New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
debian/*.postinst: add adduser as a dependency and specify --home when adduser #55218
Conversation
I'm slightly confused by the whitespace changes, but the substantive changes here look right to me. Thanks for getting to this more quickly than I did! :) |
@mcv21 hi Matthew, thank you for your review. regarding the "the white space changes", please check its commit message. my editor does not use 8 spaces when rendering tab by default, hence i noticed this inconsistency. and since i was editing that file, i fixed it as well. |
|
c7c6c2e
to
7a349a5
Compare
At the risk of opening a can of worms, would it be possible to build-test on Debian too? |
@mcv21 i am building the debian packages using a sid pbuilder env, is this good enough? or you prefer building it in a bookworm pbuilder env? |
sid is probably OK, though I think bookworm is better given that's the release we're targetting; I'd just not seen any Debian in the shaman output you linked. |
FWIW, the latest tree fails to build on sid. i don't think it's related to the change in this PR though. |
jenkins test api |
@mcv21 i am afraid that i don't have enough bandwidth chasing the FTBFS issue. do you think it's a blocker? since ubuntu focal was released back in 2020-04, while bookworm 2023-06, the dependency changes should be safe. what do you think? |
@ljflores hi Laura, could you please help review this change? i am not sure whom i should ping for review, if you are not, would you mind pinging the reviewer(s) who can help on this? |
@tchaikov Sure, will take a look |
Since this is an update to a cephadm package, one of the orch members (or @adk3798) would probably be best to review this. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just reviewing from orch side. Don't know the build stuff very well, especially debian specific build stuff, but seems good to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From the core side of things, I would definitely like to have this go through integration testing. Logistically it makes sense, but I'm wondering if there is there anything specific that was done (or that can be done) to verify this change?
thank you for your review and approval. |
It'll presumably need fixing at some point, but I can't see that it's related to this change (so I don't think it should block it). |
debian/cephadm.postinst
Outdated
--system \ | ||
--disabled-password \ | ||
--home /home/cephadm \ | ||
--gecos 'cephadm user for mgr/cephadm' \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey, I am new to ceph, I was trying to install cephamd on Debian bookworm and ran into the problem this PR solves.
I was going through the Debian docs and found that they are going to remove --gecos
option in the next release. Instead, --comment
should be used. I see that for the other postinst script --comment
is already used.
Does it make sense to use the new option for this script too as a part of this PR or should it be solved in a different ticket?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Sitiritis hi Tymur, thank you for the reminder. since this change is being tested in lab, and i hope that this fix can be backported sooner. also, --gecos
has not been deprecated, so guess we can live with it a little bit longer. but once this change lands, i will create another PR to s/--gecos
/--comment
/ to be more future-proof. so, "in a different ticket" or pull request. in general, we file a ticket so that it can be tracked and the corresponding fixes can be backported. if the --gecos
does not cause any real-world issues yet, we could dispense a ticket on tracker.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Sitiritis since our CI is still using ubuntu:jammy, and the adduser
shipped along with it does not support --comment
yet, i am not using --comment
and since --gecos
is going to be removed after bookworm, as you point out. i am adding a commit to use usermod
directly. once we have the luxury of dropping the support of release before debian/trixie or ubuntu/mantic. we can start using adduser --comment
. to be more future-proof, i will add a commit in this PR to switch to usermod
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you :)
I just got access to ceph's redmine to create a ticket for this change, but it seems I don't need to do this anymore.
