[Bug 1858692] Re: ceph-common postinst does not check for ceph user existing externally
Eric Desrochers
eric.desrochers at canonical.com
Thu Jan 9 15:27:44 UTC 2020
Additional note:
landscape-server installation as we speak "Depends" on ceph-common.
ceph-common is no longer needed/used in the landscape context since autopilot code got removed.
I'll propose a MP to Simon to remove the Depend from Landscape server.
Nevertheless, I think ceph-common should be debugged a little more (e.g.
nsswitch.conf, sssd, ...) to figure out why "getent" can't get
information from external users when it should.
** Changed in: landscape
Status: New => Confirmed
** Changed in: landscape
Assignee: (unassigned) => Eric Desrochers (slashd)
** Changed in: landscape
Status: Confirmed => In Progress
** Description changed:
If the $SERVER_USER name exists in LDAP outside the server the user will
not exist in /etc/passwd. This will cause the postinst script to attempt
to create the user, which will fail. This user creation/modification
failure then causes the configuration operation to be marked as failed
and prevent the package from completing installation.
Current workaround is to define $SERVER_USER in /etc/default/ceph or
otherwise export a custom value for this into the environment, so that
the postinst script uses a username that does not exist in LDAP, and can
be created within the local system. Ideally there would be a more robust
check for the existence of the $SERVER_USER perhaps using the 'id'
command.
Snippets from /var/lib/dpkg/info/ceph-common.postinst
---
[ -f "/etc/default/ceph" ] && . /etc/default/ceph
[ -z "$SERVER_HOME" ] && SERVER_HOME=/var/lib/ceph
[ -z "$SERVER_USER" ] && SERVER_USER=ceph
[ -z "$SERVER_NAME" ] && SERVER_NAME="Ceph storage service"
[ -z "$SERVER_GROUP" ] && SERVER_GROUP=ceph
[ -z "$SERVER_UID" ] && SERVER_UID=64045 # alloc by Debian base-passwd maintainer
[ -z "$SERVER_GID" ] && SERVER_GID=$SERVER_UID
---
---
case "$1" in
- configure)
- # create user to avoid running server as root
- # 1. create group if not existing
- if ! getent group | grep -q "^$SERVER_GROUP:" ; then
- addgroup --quiet --system --gid $SERVER_GID \
- $SERVER_GROUP 2>/dev/null ||true
- fi
- # 2. create user if not existing
- if ! getent passwd | grep -q "^$SERVER_USER:"; then
- adduser --quiet \
- --system \
- --no-create-home \
- --disabled-password \
- --uid $SERVER_UID \
- --gid $SERVER_GID \
- $SERVER_USER 2>/dev/null || true
- fi
- # 3. adjust passwd entry
- usermod -c "$SERVER_NAME" \
- -d $SERVER_HOME \
- -g $SERVER_GROUP \
- $SERVER_USER 2>/dev/null
+ configure)
+ # create user to avoid running server as root
+ # 1. create group if not existing
+ if ! getent group | grep -q "^$SERVER_GROUP:" ; then
+ addgroup --quiet --system --gid $SERVER_GID \
+ $SERVER_GROUP 2>/dev/null ||true
+ fi
+ # 2. create user if not existing
+ if ! getent passwd | grep -q "^$SERVER_USER:"; then
+ adduser --quiet \
+ --system \
+ --no-create-home \
+ --disabled-password \
+ --uid $SERVER_UID \
+ --gid $SERVER_GID \
+ $SERVER_USER 2>/dev/null || true
+ fi
+ # 3. adjust passwd entry
+ usermod -c "$SERVER_NAME" \
+ -d $SERVER_HOME \
+ -g $SERVER_GROUP \
+ $SERVER_USER 2>/dev/null
---
+
+ [Impacted scenario]
+
+ * lanscape-server installation when the ceph user/group already exists
+ on the system with non-default UID/GID particularly when the user exists
+ in LDAP outside the local system.
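Review bot: in the added [Impacted scenario] bullet, "lanscape-server" should read "landscape-server", and the bullet has no verb saying what actually goes wrong during installation (fails, hangs, is left unconfigured). The removed and re-added postinst snippet lines read identically here, so that part of the change looks like whitespace only and could be left out of the edit.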
** Description changed:
If the $SERVER_USER name exists in LDAP outside the server the user will
not exist in /etc/passwd. This will cause the postinst script to attempt
to create the user, which will fail. This user creation/modification
failure then causes the configuration operation to be marked as failed
and prevent the package from completing installation.
Current workaround is to define $SERVER_USER in /etc/default/ceph or
otherwise export a custom value for this into the environment, so that
the postinst script uses a username that does not exist in LDAP, and can
be created within the local system. Ideally there would be a more robust
check for the existence of the $SERVER_USER perhaps using the 'id'
command.
Snippets from /var/lib/dpkg/info/ceph-common.postinst
---
[ -f "/etc/default/ceph" ] && . /etc/default/ceph
[ -z "$SERVER_HOME" ] && SERVER_HOME=/var/lib/ceph
[ -z "$SERVER_USER" ] && SERVER_USER=ceph
[ -z "$SERVER_NAME" ] && SERVER_NAME="Ceph storage service"
[ -z "$SERVER_GROUP" ] && SERVER_GROUP=ceph
[ -z "$SERVER_UID" ] && SERVER_UID=64045 # alloc by Debian base-passwd maintainer
[ -z "$SERVER_GID" ] && SERVER_GID=$SERVER_UID
---
---
case "$1" in
configure)
# create user to avoid running server as root
# 1. create group if not existing
if ! getent group | grep -q "^$SERVER_GROUP:" ; then
addgroup --quiet --system --gid $SERVER_GID \
$SERVER_GROUP 2>/dev/null ||true
fi
# 2. create user if not existing
if ! getent passwd | grep -q "^$SERVER_USER:"; then
adduser --quiet \
--system \
--no-create-home \
--disabled-password \
--uid $SERVER_UID \
--gid $SERVER_GID \
$SERVER_USER 2>/dev/null || true
fi
# 3. adjust passwd entry
usermod -c "$SERVER_NAME" \
-d $SERVER_HOME \
-g $SERVER_GROUP \
$SERVER_USER 2>/dev/null
---
- [Impacted scenario]
+ [Observe impacted scenario]
* lanscape-server installation when the ceph user/group already exists
on the system with non-default UID/GID particularly when the user exists
in LDAP outside the local system.
** Description changed:
If the $SERVER_USER name exists in LDAP outside the server the user will
not exist in /etc/passwd. This will cause the postinst script to attempt
to create the user, which will fail. This user creation/modification
failure then causes the configuration operation to be marked as failed
and prevent the package from completing installation.
Current workaround is to define $SERVER_USER in /etc/default/ceph or
otherwise export a custom value for this into the environment, so that
the postinst script uses a username that does not exist in LDAP, and can
be created within the local system. Ideally there would be a more robust
check for the existence of the $SERVER_USER perhaps using the 'id'
command.
Snippets from /var/lib/dpkg/info/ceph-common.postinst
---
[ -f "/etc/default/ceph" ] && . /etc/default/ceph
[ -z "$SERVER_HOME" ] && SERVER_HOME=/var/lib/ceph
[ -z "$SERVER_USER" ] && SERVER_USER=ceph
[ -z "$SERVER_NAME" ] && SERVER_NAME="Ceph storage service"
[ -z "$SERVER_GROUP" ] && SERVER_GROUP=ceph
[ -z "$SERVER_UID" ] && SERVER_UID=64045 # alloc by Debian base-passwd maintainer
[ -z "$SERVER_GID" ] && SERVER_GID=$SERVER_UID
---
---
case "$1" in
configure)
# create user to avoid running server as root
# 1. create group if not existing
if ! getent group | grep -q "^$SERVER_GROUP:" ; then
addgroup --quiet --system --gid $SERVER_GID \
$SERVER_GROUP 2>/dev/null ||true
fi
# 2. create user if not existing
if ! getent passwd | grep -q "^$SERVER_USER:"; then
adduser --quiet \
--system \
--no-create-home \
--disabled-password \
--uid $SERVER_UID \
--gid $SERVER_GID \
$SERVER_USER 2>/dev/null || true
fi
# 3. adjust passwd entry
usermod -c "$SERVER_NAME" \
-d $SERVER_HOME \
-g $SERVER_GROUP \
$SERVER_USER 2>/dev/null
---
[Observe impacted scenario]
- * lanscape-server installation when the ceph user/group already exists
- on the system with non-default UID/GID particularly when the user exists
- in LDAP outside the local system.
+ * lanscape-server installation may fail when the ceph user/group already
+ exists on the system with non-default UID/GID particularly when the user
+ exists in LDAP outside the local system.
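Review bot: the reworded bullet still spells the package "lanscape-server", and "may fail" does not say which step fails. In the quoted snippet, steps 1 and 2 end in `|| true` while the step 3 `usermod` call does not, so naming the `usermod` step as the one whose failure is not masked would make the scenario reproducible from the description alone.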
--
https://bugs.launchpad.net/bugs/1858692
Title:
ceph-common postinst does not check for ceph user existing externally
Status in Landscape Server:
In Progress
Status in ceph package in Ubuntu:
Incomplete
Bug description:
If the $SERVER_USER name exists in LDAP outside the server the user
will not exist in /etc/passwd. This will cause the postinst script to
attempt to create the user, which will fail. This user
creation/modification failure then causes the configuration operation
to be marked as failed and prevent the package from completing
installation.
Current workaround is to define $SERVER_USER in /etc/default/ceph or
otherwise export a custom value for this into the environment, so that
the postinst script uses a username that does not exist in LDAP, and
can be created within the local system. Ideally there would be a more
robust check for the existence of the $SERVER_USER perhaps using the
'id' command.
Snippets from /var/lib/dpkg/info/ceph-common.postinst
---
[ -f "/etc/default/ceph" ] && . /etc/default/ceph
[ -z "$SERVER_HOME" ] && SERVER_HOME=/var/lib/ceph
[ -z "$SERVER_USER" ] && SERVER_USER=ceph
[ -z "$SERVER_NAME" ] && SERVER_NAME="Ceph storage service"
[ -z "$SERVER_GROUP" ] && SERVER_GROUP=ceph
[ -z "$SERVER_UID" ] && SERVER_UID=64045 # alloc by Debian base-passwd maintainer
[ -z "$SERVER_GID" ] && SERVER_GID=$SERVER_UID
---
---
case "$1" in
  configure)
    # create user to avoid running server as root
    # 1. create group if not existing
    if ! getent group | grep -q "^$SERVER_GROUP:" ; then
      addgroup --quiet --system --gid $SERVER_GID \
        $SERVER_GROUP 2>/dev/null ||true
    fi
    # 2. create user if not existing
    if ! getent passwd | grep -q "^$SERVER_USER:"; then
      adduser --quiet \
        --system \
        --no-create-home \
        --disabled-password \
        --uid $SERVER_UID \
        --gid $SERVER_GID \
        $SERVER_USER 2>/dev/null || true
    fi
    # 3. adjust passwd entry
    usermod -c "$SERVER_NAME" \
      -d $SERVER_HOME \
      -g $SERVER_GROUP \
      $SERVER_USER 2>/dev/null
---
[Observe impacted scenario]
* lanscape-server installation may fail when the ceph user/group
already exists on the system with non-default UID/GID particularly
when the user exists in LDAP outside the local system.
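
The "more robust check" the description asks for, sketched as an added example (not code from the ceph packaging or from this bug report): it separates "resolvable through NSS" from "present in the local passwd file", so an LDAP-only account is neither re-created nor passed to usermod. The function names and the PASSWD_FILE override are hypothetical, introduced only for illustration.

```sh
#!/bin/sh
# Added example: decide what a postinst may do with $SERVER_USER.
# account_action and its helpers are hypothetical names, not ceph's code.

# File that adduser/usermod edit; overridable so the logic can be tried
# against a constructed file.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}

# Keyed lookup: asks every source listed in nsswitch.conf for this one name.
# Unlike "getent passwd | grep", it does not depend on the directory
# allowing enumeration of all users.
nss_has_user() {
    getent passwd "$1" >/dev/null 2>&1 || id -u "$1" >/dev/null 2>&1
}

# Exact match on the login field of the local file.
local_has_user() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' \
        "$PASSWD_FILE" 2>/dev/null
}

# Prints one of: modify, skip-external, create.
account_action() {
    if local_has_user "$1"; then
        echo modify          # local account: usermod can adjust it
    elif nss_has_user "$1"; then
        echo skip-external   # resolvable but not local: leave it alone
    else
        echo create          # unknown everywhere: adduser is appropriate
    fi
}

SERVER_USER=${SERVER_USER:-ceph}
echo "$SERVER_USER: $(account_action "$SERVER_USER")"
```

On a host where the account comes only from LDAP or sssd, this prints `skip-external`, which is the case the enumeration-based test in the snippet above misses.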