Adam Rosenwald wrote:
> With cobbler-1.3.4, I had added an acl group privilege:
>
> * *cobbler aclsetup --addgroup=mygroup*
>
> I executed the above command after ensuring the mounted ext3
> filesystems involved were sane
>
> * *mount -o remount,acl,user_xattr /var*
>
> Now when I execute *cobbler reposync --only=test-64*, I receive the
> following output
>
> ### BEGIN OUTPUT ###
> [...@host ~]$ rsync -rltDv --delete --delete-excluded
> --exclude-from=/etc/cobbler/rsync.exclude /opt/repos/test/x86_64/
> /var/www/cobbler/repo_mirror/test-64
> building file list ... done
> ./
> rsync: failed to set times on
> "/var/www/cobbler/repo_mirror/test-64/.": Operation not permitted (1)
> base/
> rsync: failed to set times on
> "/var/www/cobbler/repo_mirror/test-64/base": Operation not permitted (1)
> repodata/
> rsync: failed to set times on
> "/var/www/cobbler/repo_mirror/test-64/repodata": Operation not
> permitted (1)
> rsync: failed to set times on
> "/var/www/cobbler/repo_mirror/test-64/.": Operation not permitted (1)
> rsync: failed to set times on
> "/var/www/cobbler/repo_mirror/test-64/base": Operation not permitted (1)
> rsync: failed to set times on
> "/var/www/cobbler/repo_mirror/test-64/repodata": Operation not
> permitted (1)
> ### END OUTPUT ###
>
> /var/www/cobbler/repo_mirror/* has owner:group=apache:apache. I tried
> changing the group recursively to 'mygroup' with write permission. No
> luck.
>
> After scouring through numerous search results, I concluded that rsync
> does not modify standard mtime stats using the normal system call; it
> uses its own algorithm -- /*which ultimately requires changing
> "ownership" of the repos*/.
>
> This seems to defeat the purpose of using ACLs in conjunction w/ cobbler.
>
> In order to write files without worrying about rsync time oddities, I
> inserted *-O* *(--omit-dir-times)* into the "action_reposync.py" file:

I was previously using ACL setup to primarily manipulate cobbler system
objects, so this was probably not tested. One simple solution is to use
ACLs to manipulate cobbler but to run cobbler reposync itself via sudoers
and an intermediary script. It seems --omit-dir-times /might/ adversely
impact reposync's performance on following syncs. We could just mention
that reposync does require running as root.

> * 'cmd = "rsync -rltDvO %s --delete --delete-excluded
> --exclude-from=/etc/cobbler/rsync.exclude %s %s" % (spacer,
> repo.mirror, dest_path)'
>
> The question remains, however, whether the rsync time synchronizations
> are needed. If so, this patch will not work, and there will have to
> be some workaround - e.g. setuid bit?
>
> ---
>
> I would *love* to hear that this is a non-issue and someone sees right
> through this logic.
>
> ---
>
> But... we're not done yet. There's another 'acl gotcha' in
> action_reposync.pl: *chown -R root:apache*.
>
> I don't see how this can be done without setuid/setgid root or some
> additional acl magic.

I definitely don't want to do that (it's too wide open to let anyone at
it), but giving certain users sudoers access to a script that calls
reposync might be fair.

> ### BEGIN OUTPUT ###
> ...
> ...
> ...
> chmod: changing permissions of
> `/var/www/cobbler/repo_mirror/test-64/base/test-1.1-1.x86_64.rpm':
> Operation not permitted
> chmod: changing permissions of
> `/var/www/cobbler/repo_mirror/test-64/base/a-1-2.noarch.rpm':
> Operation not permitted
> ...
> ...
> ...
> ### END OUTPUT ###
>
> Any thoughts?
>
> Thanks,
>
> - A.
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> cobbler mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/cobbler
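As an added illustration of the "sudoers plus an intermediary script" approach suggested in the reply above (this is example code written for this page, not part of the thread or of cobbler itself): a wrapper that can be granted to a group through sudoers without handing that group arbitrary cobbler or rsync arguments. The script, its path, the sudoers line in the comment and the cobbler binary location (/usr/bin/cobbler) are assumptions; only the repo name is taken from the caller, and it is checked against a strict allowlist so that option strings and shell metacharacters never reach the root-privileged command.

```shell
#!/bin/sh
# Hypothetical sudo-invoked wrapper around "cobbler reposync" (added example,
# not cobbler's own code).  Assumed sudoers grant, one line, no wildcards:
#   %mygroup ALL=(root) NOPASSWD: /usr/local/sbin/cobbler-reposync-wrapper
# The wrapper takes exactly one argument, a repo name, and nothing else.
set -eu

COBBLER_BIN=/usr/bin/cobbler   # assumed install path of the cobbler CLI

# Accept only characters that can appear in a cobbler repo name.  Anything
# empty, option-like (leading '-') or outside [A-Za-z0-9._-] is refused, so
# a caller cannot smuggle in extra flags or shell syntax via sudo.
validate_repo_name() {
    name=$1
    case $name in
        ''|-*)             return 1 ;;   # empty or looks like an option
        *[!A-Za-z0-9._-]*) return 1 ;;   # contains a disallowed character
    esac
    return 0
}

# Show the exact command line the wrapper would run for a repo name.
# Returns 1 (and prints nothing) when the name fails validation.
build_reposync_cmd() {
    validate_repo_name "$1" || return 1
    printf '%s reposync --only=%s\n' "$COBBLER_BIN" "$1"
}

# Run the sync as root.  Exit status 2 means the name was rejected before
# anything privileged happened.  The environment is reset so inherited
# PATH or other variables from the sudo caller cannot influence the run.
run_reposync() {
    if ! validate_repo_name "$1"; then
        printf 'cobbler-reposync-wrapper: refusing repo name: %s\n' "$1" >&2
        return 2
    fi
    env -i PATH=/usr/bin:/bin "$COBBLER_BIN" reposync --only="$1"
}

# Only act when invoked with a single argument; sourcing the file for
# tests (no arguments) defines the functions and runs nothing.
if [ "$#" -eq 1 ]; then
    run_reposync "$1"
fi
```

The important property is that the sudoers entry names a fixed script with no arguments of its own, and the script, not the user, decides what gets passed to cobbler; the per-user ACLs from `cobbler aclsetup` keep covering the object edits, while the root-only parts of reposync (rsync's directory timestamps and the `chown -R root:apache`) happen inside the one audited path.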
