Bug#1055786: marked as done (GID=1000 for netdev created by cloud-init violates Debian Policy)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Tue, 17 Sep 2024 16:49:05 +0000
with message-id <E1sqbNx-003vMu-La@fasolo.debian.org>
and subject line Bug#1055786: fixed in cloud-init 24.3.1-1
has caused the Debian Bug report #1055786,
regarding GID=1000 for netdev created by cloud-init violates Debian Policy
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1055786: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055786
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: GID=1000 for netdev created by cloud-init violates Debian Policy
• From: Osamu Aoki <osamu@debian.org>
• Date: Sat, 11 Nov 2023 21:46:51 +0900
• Message-id: <169970681157.143296.18297501284903693914.reportbug@goofy>

Package: cloud-init
Version: 22.4.2-1
Severity: normal

## Background:

The problem and possible root cause fix are reported on upstream github
issue: https://github.com/canonical/cloud-init/issues/4603

## Issue:
I noticed instance generated from Debian bookworm cloud image on
linuxcontainer.org had odd GID=1000 for netdev. Since netdev should be a
system group, this situation violates Debian policy.

Basically, cloud-init has a bug of creating system group starting from
GID=1000 if it sees some group name listed in groups-list and missing on
the system's /etc/group.

## What am I asking to Debian packagers

The root cause fix takes long time in upstream.  There should be some
least invasive workaround to avoid this issue on most use cases simply
by updating debian/cloud.cfg file.

I suggest to drop "netdev" from `debian/cloud.cfg` as the least invasive
minimal change.  This should be done on both on stable (now) and
unstable (unless upstream fixes the root cause).

## Technical consideration.

This debian/cloud.cfg is installed by override_dh_installinit target in
debian/rules .  I compaired this against upstream config/cloud.cfg.tmpl.
It looks like this has modified upstream generated cloud.cfg which
sharies its contents with Ubuntu.  I see "[Uu]buntu" swapped with
"[Dd]ebian" in cloud.cfg. Besides these cosmetic changes, Debian
packaging already made interesting change in it.  Let's look at groups
in cloud.cfg.

upstream: adm, audio, cdrom, dialout, dip, floppy, lxd, netdev, plugdev, sudo, video
debian:   adm, audio, cdrom, dialout, dip, floppy, netdev, plugdev, sudo, video

I don't know how these are chosen mostly for Ubuntu by upstream but
Debian packager made decision to drop "lxd" here.

Minimal Debian system has its system group defined in base-passwd
package.  So "adm, audio, cdrom, dialout, dip, floppy, plugdev, sudo,
video" are guranteed to exist. Debian package should drop not only "lxd"
but also "netdev".

I don't think removing `netdev` cause much problem.

As you know, `netdev` is for `/dev/wfkill` and wpsupplicant and similar
packages.  If anyone decides to add these packages to the root image, it
get generated properly by postinst.  Of course, adding `netdev` group to 
the primary user account `debian` is needed if the user wishes.  That's
something to be documented.  We must keep Debian system compliant to
Debian policy.

Debian Policy
https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes

  100-999:
  Dynamically allocated system users and groups. Packages which need a
  user or group, but can have this user or group allocated dynamically and
  differently on each system, should use adduser --system to create the
  group and/or user. adduser will check for the existence of the user or
  group, and if necessary choose an unused id based on the ranges
  specified in adduser.conf.


-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-0.deb12.1-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cloud-init depends on:
ii  eject                      2.38.1-5+b1
ii  fdisk                      2.38.1-5+b1
ii  gdisk                      1.0.9-2.1
ii  isc-dhcp-client            4.4.3-P1-2
ii  locales                    2.36-9+deb12u3
ii  lsb-base                   11.6
ii  lsb-release                12.0-1
ii  procps                     2:4.0.2-3
ii  python3                    3.11.2-1+b1
ii  python3-configobj          5.0.8-1
ii  python3-jinja2             3.1.2-1
ii  python3-jsonpatch          1.32-2
ii  python3-jsonschema         4.10.3-1
ii  python3-netifaces          0.11.0-2+b1
ii  python3-oauthlib           3.2.2-1
ii  python3-requests           2.28.1+dfsg-1
ii  python3-serial             3.5-1.1
ii  python3-yaml               6.0-3+b2
ii  sysvinit-utils [lsb-base]  3.06-4
ii  util-linux                 2.38.1-5+b1

Versions of packages cloud-init recommends:
ii  cloud-guest-utils  0.33-1
ii  eatmydata          130-2
ii  sudo               1.9.13p3-1+deb12u1

Versions of packages cloud-init suggests:
ii  btrfs-progs  6.2-1
ii  e2fsprogs    1.47.0-2
ii  xfsprogs     6.1.0-1

-- no debconf information

--- End Message ---

--- Begin Message ---

• To: 1055786-close@bugs.debian.org
• Subject: Bug#1055786: fixed in cloud-init 24.3.1-1
• From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
• Date: Tue, 17 Sep 2024 16:49:05 +0000
• Message-id: <E1sqbNx-003vMu-La@fasolo.debian.org>
• Reply-to: Noah Meyerhans <noahm@debian.org>

