desktop-packages team mailing list archive

[Bug 1313550] Re: ping does not work as a normal user on trusty tarball cloud images.

 

This was the test case:

1) Update trusty daily root-tgz image with a copy of dcap and cap properties.
2) Sync image to cache
3) Deploy a node with trusty
4) Access deployed node
5) Ensure that cap properties for the new file are preserved on deployed system.

This test passed.

Here are test details:
======================================================================
1) Update image
root@ubuntumaas:/var/lib/maas/boot-resources/cache/root# ls -l usr/bin/dpkgcap
-rwxr-xr-x 1 root root 261840 Dec 17 09:33 usr/bin/dpkgcap
root@ubuntumaas:/var/lib/maas/boot-resources/cache/root# getcap usr/bin/dpkgcap
usr/bin/dpkgcap = cap_net_raw+p
root@ubuntumaas:/var/lib/maas/boot-resources/cache/root# tar --xattrs '--xattrs-include=*' -czf root.tar.gz *
tar: root.tar.gz: file changed as we read it

2) Sync image
root@ubuntumaas:/var/lib/maas/boot-resources/cache/root# ls -l
total 550812
drwxr-xr-x  2 root root      4096 Dec 17 02:54 bin
drwxr-xr-x  3 root root      4096 Dec  8 14:34 boot
drwxr-xr-x  6 root root      4096 Dec  8 14:34 dev
drwxr-xr-x 96 root root      4096 Dec 17 02:56 etc
drwxr-xr-x  2 root root      4096 Apr 10  2014 home
lrwxrwxrwx  1 root root        33 Dec  8 14:33 initrd.img -> boot/initrd.img-3.13.0-40-generic
drwxr-xr-x 22 root root      4096 Dec  8 14:31 lib
drwxr-xr-x  2 root root      4096 Dec  4 18:40 lib64
drwx------  2 root root      4096 Dec  4 18:43 lost+found
drwxr-xr-x  2 root root      4096 Dec  4 18:40 media
drwxr-xr-x  2 root root      4096 Apr 10  2014 mnt
drwxr-xr-x  2 root root      4096 Dec  4 18:40 opt
drwxr-xr-x  2 root root      4096 Apr 10  2014 proc
drwx------  2 root root      4096 Dec 17 02:05 root
-rw-r--r--  1 root root 563942052 Dec 17 09:40 root.tar.gz
drwxr-xr-x  4 root root      4096 Dec  8 14:33 run
drwxr-xr-x  2 root root      4096 Dec 17 02:54 sbin
drwxr-xr-x  2 root root      4096 Dec  4 18:40 srv
drwxr-xr-x  2 root root      4096 Mar 12  2014 sys
drwxrwxrwt  4 root root      4096 Dec 17 02:55 tmp
drwxr-xr-x 10 root root      4096 Dec  4 18:40 usr
drwxr-xr-x 12 root root      4096 Dec  4 18:43 var
lrwxrwxrwx  1 root root        30 Dec  8 14:33 vmlinuz -> boot/vmlinuz-3.13.0-40-generic
root@ubuntumaas:/var/lib/maas/boot-resources/cache/root# ls -l ../root-tgz-3d15bdc99ae5cfe7e0be2e06e084636dc6fd809ec09ca54732ec83c9224376a2 
-rw-r--r-- 1 root root 424884409 Dec 17 03:28 ../root-tgz-3d15bdc99ae5cfe7e0be2e06e084636dc6fd809ec09ca54732ec83c9224376a2
root@ubuntumaas:/var/lib/maas/boot-resources/cache/root# cp root.tar.gz ../root-tgz-3d15bdc99ae5cfe7e0be2e06e084636dc6fd809ec09ca54732ec83c9224376a2 
root@ubuntumaas:/var/lib/maas/boot-resources/cache/root# ls -l ../root-tgz-3d15bdc99ae5cfe7e0be2e06e084636dc6fd809ec09ca54732ec83c9224376a2 
-rw-r--r-- 1 root root 563942052 Dec 17 09:42 ../root-tgz-3d15bdc99ae5cfe7e0be2e06e084636dc6fd809ec09ca54732ec83c9224376a2
root@ubuntumaas:/var/lib/maas/boot-resources/cache/root# service tgt restart
tgt stop/waiting
tgt start/running, process 16692
root@ubuntumaas:/var/lib/maas/boot-resources/cache/root# cp ../root-tgz-3d15bdc99ae5cfe7e0be2e06e084636dc6fd809ec09ca54732ec83c9224376a2 ../../current/ubuntu/amd64/generic/trusty/daily/root-tgz 
root@ubuntumaas:/var/lib/maas/boot-resources/cache/root# sync;sync
root@ubuntumaas:/var/lib/maas/boot-resources/cache/root# exit
logout

3) Deploy node from maas

4) Access deployed node
lmic@ubuntumaas:/var/lib/maas/boot-resources/cache/root$ ssh 192.168.224.100
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
5b:1b:de:c3:ff:d6:e5:64:3c:b7:be:19:55:69:b5:7e.
Please contact your system administrator.
Add correct host key in /home/lmic/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/lmic/.ssh/known_hosts:20
  remove with: ssh-keygen -f "/home/lmic/.ssh/known_hosts" -R 192.168.224.100
ECDSA host key for 192.168.224.100 has changed and you have requested strict checking.
Host key verification failed.
lmic@ubuntumaas:/var/lib/maas/boot-resources/cache/root$  ssh-keygen -f "/home/lmic/.ssh/known_hosts" -R 192.168.224.100
# Host 192.168.224.100 found: line 20 type ECDSA
/home/lmic/.ssh/known_hosts updated.
Original contents retained as /home/lmic/.ssh/known_hosts.old
lmic@ubuntumaas:/var/lib/maas/boot-resources/cache/root$ ssh 192.168.224.100
The authenticity of host '192.168.224.100 (192.168.224.100)' can't be established.
ECDSA key fingerprint is 5b:1b:de:c3:ff:d6:e5:64:3c:b7:be:19:55:69:b5:7e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.224.100' (ECDSA) to the list of known hosts.
Permission denied (publickey).
lmic@ubuntumaas:/var/lib/maas/boot-resources/cache/root$ ssh ubuntu@192.168.224.100
Enter passphrase for key '/home/lmic/.ssh/id_rsa': 
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-40-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Wed Dec 17 15:51:42 UTC 2014

  System load: 0.16              Memory usage: 2%   Processes:       55
  Usage of /:  37.9% of 7.75GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

21 packages can be updated.
15 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


5) Check capabilities on Test file
ubuntu@vm:~$ ls /usr/bin/dpkg*
/usr/bin/dpkg     /usr/bin/dpkg-deb     /usr/bin/dpkg-maintscript-helper  /usr/bin/dpkg-split         /usr/bin/dpkg-trigger
/usr/bin/dpkgcap  /usr/bin/dpkg-divert  /usr/bin/dpkg-query               /usr/bin/dpkg-statoverride
ubuntu@vm:~$ getcap /usr/bin/dpkgcap
/usr/bin/dpkgcap = cap_net_raw+p                                                                                 <<< TEST PASSED
ubuntu@vm:~$ 
ubuntu@vm:~$ dpkgcap
dpkg: error: need an action option

Type dpkg --help for help about installing and deinstalling packages [*];
Use 'apt' or 'aptitude' for user-friendly package management;
Type dpkg -Dhelp for a list of dpkg debug flag values;
Type dpkg --force-help for a list of forcing options;
Type dpkg-deb --help for help about manipulating *.deb files;

Options marked [*] produce a lot of output - pipe it through 'less' or 'more' !
ubuntu@vm:~$ 
======================================================================


** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to iputils in Ubuntu.
https://bugs.launchpad.net/bugs/1313550

Title:
  ping does not work as a normal user on trusty tarball cloud images.

Status in The curt installer:
  Confirmed
Status in MAAS:
  Confirmed
Status in curtin package in Ubuntu:
  Confirmed
Status in iputils package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
  Confirmed
Status in maas package in Ubuntu:
  Confirmed
Status in tar package in Ubuntu:
  Fix Released
Status in lxc source package in Precise:
  Confirmed
Status in tar source package in Precise:
  Confirmed
Status in curtin source package in Saucy:
  Won't Fix
Status in lxc source package in Saucy:
  Won't Fix
Status in maas source package in Saucy:
  Won't Fix
Status in tar source package in Saucy:
  Won't Fix
Status in curtin source package in Trusty:
  Fix Committed
Status in lxc source package in Trusty:
  Confirmed
Status in maas source package in Trusty:
  Confirmed
Status in tar source package in Trusty:
  Fix Released

Bug description:
  With trusty, /bin/ping relies on having extended attributes and kernel
  capabilities to gain the cap_net_raw+p capability. This allows
  removing the suid bit.

  However, the tarball cloud images do not preserve the extended
  attributes, and thus /bin/ping does not work on a system derived from
  them.

  Summary of problem per package:
   * lxc: ubuntu cloud template needs to extract
   * download template needs to extract with xattr flags
   * server side download creation tools need xattr flags
   * [unconfirmed] tarball caches need creation and extraction with xattr flags
   * tar: need the '--xattr' and '--acl' flags backported
   * maas: uec2roottgz needs to use xattr/acl flags
   * curtin: extraction needs to use xattr/acl flags.
   * cloud-image-build: needs to create -root.tar.gz with xattr/acl flags

  Related Bugs:
   * bug 1382632: horizon insecure key file permissions
   * bug 1386237: tar strange behavior with --acl and xattr
   * bug 1313550: ping broken (xattrs lost in tar extraction)

To manage notifications about this bug go to:
https://bugs.launchpad.net/curtin/+bug/1313550/+subscriptions
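
The test case above confirms preserved capabilities only after a node has been deployed and getcap is run on it. The following added example (not part of the bug report or of any Ubuntu tool) checks the root tarball itself: GNU tar --xattrs stores each extended attribute as a PAX record named SCHILY.xattr.<name>, so the script lists members carrying security.capability and decodes the value. The function names, the bin/ping member and the in-memory sample archives are constructed for illustration.

```python
import io
import struct
import tarfile

# PAX record GNU tar --xattrs writes for the file-capability xattr
XATTR_KEY = "SCHILY.xattr.security.capability"
CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw"}  # subset; others print as cap_<n>

def decode_vfs_cap(raw: bytes) -> str:
    """Decode a security.capability value (struct vfs_cap_data) to getcap-like text."""
    if len(raw) < 4:
        raise ValueError("truncated vfs_cap_data")
    (magic,) = struct.unpack_from("<I", raw)
    words = {1: 1, 2: 2, 3: 2}.get(magic >> 24)  # revision -> number of 32-bit pairs
    if words is None or len(raw) < 4 + 8 * words:
        raise ValueError("unsupported or truncated vfs_cap_data")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    effective = "e" if magic & 0x1 else ""  # VFS_CAP_FLAGS_EFFECTIVE
    out = []
    for bit in range(64):
        flags = effective + ("i" if inheritable >> bit & 1 else "") \
                          + ("p" if permitted >> bit & 1 else "")
        if flags.strip("e"):
            out.append(f"{CAP_NAMES.get(bit, f'cap_{bit}')}+{flags}")
    return " ".join(out)

def audit_tarball(fileobj) -> dict:
    """Return {member name: decoded capability} for members that carry the xattr."""
    found = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            value = member.pax_headers.get(XATTR_KEY)
            if value is not None:
                # tarfile decodes PAX values as text; recover the raw bytes
                found[member.name] = decode_vfs_cap(value.encode("utf-8", "surrogateescape"))
    return found

def build_sample(with_xattrs: bool) -> io.BytesIO:
    """Constructed sample: one-file root.tar.gz, with or without the xattr record."""
    cap = struct.pack("<IIIII", 0x02000000, 1 << 13, 0, 0, 0)  # cap_net_raw+p, rev 2
    info = tarfile.TarInfo("bin/ping")
    info.size = 4
    if with_xattrs:
        info.pax_headers = {XATTR_KEY: cap.decode("utf-8", "surrogateescape")}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", format=tarfile.PAX_FORMAT) as tar:
        tar.addfile(info, io.BytesIO(b"\x7fELF"))
    buf.seek(0)
    return buf
```

An empty result for an image that ships capability-based binaries means the archive was created without xattr flags, which is the failure this bug describes.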