We have a rebuild process for remote sites that allows us to PXE rebuild a till (actually a PC with a touch screen and various fancy bits) running CentOS. The current CentOS5 tills work just fine with a tar image restore and some personalisation. Sadly, CentOS7 introduces file capabilities on some critical stuff, such as ping, so on the original source till, getcap /usr/bin/ping gives us this:-
After a tar and restore, these are lost, so ordinary users cannot use ping, which is a shame because the till believes it cannot post the sales information to the central servers. The actual till software is proprietary, so we can't get into that to change it.
Does anyone know how to take a file and all its file capabilities so that it can be restored?
An alternative would be to use yum or rpm to either list the required capabilities before, or re-apply them after, the recovery, but I can't find a way to do either of these. At worst, I might have to use getcap in a massive loop to collect them all, then apply them manually after recovery, but I'd rather use the appropriate tools to do it properly.
Yes, we'd tried that without success. I hadn't considered the other file attributes options though. Sadly, it seems no better. A simple test just on CentOS7 gives me this:-
# tar -cvpzf - --xattrs --acl --selinux /usr/bin/ping | (cd /tmp;tar -xzvp --xattrs --acl --selinux -f -)
tar: Removing leading `/' from member names
/usr/bin/ping
usr/bin/ping
# getcap -v /usr/bin/ping /tmp/usr/bin/ping
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/tmp/usr/bin/ping
Am I doing something daft? At worst I've scanned all local files and collected the capabilities into a file that then is part of the tarball. On recovery I can apply them within my kickstart file. It's just more steps to worry about.
I have found that simply copying a file loses the capabilities; one has to use cp --preserve=xattr source target. Maybe I don't understand where these are stored. Maybe I don't need to know, just understand the rules I need to follow.
I know I can achieve it with rsync but I can't neatly use that when doing a PXE recovery and I'd have to get the files out to all the remote locations individually too, which would be a nightmare.
I will keep digging. Any other suggestions to explore very welcome.
Sorry for the delay, I've been in court for two weeks. Don't worry, it was only jury service.
Yes! This works wonderfully. I've trimmed it down, finding that the necessary part was just --xattrs-include='security.capability', so I can now prove it with:-
# tar -cvpzf - --xattrs-include='security.capability' /usr/bin/ping | ( cd /tmp && tar -xzvp --xattrs-include='security.capability' -f - )
tar: Removing leading `/' from member names
/usr/bin/ping
usr/bin/ping
# getcap /tmp/usr/bin/ping
/tmp/usr/bin/ping = cap_net_admin,cap_net_raw+p
This command now works perfectly and I can incorporate it into our kickstart-called recovery process with a minor adjustment to the procedure to build the image.
Fantastic.
One wonders why they create so many additional attributes for files and then the default doesn't recover them. I presume it is so that if you try to extract on a server where tar is not expecting them, you don't get horrible errors, but it is frustrating. Oh well :rolleyes:
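As an added illustration of where these capabilities actually live (not code from the thread): file capabilities are stored in the security.capability extended attribute, which is why plain cp and a default tar drop them. The script below reads that xattr and decodes the kernel's VFS_CAP_REVISION_2/3 layout (from linux/capability.h) into the getcap-style text used above; the PING_XATTR sample is a constructed value reproducing the cap_net_admin,cap_net_raw+p seen on the CentOS 7 ping.

```python
#!/usr/bin/env python3
"""Decode the security.capability xattr that stores Linux file capabilities."""
import os
import struct

# Capability names indexed by bit number, from linux/capability.h.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap "
    "linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock "
    "ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin "
    "sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease "
    "audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm "
    "block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001   # "all permitted caps are also effective"

def decode_vfs_cap(blob):
    """Return getcap-style text (e.g. 'cap_net_admin,cap_net_raw+p') for a raw xattr value."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    revision = magic & VFS_CAP_REVISION_MASK
    effective = bool(magic & VFS_CAP_FLAGS_EFFECTIVE)
    if revision == 0x02000000 and len(blob) == 20:          # rev 2: 2 x {permitted, inheritable}
        p0, i0, p1, i1 = struct.unpack_from("<4I", blob, 4)
    elif revision == 0x03000000 and len(blob) == 24:        # rev 3: as rev 2 plus a rootid
        p0, i0, p1, i1, _rootid = struct.unpack_from("<5I", blob, 4)
    else:
        raise ValueError("unsupported security.capability revision or length")
    permitted = p0 | (p1 << 32)
    inheritable = i0 | (i1 << 32)
    groups = {}                                              # flag string -> cap names
    for bit, name in enumerate(CAP_NAMES):
        flags = ""
        if effective and (permitted >> bit) & 1: flags += "e"
        if (permitted >> bit) & 1: flags += "p"
        if (inheritable >> bit) & 1: flags += "i"
        if flags:
            groups.setdefault(flags, []).append("cap_" + name)
    return " ".join(",".join(names) + "+" + flags for flags, names in groups.items())

def file_caps(path):
    """Read and decode the capability xattr of `path`; '' when the file carries none."""
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError:                                          # no xattr, no file, or unsupported fs
        return ""
    return decode_vfs_cap(blob)

# Constructed sample: what a CentOS 7 /usr/bin/ping carries (CAP_NET_ADMIN=12, CAP_NET_RAW=13, +p only).
PING_XATTR = struct.pack("<5I", 0x02000000, (1 << 12) | (1 << 13), 0, 0, 0)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or ["/usr/bin/ping"]:
        print(path, "=", file_caps(path) or "(no capabilities)")
```

Run it against the source file and the restored copy to confirm the xattr survived the tar round trip; an empty result on the copy means the attribute was dropped, exactly the failure shown in the first test above.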