#1175 Issue `closed`: tar in ReaR didn't recover ACL and capabilities attributes of files¶

Labels: enhancement, documentation, fixed / solved / done, not ReaR / invalid

gdha opened issue at 2017-01-19 10:27:¶

rear version (/usr/sbin/rear -V): 1.17.2
OS version (cat /etc/rear/os.conf or lsb_release -a): RHEL 7.2
rear configuration files (cat /etc/rear/site.conf or cat /etc/rear/local.conf):

OUTPUT=ISO
OUTPUT_URL=nfs://xxx.xxx.xxx.xxx/sswp_appshr/backup
BACKUP=NETFS
BACKUP_URL=nfs://xxx.xxx.xxx.xxx/sswp_appshr/backup
BACKUP_PROG=tar
BACKUP_PROG_OPTIONS="--anchored --acls --xattrs"
BACKUP_TYPE=incremental
FULLBACKUPDAY="Mon"
BACKUP_PROG_EXCLUDE=("${BACKUP_PROG_EXCLUDE[@]}" '/media' '/var/tmp' '/var/crash' '/var/mqm' '/applog' '/oraclient' '/appsw' '/infsw' '/infha4' '/appcore' '/appbin' '/appwrk' '/inftmp' '/appshr' '/applog')

Are you using legacy BIOS of UEFI boot? BIOS
Brief description of the issue:
Although applying the following backup options so that ACL could be backed up and recovered
for the certain files when backing filesystem up, ACL could not be applied after recovering.

gdha commented at 2017-01-19 10:28:¶

Description of problem:
Although applying the following backup options so that ACL could be backed up and recovered
for the certain files when backing filesystem up, ACL could not be applied after recovering.
Version-Release number of selected component (if applicable):
RHEL 7.2
rear-1.17.2-1.el7.noarch
How reproducible:
Always
Steps to Reproduce:
Created VM
Installed RHEL 7.2
Configured local repository after mount ISO installation image.
Install rear package
$ yum install rear
Configure /etc/reare/local.conf

OUTPUT=ISO
OUTPUT_URL=nfs://xxx.xxx.xxx.xxx/sswp_appshr/backup
BACKUP=NETFS
BACKUP_URL=nfs://xxx.xxx.xxx.xxx/sswp_appshr/backup
BACKUP_PROG=tar
BACKUP_PROG_OPTIONS="--anchored --acls --xattrs"
BACKUP_TYPE=incremental
FULLBACKUPDAY="Mon"
BACKUP_PROG_EXCLUDE=("${BACKUP_PROG_EXCLUDE[@]}" '/media' '/var/tmp' '/var/crash' '/var/mqm' '/applog' '/oraclient' '/appsw' '/infsw' '/infha4' '/appcore' '/appbin' '/appwrk' '/inftmp' '/appshr' '/applog')

Run the following command.
@ setfacl -m u::r /var/log/messages
Create backup
$ rear -d -D mkbackup
Confirm if backup is created.
We confirmed if backup data and ISO image are created in local /backup directory and backup directory in NFS Server.
Perform recovery with rear ISO created.
Recover from rear ISO and the reboot.
Confirm if ACL is properly applied with the following command.
$ getfacl /var/log/messages
You could see that ACL before backup is not applied.
Actual results:
ACL changed is not applied after recovery via rear ISO.
Expected results:
ACL changed should be applied after recovery via rear ISO.
Additional info:
Here are the configuration and log file that we'd seen

/etc/rear/local.conf

OUTPUT=ISO
OUTPUT_URL=nfs://xxx.xxx.xxx.xxx/sswp_appshr/backup
BACKUP=NETFS
BACKUP_URL=nfs://xxx.xxx.xxx.xxx/sswp_appshr/backup
BACKUP_PROG=tar
BACKUP_PROG_OPTIONS="--anchored --acls --xattrs"
BACKUP_TYPE=incremental
FULLBACKUPDAY="Mon"
BACKUP_PROG_EXCLUDE=("${BACKUP_PROG_EXCLUDE[@]}" '/media' '/var/tmp' '/var/crash' '/var/mqm' '/applog' '/oraclient' '/appsw' '/infsw' '/infha4' '/appcore' '/appbin' '/appwrk' '/inftmp' '/appshr' '/applog')

We see the following "Warning" messages when checking log files regarding recover.

