Bug#1055786: GID=1000 for netdev created by cloud-init violates Debian Policy
Package: cloud-init
Version: 22.4.2-1
Severity: normal
## Background:
The problem and a possible root cause fix are reported in the upstream GitHub
issue: https://github.com/canonical/cloud-init/issues/4603
## Issue:
I noticed that an instance generated from the Debian bookworm cloud image on
linuxcontainer.org had an odd GID=1000 for netdev. Since netdev should be a
system group, this situation violates Debian policy.
Basically, cloud-init has a bug where it creates system groups starting from
GID=1000 if it sees a group name listed in the groups list that is missing
from the system's /etc/group.
## What I am asking of Debian packagers
The root cause fix is taking a long time upstream. There should be some
least invasive workaround to avoid this issue in most use cases simply
by updating the debian/cloud.cfg file.
I suggest dropping "netdev" from `debian/cloud.cfg` as the least invasive
minimal change. This should be done on both stable (now) and
unstable (unless upstream fixes the root cause).
## Technical consideration.
This debian/cloud.cfg is installed by the override_dh_installinit target in
debian/rules. I compared this against upstream config/cloud.cfg.tmpl.
It looks like this is a modified version of the upstream-generated cloud.cfg,
which shares its contents with Ubuntu. I see "[Uu]buntu" swapped with
"[Dd]ebian" in cloud.cfg. Besides these cosmetic changes, Debian
packaging already made an interesting change in it. Let's look at groups
in cloud.cfg.
upstream: adm, audio, cdrom, dialout, dip, floppy, lxd, netdev, plugdev, sudo, video
debian: adm, audio, cdrom, dialout, dip, floppy, netdev, plugdev, sudo, video
I don't know how these were chosen by upstream, mostly for Ubuntu, but the
Debian packager made the decision to drop "lxd" here.
A minimal Debian system has its system groups defined in the base-passwd
package. So "adm, audio, cdrom, dialout, dip, floppy, plugdev, sudo,
video" are guaranteed to exist. The Debian package should drop not only "lxd"
but also "netdev".
I don't think removing `netdev` causes much of a problem.
As you know, `netdev` is for `/dev/rfkill` and wpasupplicant and similar
packages. If anyone decides to add these packages to the root image, it
gets generated properly by postinst. Of course, adding the `netdev` group to
the primary user account `debian` is needed if the user wishes. That's
something to be documented. We must keep the Debian system compliant with
Debian policy.
Debian Policy
https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes
100-999:
Dynamically allocated system users and groups. Packages which need a
user or group, but can have this user or group allocated dynamically and
differently on each system, should use adduser --system to create the
group and/or user. adduser will check for the existence of the user or
group, and if necessary choose an unused id based on the ranges
specified in adduser.conf.
-- System Information:
Debian Release: 12.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.5.0-0.deb12.1-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cloud-init depends on:
ii eject 2.38.1-5+b1
ii fdisk 2.38.1-5+b1
ii gdisk 1.0.9-2.1
ii isc-dhcp-client 4.4.3-P1-2
ii locales 2.36-9+deb12u3
ii lsb-base 11.6
ii lsb-release 12.0-1
ii procps 2:4.0.2-3
ii python3 3.11.2-1+b1
ii python3-configobj 5.0.8-1
ii python3-jinja2 3.1.2-1
ii python3-jsonpatch 1.32-2
ii python3-jsonschema 4.10.3-1
ii python3-netifaces 0.11.0-2+b1
ii python3-oauthlib 3.2.2-1
ii python3-requests 2.28.1+dfsg-1
ii python3-serial 3.5-1.1
ii python3-yaml 6.0-3+b2
ii sysvinit-utils [lsb-base] 3.06-4
ii util-linux 2.38.1-5+b1
Versions of packages cloud-init recommends:
ii cloud-guest-utils 0.33-1
ii eatmydata 130-2
ii sudo 1.9.13p3-1+deb12u1
Versions of packages cloud-init suggests:
ii btrfs-progs 6.2-1
ii e2fsprogs 1.47.0-2
ii xfsprogs 6.1.0-1
-- no debconf information
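
The check described in the report, as an added example that is not part of the original report or of cloud-init: it parses /etc/group content and, for the names in the debian/cloud.cfg groups list quoted above, reports which are absent from an image (the ones cloud-init would create) and which already sit at GID 1000 or above. The two /etc/group samples and the function names are constructed for illustration.

```python
# Added example: constructed data, not cloud-init or Debian packaging code.
# Group names from debian/cloud.cfg as quoted in the report.
CLOUD_CFG_GROUPS = ["adm", "audio", "cdrom", "dialout", "dip", "floppy",
                    "netdev", "plugdev", "sudo", "video"]
SYSTEM_GID_MAX = 999  # Debian Policy: dynamic system groups are 100-999

# Constructed /etc/group of an instance after first boot (sample GIDs).
AFTER_BOOT = """\
root:x:0:
adm:x:4:
dialout:x:20:
cdrom:x:24:
floppy:x:25:
sudo:x:27:
audio:x:29:
dip:x:30:
video:x:44:
plugdev:x:46:
netdev:x:1000:debian
debian:x:1001:
"""
# Constructed /etc/group of the image before first boot: no netdev, no user.
IMAGE = "\n".join(line for line in AFTER_BOOT.splitlines()
                  if not line.startswith(("netdev:", "debian:")))

def parse_group(text):
    """Return {name: gid}; skip blank, comment and malformed lines."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < 3:
            continue
        if fields[0] and fields[2].isdigit():
            groups[fields[0]] = int(fields[2])
    return groups

def audit(group_text, expected_system_groups):
    """Flag expected system groups that are missing or above the system range."""
    groups = parse_group(group_text)
    missing = [g for g in expected_system_groups if g not in groups]
    out_of_range = [(g, groups[g]) for g in expected_system_groups
                    if g in groups and groups[g] > SYSTEM_GID_MAX]
    return {"missing": missing, "out_of_range": out_of_range}

if __name__ == "__main__":
    for label, text in (("image", IMAGE), ("after boot", AFTER_BOOT)):
        print(label, audit(text, CLOUD_CFG_GROUPS))
```

Running `audit` against the /etc/group inside an image before publishing it shows which listed groups would be left for cloud-init to create at first boot.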