@mcv21 thank you for confirming this. could you please elaborate a little bit on what will need fixing? since this change is being tested in lab. i will create a follow-up change if we need more changes. |
@tchaikov can you please take a look at a few of the following failures? it looks related to the new added adduser |
@NitzanMordhai thank you Nitzan! sure. will take a look this weekend. |
The failure is because the build is being run on Ubuntu 22.04, and adduser there does not support |
I'm afraid I don't really know - it looks like a problem building boost, but evidently boost can be built on Debian sid, so I don't know why it's failing here. [I guess this is the side-effect of so many submodules in the build rather than pulling libraries in from the distro, you end up with what might be entirely unrelated build failures] |
7a349a5
to
f96bba6
Compare
i see. you were referencing the FTBFS i reported in this PR. let's leave it for a rainy weekend maybe. and thank you for looking into the test failure! |
changelog
|
in `debian/ceph-common.postinst` and `debian/cephadm.postinst`, we use `adduser --system` to create the system user when configuring the corresponding package. before this change, the dependency is not listed in the runtime `Depends` section of ceph-common and cephadm. in this change, the dependency is added. this is also suggested by Securing Debian Manual, see https://www.debian.org/doc/manuals/securing-debian-manual/bpp-lower-privs.en.html Signed-off-by: Kefu Chai <tchaikov@gmail.com>
now that adduser allows us to set its home directory, we can do this using adduser instead of using usermod. this change also silences the warning from lintian "maintainer-script-lacks-home-in-adduser". lintian complains if `adduser --system` is called without passing `--home` option. also, take this opportunity to s/-c/--comment/ in the command line of `usermod`, for better readability. Fixes: https://tracker.ceph.com/issues/64069 Signed-off-by: Kefu Chai <tchaikov@gmail.com>
for better readability. Signed-off-by: Kefu Chai <tchaikov@gmail.com>
quote from adduser/NEWS.Debian.gz: > System user home defaults to /nonexistent if --home is not specified. > Packages that call adduser to create system accounts should explicitly > specify a location for /home (see Lintian check > maintainer-script-lacks-home-in-adduser). so let's follow this change in adduser. otherwise "cephadm" would have a $HOME at `/nonexistent`. Fixes: https://tracker.ceph.com/issues/64069 Signed-off-by: Kefu Chai <tchaikov@gmail.com>
for better readability, and to be more consistent with the rest of this file, and other .postinst scripts of this project. Signed-off-by: Kefu Chai <tchaikov@gmail.com>
--gecos option of adduser is deprecated in debian/bookworm, and will be removed in debian/trixie, see https://manpages.debian.org/bookworm/adduser/adduser.8.en.html. so to be future-proof, let's switch to `usermod --comment`. please note, since we still need to support ubuntu/jammy which is used in our CI, and `adduser` shipped by ubuntu/jammy does not support `--comment` yet, so we cannot use this option. Signed-off-by: Kefu Chai <tchaikov@gmail.com>
f96bba6
to
e74ec0b
Compare
test passed at https://pulpito.ceph.com/kchai-2024-02-04_08:45:31-rados-wip-kefu-pr-55218-1-distro-default-smithi/ @ljflores @adk3798 hi Laura and Adam, thank you for your reviews. could you take another look? |
@tchaikov thanks for working on this; are you OK to backport it to reef, please? :) |
I will endeavour to, but can you set the tracker task to state: pending backport please? the |
@mcv21 changed. thanks in advance! |
@tchaikov sorry, the backport tasks are assigned to you, so |
i would like to warn before using hardcoded i filled issue in tracker (https://tracker.ceph.com/issues/64488) but later found issue related to this PR (https://tracker.ceph.com/issues/64069) |
I'd like to bring the Debian packaging in ceph-upstream and ceph-Debian (if you see what I mean) closer together; but I think fixing this bug is not the place to change where ceph-upstream sets the |
NVM, I found the |
@jhrcz-ls hi Jan, thanks for filing this issue. i think we'd need a separate PR to address it. |
in this changeset, we
adduser
as the runtime dependency of ceph-common and cephadm--home
toadduser
in the postinst script to accommodate the recent change in this toolFixes: https://tracker.ceph.com/issues/64069
Contribution Guidelines
To sign and title your commits, please refer to Submitting Patches to Ceph.
If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.
When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an
x
between the brackets:[x]
. Spaces and capitalization matter when checking off items this way.Checklist
Show available Jenkins commands
jenkins retest this please
jenkins test classic perf
jenkins test crimson perf
jenkins test signed
jenkins test make check
jenkins test make check arm64
jenkins test submodules
jenkins test dashboard
jenkins test dashboard cephadm
jenkins test api
jenkins test docs
jenkins render docs
jenkins test ceph-volume all
jenkins test ceph-volume tox
jenkins test windows
jenkins test rook e2e