[arch-dev-public] [arch-general] Updating iputils over NFS
stephane at archlinux.org
Mon Oct 1 08:15:06 EDT 2012
Le 2012-10-01 05:09, Thomas Bächler a écrit :
> Am 01.10.2012 11:05, schrieb Paul Gideon Dann:
>> On Friday 28 Sep 2012 16:32:09 Bryan Schumaker wrote:
>>>> I suspect this is something to do with NFS not supporting the capabilities
>>>> that setcap is trying to use, but I admit I haven't encountered
>>>> capabilities before I ran into this issue, so it's just a guess.
>>>> Has anyone else seen this problem, or does anyone have an idea how to fix
>>> NFS doesn't support any capibilities, so I guess the output is to be
>>> expected... I'm not sure what to do as a workaround, though. Does the
>>> package still install and run even though it printed the warning?
>> Hmm; yeah. Well the package installs, but ping doesn't work for non-root
>> users. It's not a critical issue, because these are network-booted worker
>> nodes in a cluster, and I doubt ping will be needed directly on the nodes.
>> However, it worries me that other things might be affected at some point if
>> capabilities are increasingly used. I might put in a bug report and see what
>> the devs think.
> The lack of capability support on NFS is a shame. In general, we should
> probably fall back to setuid-root whenever setcap fails and silence this
> error message.
> In my opinion, capabilities should be used much more widely and replace
> setuid-root whereever possible.
I am not sure what is the best way to fall back to suid root. A possible
workaround for the case of installing on a filesystem that does not
support capabilities could be something like :
setcap cap_net_raw=ep usr/bin/ping || chmod +s usr/bin/ping
But I think that we will still get into problems if it is installed on a
filesystems that support capabilities and if this filesystem is exported
on NFS to clients.
Any ideas ?
More information about the arch-dev-public