Can not chmod file in my dataset

I am currently setting up Traefik with LetsEncrypt in docker on a different machine and using NFS as volume mounts in docker. One of the things that LetsEncrypt does is create an acme.json file and then attempt to chmod 600 the file so only the user in the docker container (in this case root) can modify the file. I get an error in the docker logs saying the chmod does not have permission to change the file even though it created it. I have actually gone into the /mnt/rusty/bucket/traefik/letsencrypt folder on TrueNAS and attempted to manually do the chmod myself as my user, as admin and as root, but all of them end with a permission denied. Does anyone have any idea what is going wrong here?

My setup:

cat /etc/exports

shows on my TrueNAS SCALE

"/mnt/rusty/bucket/traefik"\ 192.168.100.0/24(sec=sys,rw,no_root_squash,no_subtree_check)

mount | grep nfs

on my docker host shows

:/mnt/rusty/bucket/traefik on /var/lib/docker/volumes/traefik_data/_data type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.100.6,local_lock=none,addr=192.168.100.14)

On my dataset I do have an ACL group set up as below

It appears your docker host is mounting the NFS share as nfs4. That requires Kerberos. Does your setup actually use Kerberos? If not, that’s not going to work.

This is nothing to do with Kerberos. You do not need Kerberos to use NFS version 4 shares in either Linux or FreeBSD.

The reason chmod fails is because you’ve picked NFSv4 style ACLs for your dataset and how SCALE sets the values of the related dataset properties of aclmode and aclinherit when the acltype is NFSv4.

For example, see here.

Please review docs here.

Thanks, this pointed me down what I guess is the correct path here. My solution that got this working was to go into the ACL manager and under the Flags section select Advanced and then uncheck the File Inherit. This seems to work; not sure if it's the best solution, but it's working.

As an addition, and so that others can find it more easily.
I searched for “no_root_squash”. How do I get that option set in /etc/exports?
It should look like this:

*(sec=sys,rw,no_root_squash,insecure,no_subtree_check)

To do that, in the GUI, in the NFS share settings, you have to set the following:
Advanced Options → Maproot User = root
Advanced Options → Maproot Group = wheel
If you can't enter it directly in /etc/exports, that is a bit tedious to figure out when you have simply entered it there for 25 years. :wink: I hope this helps.
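
An added example, not part of any post in this thread: a small Python audit of exports-style entries like the ones quoted in the first and last posts, flagging no_root_squash, insecure and a read-write wildcard client, the options that decide how much the server trusts its clients. The second path in the sample is a constructed placeholder, and the function names are this example's own.

```python
import re
import shlex

# Constructed sample: the first entry has the quoted-path and backslash-continuation
# shape of the export quoted in the question; the second path is a placeholder
# carrying the option string from the last post.
SAMPLE_EXPORTS = '''\
"/mnt/rusty/bucket/traefik"\\
\t192.168.100.0/24(sec=sys,rw,no_root_squash,no_subtree_check)
"/mnt/example/placeholder" *(sec=sys,rw,no_root_squash,insecure,no_subtree_check)
'''

CLIENT_RE = re.compile(r'^(?P<host>[^()]*)(?:\((?P<opts>[^()]*)\))?$')


def parse_exports(text):
    """Return (path, client, options) tuples from exports-style text."""
    # A backslash followed by whitespace continues the entry (newline or flattened).
    joined = re.sub(r'\\\s+', ' ', text)
    entries = []
    for line in joined.splitlines():
        tokens = shlex.split(line, comments=True)  # handles quoted paths and '#'
        for client in tokens[1:]:
            m = CLIENT_RE.match(client)
            if m:
                opts = {o for o in (m.group('opts') or '').split(',') if o}
                entries.append((tokens[0], m.group('host') or '*', opts))
    return entries


def audit(entries):
    """Flag options that widen what a client may do on the export."""
    findings = []
    for path, host, opts in entries:
        if 'no_root_squash' in opts:
            findings.append((path, host, 'no_root_squash: client root is root on the share'))
        if 'insecure' in opts:
            findings.append((path, host, 'insecure: unprivileged source ports accepted'))
        if host == '*' and 'rw' in opts:
            findings.append((path, host, 'wildcard client with rw'))
    return findings


if __name__ == '__main__':
    for path, host, issue in audit(parse_exports(SAMPLE_EXPORTS)):
        print(f'{path} -> {host}: {issue}')
```

Run it against a copy of the server's /etc/exports by passing the file's text to parse_exports instead of the sample.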