[Bugs] [Bug 1292778] New: (RHEL6) Setting security.* xattrs fails
bugzilla at redhat.com
bugzilla at redhat.com
Fri Dec 18 10:24:51 UTC 2015
https://bugzilla.redhat.com/show_bug.cgi?id=1292778
Bug ID: 1292778
Summary: (RHEL6) Setting security.* xattrs fails
Product: Red Hat Gluster Storage
Version: 3.1
Component: glusterfs-fuse
Keywords: EasyFix, Triaged, ZStream
Severity: high
Assignee: rhs-bugs at redhat.com
Reporter: madam at redhat.com
QA Contact: storage-qa-internal at redhat.com
CC: bugs at gluster.org, chrisw at redhat.com, csaba at redhat.com,
gluster-bugs at redhat.com, ndevos at redhat.com,
nlevinki at redhat.com, rtalur at redhat.com
Depends On: 1283103, 1283107
Blocks: 1279240 (glusterfs-3.7.7)
Keywords: ZStream
+++ This bug was initially created as a clone of Bug #1283107 +++
+++ This bug was initially created as a clone of Bug #1283103 +++
+++ This bug was initially created as a clone of Bug #1127457 +++
+++ +++
+++ Use this bug to provide a patch for the master branch. +++
Description of problem:
I have an issue with xattrs with the security prefix. This command work in
all the servers involved (bricks, clients) in all the filesystems mounted
(including the bricks), but fails on the volume mounted in the clients.
# touch testfile && setfattr -n security.NTACL -v foo testfile
setfattr: testfile: Operation not supported
If I try "-n whatever", works.
Versions:
Ubuntu 14.04
# uname -a
Linux storage01 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC
2014 x86_64 x86_64 x86_64 GNU/Linux
# glusterfs --version
glusterfs 3.5.2
All the boxes involved have the same version.
When I try that operation, I see the following in the brick logs:
[2014-08-06 14:39:06.231495] E [marker.c:2542:marker_removexattr_cbk]
0-gv0-marker: No data available occurred while creating symlinks
[2014-08-06 14:39:06.231543] I
[server-rpc-fops.c:727:server_removexattr_cbk] 0-gv0-server: 124:
REMOVEXATTR /testfile (473fd975-a619-47d7-9ebc-d2a077ed1ac8) of key
security.ima ==> (No data available)
--- Additional comment from Diego Woitasen on 2014-08-07 00:09:37 CEST ---
More information, my fstab line:
storage01:/gv0 /srv/data glusterfs defaults,acl 0 0
Adding user_xattr doesn't work, I can't mount the volume with that option. BTW,
I can set xattrs, the problem is with security prefixed xattrs.
--- Additional comment from Niels de Vos on 2014-08-29 11:55:59 CEST ---
>From xlators/mount/fuse/src/fuse-bridge.c:
3136 if (!priv->selinux) {
3137 if (strncmp (name, "security.", 9) == 0) {
3138 send_fuse_err (this, finh, EOPNOTSUPP);
3139 GF_FREE (finh);
3140 return;
3141 }
3142 }
Checking a little further, it seems that you can mount with the 'selinux'
option. In /etc/fstab this would then look like this:
storage01:/gv0 /srv/data glusterfs defaults,acl,selinux 0 0
I understand that Ubuntu does not use selinux, but that does not matter for
using this mount option. Could you test and report if that works for you?
Proposed fix:
We should not disallow setting security.* xattrs when selinux is not in use,
selinux is not the only component that uses security.* xattrs. I think that
instead of filtering out all security.* xattrs, only security.selinux should be
denied.
--- Additional comment from Diego Woitasen on 2014-08-29 13:39:36 CEST ---
Adding the selinux mount options it works.
Thanks for your help.
--- Additional comment from pille on 2015-01-23 11:38:48 CET ---
i'm currently ingesting several TB into our glusterfs-cluster and my logfile
grows multiple GB/day because of (three times per file):
[2015-01-23 10:31:04.835822] E [marker.c:2542:marker_removexattr_cbk]
0-storage_www-marker: No data available occurred while creating symlinks
[2015-01-23 10:31:04.835850] I [server-rpc-fops.c:693:server_removexattr_cbk]
0-storage_www-server: 88351: REMOVEXATTR /file1234
(85c82646-7c31-4773-ae5f-fa7661452f67) of key security.ima ==> (No data
available)
mounting using -o selinux doesn't help.
i'm on ubuntu 14.04, too. glusterfs is v3.6.1.
--- Additional comment from Niels de Vos on 2015-01-23 12:26:06 CET ---
The missing (No data available) security.ima extended attribute might be a
kernel issue. I think this patch (or some follow up) fixes it:
https://lkml.org/lkml/2014/7/11/259
It would be interesting to know if Ubuntu 14.04 has these patches applied.
Alternatively, you can probably disable the IMA function in Ubuntu to prevent
these messages.
Could you let us know if that helps?
--- Additional comment from pille on 2015-01-23 15:08:10 CET ---
i couldn't figure out, whether these patches are applied to the stock ubuntu
kernel, but found nothing in the changelog.
but i installed a 14.10 kernel (3.16), which should have these commits already
in. unfortunately the behavior didn't change.
i didn't try to disable IMA yet.
--- Additional comment from Jeff Byers on 2015-03-03 03:25:09 CET ---
Using the -o selunux mount option does not seem to be a good work-around, at
least not when selinux is not in use, and Gluster replica volumes are in use.
In GlusterFS 3.6.1, copying a directory tree takes more than 600% longer when
the FUSE mount has the selinux option than it does without it.
This seems to be due to all of the:
fuse-bridge.c:3335:fuse_xattr_cbk ... GETXATTR(security.capability) ... (No
data available)
failures.
--- Additional comment from on 2015-08-06 21:31:45 CEST ---
My logs are filled with these messages too on RHS 3.0 on RHEL 6.7. Also,
replacing a brick and heal is taking exceptionally long. Don't know if they are
related. On replacing a brick in distributed replicated volume, it had managed
to move only 100G in 24 hours.
--- Additional comment from Vijay Bellur on 2015-12-11 10:18:54 EST ---
REVIEW: http://review.gluster.org/12953 (fuse: forbid only access to
security.selinux xattr if not mounted with 'selinux') posted (#1) for review on
release-3.7 by Michael Adam (obnox at samba.org)
--- Additional comment from Vijay Bellur on 2015-12-11 10:19:11 EST ---
REVIEW: http://review.gluster.org/12954 (tests:bugs:fuse: add test for bug
#1283103 - selinux mount vs security xattrs) posted (#1) for review on
release-3.7 by Michael Adam (obnox at samba.org)
--- Additional comment from Vijay Bellur on 2015-12-16 14:18:46 EST ---
COMMIT: http://review.gluster.org/12953 committed in release-3.7 by Raghavendra
Talur (rtalur at redhat.com)
------
commit 96da2fbc7fa7f9e27c645b98d8b12491be24a4c4
Author: Michael Adam <obnox at samba.org>
Date: Wed Nov 18 09:01:30 2015 +0100
fuse: forbid only access to security.selinux xattr if not mounted with
'selinux'
Originally, all selinux.* xattrs were forbidden, causing
for example Samba's acl_xattr module which uses security.NTACL
to fail without the 'selinux' mount option, which is confusing
at least. This change specializes the check to the security.selinux
attribute, so other selinux.* attributes work with or without the option.
> Change-Id: I9d3083123efbf403f20572cfb325a300ce2e90d9
> BUG: 1283103
> Signed-off-by: Michael Adam <obnox at samba.org>
> Reviewed-on: http://review.gluster.org/12826
> Tested-by: Gluster Build System <jenkins at build.gluster.com>
> Tested-by: NetBSD Build System <jenkins at build.gluster.org>
> Reviewed-by: Rajesh Joseph <rjoseph at redhat.com>
> Reviewed-by: Raghavendra G <rgowdapp at redhat.com>
(cherry picked from commit 4fefa3d7dbcdad1e71c74db11113ac1e74b01656)
Change-Id: Ia1ab1ef70b0ce8085afc7f8b09accff2a5966161
BUG: 1283107
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-on: http://review.gluster.org/12953
Tested-by: NetBSD Build System <jenkins at build.gluster.org>
Tested-by: Gluster Build System <jenkins at build.gluster.com>
Reviewed-by: Raghavendra Talur <rtalur at redhat.com>
--- Additional comment from Vijay Bellur on 2015-12-16 14:19:53 EST ---
REVIEW: http://review.gluster.org/12954 (tests:bugs:fuse: add test for bug
#1283103 - selinux mount vs security xattrs) posted (#2) for review on
release-3.7 by Raghavendra Talur (rtalur at redhat.com)
--- Additional comment from Vijay Bellur on 2015-12-17 07:06:10 EST ---
COMMIT: http://review.gluster.org/12954 committed in release-3.7 by Niels de
Vos (ndevos at redhat.com)
------
commit 12f36283d9e18246a97ac6a397cc54dc46ff89c5
Author: Michael Adam <obnox at samba.org>
Date: Mon Nov 30 10:51:13 2015 +0100
tests:bugs:fuse: add test for bug #1283103 - selinux mount vs security
xattrs
> BUG: 1283103
> Change-Id: Ic4485d650275f67eb6b0b8382a92eb829c06e27c
> Signed-off-by: Michael Adam <obnox at samba.org>
> Reviewed-on: http://review.gluster.org/12827
> Tested-by: Gluster Build System <jenkins at build.gluster.com>
> Reviewed-by: Niels de Vos <ndevos at redhat.com>
> Reviewed-by: Raghavendra G <rgowdapp at redhat.com>
(cherry picked from commit 8df88683c334c0652770e8e0fcec59dbc8bb5748)
Change-Id: I6b8e6f1c295ab951e29519113b39c7d7e75b90ee
BUG: 1283107
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-on: http://review.gluster.org/12954
Tested-by: NetBSD Build System <jenkins at build.gluster.org>
Tested-by: Gluster Build System <jenkins at build.gluster.com>
Reviewed-by: Niels de Vos <ndevos at redhat.com>
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1279240
[Bug 1279240] GlusterFS 3.7.7 release tracker
https://bugzilla.redhat.com/show_bug.cgi?id=1283103
[Bug 1283103] Setting security.* xattrs fails
https://bugzilla.redhat.com/show_bug.cgi?id=1283107
[Bug 1283107] Setting security.* xattrs fails
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=PnDIfL2A9i&a=cc_unsubscribe
More information about the Bugs
mailing list