Bug 1430891

Summary: rpm and yum fail on nfs-root: error: unpacking of archive failed: cpio: cap_set_file
Product: Red Hat Enterprise Linux 7
Component: rpm
Version: 7.3
Status: CLOSED WONTFIX
Severity: high
Priority: medium
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Keywords: Triaged
Reporter: Konstantin Olchanski <olchansk>
Assignee: Packaging Maintenance Team <packaging-team-maint>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: chip.schweiss, dmach, ffesti, packaging-team-maint, pmoravco, sascha.klein
Type: Bug
Last Closed: 2019-07-18 12:02:22 UTC
Bug Blocks: 1630909

Description Konstantin Olchanski 2017-03-09 19:18:54 UTC
All agree that NFS-Root is an important use-case for Red Hat Linux. Currently it is broken due to a bad interaction between package creators, rpm error handling and the lack of NFS xattr support.

rpm and yum fail to install or update packages if the root filesystem is NFS-mounted (NFS-root):

[root@lxdaq23 ~]# yum update iputils
...
Error unpacking rpm package iputils-20160308-8.el7.x86_64
error: unpacking of archive failed on file /usr/bin/ping;58c1a09b: cpio: cap_set_file
...

[root@lxdaq23 ~]# rpm -vh --upgrade --force iputils-20160308-8.el7.x86_64.rpm 
Preparing...                          ################################# [100%]
Updating / installing...
   1:iputils-20160308-8.el7           ################################# [ 50%]
error: unpacking of archive failed on file /usr/bin/ping;58c1a725: cpio: cap_set_file failed - Operation not supported
error: iputils-20160308-8.el7.x86_64: install failed
error: iputils-20121221-7.el7.x86_64: erase skipped
[root@lxdaq23 ~]# rpm -q iputils
iputils-20121221-7.el7.x86_64

The ultimate culprit seems to be lack of support for security.capability in NFSv3 and NFSv4 (getfattr -n security.capability /usr/bin/ping: /usr/bin/ping: security.capability: Operation not supported).

But if packagers of iputils (and httpd, etc.) desire to use this feature, rpm and yum should have a switch to force package update even if it is not present (similar to --force). People who use NFS-Root can be presumed to know how to deal with any fallout.

K.O.

Comment 2 Konstantin Olchanski 2017-03-09 19:38:14 UTC
[root@lxdaq23 ~]# rpm -q rpm yum
rpm-4.11.3-21.el7.x86_64
yum-3.4.3-150.el7.centos.noarch
[root@lxdaq23 ~]# uname -a
Linux lxdaq23.triumf.ca 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

K.O.

Comment 3 Pavlina Moravcova Varekova 2018-07-24 08:42:26 UTC
rpm >= 4.14.0 has a --nocaps option. It makes it possible to work around the trouble of installing packages that use file capabilities in user namespaces.
The patch from 4.14.0
https://github.com/rpm-software-management/rpm/commit/0216aaec69feb0bb619dbc59ed77db6de3902b0c
can be manually backported to RHEL 7.
This solution is not perfect (see the commit message of the patch and Bug 648654), but it helps.

Comment 4 Konstantin Olchanski 2018-07-24 17:00:05 UTC
Thank you for this information. For now I use "yum versionlock" on the offending packages to make "yum update" do its thing. I guess now I can build my own magical copy of "rpm" for a better solution. Still amazed that NFS-Root has been broken and not fixed, for how long now? K.O.
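
Added example, not part of the original report or its comments: a preflight for an NFS-root host that lists the installed files carrying capabilities, which are the ones whose unpacking ends in cap_set_file and the candidates for the "yum versionlock" workaround mentioned above. The function names are hypothetical, and the capability string shown in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example: find installed packages that ship files with capabilities
# on a host whose root filesystem is NFS.

# caps_packages: read "name<TAB>path<TAB>caps" records on stdin and print
# "name path caps" for each file that carries a capability string.
# Files without capabilities show up with an empty or "(none)" third
# field; both are skipped.
# Constructed sample record:
#   iputils<TAB>/usr/bin/ping<TAB>cap_net_admin,cap_net_raw+p
caps_packages() {
    awk -F '\t' '$3 != "" && $3 != "(none)" { print $1, $2, $3 }'
}

# fs_is_nfs: succeed when the filesystem type in $1 is NFSv3 or NFSv4.
fs_is_nfs() {
    case "$1" in
        nfs|nfs4) return 0 ;;
        *)        return 1 ;;
    esac
}

# root_fstype: print the type of the filesystem mounted on /.
# The last matching /proc/mounts entry wins, because an early "rootfs"
# line can precede the real root mount.
root_fstype() {
    awk '$2 == "/" { t = $3 } END { print t }' /proc/mounts
}

# Query the rpm database only when rpm exists and / is on NFS.
# %{=NAME} repeats the package name for every file in the iteration;
# %{FILECAPS} is the per-file capability string.
if command -v rpm >/dev/null 2>&1 && fs_is_nfs "$(root_fstype)"; then
    echo "Root is on NFS; files that need security.capability:"
    rpm -qa --qf '[%{=NAME}\t%{FILENAMES}\t%{FILECAPS}\n]' | caps_packages
fi
```

The first column of the output is the package name to pass to "yum versionlock"; the same pipeline run with "rpm -qp" on a downloaded .rpm shows whether an update will hit the failure before it is applied.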

Comment 8 Daniel Mach 2019-07-18 12:02:22 UTC
This bug is not planned to be addressed during Red Hat Enterprise Linux 7 life-cycle.
Please contact Red Hat support if you wish to have it reconsidered.