Would be nice if WW images would support file capabilities, as those are used for some binaries, such as ping. E.g. currently on a WW image this happens as a non-root user:
$ ping google.com
ping: socket: Operation not permitted
The reason is that the ping binary must be given appropriate capabilities to use raw sockets. On a non-WW machine:
whereas on a WW node the above command doesn't return anything.
I'm not super-familiar with how VNFS works, but I think the culprit is that it uses cpio ("cpio command" in vnfs.conf) to create the image, and cpio doesn't support xattrs (which is how file capabilities are stored on Linux).
One solution would be to use tar instead of cpio. GNU tar with the --xattrs option generates a --format=pax archive which includes the xattrs. And, if I'm skimming the source correctly(?), for extracting the VNFS image during boot it uses bsdtar from libarchive, which should support both the cpio newc format as well as the pax format. So it might work out with relatively modest changes?
As you noted we have bsdtar doing the un-compression of the vnfs in the initrd, so if you change vnfs.conf to:
cpio command = bsdcpio --quiet -o -H pax
Capabilities and other xattrs will be captured. Note, the PAX format stores xattrs as K/Vs. The keys, at least when I last looked, were prefixed with text specific to the tool that created the archive. Thus it's somewhat unlikely that a GNU tar created archive will work well with bsdtar.
@jabl We probably don't want to change the default due to the additional dependency. We might want to add a comment in vnfs.conf with the example and note however.
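As an added illustration of the point above that pax carries xattrs as key/value records (example code, not from the Warewulf project or this issue): the script below stores a constructed ping-style cap_net_raw+ep capability under the SCHILY.xattr.security.capability key that GNU tar uses, decodes it back the way getcap would print it, and shows that writing the same entry in plain ustar format drops the capability silently, which is the same failure mode as a cpio newc image. The member path and placeholder binary are constructed.

```python
"""Check whether an image archive carries Linux file capabilities (constructed example)."""
import io
import struct
import tarfile

# Bit numbers from <linux/capability.h>; only the ones this example names.
CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw"}
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# pax record key GNU tar uses for the security.capability xattr.
CAP_KEY = "SCHILY.xattr.security.capability"

def encode_vfs_cap(permitted: int, effective: bool = True) -> bytes:
    """Build a revision-2 struct vfs_cap_data, i.e. what setcap writes to the xattr."""
    magic_etc = 0x02000000 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    low, high = permitted & 0xFFFFFFFF, permitted >> 32
    # Layout: magic_etc, then {permitted, inheritable} for bits 0-31 and 32-63.
    return struct.pack("<IIIII", magic_etc, low, 0, high, 0)

def decode_vfs_cap(raw: bytes) -> str:
    """Render a security.capability value in getcap style, e.g. cap_net_raw+ep."""
    magic_etc, p0, _i0, p1, _i1 = struct.unpack_from("<IIIII", raw, 0)
    if magic_etc >> 24 not in (2, 3):
        raise ValueError("unsupported vfs_cap_data revision")
    permitted = p0 | (p1 << 32)
    names = [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if permitted >> b & 1]
    flags = "+" + ("e" if magic_etc & VFS_CAP_FLAGS_EFFECTIVE else "") + "p"
    return ",".join(names) + flags

def build_archive(pax: bool = True) -> bytes:
    """Archive a fake bin/ping carrying cap_net_raw+ep, as pax or plain ustar."""
    payload = b"\x7fELF-placeholder"  # constructed stand-in, not a real binary
    info = tarfile.TarInfo("bin/ping")
    info.size, info.mode = len(payload), 0o755
    # Bit 13 = CAP_NET_RAW; raw bytes travel through str via surrogateescape.
    raw = encode_vfs_cap(1 << 13)
    info.pax_headers = {CAP_KEY: raw.decode("utf-8", "surrogateescape")}
    fmt = tarfile.PAX_FORMAT if pax else tarfile.USTAR_FORMAT
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=fmt) as tf:
        tf.addfile(info, io.BytesIO(payload))  # ustar has no place for xattrs
    return buf.getvalue()

def capabilities_in(archive: bytes) -> dict:
    """Map member name -> getcap-style string for every member that carries CAP_KEY."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
        for member in tf:
            value = member.pax_headers.get(CAP_KEY)
            if value is not None:
                found[member.name] = decode_vfs_cap(value.encode("utf-8", "surrogateescape"))
    return found

if __name__ == "__main__":
    print("pax  :", capabilities_in(build_archive(pax=True)))   # {'bin/ping': 'cap_net_raw+ep'}
    print("ustar:", capabilities_in(build_archive(pax=False)))  # {}  caps silently lost
```

Run the same scan over a real node image archive to confirm the build pipeline preserved the capabilities setcap installed; an empty result for ping is the symptom this issue describes.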