launchpad-reviewers team mailing list archive

[Merge] ~cjwatson/launchpad-buildd:robustify-lxd-group-membership into launchpad-buildd:master

 

Colin Watson has proposed merging ~cjwatson/launchpad-buildd:robustify-lxd-group-membership into launchpad-buildd:master.

Commit message:
Ensure that launchpad-buildd runs with lxd as a supplementary group

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad-buildd/+git/launchpad-buildd/+merge/418611

`bin/sbuild-package` has an unfortunate hack to temporarily remove the buildd user's lxd group membership (see https://bugs.launchpad.net/launchpad-buildd/+bug/1820348).  If a non-virtualized builder crashes for some reason in the middle of an sbuild job, it will come back up without being reset to a clean image (since it's non-virtualized), launchpad-buildd will start without the lxd supplementary group it's supposed to have, and as a result it will be unable to start LXD containers.

To work around all this, tell systemd to add lxd as a supplementary group no matter what, ensuring that launchpad-buildd comes up properly even if the system group database is temporarily wrong.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad-buildd:robustify-lxd-group-membership into launchpad-buildd:master.
diff --git a/debian/changelog b/debian/changelog
index f75293a..e0f1e30 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+launchpad-buildd (212) UNRELEASED; urgency=medium
+
+  * Ensure that launchpad-buildd runs with lxd as a supplementary group.
+
+ -- Colin Watson <cjwatson@xxxxxxxxxx>  Wed, 06 Apr 2022 12:46:35 +0100
+
 launchpad-buildd (211) focal; urgency=medium
 
   * Use "git checkout" rather than "git clone -b", since that allows
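Review bot: the new 212 bullet says what changes but not why, so someone reading debian/changelog on its own cannot tell that this is a recovery measure rather than a new requirement. Consider adding a short clause to the bullet, for example "even if the buildd user's group membership is temporarily missing", to match the rationale given in the comment added to the service file.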
diff --git a/debian/launchpad-buildd@.service b/debian/launchpad-buildd@.service
index 690e0fd..8ebaa58 100644
--- a/debian/launchpad-buildd@.service
+++ b/debian/launchpad-buildd@.service
@@ -13,6 +13,11 @@ Type=simple
 RuntimeDirectory=launchpad-buildd
 LogsDirectory=launchpad-buildd
 User=buildd
+# The buildd user should normally already be a member of this group, but due
+# to the deluser hacks in sbuild-package it's possible for the group
+# membership to be missing if a non-virtualized builder crashes in the
+# middle of an sbuild job.  Make sure of it here.
+SupplementaryGroups=lxd
 EnvironmentFile=-/etc/default/launchpad-buildd
 Environment=BUILDD_CONFIG=/etc/launchpad-buildd/%i
 # When enabled, launchpad-buildd accepts network commands and runs them as
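Review bot: with SupplementaryGroups=lxd added under User=buildd, systemd has to resolve the lxd group name when the unit starts, and a group that does not exist makes the start fail rather than being silently skipped. Nothing in the visible lines shows that the lxd group is guaranteed to exist on every builder, so it is worth confirming that the package's dependencies or maintainer scripts create it before this unit can run. The added comment could also state that the directive gives the service process the group regardless of what the group database currently lists for buildd, since that is the property being relied on.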