Warning: Cannot acl_from_text


2016-11-10 08:58:21 Including restore/NETFS/default/38_prepare_multiple_isos.sh
2016-11-10 08:58:21 Including restore/NETFS/default/40_restore_backup.sh
2016-11-10 08:58:21 Decrypting disabled
2016-11-10 08:58:21 Restoring tar archive '/tmp/rear.yRb6VE9IiDq3wUW/outputfs/skt-sswpbt04/2016-11-10-1743-I.tar.gz'
2016-11-10 08:58:21 dd if=/tmp/rear.yRb6VE9IiDq3wUW/outputfs/skt-sswpbt04/2016-11-10-1736-F.tar.gz | cat | tar --block-number --totals --verbose --anchored --acls --xattrs --gzip -C /mnt/local/ -x -f -
tar: var/log/messages: Warning: Cannot acl_from_text
10003278+1 records in
10003278+1 records out
5121678690 bytes (5.1 GB) copied, 65.728 s, 77.9 MB/s
Total bytes read: 11235604480 (11GiB, 164MiB/s)
2016-11-10 08:59:31 dd if=/tmp/rear.yRb6VE9IiDq3wUW/outputfs/skt-sswpbt04/2016-11-10-1743-I.tar.gz | cat | tar --block-number --totals --verbose --anchored --acls --xattrs --gzip -C /mnt/local/ -x -f -
tar: var/log/messages: Warning: Cannot acl_from_text
10003847+1 records in
10003847+1 records out
5121969805 bytes (5.1 GB) copied, 92.0977 s, 55.6 MB/s

We see this issue when checking if ACL is properly applied or not at the filesystem recovered as running "rear recover" after entering Recovery menu since booting with "Rear ISO" media.
Initial logged as RHBZ# https://bugzilla.redhat.com/show_bug.cgi?id=1398082

andral commented at 2017-01-26 15:24:¶

I think we are having the same issue, although not with ACLs but with the sticky bit not being recovered.
We discovered this when running ping as a non-root user after a otherwise successful restore.

 $ ping ntp
ping: icmp open socket: Operation not permitted

Further inspection showed that other files are also affected.

Before restore:

 $ sudo ls -al /usr/bin/a*
-rwxr-xr-x  1 root root 107824 Jul  7  2015 /usr/bin/a2p
-rwxr-xr-x  1 root root   1661 Jul  2  2015 /usr/bin/abs2rel
-rwxr-xr-x  1 root root  29032 Oct 13  2015 /usr/bin/addr2line
-rwxr-xr-x  1 root root  66928 Jul  3  2014 /usr/bin/afio
-rwxr-xr-x  1 root root  19616 Mar 18  2016 /usr/bin/agentxtrap
-rwxr-xr-x  1 root root     29 Jul 12  2016 /usr/bin/alias
-rwxr-xr-x  1 root root   2668 Jan 26  2014 /usr/bin/amuFormat.sh
lrwxrwxrwx. 1 root root      6 Sep  7  2015 /usr/bin/apropos -> whatis
-rwxr-xr-x  1 root root  62576 Oct 13  2015 /usr/bin/ar
-rwxr-xr-x  1 root root  33048 Nov 25  2015 /usr/bin/arch
-rwxr-xr-x  1 root root 365208 Oct 13  2015 /usr/bin/as
-rwxr-xr-x. 1 root root  28800 Sep 16  2014 /usr/bin/aserver
-rwsr-xr-x  1 root root  52944 Jun 22  2015 /usr/bin/at
lrwxrwxrwx  1 root root      2 Apr 18  2016 /usr/bin/atq -> at
lrwxrwxrwx  1 root root      2 Apr 18  2016 /usr/bin/atrm -> at
-rwxr-xr-x  1 root root  11416 Jan 29  2014 /usr/bin/attr
-rwxr-xr-x. 1 root root  19872 Jan 14  2015 /usr/bin/aulast
-rwxr-xr-x. 1 root root  11544 Jan 14  2015 /usr/bin/aulastlog
-rwxr-xr-x. 1 root root  11360 Jan 14  2015 /usr/bin/ausyscall
-rwxr-xr-x. 1 root root  32672 Jan 14  2015 /usr/bin/auvirt
lrwxrwxrwx. 1 root root      4 Sep  7  2015 /usr/bin/awk -> gawk

After restore:

