[ClusterLabs Developers] RFC: "chown" option for the Filesystem resource agent

Christoph Böhmwalder christoph.boehmwalder at linbit.com
Fri Jan 14 09:10:20 EST 2022 

Hi all,

we have a use case where we automatically set up an NFS export, 
including a corresponding Filesystem primitive. The file system is 
replicated via DRBD, and we have another tool which makes the `mkfs` 
call when creating the DRBD resource. Since this export is only used for 
anonymous access, we are using the "all_squash" option on the NFS server.

The problem we are now facing is that the top level directory of the 
newly created filesystem will be owned by "root", but we need it to be 
owned by "nobody" so that the anonymous access via "all_squash" works.

We were wondering if there is interest in (or at least no strong 
opposition to) an option on the Filesystem resource agent which does 
exactly that: chown the top level directory to "nobody" iff it is empty 
and owned by root. So basically, something like setting the "initial 
owner" of the file system.


(Side note: your impulsive reaction may be to tell us to just do the 
chown wherever we create the file system, so let me explain our 
reasoning why we want to avoid that. This "other tool" is LINSTOR[0], 
which is – for the sake of this argument – essentially a configuration 
generator/manager for DRBD resources. The fact that we create the file 
system there is already kind of a hack. We justified it by thinking of 
the "mkfs" as part of the process of creating a DRBD resource. Mounting 
the file system, chowning the TLD and unmounting it again would be even 
worse, and hardly fits the definition of "creating a resource" anymore. 
So, in short, we think it would be less complex to do this within the 
Filesystem resource agent, where the file system is already being mounted.)


I agree that this may seem too specific of a use case, but we think that 
such an option could be a benefit in some cases. Maybe there is even an 
application beyond all_squash NFS exports that we are not thinking of.

Lars Ellenberg kindly volunteered to implement such an option if there 
is no disapproval.

Anyways, I'm looking forward to hearing your opinion on this.

[0] https://github.com/LINBIT/linstor-server

-- 
Christoph Böhmwalder
LINBIT | Keeping the Digital World Running
DRBD HA —  Disaster Recovery — Software defined Storage

More information about the Developers mailing list