[lustre-discuss] seclabel

Sebastien Buisson sbuisson at ddn.com
Fri May 19 00:22:26 PDT 2017

> Le 19 mai 2017 à 08:47, Robin Humble <rjh+lustre at cita.utoronto.ca> a écrit :
> On Wed, May 17, 2017 at 02:37:31PM +0000, Sebastien Buisson wrote:
>> Reading the discussion in the ticket, supporting xattr at the time of Lustre 1.8 and 2.0 was causing issues on MDS side in some situations. So it was decided to discard security.capability xattr on Lustre client side. I think Andreas might have some insight, as he apparently participated in b15587.
> my word that's a long time ago...
> I don't see much in the way of jira tickets about getxattr issues on
> MDS in recent times, and they're much more heavily used these days, so
> I hope that particular problem has long since been fixed.
> should I open a jira ticket to track re-enabling of security.capabilities?

Yes please. At the same time, would you mind pushing to review.whamcloud.com the patch you sent to lustre-devel?

>> In any case, it is important to make clear that file capabilities, the feature you want to use, is completely distinct from SELinux.
>> On the one hand, Capabilities are a Linux mechanism to refine permissions granted to privileged processes, by dividing the privileges traditionally associated with superuser into distinct units (known as capabilities).
>> On the other hand, SELinux is the Linux implementation of Mandatory Access Control.
>> Both Capabilities and SELinux rely on values stored into file extended attributes, but this is the only thing they have in common.
> 10-4. thanks.
> 'ls --color' requests the security.capability xattr so this would
> be heavily accessed. do you think this is handled well enough currently
> to not affect performance significantly?
> setxattr would be minimal and not performance critical, unlike with eg.
> selinux and creat.

For sure retrieving this xattr adds an overhead. But with recent versions of Lustre I am not aware of bugs in xattr handling.
I think it would be helpful, in the Jira ticket you would open, to have comments from people that participated in the resolution of Bugzilla #15587.


More information about the lustre-discuss mailing list