[lustre-discuss] seclabel
Robin Humble
rjh+lustre at cita.utoronto.ca
Wed May 17 07:16:51 PDT 2017
I set up a couple of VMs with 2.9 clients and servers (ldiskfs) and
unfortunately setcap/getcap still are unhappy - same as with my
previous 2.9 clients with 2.8 servers (ZFS).
hmm.
I took a gander at the source and noticed that llite/xattr.c
deliberately filters out 'security.capability' and returns 0/-ENODATA
for setcap/getcap, which is indeed what strace sees. so setcap/getcap
is never even sent to the MDS.
if I remove that filter (see patch on lustre-devel) then setcap/getcap
works ->
# df .
Filesystem 1K-blocks Used Available Use% Mounted on
10.122.1.5@tcp:/test8 4797904 33992 4491480 1% /mnt/test8
# touch blah
# setcap cap_net_admin,cap_net_raw+p blah
# getcap blah
blah = cap_net_admin,cap_net_raw+p
and I also tested that the 'ping' binary run as unprivileged user works
from lustre.
success!
'b15587' is listed as the reason for the filtering.
I don't know what that refers to.
is it still relevant?
cheers,
robin
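Added example (not part of the original post and not Lustre code): a small probe for the behaviour described above, where setting 'security.capability' reports success but a later read returns ENODATA. The names encode_permitted and probe are hypothetical; on a real mount it needs root (CAP_SETFCAP), should be pointed at a scratch file, and leaves the attribute in place if it is stored.

```python
import errno
import os
import struct
import sys

XATTR = "security.capability"
VFS_CAP_REVISION_2 = 0x02000000      # from linux/capability.h
CAP_NET_ADMIN, CAP_NET_RAW = 12, 13  # capability bit numbers


def encode_permitted(caps):
    """Build a v2 vfs_cap_data blob with only the permitted set (like '+p')."""
    mask = 0
    for cap in caps:
        mask |= 1 << cap
    lo, hi = mask & 0xFFFFFFFF, mask >> 32
    # Layout: magic_etc, permitted[0], inheritable[0], permitted[1], inheritable[1]
    return struct.pack("<5I", VFS_CAP_REVISION_2, lo, 0, hi, 0)


def probe(path, setx=None, getx=None):
    """Classify how the filesystem holding `path` treats file capabilities.

    setx/getx default to os.setxattr/os.getxattr; they are injectable so the
    logic can be exercised without a privileged mount.
    """
    setx = setx or os.setxattr
    getx = getx or os.getxattr
    want = encode_permitted([CAP_NET_ADMIN, CAP_NET_RAW])
    try:
        setx(path, XATTR, want)
    except OSError as e:
        # An honest refusal, e.g. EPERM or ENOTSUP.
        return "rejected:" + errno.errorcode.get(e.errno, str(e.errno))
    try:
        got = getx(path, XATTR)
    except OSError as e:
        if e.errno == errno.ENODATA:
            # The set call claimed success but nothing was stored.
            return "silently-dropped"
        return "read-error:" + errno.errorcode.get(e.errno, str(e.errno))
    return "stored" if got == want else "mismatch"


if __name__ == "__main__" and len(sys.argv) == 2:
    print(probe(sys.argv[1]))
```

A result of "silently-dropped" matches the filtered client described in the post; "stored" matches the behaviour after the filter is removed.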