Re: [lustre-discuss] seclabel

2017-06-06 Thread Robin Humble
On Tue, May 23, 2017 at 08:08:54PM +, Dilger, Andreas wrote: >On May 19, 2017, at 08:47, Robin Humble wrote: >> On Wed, May 17, 2017 at 02:37:31PM +, Sebastien Buisson wrote: >>> Le 17 mai 2017 à 16:16, Robin Humble a écrit :

Re: [lustre-discuss] seclabel

2017-05-23 Thread Dilger, Andreas
On May 19, 2017, at 08:47, Robin Humble wrote: > > Hi Sebastien, > > On Wed, May 17, 2017 at 02:37:31PM +, Sebastien Buisson wrote: >> Le 17 mai 2017 à 16:16, Robin Humble a écrit : >>> I took a gander at the source and noticed that

Re: [lustre-discuss] seclabel

2017-05-19 Thread Sebastien Buisson
> Le 19 mai 2017 à 08:47, Robin Humble a écrit : > On Wed, May 17, 2017 at 02:37:31PM +, Sebastien Buisson wrote: >> >> Reading the discussion in the ticket, supporting xattr at the time of Lustre >> 1.8 and 2.0 was causing issues on MDS side in some

Re: [lustre-discuss] seclabel

2017-05-19 Thread Robin Humble
Hi Sebastien, On Wed, May 17, 2017 at 02:37:31PM +, Sebastien Buisson wrote: > Le 17 mai 2017 à 16:16, Robin Humble a écrit : >> I took a gander at the source and noticed that llite/xattr.c >> deliberately filters out 'security.capability' and returns 0/-ENODATA

Re: [lustre-discuss] seclabel

2017-05-17 Thread Sebastien Buisson
Hi Robin, b15587 refers to the old Lustre Bugzilla tracking tool: https://projectlava.xyratex.com/show_bug.cgi?id=15587 Reading the discussion in the ticket, supporting xattr at the time of Lustre 1.8 and 2.0 was causing issues on MDS side in some situations. So it was decided to discard

Re: [lustre-discuss] seclabel

2017-05-17 Thread Robin Humble
I setup a couple of VMs with 2.9 clients and servers (ldiskfs) and unfortunately setcap/getcap still are unhappy - same as with my previous 2.9 clients with 2.8 servers (ZFS). hmm. I took a gander at the source and noticed that llite/xattr.c deliberately filters out 'security.capability' and

Re: [lustre-discuss] seclabel

2017-05-16 Thread Robin Humble
Hi Eli et al, >> Le 15 mai 2017 à 14:39, E.S. Rosenberg a écrit : >> Hi Robin, >> Did you ever solve this? >> We are considering trying root-on-lustre but that would be a deal-breaker. no. instead I started down the track of layering overlayfs on top of lustre. tmpfs

Re: [lustre-discuss] seclabel

2017-05-16 Thread E.S. Rosenberg
I hope to move us to 2.9 in the very near future, currently 2.8 On Tue, May 16, 2017 at 11:17 AM, Sebastien Buisson wrote: > From Lustre 2.8, we have basic support of SELinux on Lustre client side. > It means Lustre stores the security context of files in extended >

Re: [lustre-discuss] seclabel

2017-05-16 Thread Sebastien Buisson
From Lustre 2.8, we have basic support of SELinux on Lustre client side. It means Lustre stores the security context of files in extended attributes. In this way Lustre supports seclabel. In Lustre 2.9, an additional enhancement for SELinux support was landed. Which version are you using?

Re: [lustre-discuss] seclabel

2017-05-15 Thread E.S. Rosenberg
Hi Robin, Did you ever solve this? We are considering trying root-on-lustre but that would be a deal-breaker. Thanks, Eli On Sat, Mar 4, 2017 at 9:38 AM, Dilger, Andreas wrote: > On Mar 2, 2017, at 05:55, Robin Humble > wrote: > > > >

Re: [lustre-discuss] seclabel

2017-03-03 Thread Dilger, Andreas
On Mar 2, 2017, at 05:55, Robin Humble wrote: > > Hiya, > > I'm updating an image for a root-on-lustre cluster from centos6 to 7 > and I've hit a little snag. I can't seem to mount lustre so that it > understands seclabel. ie. setcap/getcap don't work. the upshot is

[lustre-discuss] seclabel

2017-03-02 Thread Robin Humble
Hiya, I'm updating an image for a root-on-lustre cluster from centos6 to 7 and I've hit a little snag. I can't seem to mount lustre so that it understands seclabel. ie. setcap/getcap don't work. the upshot is that root can use ping (and a few other tools), but users can't. any idea what I'm