-
Notifications
You must be signed in to change notification settings - Fork 258
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SD plugin scsicrypto check, set, unset cap_sys_rawio capabilities #1057
SD plugin scsicrypto check, set, unset cap_sys_rawio capabilities #1057
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see some minor and easy-to-fix issues with the shell code.
However, this does not (yet) fix the upgrade-problem our users are facing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As @arogge pointed out, you should a warning to the documentation, that the capabilities are removed by a package update.
So I read this section correctly, that I do not require the capability, if I run the b*-tools as root? Will it cause problems to run these commands as root?
docs/manuals/source/TasksAndConcepts/Plugins/StorageDaemonPlugins/ScsicryptoSd.rst.inc
Outdated
Show resolved
Hide resolved
docs/manuals/source/TasksAndConcepts/Plugins/StorageDaemonPlugins/ScsicryptoSd.rst.inc
Outdated
Show resolved
Hide resolved
docs/manuals/source/TasksAndConcepts/Plugins/StorageDaemonPlugins/ScsicryptoSd.rst.inc
Outdated
Show resolved
Hide resolved
docs/manuals/source/TasksAndConcepts/Plugins/StorageDaemonPlugins/ScsicryptoSd.rst.inc
Show resolved
Hide resolved
We will find a way to handle this the best as we can. Let discuss this today and choose a solution.
|
c88a980
to
c0fc097
Compare
docs/manuals/source/TasksAndConcepts/Plugins/StorageDaemonPlugins/ScsicryptoSd.rst.inc
Outdated
Show resolved
Hide resolved
2146608
to
0ff303b
Compare
docs/manuals/source/TasksAndConcepts/Plugins/StorageDaemonPlugins/ScsicryptoSd.rst.inc
Outdated
Show resolved
Hide resolved
docs/manuals/source/TasksAndConcepts/Plugins/StorageDaemonPlugins/ScsicryptoSd.rst.inc
Outdated
Show resolved
Hide resolved
63a1ace
to
4073ff8
Compare
Final comment, after having tested in RHEL 8, openSUSE 15.3, Debian 11, I just fixed some typos errors in warn function and also mistyped the config file name in post macro. Now I'm confident everything looks ok. |
The code looks good. However, as the implementation escalated quite a bit (from documentation-only to scripts and packaging changeS) the PR title and description don't reflect the changes anymore. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was some nitpicking left for me to do.
But other than a few text suggestions this looks great!
PR title and description need to be updated though.
docs/manuals/source/TasksAndConcepts/Plugins/StorageDaemonPlugins/ScsicryptoSd.rst.inc
Outdated
Show resolved
Hide resolved
docs/manuals/source/TasksAndConcepts/Plugins/StorageDaemonPlugins/ScsicryptoSd.rst.inc
Outdated
Show resolved
Hide resolved
docs/manuals/source/TasksAndConcepts/Plugins/StorageDaemonPlugins/ScsicryptoSd.rst.inc
Outdated
Show resolved
Hide resolved
29274fb
to
0272788
Compare
- Remove CapabilityBoundingSet. SD daemon is not running as root. We don't use nor recommend the AmbientCapabilities due to the lack of systemd support for limited rights (+ep) Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com>
- check_scsicrypto_capabilities() - set_scsicrypto_capabilities() - unset_scsicrypto_capabilities() Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com>
- Add instruction for systemd AmbientCapabilities - Add instructions for shell mode - Add instructions for bareos-config.sh helper usage Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com>
Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com>
- Use lowercase variables, none used are going to env - Use a safe list of binaries names, double quote any var used - Return error earlier in function for non Linux operating system - Improve test return of commands Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com>
…ins/ScsicryptoSd.rst.inc Co-authored-by: Jörg Steffens <joergsteffens@users.noreply.github.com>
…ins/ScsicryptoSd.rst.inc Co-authored-by: Jörg Steffens <joergsteffens@users.noreply.github.com>
Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com>
- Order alphabetically binaries list. - Add missing bcopy and bextract. - Fix paragraph remove capabilities. - Add warning about binary update loosing capabilities. - Set a config file ${BAREOS_CONFIG_DIR}/.enable_capabilities to be used with pre/post packaging. - Add chmod 0750 to binaries with capabilities to restrict their usage. Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com>
- Explain how to use helper function - Add note about the support in packages updates Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com>
- doc: better formulate capabilities introduction and systemd part Reorder helper set/unset/check presentation - helper: reorder actions to chgrp, chmod, setcap Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com>
- Add cfg to code-block - Add :file: tag Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com>
- Rename config file to explicitly show which capabilities is setup - Add :file: tag in documentation for config file Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com>
- Add function scsicrypto for postinstall in spec and debian. - Add new debian/*.postinst files in .gitignore. - Add instruction in documentation to have scscicrypto enabled at package install time by creating manually the file /etc/bareos/.enable-cap_sys_rawio file. - Move manual setup before not recommended systemd paragraph in documentation. - Dont fail function unset if setcap -r failed due to capabilities not set. Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com>
Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com>
Co-authored-by: Andreas Rogge <andreas.rogge@bareos.com> Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com>
Signed-off-by: Bruno Friedmann <bruno.friedmann@bareos.com>
0272788
to
550652f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work! Thank you!
Please check
If you have any questions or problems, please give a comment in the PR.
Helpful documentation and best practices
Checklist for the reviewer of the PR (will be processed by the Bareos team)
General
Source code quality
bareos-check-sources --since-merge
does not report any problemsgit status
should not report modifications in the source tree after building and testing