[lustre-discuss] seclabel

Robin Humble rjh+lustre at cita.utoronto.ca
Wed May 17 07:16:51 PDT 2017

I setup a couple of VMs with 2.9 clients and servers (ldiskfs) and
unfortunately setcap/getcap still are unhappy - same as with my
previous 2.9 clients with 2.8 servers (ZFS).

I took a gander at the source and noticed that llite/xattr.c
deliberately filters out 'security.capability' and returns 0/-ENODATA
for setcap/getcap, which is indeed what strace sees. so setcap/getcap
is never even sent to the MDS.

if I remove that filter (see patch on lustre-devel) then setcap/getcap
works ->

 # df .
Filesystem            1K-blocks  Used Available Use% Mounted on at tcp:/test8   4797904 33992   4491480   1% /mnt/test8
 # touch blah
 # setcap cap_net_admin,cap_net_raw+p blah
 # getcap blah
blah = cap_net_admin,cap_net_raw+p

and I also tested that the 'ping' binary run as unprivileged user works
from lustre.

'b15587' is listed as the reason for the filtering.
I don't know what that refers to.
is it still relevant?


More information about the lustre-discuss mailing list