Adam Rosenwald wrote:
With cobbler-1.3.4, I had added an acl group privilege:
* *cobbler aclsetup --addgroup=mygroup*
I executed the above command after ensuring the mounted ext3
filesystems involved were sane
* *mount -o remount,acl,user_xattr /var*
Now when I execute *cobbler reposync --only=test-64*, I receive the
following output
### BEGIN OUTPUT ###
[me@host ~]$ rsync -rltDv --delete --delete-excluded --exclude-from=/etc/cobbler/rsync.exclude /opt/repos/test/x86_64/ /var/www/cobbler/repo_mirror/test-64
building file list ... done
./
rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/.": Operation not permitted (1)
base/
rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/base": Operation not permitted (1)
repodata/
rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/repodata": Operation not permitted (1)
rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/.": Operation not permitted (1)
rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/base": Operation not permitted (1)
rsync: failed to set times on "/var/www/cobbler/repo_mirror/test-64/repodata": Operation not permitted (1)
### END OUTPUT ###
/var/www/cobbler/repo_mirror/* has owner:group=apache:apache. I tried
changing the group recursively to 'mygroup' with write permission. No
luck.
After scouring through numerous search results, I concluded that rsync
does not modify standard mtime stats using the normal system call; it
uses its own algorithm -- /*which ultimately requires changing
"ownership" of the repos*/.
This seems to defeat the purpose of using ACLs in conjunction w/ cobbler.
In order to write files without worrying about rsync time oddities, I
inserted *-O* *(--omit-dir-times)* into the "action_reposync.py" file:
I was previously using ACL setup to primarily manipulate cobbler system
objects, so this was probably not tested.
One simple solution is to use ACLs to manipulate cobbler but to run
cobbler reposync itself via sudoers and an intermediary script.
It seems --omit-dir-times /might/ adversely impact reposync's
performance on following syncs. We could just mention that reposync
does require running as root.
* 'cmd = "rsync -rltDvO %s --delete --delete-excluded --exclude-from=/etc/cobbler/rsync.exclude %s %s" % (spacer, repo.mirror, dest_path)'
The question remains, however, whether the rsync time synchronizations
are needed. If so, this patch will not work, and there will have to
be some workaround - e.g. setuid bit?
---
I would *love* to hear that this is a non-issue and someone sees right
through this logic.
---
But... we're not done yet. There's another 'acl gotcha' in
action_reposync.pl: *chown -R root:apache*.
I don't see how this can be done without setuid/setgid root or some
additional acl magic.
I definitely don't want to do that (it's too wide open to let anyone at
it), but giving certain users sudoers access to a script that calls
reposync might be fair.
### BEGIN OUTPUT ###
...
...
...
chmod: changing permissions of `/var/www/cobbler/repo_mirror/test-64/base/test-1.1-1.x86_64.rpm': Operation not permitted
chmod: changing permissions of `/var/www/cobbler/repo_mirror/test-64/base/a-1-2.noarch.rpm': Operation not permitted
...
...
...
### END OUTPUT ###
Any thoughts?
Thanks,
- A.
------------------------------------------------------------------------
_______________________________________________
cobbler mailing list
cobbler(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler