internal/exec/util: handle existing group in EnsureGroup#2158
internal/exec/util: handle existing group in EnsureGroup#2158prestist merged 5 commits intocoreos:mainfrom
Conversation
There was a problem hiding this comment.
Code Review
This pull request makes EnsureGroup idempotent by handling the exit code from groupadd when a group already exists. While the change prevents a crash, it introduces a more subtle issue. If a group exists, any configuration changes for that group (like GID or password) will be silently ignored, leading to potential configuration drift. My review comment details this problem and suggests a more robust implementation that uses groupmod for existing groups, similar to how EnsureUser is implemented. This would ensure that group configurations are correctly applied whether the group is being created or modified.
internal/exec/util/passwd.go
Outdated
| if err != nil && exitCode == 9 { | ||
| return nil | ||
| } |
There was a problem hiding this comment.
While this change correctly makes EnsureGroup idempotent for group creation and prevents a crash, it introduces a potential issue of silent configuration drift. If a group already exists, this change will cause the function to return success without applying any specified modifications like Gid or PasswordHash. This can lead to the system being in an incorrect state without any warning.
To address this properly, EnsureGroup should be updated to handle existing groups by modifying them, similar to how EnsureUser uses usermod. I recommend the following approach:
- Use the
existsvariable (which is already available) to differentiate between creating and modifying a group. - If the group exists, use
groupmodto apply any changes to GID or password hash. This will require adding aGroupmodCmdtointernal/distro/distro.go. - If the group does not exist, use
groupaddas is currently done.
This will make EnsureGroup robust and ensure the system state matches the desired configuration.
There was a problem hiding this comment.
This is actually the SAME design limitation that EnsureUser has, and is documented in config/doc/ignition.yaml
- name: system
desc: "whether or not the group should be a system group. This only has an effect if the group doesn't exist yet."
There was a problem hiding this comment.
You are right. That is a limitation of groupmod and usermod. I opted to maintain consistency. Do you think that should be handled differently?
There was a problem hiding this comment.
Nah, I am pretty sure keeping it as it has been is correct. Its been documented as a limitation for a while. I wanted to just comment on it so there is a trail in-case we ever need to ask why it was done this way.
ecdf347 to
1b3a2d2
Compare
|
Looks like I forgot to update release notes, should I revise the PR? Edit: updated. |
There was a problem hiding this comment.
Great find, thank you for the fix, the changes make sense and LGTM
edit: sorry
One request, would you mind adding blackbox tests that follow the ensureUser example but for ensureGroup. as there are no create/addition tests that I can see.
You can find the user tests and group tests mixed in => ignition/tests/positive/passwd/users.go
It looks like we can expand the group coverage for creation and modification now, you might need to expand the stubs in => ignition/tests/stubs/groupdel-stub/main.go
Add groupadd-stub and groupmod-stub test helpers to test the groupadd and groupmod commands. Add test cases for group creation and group idempotency to verify EnsureGroup uses groupmod when a group already exists.
|
I think the only thing we should do is re-base rather then the merges from main, its not terrible but it does add noise to the git history. Otherwise lgtm. |
When a group already exists, modify it using groupmod instead of attempting to create it with groupadd. This makes EnsureGroup idempotent and prevents failure when the group already exists (exit code 9).
c3a467c to
7572fa8
Compare
|
Does this look better? |
|
@onurhanak perfect! thank you. |
|
@onurhanak unfortunately looks like the blackbox tests are failing You can test them locally by
so if you want to test groups.add_3.6.0-experimental it would look like:
|
|
@prestist Theblackbox tests pass locally on my end, any idea why they are failing here? This is from the Jenkins log:
I cannot see any reference to group1 in the codebase when I look through the tests. Also, when I check |
Thats soo weird, at first glance no, but looking into it currently. |
|
@onurhanak Ah, its a kola test this time. No longer blackbox tests Our kola tests are mostly in fedora-coreos-config here is an example of one for passwd on users https://github.com/coreos/fedora-coreos-config/blob/c20db91bd5780a3da22204677b251048cf91b8d7/tests/kola/security/passwd/test.sh I cant seem to find the one that is failing but its likely in this repo, still investigating. Ah this kola test is in coreos-asembler's repo https://github.com/coreos/coreos-assembler/blob/bf8b944d6fd211cb3f9071820934db65138b80b6/mantle/kola/tests/ignition/passwd.go#L144 Looks like the testgroup section is not passing due to the changes here. The * makes me think about the else you removed from passwd.. but not sure. |
|
@prestist Thanks. I think the error is caused by the EnsureGroup function in internal/exec/util/passwd.go . Specifically these lines: if util.NotEmpty(g.PasswordHash) {
args = append(args, "--password", *g.PasswordHash)
}I see that other functions in the file default to "*" when password is nil. The tests seem to expect this behavior. I can implement that, but groupadd man page specifies that it defaults to "!" when password is not supplied: How do you think we should proceed? |
|
Hmm, it makes my hands itch to give the final verdict. Let me reach out to a more knowledgeable party => @travier for their view. So from my perspective, we should probably maintain what has been true in the past and what has been enforced by the kola test. Mostly to avoid unintentional configuration drift. I.e bring back the default of * when not specified. |
|
@travier what do you think? |
|
This PR adds
For the
So I think we should update our kola test to accept both. |
|
I have not looked too closely to the tests but the code change looks OK from a quick look. Thanks |
ddbc66e to
87da603
Compare
You are right. My mistake, should be fixed now. @prestist What are the next steps? I think the kola tests are in another repository right? Should I make a PR there too? |
|
@onurhanak yeah the kola tests that are being effected are here. And yeah we would want to create a PR which accepts both * and !. If you would like @onurhanak I can make those changes? |
|
@prestist Sure, if you do not mind, please go ahead and make the changes. |
|
@onurhanak Thank you for working on this, just landed it! |
|
@prestist That's great news, thanks for the help along the way. |
When groupadd is called with a group name that already exists, it returns exit code 9. This causes ignition to fail. This change catches exit code 9 and treats it as success to make EnsureGroup idempotent.