launchpad-reviewers team mailing list archive

[Merge] ~cjwatson/launchpad-buildd:sbuild-remove-lxd-group into launchpad-buildd:master

 

Colin Watson has proposed merging ~cjwatson/launchpad-buildd:sbuild-remove-lxd-group into launchpad-buildd:master.

Commit message:
sbuild-package: Temporarily remove lxd group membership

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)
Related bugs:
  Bug #1820348 in launchpad-buildd: "buildd user's lxd group membership causes some package build failures"
  https://bugs.launchpad.net/launchpad-buildd/+bug/1820348

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad-buildd/+git/launchpad-buildd/+merge/399216

This works around some unconfigurable behaviour in schroot that previously caused some build failures because build processes inside the chroot had a supplementary group that wasn't present in the chroot's /etc/group.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad-buildd:sbuild-remove-lxd-group into launchpad-buildd:master.
diff --git a/bin/sbuild-package b/bin/sbuild-package
index b5fc862..5e3e9f0 100755
--- a/bin/sbuild-package
+++ b/bin/sbuild-package
@@ -51,6 +51,25 @@ getent group sbuild | sudo tee -a chroot-autobuild/etc/group > /dev/null || exit
 getent passwd sbuild | sudo tee -a chroot-autobuild/etc/passwd > /dev/null || exit 2
 sudo chown sbuild:sbuild chroot-autobuild/build || exit 2
 
+# schroot calls initgroups(3) when entering a session, which sets
+# supplementary groups to the target user's groups in the host system's
+# /etc/group.  As a result, additional group memberships of the buildd user
+# (currently just lxd) outside the chroot are also visible inside the
+# chroot, and must exist in /etc/group there as well or else a few package
+# builds will fail, so we temporarily remove the lxd group membership for
+# the duration of this build.  This is all very unfortunate and not very
+# robust; perhaps eventually we should fix this by doing package builds in
+# LXD containers, although that would have its own problems, particularly
+# when bootstrapping new architectures.
+cleanup () {
+    sudo adduser --quiet buildd lxd
+}
+trap cleanup EXIT
+# According to deluser(8):
+#   6   The user does not belong to the specified group.  No action was
+#       performed.
+sudo deluser --quiet buildd lxd || [ $? = 6 ]
+
 hostarch=$(dpkg --print-architecture)
 
 UNAME26=""
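Review bot: cleanup() re-adds buildd to lxd unconditionally, while the deluser line treats exit status 6 (the user was not in the group) as success, so on a host where buildd was not an lxd member the EXIT trap grants a group membership that did not exist before the build. Record whether deluser actually removed the membership (status 0) and restore it only in that case. Separately, a deluser failure other than 6 is not handled the way the neighbouring lines are: they end in `|| exit 2`, whereas the result of `sudo deluser --quiet buildd lxd || [ $? = 6 ]` is dropped unless the script runs under set -e, which these lines do not show. Appending `|| exit 2` would stop the build rather than let it proceed with the lxd group still in place. The comment block could also say what restores the membership if the script is killed in a way that does not run the EXIT trap.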
diff --git a/debian/changelog b/debian/changelog
index b1916ee..52b6dfe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+launchpad-buildd (195) UNRELEASED; urgency=medium
+
+  * sbuild-package: Temporarily remove lxd group membership (LP: #1820348).
+
+ -- Colin Watson <cjwatson@xxxxxxxxxx>  Fri, 05 Mar 2021 13:39:19 +0000
+
 launchpad-buildd (194) bionic; urgency=medium
 
   [ Colin Watson ]
diff --git a/debian/postinst b/debian/postinst
index 8d71430..7118bb1 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -28,6 +28,8 @@ case "$1" in
         adduser --ingroup buildd --disabled-login --gecos 'Buildd user' \
                 --uid $BUILDDUID ${USER}
         adduser --quiet buildd sbuild
+        # Note that any additional group memberships here must currently be
+        # reflected in the deluser hacks in sbuild-package.
         adduser --quiet buildd lxd
 
 	SUDO_VERSION=$(sudo -V | sed -n '/^Sudo version/s/.* //p')
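Review bot: the comment added above `adduser --quiet buildd lxd` makes keeping two files in sync a manual step, and nothing enforces it: a group added here but not handled in sbuild-package would bring back the build failures this change works around. Name the exact place to update (the cleanup function and the deluser call in bin/sbuild-package), add the reciprocal comment there pointing back to debian/postinst, or keep the list of extra groups in one place that both scripts read.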