Details
-
Improvement
-
Resolution: Fixed
-
Minor
-
Lustre 2.9.0
-
None
-
centos7 x86_64
-
9223372036854775807
Description
folks (me included) would like to (continue to) use lustre as a root filesystem in clusters. however CentOS7/RHEL7 uses File Capabilities to set eg. cap_net_admin,cap_net_raw+ep on the 'ping' exe instead of making it setuid root.
llite has long filtered out the security.capability xattr that Capabilities uses. llite currently fakes a return value of success for 'setcap' and returns 'no content' for 'getcap'. This breaks ping, clockdiff, suexec, arping and possibly others.
The behaviour from llite is deliberate and used to be due to stability concerns (b=15587), but stability is unlikely to be a current issue as an enormous amount of work has gone into xattr's since.
Andreas pointed out on lustre-discuss that more recently it's because of performance concerns as eg. 'ls --color' reads security.capability for every file and so more rpc's would be sent. it's expected that the xattr cache (since Lustre 2.5) takes care of some of these concerns as xattr's are cached on clients after the initial accesses.
I made a patch (in gerrit in a sec) that removes the filtering out of security.capability in llite, which I've tested and setcap/getcap and ping etc. now work.