We've set a filesystem capability in our CentOS 7-based custom template:
setcap cap_setgid,cap_setuid+ep /usr/sbin/suexec
This is to allow Apache+mod_fcgid+PHP to work properly when setting the user under which PHP scripts are supposed to run. That's neither here nor there: the problem is that the filesystem capability is NOT preserved when that template is provisioned.
I suspect you're using rsync(1) to provision a template to a new VM, in which case if you add '-X' it will preserve these filesystem extended attributes. (The '-a' flag to cp(1) does the same thing, if that's what you're using.) This is an official feature request to please add the appropriate flag to the provision process to preserve those attributes.
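A way to confirm whether a provisioned VM kept the template's file capabilities, as an added example that is not part of the original post. It compares saved `getcap -r /` listings from the template and from the new VM; the function names `normalize_getcap`, `lost_caps` and `demo` and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list file capabilities that are
# present in a template but missing or different on a VM provisioned from it.
# Inputs are saved `getcap -r / 2>/dev/null` listings from each system.

# Reduce a getcap listing to "path<TAB>caps". libcap on CentOS 7 prints
# "path = caps"; newer libcap prints "path caps". Paths may contain spaces.
normalize_getcap() {
    awk 'NF >= 2 {
        caps = $NF
        path = $0
        sub(/[ \t]+[^ \t]+$/, "", path)   # strip the capability field
        sub(/[ \t]+=$/, "", path)         # strip the old-style " =" separator
        printf "%s\t%s\n", path, caps
    }' "$1"
}

# lost_caps TEMPLATE_LISTING VM_LISTING
# Prints one line per template capability the VM failed to keep.
lost_caps() {
    tpl=$(mktemp) && vm=$(mktemp) || return 2
    normalize_getcap "$1" > "$tpl"
    normalize_getcap "$2" > "$vm"
    # FILENAME test instead of NR==FNR: the VM listing is empty when every
    # xattr was dropped, and NR==FNR misfires on an empty first file.
    awk -F '\t' '
        FILENAME == ARGV[1] { have[$1] = $2; next }
        !($1 in have)       { print "MISSING\t" $1 "\t" $2; next }
        have[$1] != $2      { print "CHANGED\t" $1 "\t" $2 " -> " have[$1] }
    ' "$vm" "$tpl"
    rm -f "$tpl" "$vm"
}

# Constructed sample listings: the template carries the suexec capability
# from the post; the provisioned VM came up with no file capabilities at all.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '/usr/sbin/suexec = cap_setgid,cap_setuid+ep' > "$d/template.txt"
    : > "$d/vm.txt"
    lost_caps "$d/template.txt" "$d/vm.txt"
    rm -rf "$d"
}
demo
```

An empty result means every capability in the template listing is present and unchanged on the VM.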