FAI 5.0.3 Debian jessie: ftar ACL bug?

Alexander Bugl alexander.bugl at mpimet.mpg.de
Wed May 11 17:35:25 CEST 2016

Hi Thomas!

Thanks for your reply, that helped me understand the situation better:

> > After some investigation we saw that there has been set a default ACL on
> > _every_ directory in the installed clients -- removing this default ACL
> > (setfacl -k) made sssd work again.
> Mmmm, can you please check if this is a tar bug? Maybe it's related to
> https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1386237

The above cited bug report showed the strange behavior of tar:

When packing the base.tar.xz in /usr/sbin/fai-make-nfsroot tar is called 
in create_base() like this:
     tar --one-file-system -C $NFSROOT -cf $NFSROOT/var/tmp/base.tar \
         --exclude etc/machine-id --exclude var/tmp/base.tar \
         --exclude 'var/lib/apt/lists/*_*' .

So there is no option --xattrs or --acl used.

When the base.tar.xz is extracted FAI uses /usr/sbin/ftar, and there it 
is tested if tar supports --xattrs (which the jessie version does):

     # check if tar has xattrs support
     tar --xattrs -cf /dev/null /dev/null 2>/dev/null 1>/dev/null
     if [ $? -eq 0 ]; then
          xattrs="--xattrs --xattrs-include=*.* --selinux --acl"
     fi

So we have the case that --xattrs and --acl are used when extracting.

And the bug report for tar in 
https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1386237 says: "The 
one that caught us there was that extracting a tar file with '--acl' 
that was created without '--acl' results in default acl being set on the 
top level extracted directory."

This is exactly what we noticed as our problem.

The example output in https://launchpadlibrarian.net/188428776/out shows 
the case:

=== extract-with/src-without/no-defaults ===
  == getfacl extract-with/src-without/no-defaults ==
  # file: extract-with/src-without/no-defaults
  # owner: root
  # group: root

  == ls -l extract-with/src-without/no-defaults ==
  total 0
  -rw-r--r-- 1 root root 0 Oct 27 10:56 foo
  == ls -ld extract-with/src-without/no-defaults ==
  drwxr-xr-x+ 2 root root 4096 Oct 27 10:56 

> I would be happy if you could suggest a solution that works for
> (hopefully) everybody.

If I follow the discussion in 
https://bugzilla.redhat.com/show_bug.cgi?id=771927 it looks like there 
might not be a solution to make everybody happy. :-(
If I create the base.tar.xz on the same machine and file system as I 
extract it, the best option would be to use the same options for tar 
when creating and extracting, e.g. in both cases --xattrs and --acl or 
none of them.

But what if different FS are used (one without the possibility to use 
ACLs)? Or even different machines?

For me the solution would be to stop using ACLs/CAPs/EAs at all.

With regards, Alex

Alexander Bugl,        Central IT Services
Max  Planck  Institute   for   Meteorology
Bundesstrasse 53, D-20146 Hamburg, Germany
tel +49-40-41173-351, fax -356, room d0014
