preserve posix capabilities

POSIX capabilities are stored as security.capability xattr.
The --xattrs option alone won't store anything outside the
usernamespace, so we have to specifically ask for this
capability to be included when calling tar.
Note that we deliberately don't store the entire security
namespace as labeling by xattr is common with some security
modules and possibly a planned apparmor feature, too, so
this way we avoid restoring arbitrary lables from dumps and
templates we might not want.

Since these flags are used in two separate files I moved
them to @$PVE::LXC::COMMON_TAR_FLAGS;

The --acls flag for tar (and -A flag for rsync) have also
been added.

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index fd9a1afd76d268b3d73e55ce4891b68a439f94fb..4bcdcb473abe069cbd9e5dae98bde279f10c540c 100644 (file)
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -26,6 +26,11 @@ my $nodename = PVE::INotify::nodename();
 
 my $cpuinfo= PVE::ProcFSTools::read_cpuinfo();
 
+our $COMMON_TAR_FLAGS = [ '--totals', '--sparse', '--numeric-owner', '--acls',
+                          '--xattrs',
+                          '--xattrs-include=user.*',
+                          '--xattrs-include=security.capability' ];
+
 cfs_register_file('/lxc/', \&parse_pct_config, \&write_pct_config);
 
 my $rootfs_desc = {

diff --git a/src/PVE/LXC/Create.pm b/src/PVE/LXC/Create.pm
index d6a6a0d0c7b84d2af8742b1ed82ecb0d1dea4e8d..be90d668a5887aed91357421e1b969633e1f0687 100644 (file)
--- a/src/PVE/LXC/Create.pm
+++ b/src/PVE/LXC/Create.pm
@@ -33,8 +33,9 @@ sub restore_archive {
 #      PVE::Tools::run_command(['chown', '-R', '100000:100000', $rootdir]);
 #    }
 
-    my $cmd = [@$userns_cmd, 'tar', 'xpf', $archive, '--numeric-owner', '--totals',
-           '--sparse', '-C', $rootdir];
+    my $cmd = [@$userns_cmd, 'tar', 'xpf', $archive, '--totals',
+               @$PVE::LXC::COMMON_TAR_FLAGS,
+               '-C', $rootdir];
 
     # skip-old-files doesn't have anything to do with time (old/new), but is
     # simply -k (annoyingly also called --keep-old-files) without the 'treat

diff --git a/src/PVE/VZDump/LXC.pm b/src/PVE/VZDump/LXC.pm
index a7fafe99b6ea37c4e2bcb1909c2dce8273d30284..f138588650140897efab49e05214d0b7afaab803 100644 (file)
--- a/src/PVE/VZDump/LXC.pm
+++ b/src/PVE/VZDump/LXC.pm
@@ -24,7 +24,7 @@ my $rsync_vm = sub {
 
     my $opts = $self->{vzdump}->{opts};
 
-    my $rsync = ['rsync', '--stats', '-X', '--numeric-ids',
+    my $rsync = ['rsync', '--stats', '-X', '-A', '--numeric-ids',
                  '-aH', '--delete', '--no-whole-file', '--inplace',
                  '--one-file-system', '--relative'];
     push @$rsync, "--bwlimit=$opts->{bwlimit}" if $opts->{bwlimit};
@@ -278,8 +278,8 @@ sub archive {
     my $snapdir = $task->{snapdir};
     my $tmpdir = $task->{tmpdir};
 
-    my $tar = ['tar', 'cpf', '-',
-               '--totals', '--sparse', '--numeric-owner', '--xattrs',
+    my $tar = ['tar', 'cpf', '-', '--totals',
+               @$PVE::LXC::COMMON_TAR_FLAGS,
                '--one-file-system', '--warning=no-file-ignored'];
 
     # note: --remove-files does not work because we do not