SD plugin scsicrypto check, set, unset cap_sys_rawio capabilities

[bruno-at-bareos]

• Platform: bareos-sd.service
  • Remove CapabilityBoundingSet=CAP_SYS_RAWIO as the daemon doesn't run with root.
  • Discourage the use of AmbientCapabilities due to the lack of flag support in systemd.
• Packaging: add postinstall hooks for enabling cap_sys_rawio capabilities
• Doc: review section about linux sg_io ioctl interface
  • Explain the usage of our bareos-config help and related scsicrypto functions
    • bareos-config check_scsicrypto_capabilities
    • bareos-config set_scsicrypto_capabilities
    • bareos-config unset_scsicrypto_capabilities

Please check

• Short description and the purpose of this PR is present above this paragraph
• Your name is present in the AUTHORS file (optional)

If you have any questions or problems, please give a comment in the PR.

Helpful documentation and best practices

• Git Workflow
• Automatic Sourcecode Formatting
• Check your commit messages

Checklist for the reviewer of the PR (will be processed by the Bareos team)

General

• PR name is meaningful
• Purpose of the PR is understood
• Separate commit for this PR in the CHANGELOG.md, PR number referenced is same
• Commit descriptions are understandable and well formatted

Source code quality

• Source code changes are understandable
• Variable and function names are meaningful
• Code comments are correct (logically and spelling)
• Required documentation changes are present and part of the PR
• bareos-check-sources --since-merge does not report any problems
• git status should not report modifications in the source tree after building and testing

[arogge]

I see some minor and easy-to-fix issues with the shell code.
However, this does not (yet) fix the upgrade-problem our users are facing.

[joergsteffens]

As @arogge pointed out, you should a warning to the documentation, that the capabilities are removed by a package update.

So I read this section correctly, that I do not require the capability, if I run the b*-tools as root? Will it cause problems to run these commands as root?

[bruno-at-bareos]

As @arogge pointed out, you should a warning to the documentation, that the capabilities are removed by a package update.

We will find a way to handle this the best as we can. Let discuss this today and choose a solution.

So I read this section correctly, that I do not require the capability, if I run the b*-tools as root? Will it cause problems to run these commands as root?
I didn't see any differences with capabilities set or not and the usage of tools with root user.

[bruno-at-bareos]

Final comment, after having tested in RHEL 8, openSUSE 15.3, Debian 11, I just fixed some typos errors in warn function and also mistyped the config file name in post macro. Now I'm confident everything looks ok.
Thanks for your final review.
If ok, I'm in favor of doing also a backport to 21.

[arogge]

The code looks good. However, as the implementation escalated quite a bit (from documentation-only to scripts and packaging changeS) the PR title and description don't reflect the changes anymore.

[arogge]

There was some nitpicking left for me to do.
But other than a few text suggestions this looks great!
PR title and description need to be updated though.

[arogge]

Great work! Thank you!