 $ sudo ls -al /usr/bin/a*
-rwxr-xr-x 1 root root 107824 Jul  7  2015 /usr/bin/a2p
-rwxr-xr-x 1 root root   1661 Jul  2  2015 /usr/bin/abs2rel
-rwxr-xr-x 1 root root  29032 Oct 13  2015 /usr/bin/addr2line
-rwxr-xr-x 1 root root  66928 Jul  3  2014 /usr/bin/afio
-rwxr-xr-x 1 root root  19616 Mar 18  2016 /usr/bin/agentxtrap
-rwxr-xr-x 1 root root     29 Jul 12  2016 /usr/bin/alias
-rwxr-xr-x 1 root root   2668 Jan 26  2014 /usr/bin/amuFormat.sh
lrwxrwxrwx 1 root root      6 Sep  4  2015 /usr/bin/apropos -> whatis
-rwxr-xr-x 1 root root  62576 Oct 13  2015 /usr/bin/ar
-rwxr-xr-x 1 root root  33048 Nov 25  2015 /usr/bin/arch
-rwxr-xr-x 1 root root 365208 Oct 13  2015 /usr/bin/as
-rwxr-xr-x 1 root root  28800 Sep 16  2014 /usr/bin/aserver
-rwsr-xr-x 1 root root  52944 Jun 22  2015 /usr/bin/at
lrwxrwxrwx 1 root root      2 Apr 18  2016 /usr/bin/atq -> at
lrwxrwxrwx 1 root root      2 Apr 18  2016 /usr/bin/atrm -> at
-rwxr-xr-x 1 root root  11416 Jan 29  2014 /usr/bin/attr
-rwxr-xr-x 1 root root  19872 Jan 14  2015 /usr/bin/aulast
-rwxr-xr-x 1 root root  11544 Jan 14  2015 /usr/bin/aulastlog
-rwxr-xr-x 1 root root  11360 Jan 14  2015 /usr/bin/ausyscall
-rwxr-xr-x 1 root root  32672 Jan 14  2015 /usr/bin/auvirt
lrwxrwxrwx 1 root root      4 Sep  4  2015 /usr/bin/awk -> gawk

But rpm only complains about these files, which have 'capabilities' changed.

 $ sudo rpm -Va
[snip]
........P    /usr/bin/ping
........P    /usr/bin/ping6
........P    /usr/sbin/arping
........P    /usr/sbin/clockdiff
[snip]

Versions:

 $ lsb_release -d
Description:    Red Hat Enterprise Linux Server release 7.2 (Maipo)
 $ rear -V
Relax-and-Recover 1.18 / Git

Rear config:

OUTPUT=ISO
BACKUP_URL=nfs://xxx/rear
BACKUP=NETFS

A reinstall of the iputils package fixes the issue.
Does anyone have an idea what went wrong during the restore?

Cheers

jsmeix commented at 2017-01-26 15:51:¶

@andral
you need to run rear with debugging and
then inspect the log file, cf.
"Debugging issues with Relax-and-Recover" at
https://en.opensuse.org/SDB:Disaster_Recovery

Excerpt from
https://github.com/rear/rear/issues/1175#issuecomment-273737147

dd if=/tmp/rear.yRb6VE9IiDq3wUW/outputfs/skt-sswpbt04/2016-11-10-1736-F.tar.gz | cat | tar --block-number --totals --verbose --anchored --acls --xattrs --gzip -C /mnt/local/ -x -f -
tar: var/log/messages: Warning: Cannot acl_from_text

At first glance this looks more like an issue in tar
and not like an issue in ReaR itself, cf.
"Relax-and-Recover versus backup and restore" in
https://en.opensuse.org/SDB:Disaster_Recovery

jsmeix commented at 2017-01-26 18:13:¶

Google finds only ancient issues at Red Hat about
"tar Cannot acl_from_text" like
https://rhn.redhat.com/errata/RHBA-2010-0224.html
that reads (excerpt)

Last updated on: 2010-03-30
Affected Products: Red Hat Enterprise Linux (v. 5 server)
...
This updated tar package provides fixes for the following bugs:
...
extracting a tar archive that had been created
using the "--xattrs" flag, which saves extended
attribute information to the file, resulted in tar displaying
"Warning: Cannot acl_from_text: Invalid argument"
error messages for many extracted files. This was caused
by an off-by-one coding error, and has been fixed in this
update so that extended attributes are restored correctly
from archive files. (BZ#472553)

Regardless that this one is old and that the error message
is a bit different, it indicates that the root cause is more
likely in tar and not in ReaR.

gdha commented at 2017-02-24 14:57:¶

@andral According your rpm -Va output some executables like ping have a changed (or missing) capabilities? Can you confirm?
The title of this topic is IMHO wrong - it is not ACL, but capabilities.
Capabilities are saved by tar with the --xattrs flag, which was set in your rear configuration file. Therefore, it might be a bug in your tar executable...

gdha commented at 2017-02-24 16:25:¶

@andral @jsmeix @gozora @schlomo Nice story:

