[arch-dev-public] [arch-general] Updating iputils over NFS

Stéphane Gaudreault stephane at archlinux.org
Mon Oct 1 08:15:06 EDT 2012


On 2012-10-01 05:09, Thomas Bächler wrote:
> On 01.10.2012 11:05, Paul Gideon Dann wrote:
>> On Friday 28 Sep 2012 16:32:09 Bryan Schumaker wrote:
>>>> I suspect this is something to do with NFS not supporting the capabilities
>>>> that setcap is trying to use, but I admit I haven't encountered
>>>> capabilities before I ran into this issue, so it's just a guess.
>>>>
>>>> Has anyone else seen this problem, or does anyone have an idea how to fix
>>>> it?
>>> NFS doesn't support any capabilities, so I guess the output is to be
>>> expected... I'm not sure what to do as a workaround, though.  Does the
>>> package still install and run even though it printed the warning?
>> Hmm; yeah.  Well the package installs, but ping doesn't work for non-root
>> users.  It's not a critical issue, because these are network-booted worker
>> nodes in a cluster, and I doubt ping will be needed directly on the nodes.
>> However, it worries me that other things might be affected at some point if
>> capabilities are increasingly used.  I might put in a bug report and see what
>> the devs think.
> The lack of capability support on NFS is a shame. In general, we should
> probably fall back to setuid-root whenever setcap fails and silence this
> error message.
>
> In my opinion, capabilities should be used much more widely and replace
> setuid-root wherever possible.
>
>
I am not sure what the best way to fall back to suid root is. A possible
workaround for the case of installing on a filesystem that does not
support capabilities could be something like:

setcap cap_net_raw=ep usr/bin/ping || chmod +s usr/bin/ping

But I think that we will still get into problems if it is installed on a
filesystem that supports capabilities and if this filesystem is exported
on NFS to clients.

Any ideas?

Stéphane
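
Added example, not part of the original message and not code from iputils or pacman: one way to write the fallback discussed above so that the result is verified rather than assumed. The function names grant_net_raw and priv_state are hypothetical; the sketch assumes setcap and getcap from libcap are on PATH.

```sh
#!/bin/sh
# Added example (hypothetical helper names, not from iputils or pacman).

# Report how a binary currently gets its privilege: "caps", "setuid" or "none".
priv_state() {
    f=$1
    # getcap prints nothing when no file capability is stored or visible.
    if command -v getcap >/dev/null 2>&1 &&
       getcap "$f" 2>/dev/null | grep -q 'cap_net_raw'; then
        echo caps
    elif [ -u "$f" ]; then
        echo setuid
    else
        echo none
    fi
}

# Prefer the file capability; fall back to setuid only when it did not stick.
grant_net_raw() {
    f=$1
    if setcap cap_net_raw=ep "$f" 2>/dev/null &&
       [ "$(priv_state "$f")" = caps ]; then
        # Capability is stored: make sure no stale setuid bit stays behind.
        chmod u-s "$f"
    else
        # setcap failed (e.g. the target is on NFS): use setuid, without the
        # setgid bit that a bare "chmod +s" would also set.
        chmod u+s "$f"
    fi
    # Print the resulting state so the install log shows which path was taken.
    priv_state "$f"
}
```

Running priv_state on the installed ping from an NFS client shows what that client actually sees, which is the case the last paragraph of the message worries about.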

