Discussion:
[xcat-user] /usr/bin/ping on diskless lost capabilities rhel7.2
David D. Johnson
2017-04-10 18:50:18 UTC
mgt# getcap /usr/bin/ping
/usr/bin/ping = cap_net_admin,cap_net_raw+p
mgt# ssh compute
compute# getcap /usr/bin/ping
compute#

Somewhere along the line, unpacking the rootimg I would guess, the binary for ping and its friends
loses the required privilege / capability to actually function for non-root user.

With RH6, ping was setuid, which didn’t get lost at boot time.

Anybody have a workaround?

Thanks,
— ddj
Dave Johnson
Jarrod Johnson
2017-04-10 20:09:15 UTC
There's a new packimage format, txz. -m tar -c xz.

Tar will preserve those capabilities, cpio will not. Too bad we didn't pick tar to start with back in the day...

xCAT-user mailing list
xCAT-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
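
The following is an added example, not part of the thread and not xCAT code: a Python check that lists which entries of a tar-format image carry the `security.capability` extended attribute and decodes it, so a packed image can be audited before nodes boot from it. It assumes GNU tar's PAX record name `SCHILY.xattr.security.capability`; the function names are hypothetical, and the sample archive is constructed in memory, once with the record and once without it to stand in for an image that lost the attribute.

```python
import io
import struct
import tarfile

# Capability numbers from linux/capability.h (only the two the thread mentions).
CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw"}
XATTR_KEY = "SCHILY.xattr.security.capability"  # assumed: GNU tar's PAX key
VFS_CAP_REVISION_1 = 0x01000000  # one 32-bit word per set; later revisions use two
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

def decode_vfs_cap(raw: bytes) -> dict:
    """Decode the little-endian vfs_cap_data blob stored in security.capability."""
    (magic,) = struct.unpack_from("<I", raw, 0)
    words = 1 if (magic & 0xFF000000) == VFS_CAP_REVISION_1 else 2
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    def names(mask):
        return sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if (mask >> b) & 1)
    return {"permitted": names(permitted), "inheritable": names(inheritable),
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}

def file_caps_in_tar(fileobj) -> dict:
    """Map member name -> decoded capabilities for every entry that carries them."""
    found = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            value = member.pax_headers.get(XATTR_KEY)
            if value is not None:
                raw = value.encode("utf-8", "surrogateescape")
                found[member.name] = decode_vfs_cap(raw)
    return found

def build_sample_image(with_xattr: bool) -> io.BytesIO:
    """Constructed sample: a one-file archive, with or without the xattr record."""
    # Revision 2 header, effective flag clear, permitted = bits 12 and 13 ("+p").
    blob = struct.pack("<IIIII", 0x02000000, (1 << 12) | (1 << 13), 0, 0, 0)
    info = tarfile.TarInfo("usr/bin/ping")
    info.size = 4
    if with_xattr:
        info.pax_headers = {XATTR_KEY: blob.decode("utf-8")}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        tar.addfile(info, io.BytesIO(b"ELF\n"))
    buf.seek(0)
    return buf
```

For a real image, pass an open binary file object for the packed archive; the `r:*` mode handles xz or gzip compression transparently.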
David D. Johnson
2017-04-13 16:39:15 UTC
Thanks for the help. Tar works where cpio didn’t. However, switching from gzip to xz
costs 9 extra minutes (10 vs 1) in the packimage step. I couldn’t find a knob to twist to
make it use xz -0 or xz -3 rather than the default level -6 compression, and XZ_OPTS was
not passed from the environment where packimage was called to the actual xz process.

— ddj
Song BJ Yang
2017-04-17 03:32:57 UTC