> On 19 May 2017 at 08:47, Robin Humble <rjh+lus...@cita.utoronto.ca> wrote:
> On Wed, May 17, 2017 at 02:37:31PM +0000, Sebastien Buisson wrote:
>> Reading the discussion in the ticket, supporting xattr at the time of Lustre 
>> 1.8 and 2.0 was causing issues on MDS side in some situations. So it was 
>> decided to discard security.capability xattr on Lustre client side. I think 
>> Andreas might have some insight, as he apparently participated in b15587.
> my word that's a long time ago...
> I don't see much in the way of jira tickets about getxattr issues on
> MDS in recent times, and they're much more heavily used these days, so
> I hope that particular problem has long since been fixed.
> should I open a jira ticket to track re-enabling of security.capabilities?

Yes please. At the same time, would you mind pushing to review.whamcloud.com 
the patch you sent to lustre-devel?

>> In any case, it is important to make clear that file capabilities, the 
>> feature you want to use, are completely distinct from SELinux.
>> On the one hand, Capabilities are a Linux mechanism to refine permissions 
>> granted to privileged processes, by dividing the privileges traditionally 
>> associated with superuser into distinct units (known as capabilities).
>> On the other hand, SELinux is the Linux implementation of Mandatory Access 
>> Control.
>> Both Capabilities and SELinux rely on values stored in file extended 
>> attributes, but this is the only thing they have in common.
> 10-4. thanks.
> 'ls --color' requests the security.capability xattr so this would
> be heavily accessed. do you think this is handled well enough currently
> to not affect performance significantly?
> setxattr would be minimal and not performance critical, unlike with eg.
> selinux and creat.

For sure retrieving this xattr adds an overhead. But with recent versions of 
Lustre I am not aware of bugs in xattr handling.
I think it would be helpful, in the Jira ticket you would open, to have 
comments from people that participated in the resolution of Bugzilla #15587.

lustre-discuss mailing list
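
The following is an added example, not part of the thread or of Lustre: a decoder for the value held in the `security.capability` xattr discussed above, useful for checking which file capabilities a client actually returns. The name table is a partial subset and `SAMPLE` is a constructed value.

```python
import errno
import os
import struct
import sys

XATTR = "security.capability"
REV_MASK, FLAG_EFFECTIVE = 0xFF000000, 0x1
# revision magic -> (32-bit words per capability set, trailing rootid field?)
REVISIONS = {0x01000000: (1, False), 0x02000000: (2, False), 0x03000000: (2, True)}
# Partial name table, enough for the sample; see linux/capability.h for the rest.
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 7: "cap_setuid",
             10: "cap_net_bind_service", 12: "cap_net_admin",
             13: "cap_net_raw", 21: "cap_sys_admin"}
# Constructed sample: a revision-2 value granting cap_net_raw, effective bit set.
SAMPLE = bytes.fromhex("0100000200200000000000000000000000000000")

def cap_names(mask):
    """Names (or cap_<n> for unlisted bits) of the capabilities set in mask."""
    return [CAP_NAMES.get(n, f"cap_{n}") for n in range(64) if mask >> n & 1]

def decode_file_caps(raw):
    """Decode the little-endian vfs_cap_data structure held in the xattr."""
    if len(raw) < 4:
        raise ValueError("value too short for a capability header")
    (magic,) = struct.unpack_from("<I", raw, 0)
    if magic & REV_MASK not in REVISIONS:
        raise ValueError(f"unknown revision in magic {magic:#010x}")
    words, has_rootid = REVISIONS[magic & REV_MASK]
    if len(raw) != 4 + 8 * words + (4 if has_rootid else 0):
        raise ValueError("length does not match the declared revision")
    permitted = inheritable = 0
    for i in range(words):  # word i carries bits 32*i .. 32*i+31 of each set
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * words)[0] if has_rootid else None
    return {"revision": magic >> 24, "effective": bool(magic & FLAG_EFFECTIVE),
            "permitted": cap_names(permitted),
            "inheritable": cap_names(inheritable), "rootid": rootid}

def read_file_caps(path):
    """Decoded capabilities of path, or None if no such xattr is returned."""
    try:
        return decode_file_caps(os.getxattr(path, XATTR))
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise

if __name__ == "__main__":
    print("sample:", decode_file_caps(SAMPLE))
    for path in sys.argv[1:]:
        print(path, read_file_caps(path))
```

Run with file paths as arguments to compare what a local filesystem and a network mount return for the same binary.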