Test 1 on RHEL 7.2 with `--xattrs`¶

# tar --version
tar (GNU tar) 1.26
# rpm -qf $(which tar)
tar-1.26-29.el7.x86_64

# ls -l /bin/ping
-rwxr-xr-x. 1 root root 44896 Jun  5  2015 /bin/ping

# getcap /bin/ping
/bin/ping = cap_net_admin,cap_net_raw+p

# tar --xattrs -cpvf /tmp/ping.tar /bin/ping
# tar --xattrs -xpvf /tmp/ping.tar
# getcap bin/ping
# ls -l bin/ping
-rwxr-xr-x 1 root root 44896 Jun  5  2015 bin/ping

Test 2 with `--format=pax` (according https://www.gnu.org/software/tar/manual/html_node/Extended-File-Attributes.html)¶

# tar --xattrs --format=pax -cpvf /tmp/ping.tar /bin/ping
# tar --xattrs --format=pax -xpvf /tmp/ping.tar
bin/ping
# getcap bin/ping
#

Test 3 with `--selinux`¶

# tar --xattrs --format=pax --selinux -cpvf /tmp/ping.tar /bin/ping
# tar --xattrs --format=pax --selinux -xpvf /tmp/ping.tar
# getcap bin/ping
#

=> https://rhn.redhat.com/errata/RHBA-2016-2681.html
Previously, using the tar command with the --selinux option failed, as the tar
utility freed memory incorrectly. With this update, the memory is freed
correctly, and tar works as expected with the --selinux option. (BZ#1365645)
New version: tar-1.26-30.el7_2.x86_64.rpm

Test 4 with `--acls`:¶

# tar --xattrs --format=pax --selinux --acls -cpvf /tmp/ping.tar /bin/ping
# tar --xattrs --format=pax --selinux --acls -xpvf /tmp/ping.tar
# getcap bin/ping
#

According https://www.lesbonscomptes.com/pages/extattrs.html xattrs are visible with:

# getfattr /bin/ping
# getfattr bin/ping

Test 5 with `star`:¶

# star -artype=exustar -xattr-linux -c -f archive.star /bin/ping
star: 7 blocks + 0 bytes (total of 71680 bytes = 70.00k).
# star -artype=exustar -xattr-linux -x -f ./archive.star
#

Unfortunately, my knowledge of star is limited...

Conclusions¶

tar-1.26-29.el7.x86_64 does not save the capabilities (extend attributes) as describe in the man pages. This should be reported upstream (or via RH).

star hits the same bug, or I used the wrong options? To be investigated by ??

praiskup commented at 2017-03-01 12:27:¶

tar-1.26-29.el7.x86_64 does not save the capabilities

When you do 'tar -c --xattrs', capabilities (== extended attributes in security.capability namespace) is stored in archive, but it is not automatically restored with --xattrs (only 'user.*' namespace is restored). Have a look ate '--xattrs-include' option for more info. But note that security.capability namespace is stored in pax archive in binary form (more info in rhbz 771927)

gdha commented at 2017-03-01 12:28:¶

@andral I can only suggest to open a bugzilla with redhat to tackle the tar issue

gdha commented at 2017-03-01 12:47:¶

@praiskup Thank you for your valuable comment and the interesting link to the tar rhbz 771927.

According http://git.savannah.gnu.org/cgit/tar.git/plain/NEWS?id=release_1_27 :

Support for POSIX ACLs, extended attributes and SELinux context.

Starting with this version tar is able to store, extract and list
extended file attributes, POSIX.1e ACLs and SELinux context. This is
controlled by the command line options --xattrs, --acls and --selinux,
correspondingly. Each of these options has a `--no-' counterpart
(e.g. --no-xattrs), which disables the corresponding feature.
Additionally, the options --xattrs-include and --xattrs-exclude allow
you to selectively control for which files to store (or extract) the
extended attributes.
==> however, I think rh added this also in the tar rpm, no?

However, no trace yet of adding capabilities (as in rh patch https://bugzilla.redhat.com/attachment.cgi?id=849830)

praiskup commented at 2017-03-01 12:55:¶

however, I think rh added this also in the tar rpm, no?

I believe --xattrs-include is in RHEL 7 already.

However, no trace yet of adding capabilities

That's to be discussed upstream.

eblazquez commented at 2017-07-12 11:14:¶

Hi, it seems that the capabilities, same as with the SELinux and ACLs extended attributes, are not included on the xattrs filters used by tar. We've solved this issue using the following BACKUP_PROG_OPTIONS:

BACKUP_PROG_OPTIONS="--anchored --xattrs --xattrs-include='*.*'"

This way you're modifying the xattrs filter of tar, and telling it to store every extended attribute, including ACLs, SELinux context and capabilities.

