Re: [arch-dev-public] [arch-general] Updating iputils over NFS
On 01.10.2012 11:05, Paul Gideon Dann wrote:
On Friday 28 Sep 2012 16:32:09 Bryan Schumaker wrote:
I suspect this is something to do with NFS not supporting the capabilities that setcap is trying to use, but I admit I haven't encountered capabilities before I ran into this issue, so it's just a guess.
Has anyone else seen this problem, or does anyone have an idea how to fix it?
NFS doesn't support any capabilities, so I guess the output is to be expected... I'm not sure what to do as a workaround, though. Does the package still install and run even though it printed the warning?
Hmm; yeah. Well the package installs, but ping doesn't work for non-root users. It's not a critical issue, because these are network-booted worker nodes in a cluster, and I doubt ping will be needed directly on the nodes. However, it worries me that other things might be affected at some point if capabilities are increasingly used. I might put in a bug report and see what the devs think.
The lack of capability support on NFS is a shame. In general, we should probably fall back to setuid-root whenever setcap fails and silence this error message. In my opinion, capabilities should be used much more widely and replace setuid-root wherever possible.
On 2012-10-01 05:09, Thomas Bächler wrote:
On 01.10.2012 11:05, Paul Gideon Dann wrote:
On Friday 28 Sep 2012 16:32:09 Bryan Schumaker wrote:
I suspect this is something to do with NFS not supporting the capabilities that setcap is trying to use, but I admit I haven't encountered capabilities before I ran into this issue, so it's just a guess.
Has anyone else seen this problem, or does anyone have an idea how to fix it?
NFS doesn't support any capabilities, so I guess the output is to be expected... I'm not sure what to do as a workaround, though. Does the package still install and run even though it printed the warning?
Hmm; yeah. Well the package installs, but ping doesn't work for non-root users. It's not a critical issue, because these are network-booted worker nodes in a cluster, and I doubt ping will be needed directly on the nodes. However, it worries me that other things might be affected at some point if capabilities are increasingly used. I might put in a bug report and see what the devs think.
The lack of capability support on NFS is a shame. In general, we should probably fall back to setuid-root whenever setcap fails and silence this error message. In my opinion, capabilities should be used much more widely and replace setuid-root wherever possible.
I am not sure what is the best way to fall back to suid root. A possible workaround for the case of installing on a filesystem that does not support capabilities could be something like:
setcap cap_net_raw=ep usr/bin/ping || chmod +s usr/bin/ping
But I think that we will still get into problems if it is installed on a filesystem that supports capabilities and if this filesystem is exported on NFS to clients.
Any ideas?
Stéphane
On 01.10.2012 14:15, Stéphane Gaudreault wrote:
I am not sure what is the best way to fall back to suid root. A possible workaround for the case of installing on a filesystem that does not support capabilities could be something like:
setcap cap_net_raw=ep usr/bin/ping || chmod +s usr/bin/ping
But I think that we will still get into problems if it is installed on a filesystem that supports capabilities and if this filesystem is exported on NFS to clients.
If you run the post_install on the host file system and export that via NFS, yes - but we have no way to detect this scenario. IMO, root file systems on NFS are a failure by design anyway - I worked in such a scenario for years and it is a bad bad bad idea. While we should fix easy problems such as this one, we should not spend too much time on making this work.
Any ideas?
Your solution looks fine, but the message should be silenced with 2>/dev/null.
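The fallback discussed in this thread, written out as a post-install helper with a check of which mechanism a binary ended up with. This is an added example, not part of the original messages or of the Arch iputils package; the function names and the SETCAP override variable are hypothetical.

```shell
#!/bin/sh
# Added example. SETCAP is a hypothetical override so the logic can be
# exercised without root; by default the real setcap is used.
SETCAP="${SETCAP:-setcap}"

# grant_raw_net FILE
# Try to set the cap_net_raw file capability on FILE. If setcap fails
# (for example because the filesystem is NFS), fall back to setuid.
# Prints the mechanism that was applied: caps, setuid, none or missing.
grant_raw_net() {
    file=$1
    [ -f "$file" ] || { echo "missing"; return 1; }

    # stderr is silenced, as suggested in the thread
    if "$SETCAP" cap_net_raw=ep "$file" 2>/dev/null; then
        # Capability applied: clear any setuid/setgid bit left over
        # from an earlier fallback so only one mechanism is active.
        chmod u-s,g-s "$file"
        echo "caps"
    elif chmod u+s "$file" 2>/dev/null; then
        # u+s sets only the setuid bit; a bare +s also sets setgid.
        echo "setuid"
    else
        echo "none"
        return 1
    fi
}

# privilege_mode FILE
# Report what FILE currently relies on, as seen from this machine.
# Run on an NFS client, this shows whether a capability set on the
# server side is actually visible there.
privilege_mode() {
    file=$1
    if command -v getcap >/dev/null 2>&1 &&
       getcap "$file" 2>/dev/null | grep -q cap_net_raw; then
        echo "caps"
    elif [ -u "$file" ]; then
        echo "setuid"
    else
        echo "none"
    fi
}
```

In an install script this would be called as `grant_raw_net usr/bin/ping`, with the relative path used in the thread.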