

Service:

How to migrate Raspberry Pi 5 OS from micro SD to NVME m.2 SSD

首先我買了Raspberry Pi CM5後來買了Raspberry Pi CM5 I/O board來當個人電腦使用，系統是安裝在256GB SD卡上運行的很好。用久了在開啟較肥的程式像Web Browser或LiberOffice會有慢半拍的反應，而有了升級NVME m.2 SSD念頭。因為Raspberry Pi 5支援的最快PCIe gen3 x 4就不去考慮快的Gen4 or Gen5 m.2 SSD。找了ADATA出的 LEGEND 710入門級的產品，會利用HMB(Host Memory Buffer)來加速I/O速度，因為是Raspberry Pi OS kernel會認不得而無法正常使用事先在SD卡的/boot/firmware/cmdline.txt 加入 kernel command line參數如下，然後重開機m.

How to document Home Lab and Network

運維機房和跨域的網路，會遇到各式需求與問題，用對工具才能分析問題，個人覺得最重要的是使用能處理問題的工具。推薦目前想學和正在使用的平台與軟體，協助將公司/家用機房文件化佈告欄任務管理 Focalboard 白板可管理任務指派網路架構文件編寫 netbox 精細管理網路設備與連接線路 IP 資源管理 phpipam 專注網路IP分配邏輯塊文件編寫 draw.io 視覺化概念圖機房設備管理 ITDB 管理設備生命週期與使用者

如何在Raspberry Pi4上安裝Proxmox for ARM64

第一步準備好Raspberry Pi 4 / CM4 4GB RAM，這裡要留意CM4如果是買有內建eMMC storage會限制不能使用SD卡開機而限制本地空間容量，如果沒有NAS外接空間或使用USB開機的話，建議買CM4 Lite插上大容量SD卡第二步去Armbian官網下載最小化Debian bookworm image https://www.armbian.com/rpi4b/ Armbian 25.2.2 Bookworm Minimal / IOT 然後寫入SD/USB開機碟，寫入方法參考官方文件 https://github.com/raspberrypi/usbboot/blob/master/Readme.md Note: 官方提供的預先設定系統方法，可以在Armbian初次啟動自動化完成系統設定。連結在此 https://docs.armbian.com/User-Guide_Autoconfig/

世界越快心越慢

在晚飯後的休息時間，我特別享受在客廳瀏灠youtube上各樣各式創作者的影音作品。很大不同於傳統媒體，節目多是針對大多數族群喜好挑選的，在youtube上我會依心情看無腦的動畫、一些旅拍記錄、新聞時事談論。尤其在看了大量的Youtube的分享後，我真的感受到會限制我的是我的無知，特別是那些我想都沒想過的實際應用，在學習後大大幫助到我的生活和工作層面。休息在家時，我喜歡想一些沒做過的菜，動手去設計生活和工作上的解決方案，自己是真的很難閒著沒事做。如創作文章，陪養新的習慣都能感覺到成長的喜悅，是不同於吃喝玩樂的快樂的。創作不去限制固定的形式，文字是創作、影像聲音也是創作，記錄生活也是創作，我想留下的就是創造—》實現—》回憶，這樣子的循環過程，在留下的足跡面看到自己一路上的成長、失敗、絕望、重新再來。雖然大部份的時候去做這些創作也不明白有什麼特別的意義，但不去做也不會留下什麼，所以呀不如反事都去試試看，也許能有不一樣的水花也許有意想不到的結果，投資自己永遠不會是失敗的決定，不是嗎？先問問自己再開始計畫下一步，未來沒人說得準。像最近看youtube仍大一群人在為DOS開