FAI 5.0.3 Debian jessie: ftar ACL bug?

Alexander Bugl alexander.bugl at mpimet.mpg.de
Tue May 10 20:16:24 CEST 2016


some time ago we started with a jessie FAI server with jessie included FAI 
packages. Later we added the fai-project.org repository and rebuilt the 
NFSROOT. Currently we use:
Package: fai-server                      
Version: 5.0.3

We had to update our config space to the new version and are mostly done, but 
one problem still is open:

When installing a client we saw a problem with systemd complaining about sssd 
(System Security Services Daemon), there were missing rights in 

After some investigation we saw that there has been set a default ACL on 
_every_ directory in the installed clients -- removing this default ACL 
(setfacl -k) made sssd working again.

We did not really find why there are ACLs set -- they are created during the 
run of task_extrbase() from the file /srv/fai/nfsroot/usr/lib/fai/subroutines.

In this function there is a call to ftar, and it looks like ftar became a new 
feature -- the use of xattrs.

So if we patch the ftar in the NFSROOT to explicitly _not_ use ACLs, 
everything is working again:

# diff /srv/fai/nfsroot/usr/sbin/ftar /srv/fai/nfsroot/usr/sbin/ftar.defect
<     xattrs="--xattrs --xattrs-include=*.* --selinux --no-acls"
>     xattrs="--xattrs --xattrs-include=*.* --selinux --acl"

Is this a bug in ftar, is this a feature we need but which needs some 
adaptation in our config space (or in /etc/fai?), is this a problem in 
creating the bast.tar.xz, or has someone else a good idea how to proceed?

Our current solution would be to patch the ftar in the NFSROOT through a hook 
in /etc/fai/nfsroot-hooks/, but that seems not the best possible solution ...

With regards, Alex

Alexander Bugl,        Central IT Services
Max  Planck  Institute   for   Meteorology
Bundesstrasse 53, D-20146 Hamburg, Germany
tel +49-40-41173-351, fax -298, room d0010

More information about the linux-fai mailing list