This seems to be a similar behaviour than when you execute

getfattr -d <file>

because with that command you don't get neither ACLs nor SELinux contexts, but if you change the filter to match everything with

getfattr -d -m '.*' <file>

you see all this information.

jsmeix commented at 2017-07-13 08:07:¶

@Eblazquez
many thanks for your analysis.
It helps a lot to better understand the issue!

In ReaR we already use --anchored by default,
see usr/share/rear/conf/default.conf that contains

BACKUP_PROG_OPTIONS="--anchored"

Accordingly only additionally the options

--xattrs --xattrs-include='*.*'

are needed to get full xattrs support via 'tar' backup
(if I understand it correctly)
e.g in etc/rear/local.conf via something like

BACKUP_PROG_OPTIONS="$BACKUP_PROG_OPTIONS --xattrs-include='*.*' --xattrs"

FYI:

We cannot just have in default.conf

BACKUP_PROG_OPTIONS="--anchored --xattrs --xattrs-include='*.*'"

because it seems older tar versions do not support
the --xattrs and --xattrs-include options because
at least on my SLES11 system with GNU tar 1.26
"man tar" shows nothing about xattrs or xattrs-include
but on my openSUSE Leap 42.1 system with GNU tar 1.27
"man tar" shows both xattrs and xattrs-include.

Therefore some magic would be needed to let ReaR
use the --xattrs and --xattrs-include options automatically
if the tar program that is currently installed on the system
where ReaR runs provides --xattrs and --xattrs-include.

But I still think any special backup stuff
does not really belong to ReaR itself, cf.
"Relax-and-Recover versus backup and restore" in
https://en.opensuse.org/SDB:Disaster_Recovery

I think BACKUP_PROG_OPTIONS could be
in general better described in ReaR.

But I think the ReaR documentation is the wrong place
how to use special 'tar' options because ReaR is not
meant to document how to use 'tar'.

schlomo commented at 2017-07-13 10:15:¶

IMHO we should do our best to support standard setups. As many distros now enable xattr and acl by default we should make an effort to support that as well.

To support older and newer tar versions I suggest dynamically check for the capabilities of tar and to add more options based on that. The code for syslinux is already doing something similar.

jsmeix commented at 2017-07-14 10:38:¶

@schlomo
I agree - but such things are enhancements for the future:
https://github.com/rear/rear/issues/1411

eblazquez commented at 2017-07-19 12:22:¶

Hi, I've seen that on the script located on /usr/share/rear/restore/NETFS/default/40_restore_backup.sh, the first action taken if the backup program is tar, is to include the --selinux flag in case it's supported:

case "$BACKUP_PROG" in
    # tar compatible programs here
    (tar)
        # Add the --selinux option to be safe with SELinux context restoration
        if [[ ! $BACKUP_SELINUX_DISABLE =~ ^[yY1] ]]; then
            if tar --usage | grep -q selinux;  then
                BACKUP_PROG_OPTIONS="$BACKUP_PROG_OPTIONS --selinux"
            fi
        fi

Maybe the option to store/restore the xattrs can be included on the scripts on a similar way.

Another issue that I've encountered is that the option --xattrs-include='*.*' works creating the backup, but for some reason is ignored on the restore (it has to do with the * symbols), at least on RHEL7 which is the OS we are using. If you want this to work with capabilities you should include the specific attribute:

BACKUP_PROG_OPTIONS="--anchored --xattrs --xattrs-include=security.capability"

On our case we used that options since we don't use SELinux, but if you do you should also include its xattr, since if you add a xattrs-include mask it ignores the rest, even if you use the --selinux option. Therefor if you use SELinux your options should look like this:

BACKUP_PROG_OPTIONS="--anchored --xattrs --xattrs-include=security.capability --xattrs-include=security.selinux"

Since this issue causes ping not to work on RHEL7 systems, I think it's important enough to at least include this information on the documentation.

gdha commented at 2018-02-23 17:27:¶

I believe issue is fixed in the meantime: https://gist.github.com/fce4dabba6719a3f615cb8dc02a4c913

jsmeix commented at 2018-02-27 09:37:¶

I close the issue because it is considered to be fixed.

[Export of Github issue for rear/rear.]

#1175 Issue closed: tar in ReaR didn't recover ACL and capabilities attributes of files¶