iputils build complains "could not set caps" on arping, ping, and clockdiff "due to missing filesystem support". Adds "Make sure you enable XATTR support for 'ext2/ext3' in your kernel."

The system in question has ext4 filesystems on all partitions except /boot, which is ext2, and uses ext4 for ext2/3. Related config:

#
# File systems
#
CONFIG_DCACHE_WORD_ACCESS=y
# CONFIG_EXT2_FS is not set
# CONFIG_EXT3_FS is not set
CONFIG_EXT4_FS=y
CONFIG_EXT4_USE_FOR_EXT23=y
CONFIG_EXT4_FS_XATTR=y
# CONFIG_EXT4_FS_POSIX_ACL is not set
# CONFIG_EXT4_FS_SECURITY is not set
# CONFIG_EXT4_DEBUG is not set
CONFIG_JBD2=y
CONFIG_FS_MBCACHE=y
# CONFIG_REISERFS_FS is not set
# CONFIG_JFS_FS is not set
# CONFIG_XFS_FS is not set
# CONFIG_BTRFS_FS is not set
# CONFIG_NILFS2_FS is not set
# CONFIG_FS_POSIX_ACL is not set
CONFIG_FILE_LOCKING=y
CONFIG_FSNOTIFY=y
# CONFIG_DNOTIFY is not set
CONFIG_INOTIFY_USER=y
# CONFIG_FANOTIFY is not set
# CONFIG_QUOTA is not set
# CONFIG_QUOTACTL is not set
# CONFIG_AUTOFS4_FS is not set
# CONFIG_FUSE_FS is not set

Reproducible: Always

Steps to Reproduce:
n/a

Actual Results:
>>> Installing (1 of 1) net-misc/iputils-20121221-r1
 * Could not set caps on '/bin/arping' due to missing filesystem support.
 * Make sure you enable XATTR support for 'ext2/ext3' in your kernel.
 * Could not set caps on '/bin/ping' due to missing filesystem support.
 * Make sure you enable XATTR support for 'ext2/ext3' in your kernel.
 * Could not set caps on '/usr/bin/clockdiff' due to missing filesystem support.
 * Make sure you enable XATTR support for 'ext2/ext3' in your kernel.
Expected Results:
n/a

# emerge --info
Portage 2.1.11.50 (default/linux/x86/10.0, gcc-4.6.3, glibc-2.16.0, 3.7.4-gentoo i686)
=================================================================
System uname: Linux-3.7.4-gentoo-i686-Intel-R-_Pentium-R-_4_CPU_1300MHz-with-gentoo-2.2
KiB Mem: 773668 total, 400744 free
KiB Swap: 786428 total, 786428 free
Timestamp of tree: Mon, 28 Jan 2013 09:15:01 +0000
ld GNU ld (GNU Binutils) 2.23.1
ccache version 3.1.9 [enabled]
app-shells/bash: 4.2_p42
dev-java/java-config: 2.1.12-r1
dev-lang/python: 2.7.3-r3, 3.2.3-r2
dev-util/ccache: 3.1.9
dev-util/cmake: 2.8.10.2-r1
dev-util/pkgconfig: 0.28
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.11.8
sys-apps/sandbox: 2.6
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.12.6
sys-devel/binutils: 2.23.1
sys-devel/gcc: 4.6.3
sys-devel/gcc-config: 1.8
sys-devel/libtool: 2.4.2
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.7 (virtual/os-headers)
sys-libs/glibc: 2.16.0
Repositories: gentoo local-portage
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -march=i686 -pipe"
FEATURES="assume-digests binpkg-logs ccache config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS="-O2 -march=i686 -pipe"
GENTOO_MIRRORS="ftp://ftp.gtlib.gatech.edu/pub/gentoo http://gentoo.osuosl.org/ http://open-systems.ufl.edu/mirrors/gentoo "
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,--hash-style=gnu,-O1 -Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="X alsa berkdb bzip2 cairo caps cli cracklib crypt cxx dri exif ffmpeg gdbm gif gpm gtk iconv java jpeg lcms mmx modules mp3 mudflap ncurses nls nptl nsplugin ogg opengl openmp pam pcre png readline session sse sse2 ssl svg theora threads tiff truetype unicode vorbis win32codecs x86 xcb zlib" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en_US en" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
same here at a ~x86 system (user mode linux image, chrooted into it, ext4), ewarn says :

WARN: postinst
Could not set caps on '/bin/arping' due to missing filesystem support.
Make sure you enable XATTR support for 'ext2/ext3' in your kernel.
Could not set caps on '/bin/ping' due to missing filesystem support.
Make sure you enable XATTR support for 'ext2/ext3' in your kernel.
Could not set caps on '/bin/ping6' due to missing filesystem support.
Make sure you enable XATTR support for 'ext2/ext3' in your kernel.
Could not set caps on '/usr/bin/clockdiff' due to missing filesystem support.
Make sure you enable XATTR support for 'ext2/ext3' in your kernel.

but I do have it :

$ zgrep XATTR /proc/config.gz
CONFIG_EXT2_FS_XATTR=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT4_FS_XATTR=y
CONFIG_TMPFS_XATTR=y
# CONFIG_CIFS_XATTR is not set
the `setcap` operation got back ENOTSUP which is why you got that message. so run the command yourself:
sudo su -
setcap cap_net_raw=ep /bin/arping

as for the ext2/ext3 message, that's what statfs() returns. the kernel doesn't differentiate between them.
(In reply to comment #2)
> the `setcap` operation got back ENOTSUP which is why you got that message.
> so run the command yourself:
> sudo su -
> setcap cap_net_raw=ep /bin/arping
>
> as for the ext2/ext3 message, that's what statfs() returns. the kernel
> doesn't differentiate between them.

------------------------------------------------------------------------
~ # setcap cap_net_raw=ep /bin/arping
Failed to set capabilities on file `/bin/arping' (Operation not supported)
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
Note <filename> must be a regular (non-symlink) file.
------------------------------------------------------------------------

This might be a facepalm moment, but the USE="filecaps" default on this emerge triggered my first use of file capabilities, and I think I know what the problem is. I had no intention of using any extended attributes when I created these filesystems years ago, and before creating the filesystems, to minimize inode size, I disabled not only "huge file" support but also XATTR, not only the kernel but /etc/mke2fs.conf (in the base options of the filesystems themselves as well as the default mount options).

------------------------------------------------------------------------------
# /etc/mke2fs.conf
# Notes on ext4:
#
# The default_mntopts "acl" and "user_xattr" requires CONFIG_EXT4_FS_XATTR.
# These are enabled by default, and if you don't want them, must be disabled
# with a default_mntopts entry which does not include them.
#
# Feature "large_file" enables single files >= 2GB, is enabled automatically
# on ext4 fs if "huge_file" is not set. Feature "huge_file" enables single
# files >= 2TB (turns on 48 or 64-bit block numbering) and requires kernel
# CONFIG_LBDAF.
#
# The auto_64-bit_support tag enables 64-bit block numbers if the # of blocks
# requires it (and also disables resize_inode, which doesn't support 64-bit
# block numbers.
#
# Some usage types automatically based on fs size (over-ridden by -T option):
#
# "floppy" <= 3 MiB
# "small" <= 512 MiB
# 512 MiB < "default" < 4 TiB
# "big" >= 4 TiB
# "huge" >= 16 TiB
#
[defaults]
# base_features = sparse_super,filetype,resize_inode,dir_index,ext_attr
base_features = sparse_super,filetype,resize_inode,dir_index
-----------------------------------------------------------------------------

That's not changeable by tune2fs; it's a base option. So I'll have to disable the USE="filecaps" flag for now, and actually create new filesystems if I want to use this (and I think it's now mature enough to do so, thereby getting rid of some setuid risks).

I haven't tested, but I think this resolves my problem. Sorry for the unnecessary bug. I
if we get more reports, we can mention ext_attr in the message, but if it's a one off, we'll just file it away
I'm also affected here. I'm running ext4, have "CONFIG_EXT4_FS_XATTR=y" in my config and:

miramis ~ # dumpe2fs /dev/mapper/root | grep -i attr
dumpe2fs 1.42.6 (21-Sep-2012)
Filesystem features: has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
Ditto.

caribou ~ # setcap cap_net_raw=ep /bin/arping
Failed to set capabilities on file `/bin/arping' (Operation not supported)
caribou ~ # strace setcap cap_net_raw=ep /bin/arping
execve("/sbin/setcap", ["setcap", "cap_net_raw=ep", "/bin/arping"], [/* 65 vars */]) = 0
brk(0) = 0x13b2000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f67c8ee7000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=134628, ...}) = 0
mmap(NULL, 134628, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f67c8ec6000
close(3) = 0
open("/lib64/libcap.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\31\340\3244\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=25408, ...}) = 0
mmap(0x34d4e00000, 2118240, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x34d4e00000
mprotect(0x34d4e04000, 2097152, PROT_NONE) = 0
mmap(0x34d5004000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x34d5004000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\32b\2715\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1719528, ...}) = 0
mmap(0x35b9600000, 3828792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x35b9600000
mprotect(0x35b979d000, 2097152, PROT_NONE) = 0
mmap(0x35b999d000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19d000) = 0x35b999d000
mmap(0x35b99a3000, 15416, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x35b99a3000
close(3) = 0
open("/lib64/libattr.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\23\240\2765\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=21024, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f67c8ec5000
mmap(0x35bea00000, 2113896, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x35bea00000
mprotect(0x35bea04000, 2093056, PROT_NONE) = 0
mmap(0x35bec03000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x35bec03000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f67c8ec4000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f67c8ec3000
arch_prctl(ARCH_SET_FS, 0x7f67c8ec4700) = 0
mprotect(0x601000, 4096, PROT_READ) = 0
mprotect(0x34d5004000, 4096, PROT_READ) = 0
mprotect(0x35b999d000, 16384, PROT_READ) = 0
mprotect(0x35bec03000, 4096, PROT_READ) = 0
mprotect(0x35b9421000, 4096, PROT_READ) = 0
munmap(0x7f67c8ec6000, 134628) = 0
brk(0) = 0x13b2000
brk(0x13d3000) = 0x13d3000
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP, CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP, 0}) = 0
capget({_LINUX_CAPABILITY_VERSION_3, 0}, NULL) = 0
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP, CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_DAC_READ_SEARCH|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_SETGID|CAP_SETUID|CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_BIND_SERVICE|CAP_NET_BROADCAST|CAP_NET_ADMIN|CAP_NET_RAW|CAP_IPC_LOCK|CAP_IPC_OWNER|CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_CHROOT|CAP_SYS_PTRACE|CAP_SYS_PACCT|CAP_SYS_ADMIN|CAP_SYS_BOOT|CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME|CAP_SYS_TTY_CONFIG|CAP_MKNOD|CAP_LEASE|CAP_AUDIT_WRITE|CAP_AUDIT_CONTROL|CAP_SETFCAP, 0}) = 0
lstat("/bin/arping", {st_mode=S_IFREG|S_ISUID|0711, st_size=23080, ...}) = 0
setxattr("/bin/arping", "security.capability", "\x01\x00\x00\x02\x00 \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 20, 0) = -1 EOPNOTSUPP (Operation not supported)
write(2, "Failed to set capabilities on fi"..., 75Failed to set capabilities on file `/bin/arping' (Operation not supported)
) = 75
write(2, "usage: setcap [-q] [-v] (-r|-|<c"..., 140usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
Note <filename> must be a regular (non-symlink) file.
) = 140
exit_group(1) = ?
+++ exited with 1 +++
Gah, bugzilla needs an edit button.
i suspect you haven't set CONFIG_EXT4_FS_SECURITY either
(In reply to comment #8)
> i suspect you haven't set CONFIG_EXT4_FS_SECURITY either

I have:

kripton@miramis ~ $ zcat /proc/config.gz | grep CONFIG_EXT4_FS_SECURITY
CONFIG_EXT4_FS_SECURITY=y
(In reply to comment #9)

it's hard to review with various snippets. if you see "Could not set caps" when installing iputils, then create a tarball of logs and attach it:
- emerge iputils >& emerge.log
- strace -s 4096 -o strace.log setcap cap_net_raw=ep /bin/arping
- zcat /proc/config.gz > config.log
- cat /proc/mounts > mount.log
- dumpe2fs -h /dev/ROOT > root.log # assuming extN fs, and replace "ROOT"
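The checklist above produces config.log, root.log and strace.log. As an added example (not part of the bug thread or of Gentoo's tooling), the script below triages those three files for the causes raised in this bug: the refused setxattr on security.capability, a kernel without CONFIG_EXT4_FS_XATTR or CONFIG_EXT4_FS_SECURITY, and a filesystem created without the ext_attr feature. Function names and the sample log contents are constructed for illustration, and it assumes a kernel that exposes both options, as the 3.7 config in the report does.

```bash
#!/bin/sh
# Added example, not from the bug thread. Function names are hypothetical;
# option and feature names are the ones quoted in the comments above.

# Print each kernel option the thread asks about that is not "=y" in config.log.
missing_kconfig() {
    for opt in CONFIG_EXT4_FS_XATTR CONFIG_EXT4_FS_SECURITY; do
        grep -q "^${opt}=y\$" "$1" || printf '%s\n' "$opt"
    done
}

# Succeed if the "Filesystem features:" line of `dumpe2fs -h` lists ext_attr.
has_ext_attr() {
    sed -n 's/^Filesystem features:[[:space:]]*//p' "$1" |
        tr -s ' ' '\n' | grep -qx 'ext_attr'
}

# Succeed if strace.log shows the security.capability write being refused.
xattr_refused() {
    grep -q 'setxattr(.*"security\.capability".*EOPNOTSUPP' "$1"
}

# One line per finding for a directory holding the three logs.
triage() {
    if ! xattr_refused "$1/strace.log"; then
        echo "strace: no refused security.capability write"
        return 0
    fi
    for opt in $(missing_kconfig "$1/config.log"); do
        echo "kernel: $opt is not enabled"
    done
    has_ext_attr "$1/root.log" || echo "filesystem: ext_attr feature is missing"
}

# Constructed sample logs, modelled on the snippets quoted in the thread.
demo=$(mktemp -d)
cat > "$demo/config.log" <<'EOF'
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_XATTR=y
# CONFIG_EXT4_FS_SECURITY is not set
EOF
cat > "$demo/root.log" <<'EOF'
Filesystem features:      has_journal resize_inode dir_index filetype sparse_super
EOF
cat > "$demo/strace.log" <<'EOF'
setxattr("/bin/arping", "security.capability", "...", 20, 0) = -1 EOPNOTSUPP (Operation not supported)
EOF
triage "$demo"
```

An empty result from `triage` on a machine that still fails means both checks passed, which is the situation the later commenters describe and the reason the full logs were requested.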
*** Bug 454748 has been marked as a duplicate of this bug. ***
*** Bug 482828 has been marked as a duplicate of this bug. ***