NFS and xattrs

Message

Ant P. · Post by **Ant P.** » Fri Dec 18, 2020 10:52 am

Recently I found out kernel 5.9 added xattr support, which surprised me at first because it seems like too basic a feature to possibly be adding this late.

For a while now I've been updating my weaker systems by mounting their rootfs over NFS and treating it like a regular stage3 chroot env. For the most part this has worked fine. But after learning the above I went to check up on a suspicion, and it turns out everywhere I'd been using USE=filecaps I was actually getting fallback setuid-root binaries installed instead. A few things had been running as root that shouldn't have, and a bunch of data files needed their ownership fixing. That isn't a great silent failure mode to find months after the fact but whatever.

My question is: how do I get xattr support to *work*?
I've got a bare v4 setup right now, everything is on kernel 5.9.x, `findmnt` says vers=4.2 is in use, but I seem to be missing a piece because something like `getcap /bin/ping` within the nfs mounts currently returns an "Operation not supported" error. I have nfs-utils installed with USE=nfsv41 and its manpages don't seem to have caught up yet, as it doesn't mention extended attributes at all.

I'm aware I'm wading into rough territory here so maybe it just doesn't work in Gentoo yet.

----

A month later on kernel 5.10 I'm still no closer to getting this working. I'm going to leave some sample emerge output here in the hopes it shows up better in search:

Code: Select all

 * Messages for package net-misc/iputils-20200821-r2:

 * Could not set caps on '/bin/ping' due to missing filesystem support:
 * * enable XATTR support for 'nfs' in your kernel (if configurable)
 * * mount the fs with the user_xattr option (if not the default)
 * * enable the relevant FS_SECURITY option (if configurable)
 * Could not set caps on '/bin/arping' due to missing filesystem support:
 * * enable XATTR support for 'nfs' in your kernel (if configurable)
 * * mount the fs with the user_xattr option (if not the default)
 * * enable the relevant FS_SECURITY option (if configurable)

(none of the three mentioned options apply)

dinominant · Post by **dinominant** » Sun Jan 30, 2022 10:07 am

All that is needed is a recent kernel on both the server and client, then mount with version 4.2 or newer, which is done automatically if both server and client support nfs 4.2. The extended attributes will be enabled automatically. I have kernel version 5.15.16 on both my server and client, nfs-utils-2.5.4-r3, and it is working for me:

NFS Server /etc/exports

Code: Select all

/  192.168.0.42(rw,subtree_check,no_root_squash)

NFS Client /etc/fstab

Code: Select all

192.168.0.42:/  /mnt/slowpc  nfs  noatime,nodiratime,noauto,hard,rsize=1048576,wsize=1048576,timeo=60,retrans=60  0 0

NFS Client

Code: Select all

# mount | grep /mnt/slowpc
192.168.0.42:/ on /mnt/slowpc type nfs4 (rw,noatime,nodiratime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=60,retrans=60,sec=sys,local_lock=none)
# cd /mnt/slowpc/tmp
# touch file
# printf bar | attr -s foo file
Attribute "foo" set to a 3 byte value for file:
bar
# attr -l file
Attribute "foo" has a 3 byte value for file

NFS Server

Code: Select all

# attr -l /tmp/file
Attribute "foo" has a 3 byte value for /tmp/file

At https://lwn.net/Articles/799185/ it is mentioned that the new mount option user_xattr is required. However the current nfs utilities do not support that option. Fortunately user_xattr is enabled automatically when possible.

Code: Select all

# mount /mnt/test
mount.nfs: an incorrect mount option was specified
# tail -n 1 /var/log/messages 
Jan 30 02:51:08 utl01 kernel: nfs: Unknown parameter 'user_xattr'