Bug 798716
Summary: | xattr namespace flipping is broken for symlinks
---|---
Product: | [Community] GlusterFS
Component: | fuse
Status: | CLOSED CURRENTRELEASE
Severity: | unspecified
Priority: | high
Version: | mainline
Hardware: | Unspecified
OS: | Unspecified
Reporter: | Csaba Henk <csaba>
Assignee: | Csaba Henk <csaba>
QA Contact: | Vijaykumar Koppad <vkoppad>
CC: | amarts, bbandari, gluster-bugs, shaines, vkoppad
Keywords: | Triaged
Fixed In Version: | glusterfs-3.4.0
Doc Type: | Bug Fix
: | 848324
Last Closed: | 2013-07-24 17:11:17 UTC
Bug Blocks: | 848324, 858444
Description
Csaba Henk
2012-02-29 16:12:20 UTC
Actually there is no need to fiddle with mountbroker to reproduce the issue. We can call glusterfs directly, like

    glusterfs --volfile-server=localhost --volfile-id=<volname> --client-pid=-1 --user-map-root=<user> <mountpoint>

* * *

Further observation: for symlinks, the user.*.xtime attribute is not even flipped to trusted namespace internally. If glusterfs is invoked with debug log level, setting such an xattr on a regular file induces the following log messages:

    [2012-02-29 22:54:54.505596] D [fuse-helpers.c:484:fuse_flip_xattr_ns] 0-glusterfs-fuse: PID: -1, checking xattr(s): volume-mark*, *xtime
    [2012-02-29 22:54:54.505661] D [fuse-helpers.c:502:fuse_flip_xattr_ns] 0-glusterfs-fuse: flipping user.glusterfs.688de47f-6cc3-4ad1-b336-f1c9b0a4dcb2.xtime to trusted equivalent

Now, doing this for a symlink, these messages don't come. That in itself is weird and most likely bogus, but I cannot see how it's related to the EPERM issue -- if the attribute remains in user namespace, it should just successfully set with its original name.

So the plea is not just make the EPERM go away but pls also make sure that namespace flipping is fully functional for symlinks, too.

http://lxr.linux.no/#linux+v3.2.9/fs/xattr.c#L58

    /*
     * In the user.* namespace, only regular files and directories can have
     * extended attributes. For sticky directories, only the owner and
     * privileged users can write attributes.
     */

Don't know why this constraint is there.

Damnit, too bad. Actually the attr(5) manpage: http://linux.die.net/man/5/attr gives a brief summary of the namespaces + policies + rationale. It's never too late to read the reference of the APIs we use! ;)

So, as of attr(5), maybe "system" should be our bet instead of "user". Do you see any issue with that?

Yeh, security.* and system.* are not blocked by VFS; so that should be good for us. Best bet as you said would be system.* since security.* would look like some security-related attribute.
CHANGE: http://review.gluster.com/2890 (cleanup and fix xattr namespace flip) merged in master by Vijay Bellur (vijay)

This bug is still there in 3.3.0qa45

Vijaykumar, can you please check this on 3.4.0qaN releases?