Uploaded image for project: 'Lustre'
  1. Lustre
  2. LU-9562

turn on the security.capability xattr


    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Lustre 2.9.0
    • Fix Version/s: Lustre 2.10.0
    • Labels:
    • Environment:
      centos7 x86_64
    • Rank (Obsolete):


      folks (me included) would like to (continue to) use lustre as a root filesystem in clusters. however CentOS7/RHEL7 uses File Capabilities to set eg. cap_net_admin,cap_net_raw+ep on the 'ping' exe instead of making it setuid root.

      llite has long filtered out the security.capability xattr that Capabilities uses. llite currently fakes a return value of success for 'setcap' and returns 'no content' for 'getcap'. This breaks ping, clockdiff, suexec, arping and possibly others.

      The behaviour from llite is deliberate and used to be due to stability concerns (b=15587), but stability is unlikely to be a current issue as an enormous amount of work has gone into xattr's since.

      Andreas pointed out on lustre-discuss that more recently it's because of performance concerns as eg. 'ls --color' reads security.capability for every file and so more rpc's would be sent. it's expected that the xattr cache (since Lustre 2.5) takes care of some of these concerns as xattr's are cached on clients after the initial accesses.

      I made a patch (in gerrit in a sec) that removes the filtering out of security.capability in llite, which I've tested and setcap/getcap and ping etc. now work.




            • Assignee:
              wc-triage WC Triage
              rjh Robin Humble
            • Votes:
              0 Vote for this issue
              6 Start watching this issue


              • Created: