Bug#843597: More robust capability handling
Hi.

Looking at ftar in current fai, it looks like it already is fairly aggressive about using tar --xattrs for extraction. If my reading of the code is correct, this bug should probably be closed as never having been an issue.

--Sam
Bug#843597: More robust capability handling
> "Thomas" == Thomas Lange writes:

> On Mon, 07 Nov 2016 17:36:41 -0500, Sam Hartman
>> Currently, the sample configuration namespace has a shell script
>> to restore the common capabilities found in base files; see
>> scripts/DEBIAN/20-capabilities.

Thomas> In this script, I'm doing the same things that are done in
Thomas> the postinst script of the package.

No, you're doing what the postinst script did on the day you wrote that config script. First, there's no guarantee that you'll notice when the packages in question change. Secondly, even if you do update the examples, each FAI user has to update every one of their configuration spaces. That tends to produce unexpected behavior over time.

Thomas> Also there was a bug in tar which added some xattr or
Thomas> capabilities even if none were defined when creating the tar
Thomas> file. Have a look at #819978. IIRC this was one reason to not
Thomas> use xattrs with tar by default.
Thomas> -- regards Thomas

That seems to be dealing with --acls, not --xattrs --xattrs-include=security.capability. At least with the stretch tar, I do not get default ACLs when I use --xattrs --xattrs-include=security.capability.
Bug#843597: More robust capability handling
> On Mon, 07 Nov 2016 17:36:41 -0500, Sam Hartman said:

> Currently, the sample configuration namespace has a shell script to
> restore the common capabilities found in base files; see
> scripts/DEBIAN/20-capabilities.

In this script, I'm doing the same things that are done in the postinst script of the package.

Also there was a bug in tar which added some xattr or capabilities even if none were defined when creating the tar file. Have a look at #819978. IIRC this was one reason to not use xattrs with tar by default.

--
regards Thomas
Bug#843597: More robust capability handling
package: fai
version: 5.2

Currently, the sample configuration namespace has a shell script to restore the common capabilities found in base files; see scripts/DEBIAN/20-capabilities.

This approach is brittle because as new packages in the base system gain capabilities, everyone's configuration space needs to be updated.

tar does support saving and restoring capabilities. If base file tars are created using

    tar --xattrs --xattrs-include=security.capability -cf blah blah

and restored with

    tar -xf filename --xattrs --xattrs-include=security.capability

then capabilities are directly preserved.

I understand that you may want to preserve the script in the configuration space because you cannot guarantee how people create base files. However, for restore of base files, please include the xattrs options.
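
A check for whether a given base file tarball actually carries capabilities, added here as an example and not part of the thread or of FAI: GNU tar records each extended attribute in a pax header keyed SCHILY.xattr.<name>, so the script looks for SCHILY.xattr.security.capability on every member. The function names, the sample member names and the placeholder attribute value are constructed for illustration.

```python
import io
import sys
import tarfile

# GNU tar's pax keyword for the security.capability extended attribute.
CAP_KEY = "SCHILY.xattr.security.capability"


def members_with_capabilities(fileobj):
    """Return the sorted names of members that carry a security.capability xattr."""
    found = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            # Only the presence of the key matters; the value is the raw
            # kernel capability blob and is not decoded here.
            if CAP_KEY in member.pax_headers:
                found.append(member.name)
    return sorted(found)


def build_sample(with_xattrs):
    """Build a constructed in-memory archive standing in for a base file tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in ("bin/ping", "bin/ls"):
            info = tarfile.TarInfo(name)
            info.mode = 0o755
            if with_xattrs and name == "bin/ping":
                # Constructed placeholder, not a real capability value.
                info.pax_headers = {CAP_KEY: "constructed-placeholder"}
            tar.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            names = members_with_capabilities(fh)
    else:
        names = members_with_capabilities(build_sample(with_xattrs=True))
    if names:
        print("members with security.capability:", ", ".join(names))
    else:
        print("no security.capability xattrs stored; "
              "extraction with --xattrs will restore none")
```

An empty result means the archive was created without the xattrs options, so passing them at extraction time restores no capabilities for that archive.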