Source: cloud-init
Source-Version: 24.3.1-1
Done: Noah Meyerhans <noahm@debian.org>

We believe that the bug you reported is fixed in the latest version of
cloud-init, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1055786@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noah Meyerhans <noahm@debian.org> (supplier of updated cloud-init package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 17 Sep 2024 12:18:42 -0400
Source: cloud-init
Architecture: source
Version: 24.3.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Cloud Team <debian-cloud@lists.debian.org>
Changed-By: Noah Meyerhans <noahm@debian.org>
Closes: 1055786 1055890 1078180 1080999
Changes:
 cloud-init (24.3.1-1) unstable; urgency=medium
 .
   * New upstream version 24.3.1 (Closes: #1078180)
   * Refresh patches
   * Add no-op /etc/init.d/cloud-init-main to ensure corresponding init scripts
     exist for each systemd unit
   * Ensure cloud-init-main.service conflicts with shutdown.target
   * Update lintian overrides for /lib/systemd -> /usr/lib/systemd change
   * Refresh default cloud.cfg
   * Fix python3 compatibility in postinst (Closes: #1055890)
   * Prefer the dhcpcd DHCP client implementation (Closes: #1080999)
   * Drop netdev from the default user's supplemental groups (Closes: #1055786)
Checksums-Sha1:
 7b160d32e08b9cfbd5f8ce4bdaf5d283a42560b3 2466 cloud-init_24.3.1-1.dsc
 f65dbc1bb45ccd41716f1d1342e375b613f7d8c9 1844924 cloud-init_24.3.1.orig.tar.gz
 b92bfdda20b1849b12633cf156c6634ba2e5d310 28076 cloud-init_24.3.1-1.debian.tar.xz
 55dd038793f6e80ee18bcd8dac74dd2c5ff3c494 7261 cloud-init_24.3.1-1_source.buildinfo
Checksums-Sha256:
 1355195990a504f18badd5006d2bc18bd029c2fc36a445fb4a18852c02d07e1c 2466 cloud-init_24.3.1-1.dsc
 6e123c8adb64f1224b7958464c3e3a5912488f924e5abb480d77e7dfb2970699 1844924 cloud-init_24.3.1.orig.tar.gz
 82efb65498ff31832309f6e78f1b0448859ce6f2c123b3ec3e3497b9c8a655de 28076 cloud-init_24.3.1-1.debian.tar.xz
 9fbe91591dbbd2bfd90d9d2111c5c1abe626a578a4624e53801fa357f6a2cae9 7261 cloud-init_24.3.1-1_source.buildinfo
Files:
 046de561b393d77d1dd024c3a51a576f 2466 admin optional cloud-init_24.3.1-1.dsc
 0df3b7ae09eed8cef0fb8106f5f75490 1844924 admin optional cloud-init_24.3.1.orig.tar.gz
 6fa63d3135d8c2469c440d92390d68b2 28076 admin optional cloud-init_24.3.1-1.debian.tar.xz
 63017093e0bf10b548d85ad677b6bbf0 7261 admin optional cloud-init_24.3.1-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEE5G+E0xEKhJuZ7RJ34+c1IpshdTUFAmbpsNQRHG5vYWhtQGRl
Ymlhbi5vcmcACgkQ4+c1IpshdTU3LQ/+LKinnawS/tM2LmNdT7Zpduu2QrMdOC1R
jUQCujpFSXYUMAdg9j7Y342QLH+wDSlg4r17F0VguJYIqPz2k9yFcmAxO4hu/Jjb
uEopWxKwiWjuXqxvSWb74llxJDdK2cY2tvZ6EffJshwfbvD0Y0FNsNysVMownWiA
N/EIlQUTzcMG0EjLm5SG49T9dHBETkirjjBAkMuDE1q1PfkYuv40811Dfb6irK3o
O8i5D9eCdPcIeC0tg1FEFW0WFzStIf+BB4sgM0R+uzyFUu+yn9gpz+qPPj7e0Rcv
OSi7NL6JXrJ+7qAYCe61we109vOga7CnOvBHkm2yARqx5+4lTvTc4vyLJsm41sOc
urwwLASbBYSLLOY0VOP9daUib1U0l2V7voiiwMoRbtgPs4KDmD39P2HtWToWX236
ux3wrYs1ZRKjGYhTJV7jZeAplLKPYc2oBCqKTFoX5FTJ8wQFsstoDPVp9TuZv5yB
7Y9ertO7lql4FN7+3S0JGCQZUKC0hxtMh6pMHdhduE3DtwFWIdxntyUzVFQfzh7z
3JPfyV5BqKNOVm5a4ZkCdquxYmPMnWDbZSrHYVYVPyDc6Txo1j12tP43hTiDveqz
bW3+Y8XzhBahU3chMjx7W2mBxIfEHjV0nQY/lPygi8c4Qc5uRmPnEw/srthS6HZH
b2X0UTLUdDI=
=btW4
-----END PGP SIGNATURE-----

Attachment: pgp1hyI91atTY.pgp
Description: PGP signature

--- End Message ---