[lustre-discuss] seclabel

Robin Humble rjh+lustre at cita.utoronto.ca
Tue May 16 09:38:48 PDT 2017

Hi Eli et al,

>> Le 15 mai 2017 à 14:39, E.S. Rosenberg <esr+lustre at mail.hebrew.edu> a écrit :
>> Hi Robin,
>> Did you ever solve this?
>> We are considering trying root-on-lustre but that would be a deal-breaker.

no. instead I started down the track of layering overlayfs on top of
lustre. tmpfs (used by overlayfs's upper layer) has a working seclabel
mount option. so I just 'copy up' the 3 or 4 exe's that have seclabels,
'setcap' them with the right label, and they work fine.

I'm not sure overlayfs is going to work out though, so I'd really like
seclabel in lustre.

On Tue, May 16, 2017 at 08:17:48AM +0000, Sebastien Buisson wrote:
>From Lustre 2.8, we have basic support of SELinux on Lustre client side. It means Lustre stores the security context of files in extended attributes. In this way Lustre supports seclabel.
>In Lustre 2.9, an additional enhancement for SELinux support was landed.
>Which version are you using?

2.9 clients, 2.8 servers on ZFS.
centos7 x86_64 everywhere.
sestatus disabled everywhere.
zfs has xattr=sa on osts, mdt, mgs

Andreas wrote (a while ago):
>> I try to stay away from that myself, but newer Lustre clients support SELinux
>> and similar things.  You probably need to strace and/or collect some kernel
>> debug logs (maybe with debug=-1 set) to see where the error is being generated.

a debug=-1 trace is here ->

command line was ->
  lctl set_param debug=-1 ; usleep 50000; lctl clear; usleep 50000 ; /usr/sbin/setcap cap_net_admin,cap_net_raw+p /mnt/oneSIS-overlay/lowerdir/usr/bin/ping ; /usr/sbin/getcap /mnt/oneSIS-overlay/lowerdir/usr/bin/ping ; lctl dk /lfs/data0/system/log/dk.log.-1 ; lctl set_param debug='ioctl neterror warning error emerg ha config console lfsck'

/mnt/oneSIS-overlay/lowerdir is the lustre root filesystem image
(usually mounted read-only, but read-write for this debugging)

expected output is nothing for setcap.
expected output for getcap is
  # getcap /mnt/oneSIS-overlay/lowerdir/usr/bin/ping
  /mnt/oneSIS-overlay/lowerdir/usr/bin/ping = cap_net_admin,cap_net_raw+p
but actual output is nothing ->
  # getcap /mnt/oneSIS-overlay/lowerdir/usr/bin/ping

to the copy of 'ping' on the tmpfs/overlayfs getcap/setcap works fine ->
  # getcap /usr/bin/ping
  /usr/bin/ping = cap_net_admin,cap_net_raw+p


More information about the lustre-discuss mailing list