DAOS-18262 common: make sure DAOS file permissions are always 0XXY #17680

Open
janekmi wants to merge 1 commit into master from janekmi/DAOS-18262-0660

janekmi commented Mar 10, 2026

At least:

  • 0660 for files
  • 0770 for directories.

So daos_server group can access DAOS files.

Guide MD-on-PMEM

daos/                           src/control/server/storage/mount/provider.go:23
├── 8ac60360-eae4-4071-86ac-a83a42dc22a3        src/mgmt/srv_target.c:699
│   ├── rdb-pool                No change
│   └── vos-X                   src/vos/vos_pool.c:1001
├── control_raft                src/control/system/raft/raft_recovery.go:93
│   ├── daos_system.db          src/control/system/raft/raft.go:269
│   └── snapshots               No change
├── daos_sys                    src/vos/sys_db.c:131
│   └── sys_db                  No change
├── NEWBORNS                    src/mgmt/srv_target.c:452
├── superblock                  src/control/common/file_utils.go:141,src/control/server/instance_superblock.go:208
└── ZOMBIES                     src/mgmt/srv_target.c:460

Guide MD-on-SSD

tree daos/
daos/                           src/control/server/storage/mount/provider.go:23
├── b4defdf5-a92f-45fe-9be0-b96122efa42d        src/mgmt/srv_target.c:699
│   ├── rdb-pool                No change
│   └── vos-X                   src/mgmt/mgmt_common.c:211
├── NEWBORNS                    src/mgmt/mgmt_common.c:134
└── ZOMBIES                     src/mgmt/mgmt_common.c:134
tree config/daos_control/
config/daos_control/            src/control/server/storage/metadata/provider.go:207
├── control_raft                src/control/system/raft/raft_recovery.go:93
│   ├── daos_system.db          src/control/system/raft/raft.go:269
│   └── snapshots               No change
│       └── 2-39-1773083440395
│           ├── meta.json
│           └── state.bin
└── engine0                     src/control/server/storage/metadata/provider.go:233
    ├── daos_nvme.conf          src/control/server/storage/bdev/backend_class.go:106
    ├── daos_sys                src/vos/sys_db.c:131
    │   └── sys_db              No change
    └── superblock              src/control/common/file_utils.go:141,src/control/server/instance_superblock.go:208

Steps for the author:

  • Commit message follows the guidelines.
  • Appropriate Features or Test-tag pragmas were used.
  • Appropriate Functional Test Stages were run.
  • At least two positive code reviews including at least one code owner from each category referenced in the PR.
  • Testing is complete. If necessary, forced-landing label added and a reason added in a comment.

After all prior steps are complete:

  • Gatekeeper requested (daos-gatekeeper added as a reviewer).

At least:

- 0660 for files
- 0770 for directories.

So daos_server group can access DAOS files.

Signed-off-by: Jan Michalski <jan-marian.michalski@hpe.com>
@janekmi janekmi requested review from a team as code owners March 10, 2026 20:32
@github-actions

Ticket title is 'dlck command seems to require sudo privileges. Also hit the DER_NOMEM (-1009) issue.'
Status is 'Awaiting Verification'
Labels: 'test_2.8'
https://daosio.atlassian.net/browse/DAOS-18262

@janekmi janekmi requested review from rpadma2 and tanabarr March 10, 2026 21:23

#define D_LOGFAC DD_FAC(rdb)

#include <sys/stat.h>

[Nit] Would you mind adding this line...


#include <daos_srv/rdb.h>

#include <daos_srv/daos_mgmt_srv.h>

... here instead? rdb.h was intentionally included first, without any inclusion before it, for it is the public API header of this whole module:

#include <daos_srv/rdb.h>

#include <sys/stat.h>
#include <daos...>
...


If we move the umask calls elsewhere (see below), this inclusion will be unnecessary.

path, (unsigned char *)uuid, params->rcp_size, 0 /* data_sz */, 0 /* meta_sz */,
VOS_POF_SMALL | VOS_POF_EXCL | VOS_POF_RDB | VOS_POF_EXTERNAL_CHKPT,
params->rcp_vos_df_version, &pool);
(void)umask(stored_mask);
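
Review bot: `(void)umask(stored_mask);` directly after the pool-create call means the mask is changed and restored around this one call, but the umask is a per-process setting, not a per-thread one, so any other thread that creates a file while the temporary mask is in effect gets it too. Consider setting the mask once during process start-up, or applying the intended mode to the created file explicitly, and add a short comment here stating which mode the pool file is expected to end up with.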

Would it be safer and more appropriate to do this in dss_vos_pool_create (actually why not in server_init or daos_engine's main) instead? Is rdb special in some way?

@janekmi janekmi requested a review from grom72 March 11, 2026 09:42
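
Added example, not code from this PR or from the DAOS tree: a small C program showing how the process umask alters the mode passed to `open()`, and how `fchmod()` gives the 0660 file mode named in the description regardless of the umask. The function name and the scratch path under `/tmp` are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define WANT_FILE_MODE 0660 /* minimum file mode named in the PR description */

/* Create a file while `mask` is the process umask; when pin_mode is set, fix
 * the mode afterwards with fchmod(). Returns the permission bits or -1. */
static int
create_and_get_mode(mode_t mask, int pin_mode)
{
	char        dir[] = "/tmp/umask_demo_XXXXXX"; /* constructed scratch path */
	char        path[64];
	struct stat st;
	mode_t      old;
	int         fd;
	int         rc = -1;

	if (mkdtemp(dir) == NULL)
		return -1;
	snprintf(path, sizeof(path), "%s/file", dir);

	old = umask(mask); /* process-wide: every thread sees it until restored */
	fd  = open(path, O_CREAT | O_EXCL | O_RDWR, WANT_FILE_MODE);
	(void)umask(old);
	if (fd >= 0) {
		/* fchmod() is not filtered by the umask, so the mode is exact */
		if ((!pin_mode || fchmod(fd, WANT_FILE_MODE) == 0) && fstat(fd, &st) == 0)
			rc = st.st_mode & 0777;
		close(fd);
		unlink(path);
	}
	rmdir(dir);
	return rc;
}

int
main(void)
{
	printf("umask 027, open only:     %04o\n", create_and_get_mode(027, 0));
	printf("umask 027, open + fchmod: %04o\n", create_and_get_mode(027, 1));
	printf("umask 007, open only:     %04o\n", create_and_get_mode(007, 0));
	return 0;
}
```

With a umask of 027 the group write bit requested by `open()` is dropped, which is the case the 0660 requirement is meant to rule out.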