[arch-general] Updating iputils over NFS
I'm having an issue updating a system that boots over NFS. Attempting to upgrade the iputils package results in the following:

---8<-------------------------------
(1/1) upgrading iputils [###########################] 100%
Failed to set capabilities on file `usr/bin/ping' (Operation not supported)
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
Note <filename> must be a regular (non-symlink) file.
Failed to set capabilities on file `usr/bin/ping6' (Operation not supported)
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
Note <filename> must be a regular (non-symlink) file.
---8<-------------------------------

I suspect this is something to do with NFS not supporting the capabilities that setcap is trying to use, but I admit I haven't encountered capabilities before I ran into this issue, so it's just a guess.

Has anyone else seen this problem, or does anyone have an idea how to fix it?

Paul

On 09/28/2012 11:19 AM, Paul Gideon Dann wrote:
> I'm having an issue updating a system that boots over NFS. Attempting to upgrade the iputils package results in the following:
>
> ---8<-------------------------------
> (1/1) upgrading iputils [###########################] 100%
> Failed to set capabilities on file `usr/bin/ping' (Operation not supported)
> usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
> Note <filename> must be a regular (non-symlink) file.
> Failed to set capabilities on file `usr/bin/ping6' (Operation not supported)
> usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
> Note <filename> must be a regular (non-symlink) file.
> ---8<-------------------------------
>
> I suspect this is something to do with NFS not supporting the capabilities that setcap is trying to use, but I admit I haven't encountered capabilities before I ran into this issue, so it's just a guess.
>
> Has anyone else seen this problem, or does anyone have an idea how to fix it?

NFS doesn't support any capabilities, so I guess the output is to be expected... I'm not sure what to do as a workaround, though. Does the package still install and run even though it printed the warning?

- Bryan

> Paul

On Friday 28 Sep 2012 16:32:09 Bryan Schumaker wrote:
> > I suspect this is something to do with NFS not supporting the capabilities that setcap is trying to use, but I admit I haven't encountered capabilities before I ran into this issue, so it's just a guess.
> >
> > Has anyone else seen this problem, or does anyone have an idea how to fix it?
>
> NFS doesn't support any capabilities, so I guess the output is to be expected... I'm not sure what to do as a workaround, though. Does the package still install and run even though it printed the warning?

Hmm; yeah. Well the package installs, but ping doesn't work for non-root users. It's not a critical issue, because these are network-booted worker nodes in a cluster, and I doubt ping will be needed directly on the nodes. However, it worries me that other things might be affected at some point if capabilities are increasingly used. I might put in a bug report and see what the devs think.

(I am subscribed to the list, btw.)

Paul

On 01.10.2012 11:05, Paul Gideon Dann wrote:
> On Friday 28 Sep 2012 16:32:09 Bryan Schumaker wrote:
> > > I suspect this is something to do with NFS not supporting the capabilities that setcap is trying to use, but I admit I haven't encountered capabilities before I ran into this issue, so it's just a guess.
> > >
> > > Has anyone else seen this problem, or does anyone have an idea how to fix it?
> >
> > NFS doesn't support any capabilities, so I guess the output is to be expected... I'm not sure what to do as a workaround, though. Does the package still install and run even though it printed the warning?
>
> Hmm; yeah. Well the package installs, but ping doesn't work for non-root users. It's not a critical issue, because these are network-booted worker nodes in a cluster, and I doubt ping will be needed directly on the nodes. However, it worries me that other things might be affected at some point if capabilities are increasingly used. I might put in a bug report and see what the devs think.

The lack of capability support on NFS is a shame. In general, we should probably fall back to setuid-root whenever setcap fails and silence this error message.

In my opinion, capabilities should be used much more widely and replace setuid-root wherever possible.

On Monday 01 Oct 2012 11:09:05 Thomas Bächler wrote:
> The lack of capability support on NFS is a shame. In general, we should probably fall back to setuid-root whenever setcap fails and silence this error message.
>
> In my opinion, capabilities should be used much more widely and replace setuid-root wherever possible.

Agreed. I think setuid as a fallback is the solution here, but that could be a bit of a nightmare for package maintainers to deal with. I created this bug report: https://bugs.archlinux.org/task/31748

Paul
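
The fallback discussed in this thread, sketched as an added example (not code from any of the posters or from the Arch iputils package): try setcap first and set the setuid bit only when that fails, reporting the fallback in one line so the wider privilege can be audited. The function name, the `SETCAP` override, the `nfs_setcap` stub and the `cap_net_raw=ep` capability string are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: capabilities first, setuid-root only as a fallback.
# SETCAP is a hypothetical override hook so the NFS failure can be simulated.
SETCAP=${SETCAP:-setcap}

# grant_privilege <caps> <file>
# Prints "caps" if setcap worked, "setuid" if the fallback was used.
grant_privilege() {
    caps=$1
    file=$2
    # Reject symlinks and non-regular files: setcap refuses them, and chmod
    # would follow a link and set the setuid bit on its target.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "skip: $file is not a regular file" >&2
        return 2
    fi
    if "$SETCAP" "$caps" "$file" 2>/dev/null; then
        chmod u-s "$file"   # drop a setuid bit left by an earlier fallback
        echo caps
        return 0
    fi
    # The filesystem (NFS here) cannot store the capability xattr.
    # setuid-root grants far more than the one capability, so report it.
    echo "notice: $file: setcap failed, falling back to setuid" >&2
    chmod u+s "$file" || return 1
    echo setuid
}

# Constructed stand-in for setcap on NFS: fails as in the log in this thread.
nfs_setcap() {
    echo "Operation not supported" >&2
    return 1
}

# Demo on a scratch file (constructed), never on a real binary.
demo() {
    tmp=$(mktemp) || return 1
    mode=$(SETCAP=nfs_setcap; grant_privilege cap_net_raw=ep "$tmp" 2>/dev/null)
    rm -f "$tmp"
    echo "$mode"
}

demo
```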

participants (3)
- Bryan Schumaker
- Paul Gideon Dann
- Thomas Bächler