debian/*.postinst: add adduser as a dependency and specify --home when adduser #55218
debian/*.postinst: add adduser as a dependency and specify --home when adduser #55218
Conversation
|
I'm slightly confused by the whitespace changes, but the substantive changes here look right to me. Thanks for getting to this more quickly than I did! :) |
@mcv21 hi Matthew, thank you for your review. regarding the "the white space changes", please check its commit message. my editor does not use 8 spaces when rendering tab by default, hence i noticed this inconsistency. and since i was editing that file, i fixed it as well. |
|
c7c6c2e to
7a349a5
Compare
At the risk of opening a can of worms, would it be possible to build-test on Debian too? |
@mcv21 i am building the debian packages using a sid pbuilder env, is this good enough? or you prefer building it in a bookworm pbuilder env? |
|
sid is probably OK, though I think bookworm is better given that's the release we're targetting; I'd just not seen any Debian in the shaman output you linked. |
FWIW, the latest tree fails to build on sid. i don't think it's related to the change in this PR though. |
|
jenkins test api |
|
@mcv21 i am afraid that i don't have enough bandwidth chasing the FTBFS issue. do you think it's a blocker? since ubuntu focal was released back in 2020-04, while bookworm 2023-06, the dependency changes should be safe. what do you think? |
|
@ljflores hi Laura, could you please help review this change? i am not sure whom i should ping for review, if you are not, would you mind pinging the reviewer(s) who can help on this? |
|
@tchaikov Sure, will take a look |
|
Since this is an update to a cephadm package, one of the orch members (or @adk3798) would probably be best to review this. |
adk3798
left a comment
There was a problem hiding this comment.
Just reviewing from orch side. Don't know the build stuff very well, especially debian specific build stuff, but seems good to me.
ljflores
left a comment
There was a problem hiding this comment.
From the core side of things, I would definitely like to have this go through integration testing. Logistically it makes sense, but I'm wondering if there is there anything specific that was done (or that can be done) to verify this change?
thank you for your review and approval. |
It'll presumably need fixing at some point, but I can't see that it's related to this change (so I don't think it should block it). |
debian/cephadm.postinst
Outdated
| --system \ | ||
| --disabled-password \ | ||
| --home /home/cephadm \ | ||
| --gecos 'cephadm user for mgr/cephadm' \ |
There was a problem hiding this comment.
Hey, I am new to ceph, I was trying to install cephamd on Debian bookworm and ran into the problem this PR solves.
I was going through the Debian docs and found that they are going to remove --gecos option in the next release. Instead, --comment should be used. I see that for the other postinst script --comment is already used.
Does it make sense to use the new option for this script too as a part of this PR or should it be solved in a different ticket?
There was a problem hiding this comment.
@Sitiritis hi Tymur, thank you for the reminder. since this change is being tested in lab, and i hope that this fix can be backported sooner. also, --gecos has not been deprecated, so guess we can live with it a little bit longer. but once this change lands, i will create another PR to s/--gecos/--comment/ to be more future-proof. so, "in a different ticket" or pull request. in general, we file a ticket so that it can be tracked and the corresponding fixes can be backported. if the --gecos does not cause any real-world issues yet, we could dispense a ticket on tracker.
There was a problem hiding this comment.
@Sitiritis since our CI is still using ubuntu:jammy, and the adduser shipped along with it does not support --comment yet, i am not using --comment and since --gecos is going to be removed after bookworm, as you point out. i am adding a commit to use usermod directly. once we have the luxury of dropping the support of release before debian/trixie or ubuntu/mantic. we can start using adduser --comment. to be more future-proof, i will add a commit in this PR to switch to usermod.
There was a problem hiding this comment.
Thank you :)
I just got access to ceph's redmine to create a ticket for this change, but it seems I don't need to do this anymore.
