With cobbler-1.3.4, I had added an acl group privilege:
* *cobbler aclsetup --addgroup=mygroup*
I executed the above command after ensuring the mounted ext3 filesystems
involved were sane
* *mount -o remount,acl,user_xattr /var*
Now when I execute *cobbler reposync --only=test-64*, I receive the
following output
### BEGIN OUTPUT ###
[me@host ~]$ rsync -rltDv --delete --delete-excluded --exclude-from=/etc/cobbler/rsync.exclude /opt/repos/test/x86_64/ /var/www/cobbler/repo_mirror/test-64
building file list ... done
./
rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/.": Operation not permitted (1)
base/
rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/base": Operation not permitted (1)
repodata/
rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/repodata": Operation not permitted (1)
rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/.": Operation not permitted (1)
rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/base": Operation not permitted (1)
rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/repodata": Operation not permitted (1)
### END OUTPUT ###
/var/www/cobbler/repo_mirror/* has owner:group=apache:apache. I tried
changing the group recursively to 'mygroup' with write permission. No luck.
After scouring through numerous search results, I concluded that rsync
does not modify standard mtime stats using the normal system call; it
uses its own algorithm -- /*which ultimately requires changing
"ownership" of the repos*/.
This seems to defeat the purpose of using ACLs in conjunction w/ cobbler.
In order to write files without worrying about rsync time oddities, I
inserted *-O* *(--omit-dir-times)* into the "action_reposync.py" file:
* 'cmd = "rsync -rltDvO %s --delete --delete-excluded --exclude-from=/etc/cobbler/rsync.exclude %s %s" % (spacer, repo.mirror, dest_path)'
The question remains, however, whether the rsync time synchronizations
are needed. If so, this patch will not work, and there will have to be
some workaround - e.g. setuid bit?
---
I would *love* to hear that this is a non-issue and someone sees right
through this logic.
---
But... we're not done yet. There's another 'acl gotcha' in
action_reposync.py: *chown -R root:apache*.
I don't see how this can be done without setuid/setgid root or some
additional acl magic.
### BEGIN OUTPUT ###
...
...
...
chmod: changing permissions of `/var/www/cobbler/repo_mirror/test-64/base/test-1.1-1.x86_64.rpm': Operation not permitted
chmod: changing permissions of `/var/www/cobbler/repo_mirror/test-64/base/a-1-2.noarch.rpm': Operation not permitted
...
...
...
### END OUTPUT ###
Any thoughts?
Thanks,
- A.
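
On Linux, setting explicit timestamps (which rsync's -t does) and chmod both require the caller's effective UID to own the file or to be root; a POSIX ACL that grants write access does not change that check. The Python sketch below is an added example, not part of the original post or of cobbler: it lists the entries of a mirror tree that the calling user does not own, and builds the rsync argument list with -O. The function names are hypothetical, and the `spacer` argument from the post's command is left out.

```python
import os
import tempfile


def unowned_entries(root, euid=None):
    """Return (dirs, files) under root that euid does not own.

    For a non-root caller these are the entries where utimes() with explicit
    times, chmod and chown fail with EPERM, whatever the ACL grants.
    """
    if euid is None:
        euid = os.geteuid()
    if euid == 0:
        return [], []  # root bypasses the ownership check
    dirs, files = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.lstat(dirpath).st_uid != euid:
            dirs.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_uid != euid:
                files.append(path)
    return sorted(dirs), sorted(files)


def reposync_argv(mirror, dest, omit_dir_times=True):
    """Build the rsync call as an argument list (no shell string).

    -O (--omit-dir-times) only skips directory timestamps; it does not help
    with chmod/chown on entries the caller does not own.
    """
    flags = "-rltDv" + ("O" if omit_dir_times else "")
    return ["rsync", flags, "--delete", "--delete-excluded",
            "--exclude-from=/etc/cobbler/rsync.exclude", mirror, dest]


if __name__ == "__main__":
    # Constructed sample tree standing in for repo_mirror/test-64.
    with tempfile.TemporaryDirectory() as tree:
        os.makedirs(os.path.join(tree, "base"))
        open(os.path.join(tree, "base", "a-1-2.noarch.rpm"), "w").close()
        # Pretend to be a different, non-root user than the tree's owner.
        other = os.geteuid() + 12345
        dirs, files = unowned_entries(tree, euid=other)
        print("directories where set-times/chmod would fail:", dirs)
        print("files where set-times/chmod would fail:", files)
        print(" ".join(reposync_argv("/opt/repos/test/x86_64/", tree)))
```

Run against the real mirror path as the user who invokes reposync; any entry it reports still needs an ownership change by root or by the owning account before chmod or chown on it can succeed.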