Lustre LU-9562

turn on the security.capability xattr

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Lustre 2.9.0
    • Fix Version/s: Lustre 2.10.0
    • Labels:
      None
    • Environment:
      centos7 x86_64

    Description

    Folks (me included) would like to (continue to) use Lustre as a root filesystem in clusters. However, CentOS7/RHEL7 uses File Capabilities to set e.g. cap_net_admin,cap_net_raw+ep on the 'ping' exe instead of making it setuid root.

    llite has long filtered out the security.capability xattr that Capabilities uses. llite currently fakes a return value of success for 'setcap' and returns 'no content' for 'getcap'. This breaks ping, clockdiff, suexec, arping and possibly others.

    The behaviour from llite is deliberate and used to be due to stability concerns (b=15587), but stability is unlikely to be a current issue, as an enormous amount of work has gone into xattrs since.

    Andreas pointed out on lustre-discuss that more recently it's because of performance concerns, as e.g. 'ls --color' reads security.capability for every file and so more RPCs would be sent. It's expected that the xattr cache (since Lustre 2.5) takes care of some of these concerns, as xattrs are cached on clients after the initial accesses.

    I made a patch (in gerrit in a sec) that removes the filtering out of security.capability in llite, which I've tested, and setcap/getcap and ping etc. now work.
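The failure mode described above, a filesystem that reports success for setcap but stores nothing, is easy to miss in provisioning scripts because the set call does not fail. The probe below is an added example (not Lustre project code and not the reporter's patch): it encodes a `cap_net_raw+ep` file-capability blob in the kernel's `vfs_cap_data` layout, writes it to a temporary file with `os.setxattr`, reads it back, and classifies the result, including the "set succeeds, get returns ENODATA" case the ticket attributes to llite. It assumes a Linux Python build (`os.setxattr`/`os.getxattr`) and needs CAP_SETFCAP (root) to get a verdict other than "not-permitted"; the capability bit numbers and revision constants are the kernel's, while the verdict strings and function names are this example's own.

```python
"""Probe whether a filesystem really persists the security.capability xattr.

Added example for LU-9562 (not Lustre code). It writes a minimal file-capability
blob to a temporary file, reads it back, and classifies the outcome. The verdict
"silently-dropped" (setxattr succeeds, getxattr returns ENODATA) is the llite
behaviour the ticket describes; the verdict names themselves are ours.
"""
import errno
import os
import struct
import tempfile

XATTR = "security.capability"

# vfs_cap_data: a 32-bit magic_etc word, then {permitted, inheritable} pairs for
# the low and high 32 bits of the 64-bit capability mask. Revision 3 appends a
# 32-bit root id (used for user namespaces); revision 2 does not.
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
CAP_NET_ADMIN = 12   # bit numbers from <linux/capability.h>
CAP_NET_RAW = 13


def capability_blob(permitted, effective=True):
    """Encode a revision-2 blob equivalent to `setcap cap_x,cap_y+ep`:
    the given bits in the permitted set, an empty inheritable set, and the
    effective flag in magic_etc when requested."""
    mask = 0
    for bit in permitted:
        mask |= 1 << bit
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    lo, hi = mask & 0xFFFFFFFF, (mask >> 32) & 0xFFFFFFFF
    return struct.pack("<IIIII", magic, lo, 0, hi, 0)


def decode_blob(blob):
    """Decode a revision-2 (20-byte) or revision-3 (24-byte) blob into
    (set of permitted capability bits, effective flag)."""
    layouts = {20: VFS_CAP_REVISION_2, 24: VFS_CAP_REVISION_3}
    if len(blob) not in layouts:
        raise ValueError("unrecognised vfs_cap_data size")
    magic, perm_lo, _inh_lo, perm_hi, _inh_hi = struct.unpack_from("<IIIII", blob)
    if magic & VFS_CAP_REVISION_MASK != layouts[len(blob)]:
        raise ValueError("vfs_cap_data revision does not match its size")
    mask = perm_lo | (perm_hi << 32)
    return {b for b in range(64) if mask >> b & 1}, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def classify(set_errno, get_errno, roundtrip_ok):
    """Map the probe's raw results to a verdict; an errno of 0 means success."""
    if set_errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
        return "unsupported"        # filesystem has no security.* xattrs at all
    if set_errno == errno.EPERM:
        return "not-permitted"      # caller lacks CAP_SETFCAP; rerun as root
    if set_errno:
        return "set-failed"
    if get_errno == errno.ENODATA:
        return "silently-dropped"   # set "succeeded" but nothing was stored
    if get_errno:
        return "get-failed"
    return "persisted" if roundtrip_ok else "corrupted"


def probe(directory):
    """Write a cap_net_raw+ep blob to a temp file in `directory`, read it
    back, and return the verdict for that filesystem."""
    if not hasattr(os, "setxattr"):   # non-Linux Python builds
        return "unsupported"
    wanted = {CAP_NET_RAW}
    fd, path = tempfile.mkstemp(dir=directory)
    os.close(fd)
    set_errno = get_errno = 0
    stored = None
    try:
        try:
            os.setxattr(path, XATTR, capability_blob(wanted))
        except OSError as exc:
            set_errno = exc.errno
        if not set_errno:
            try:
                stored = os.getxattr(path, XATTR)
            except OSError as exc:
                get_errno = exc.errno
    finally:
        os.unlink(path)
    roundtrip_ok = False
    if stored is not None:
        try:   # compare decoded bits, so a v2->v3 conversion still counts
            roundtrip_ok = decode_blob(stored)[0] == wanted
        except ValueError:
            roundtrip_ok = False
    return classify(set_errno, get_errno, roundtrip_ok)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    print(f"{target}: security.capability is {probe(target)}")
```

Run it as root against a directory on the filesystem in question (`python3 probe.py /mnt/lustre`); anything other than "persisted" means file capabilities cannot be relied on there, and "silently-dropped" is the specific case where setcap looks like it worked but ping will still fail.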

    People

    • Assignee:
      wc-triage WC Triage
    • Reporter:
      rjh Robin Humble
    • Votes:
      0
    • Watchers:
      6