in `debian/ceph-common.postinst` and `debian/cephadm.postinst`, we use `adduser --system` to create the system user when configuring the corresponding package. before this change, the dependency is not listed in the runtime `Depends` section of ceph-common and cephadm. in this change, the dependency is added. this is also suggested by Securing Debian Manual, see https://www.debian.org/doc/manuals/securing-debian-manual/bpp-lower-privs.en.html Signed-off-by: Kefu Chai <tchaikov@gmail.com>
now that adduser allows us to set its home directory, we can do this using adduser instead of using usermod. this change also silences the warning from lintian "maintainer-script-lacks-home-in-adduser". lintian complains if `adduser --system` is called without passing `--home` option. also, take this opportunity to s/-c/--comment/ in the command line of `usermod`, for better readability. Fixes: https://tracker.ceph.com/issues/64069 Signed-off-by: Kefu Chai <tchaikov@gmail.com>
for better readability. Signed-off-by: Kefu Chai <tchaikov@gmail.com>
quote from adduser/NEWS.Debian.gz: > System user home defaults to /nonexistent if --home is not specified. > Packages that call adduser to create system accounts should explicitly > specify a location for /home (see Lintian check > maintainer-script-lacks-home-in-adduser). so let's follow this change in adduser. otherwise "cephadm" would have a $HOME at `/nonexistent`. Fixes: https://tracker.ceph.com/issues/64069 Signed-off-by: Kefu Chai <tchaikov@gmail.com>
for better readability, and to be more consistent with the rest of this file, and other .postinst scripts of this project. Signed-off-by: Kefu Chai <tchaikov@gmail.com>
--gecos option of adduser is deprecated in debian/bookworm, and will be removed in debian/trixie, see https://manpages.debian.org/bookworm/adduser/adduser.8.en.html. so to be future-proof, let's switch to `usermod --comment`. please note, since we still need to support ubuntu/jammy which is used in our CI, and `adduser` shipped by ubuntu/jammy does not support `--comment` yet, so we cannot use this option. Signed-off-by: Kefu Chai <tchaikov@gmail.com>
f96bba6 to
e74ec0b
Compare
|
test passed at https://pulpito.ceph.com/kchai-2024-02-04_08:45:31-rados-wip-kefu-pr-55218-1-distro-default-smithi/ @ljflores @adk3798 hi Laura and Adam, thank you for your reviews. could you take another look? |
|
@tchaikov thanks for working on this; are you OK to backport it to reef, please? :) |
I will endeavour to, but can you set the tracker task to state: pending backport please? the |
|
@mcv21 changed. thanks in advance! |
|
@tchaikov sorry, the backport tasks are assigned to you, so |
|
i would like to warn before using hardcoded i filled issue in tracker (https://tracker.ceph.com/issues/64488) but later found issue related to this PR (https://tracker.ceph.com/issues/64069) |
|
I'd like to bring the Debian packaging in ceph-upstream and ceph-Debian (if you see what I mean) closer together; but I think fixing this bug is not the place to change where ceph-upstream sets the |
NVM, I found the |
@jhrcz-ls hi Jan, thanks for filing this issue. i think we'd need a separate PR to address it. |
|
@tchaikov @adk3798 sorry to revive an old pr, but i think this is related to a failure i'm seeing trying to install ceph packages on ubuntu 24.04 in teuthology: any idea why it's trying to |
|
@cbodley I'm pleased to see Debian-based distros making their way into teuthology :) I think we might want to make the different postinsts easier to tell apart (e.g. that "Adding system user cephadm....done" could come from either), but my best theory here is that it's running ceph-common.postinst not cephadm.postinst (which is wrong for the cephadm package), because the ceph-common postinst sets home to Can you get a shell on the failing system? I think you could then inspect |
|
thanks @mcv21,
we've always tested against ubuntu there. we're just very late in adopting 24.04
possible but tricky to keep the machine around after failure. after a test job, they get reimaged for the next one. i'm guessing it will be easier to test the package installation manually using the same repo? |
i guess on ubuntu 22, it looks like this: |
|
comparing jammy's https://manpages.ubuntu.com/manpages/jammy/man8/adduser.8.html with noble's https://manpages.ubuntu.com/manpages/noble/man8/adduser.8.html, i see that a new paragraph was added under "Add a system user":
|
|
testing #64459 to fix |
|
@cbodley Thanks for pinging me. EDIT. seems you beat me to it =) |
|
i see that this pr did correctly add |
Ah, yes, that would explain it :-/ |
in this changeset, we
adduseras the runtime dependency of ceph-common and cephadm--hometoadduserin the postinst script to accommodate the recent change in this toolFixes: https://tracker.ceph.com/issues/64069
Contribution Guidelines
To sign and title your commits, please refer to Submitting Patches to Ceph.
If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.
When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an
xbetween the brackets:[x]. Spaces and capitalization matter when checking off items this way.Checklist
Show available Jenkins commands
jenkins retest this pleasejenkins test classic perfjenkins test crimson perfjenkins test signedjenkins test make checkjenkins test make check arm64jenkins test submodulesjenkins test dashboardjenkins test dashboard cephadmjenkins test apijenkins test docsjenkins render docsjenkins test ceph-volume alljenkins test ceph-volume toxjenkins test windowsjenkins test rook e2e