> On 19 May 2017, at 08:47, Robin Humble <[email protected]> wrote:
>
> On Wed, May 17, 2017 at 02:37:31PM +0000, Sebastien Buisson wrote:
>>
>> Reading the discussion in the ticket, supporting xattr at the time of Lustre
>> 1.8 and 2.0 was causing issues on MDS side in some situations. So it was
>> decided to discard security.capability xattr on Lustre client side. I think
>> Andreas might have some insight, as he apparently participated in b15587.
>
> my word that's a long time ago...
> I don't see much in the way of jira tickets about getxattr issues on
> MDS in recent times, and they're much more heavily used these days, so
> I hope that particular problem has long since been fixed.
>
> should I open a jira ticket to track re-enabling of security.capabilities?

Yes please. At the same time, would you mind pushing to review.whamcloud.com the patch you sent to lustre-devel?

>
>> In any case, it is important to make clear that file capabilities, the
>> feature you want to use, is completely distinct from SELinux.
>> On the one hand, Capabilities are a Linux mechanism to refine permissions
>> granted to privileged processes, by dividing the privileges traditionally
>> associated with superuser into distinct units (known as capabilities).
>> On the other hand, SELinux is the Linux implementation of Mandatory Access
>> Control.
>> Both Capabilities and SELinux rely on values stored into file extended
>> attributes, but this is the only thing they have in common.
>
> 10-4. thanks.
>
> 'ls --color' requests the security.capability xattr so this would
> be heavily accessed. do you think this is handled well enough currently
> to not affect performance significantly?
>
> setxattr would be minimal and not performance critical, unlike with eg.
> selinux and creat.
>

For sure retrieving this xattr adds an overhead. But with recent versions of Lustre I am not aware of bugs in xattr handling.
I think it would be helpful, in the Jira ticket you would open, to have comments from people that participated in the resolution of Bugzilla #15587.

Thanks,
Sebastien.
_______________________________________________
lustre-discuss mailing list
[email protected]
http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org
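
The security.capability xattr discussed in this thread holds a small binary structure (struct vfs_cap_data in linux/capability.h). The decoder below is an added example, not part of the original messages or of Lustre code; the function names are hypothetical and the sample bytes are constructed. It can be used to check what a client actually returns for a file that has capabilities set.

```python
import errno, os, struct

# Constants from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision magic -> (version, number of 32-bit word pairs, has rootid field)
REVISIONS = {0x01000000: (1, 1, False), 0x02000000: (2, 2, False),
             0x03000000: (3, 2, True)}
# Partial bit-number -> name table; other bits print as cap_<n>
CAP_NAMES = {10: "cap_net_bind_service", 12: "cap_net_admin",
             13: "cap_net_raw", 21: "cap_sys_admin"}

def _names(mask):
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1]

def decode_file_caps(raw):
    """Decode a security.capability xattr value (hypothetical helper)."""
    if len(raw) < 4:
        raise ValueError("value shorter than the magic_etc header")
    (magic,) = struct.unpack_from("<I", raw, 0)
    rev = REVISIONS.get(magic & VFS_CAP_REVISION_MASK)
    if rev is None:
        raise ValueError(f"unknown revision in magic_etc {magic:#010x}")
    version, words, has_rootid = rev
    if len(raw) != 4 + 8 * words + (4 if has_rootid else 0):
        raise ValueError(f"bad length {len(raw)} for revision {version}")
    permitted = inheritable = 0
    for i in range(words):  # each pair is (permitted, inheritable), low word first
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * words)[0] if has_rootid else None
    return {"version": version,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": _names(permitted),
            "inheritable": _names(inheritable),
            "rootid": rootid}

def read_file_caps(path):
    """Return decoded caps, or None when the file or filesystem exposes none."""
    try:
        return decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise

# Constructed sample: what "cap_net_raw+ep" looks like in a revision 2 xattr
SAMPLE = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)

if __name__ == "__main__":
    print(decode_file_caps(SAMPLE))
```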
