[Bug 1858692] Re: ceph-common postinst does not check for ceph user existing externally

Eric Desrochers eric.desrochers at canonical.com
Thu Jan 9 15:27:44 UTC 2020


Additional note:

landscape-server installation as we speak "Depends" on ceph-common.
ceph-common is no longer needed/used in the landscape context since autopilot code got removed.

I'll propose a MP to Simon to remove the Depend from Landscape server.

Nevertheless, I think ceph-common should be debugged a little more (e.g.
nsswitch.conf, sssd, ...) to figure out why "getent" can't get
information from external users when it should.

** Changed in: landscape
       Status: New => Confirmed

** Changed in: landscape
     Assignee: (unassigned) => Eric Desrochers (slashd)

** Changed in: landscape
       Status: Confirmed => In Progress

** Description changed:

  If the $SERVER_USER name exists in LDAP outside the server the user will
  not exist in /etc/passwd. This will cause the postinst script to attempt
  to create the user, which will fail. This user creation/modification
  failure then causes the configuration operation to be marked as failed
  and prevent the package from completing installation.
  
  Current workaround is to define $SERVER_USER in /etc/default/ceph or
  otherwise export a custom value for this into the environment, so that
  the postinst script uses a username that does not exist in LDAP, and can
  be created within the local system. Ideally there would be a more robust
  check for the existence of the $SERVER_USER perhaps using the 'id'
  command.
  
  Snippets from /var/lib/dpkg/info/ceph-common.postinst
  
  ---
  [ -f "/etc/default/ceph" ] && . /etc/default/ceph
  
  [ -z "$SERVER_HOME" ] && SERVER_HOME=/var/lib/ceph
  [ -z "$SERVER_USER" ] && SERVER_USER=ceph
  [ -z "$SERVER_NAME" ] && SERVER_NAME="Ceph storage service"
  [ -z "$SERVER_GROUP" ] && SERVER_GROUP=ceph
  [ -z "$SERVER_UID" ] && SERVER_UID=64045  # alloc by Debian base-passwd maintainer
  [ -z "$SERVER_GID" ] && SERVER_GID=$SERVER_UID
  ---
  
  ---
  case "$1" in
-     configure)
-        # create user to avoid running server as root
-        # 1. create group if not existing
-        if ! getent group | grep -q "^$SERVER_GROUP:" ; then
-           addgroup --quiet --system --gid $SERVER_GID \
-               $SERVER_GROUP 2>/dev/null ||true
-        fi
-        # 2. create user if not existing
-        if ! getent passwd | grep -q "^$SERVER_USER:"; then
-          adduser --quiet \
-                  --system \
-                  --no-create-home \
-                  --disabled-password \
-                  --uid $SERVER_UID \
-                  --gid $SERVER_GID \
-                  $SERVER_USER 2>/dev/null || true
-        fi
-        # 3. adjust passwd entry
-        usermod -c "$SERVER_NAME" \
-                -d $SERVER_HOME   \
-                -g $SERVER_GROUP  \
-                $SERVER_USER 2>/dev/null
+     configure)
+        # create user to avoid running server as root
+        # 1. create group if not existing
+        if ! getent group | grep -q "^$SERVER_GROUP:" ; then
+           addgroup --quiet --system --gid $SERVER_GID \
+               $SERVER_GROUP 2>/dev/null ||true
+        fi
+        # 2. create user if not existing
+        if ! getent passwd | grep -q "^$SERVER_USER:"; then
+          adduser --quiet \
+                  --system \
+                  --no-create-home \
+                  --disabled-password \
+                  --uid $SERVER_UID \
+                  --gid $SERVER_GID \
+                  $SERVER_USER 2>/dev/null || true
+        fi
+        # 3. adjust passwd entry
+        usermod -c "$SERVER_NAME" \
+                -d $SERVER_HOME   \
+                -g $SERVER_GROUP  \
+                $SERVER_USER 2>/dev/null
  ---
+ 
+ [Impacted scenario]
+ 
+ * lanscape-server installation when the ceph user/group already exists
+ on the system with non-default UID/GID particularly when the user exists
+ in LDAP outside the local system.
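
Review bot: the `configure)` snippet is removed and re-added with the same text on the `-` and `+` lines, so the only difference in that region is whitespace and it buries the one real change, the new `[Impacted scenario]` section. Leaving the snippet untouched would reduce this revision to the added section alone.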

** Description changed:

  If the $SERVER_USER name exists in LDAP outside the server the user will
  not exist in /etc/passwd. This will cause the postinst script to attempt
  to create the user, which will fail. This user creation/modification
  failure then causes the configuration operation to be marked as failed
  and prevent the package from completing installation.
  
  Current workaround is to define $SERVER_USER in /etc/default/ceph or
  otherwise export a custom value for this into the environment, so that
  the postinst script uses a username that does not exist in LDAP, and can
  be created within the local system. Ideally there would be a more robust
  check for the existence of the $SERVER_USER perhaps using the 'id'
  command.
  
  Snippets from /var/lib/dpkg/info/ceph-common.postinst
  
  ---
  [ -f "/etc/default/ceph" ] && . /etc/default/ceph
  
  [ -z "$SERVER_HOME" ] && SERVER_HOME=/var/lib/ceph
  [ -z "$SERVER_USER" ] && SERVER_USER=ceph
  [ -z "$SERVER_NAME" ] && SERVER_NAME="Ceph storage service"
  [ -z "$SERVER_GROUP" ] && SERVER_GROUP=ceph
  [ -z "$SERVER_UID" ] && SERVER_UID=64045  # alloc by Debian base-passwd maintainer
  [ -z "$SERVER_GID" ] && SERVER_GID=$SERVER_UID
  ---
  
  ---
  case "$1" in
      configure)
         # create user to avoid running server as root
         # 1. create group if not existing
         if ! getent group | grep -q "^$SERVER_GROUP:" ; then
            addgroup --quiet --system --gid $SERVER_GID \
                $SERVER_GROUP 2>/dev/null ||true
         fi
         # 2. create user if not existing
         if ! getent passwd | grep -q "^$SERVER_USER:"; then
           adduser --quiet \
                   --system \
                   --no-create-home \
                   --disabled-password \
                   --uid $SERVER_UID \
                   --gid $SERVER_GID \
                   $SERVER_USER 2>/dev/null || true
         fi
         # 3. adjust passwd entry
         usermod -c "$SERVER_NAME" \
                 -d $SERVER_HOME   \
                 -g $SERVER_GROUP  \
                 $SERVER_USER 2>/dev/null
  ---
  
- [Impacted scenario]
+ [Observe impacted scenario]
  
  * lanscape-server installation when the ceph user/group already exists
  on the system with non-default UID/GID particularly when the user exists
  in LDAP outside the local system.

** Description changed:

  If the $SERVER_USER name exists in LDAP outside the server the user will
  not exist in /etc/passwd. This will cause the postinst script to attempt
  to create the user, which will fail. This user creation/modification
  failure then causes the configuration operation to be marked as failed
  and prevent the package from completing installation.
  
  Current workaround is to define $SERVER_USER in /etc/default/ceph or
  otherwise export a custom value for this into the environment, so that
  the postinst script uses a username that does not exist in LDAP, and can
  be created within the local system. Ideally there would be a more robust
  check for the existence of the $SERVER_USER perhaps using the 'id'
  command.
  
  Snippets from /var/lib/dpkg/info/ceph-common.postinst
  
  ---
  [ -f "/etc/default/ceph" ] && . /etc/default/ceph
  
  [ -z "$SERVER_HOME" ] && SERVER_HOME=/var/lib/ceph
  [ -z "$SERVER_USER" ] && SERVER_USER=ceph
  [ -z "$SERVER_NAME" ] && SERVER_NAME="Ceph storage service"
  [ -z "$SERVER_GROUP" ] && SERVER_GROUP=ceph
  [ -z "$SERVER_UID" ] && SERVER_UID=64045  # alloc by Debian base-passwd maintainer
  [ -z "$SERVER_GID" ] && SERVER_GID=$SERVER_UID
  ---
  
  ---
  case "$1" in
      configure)
         # create user to avoid running server as root
         # 1. create group if not existing
         if ! getent group | grep -q "^$SERVER_GROUP:" ; then
            addgroup --quiet --system --gid $SERVER_GID \
                $SERVER_GROUP 2>/dev/null ||true
         fi
         # 2. create user if not existing
         if ! getent passwd | grep -q "^$SERVER_USER:"; then
           adduser --quiet \
                   --system \
                   --no-create-home \
                   --disabled-password \
                   --uid $SERVER_UID \
                   --gid $SERVER_GID \
                   $SERVER_USER 2>/dev/null || true
         fi
         # 3. adjust passwd entry
         usermod -c "$SERVER_NAME" \
                 -d $SERVER_HOME   \
                 -g $SERVER_GROUP  \
                 $SERVER_USER 2>/dev/null
  ---
  
  [Observe impacted scenario]
  
- * lanscape-server installation when the ceph user/group already exists
- on the system with non-default UID/GID particularly when the user exists
- in LDAP outside the local system.
+ * lanscape-server installation may fail when the ceph user/group already
+ exists on the system with non-default UID/GID particularly when the user
+ exists in LDAP outside the local system.
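
Review bot: the rewritten bullet on the `+` lines still spells the package `lanscape-server`; since the line is being reworded anyway, correct it to `landscape-server` so a search for the package name finds this bug.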

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ceph in Ubuntu.
https://bugs.launchpad.net/bugs/1858692

Title:
  ceph-common postinst does not check for ceph user existing externally

Status in Landscape Server:
  In Progress
Status in ceph package in Ubuntu:
  Incomplete

Bug description:
  If the $SERVER_USER name exists in LDAP outside the server the user
  will not exist in /etc/passwd. This will cause the postinst script to
  attempt to create the user, which will fail. This user
  creation/modification failure then causes the configuration operation
  to be marked as failed and prevent the package from completing
  installation.

  Current workaround is to define $SERVER_USER in /etc/default/ceph or
  otherwise export a custom value for this into the environment, so that
  the postinst script uses a username that does not exist in LDAP, and
  can be created within the local system. Ideally there would be a more
  robust check for the existence of the $SERVER_USER perhaps using the
  'id' command.

  Snippets from /var/lib/dpkg/info/ceph-common.postinst

  ---
  [ -f "/etc/default/ceph" ] && . /etc/default/ceph

  [ -z "$SERVER_HOME" ] && SERVER_HOME=/var/lib/ceph
  [ -z "$SERVER_USER" ] && SERVER_USER=ceph
  [ -z "$SERVER_NAME" ] && SERVER_NAME="Ceph storage service"
  [ -z "$SERVER_GROUP" ] && SERVER_GROUP=ceph
  [ -z "$SERVER_UID" ] && SERVER_UID=64045  # alloc by Debian base-passwd maintainer
  [ -z "$SERVER_GID" ] && SERVER_GID=$SERVER_UID
  ---

  ---
  case "$1" in
      configure)
         # create user to avoid running server as root
         # 1. create group if not existing
         if ! getent group | grep -q "^$SERVER_GROUP:" ; then
            addgroup --quiet --system --gid $SERVER_GID \
                $SERVER_GROUP 2>/dev/null ||true
         fi
         # 2. create user if not existing
         if ! getent passwd | grep -q "^$SERVER_USER:"; then
           adduser --quiet \
                   --system \
                   --no-create-home \
                   --disabled-password \
                   --uid $SERVER_UID \
                   --gid $SERVER_GID \
                   $SERVER_USER 2>/dev/null || true
         fi
         # 3. adjust passwd entry
         usermod -c "$SERVER_NAME" \
                 -d $SERVER_HOME   \
                 -g $SERVER_GROUP  \
                 $SERVER_USER 2>/dev/null
  ---

  [Observe impacted scenario]

  * landscape-server installation may fail when the ceph user/group
  already exists on the system with non-default UID/GID particularly
  when the user exists in LDAP outside the local system.
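
The more robust existence check the description asks for, as an added example (not the ceph-common postinst and not a fix proposed in this bug): it resolves the name with a keyed `id` lookup instead of grepping whatever `getent passwd` enumerates, then checks whether the account is local before anything tries to modify it. `plan_service_user`, `user_resolves`, `user_is_local` and `PASSWD_FILE` are hypothetical names introduced here.

```sh
#!/bin/sh
# Added example, not the ceph-common postinst. PASSWD_FILE is an assumed
# override so the local-file check can be run against a constructed file.

# True when any NSS source (files, LDAP through sssd, ...) resolves the name.
user_resolves() {
    id -u "$1" >/dev/null 2>&1
}

# True when the name has an entry in the local passwd file itself.
# awk compares the first field literally, so the name is not treated as a regex.
user_is_local() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' \
        "${PASSWD_FILE:-/etc/passwd}" 2>/dev/null
}

# Print the action a postinst should take for the service account:
#   create         nothing resolves the name, so adduser is safe to run
#   adjust         local account, so usermod can edit its passwd entry
#   skip-external  resolves only through a remote source; leave it alone
plan_service_user() {
    if ! user_resolves "$1"; then
        echo create
    elif user_is_local "$1"; then
        echo adjust
    else
        echo skip-external
    fi
}

# Example run with the default name from the page; a real maintainer script
# would branch on the result instead of printing it.
SERVER_USER=${SERVER_USER:-ceph}
echo "plan for $SERVER_USER: $(plan_service_user "$SERVER_USER")"
```

In the scenario from this bug the result would be `skip-external`: the name resolves through LDAP but has no line in `/etc/passwd`, so neither the create step nor the `usermod` step should run.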
