Hi Holger, hi Wolfgang,

On Fr 16 Aug 2019 21:43:05 CEST, Holger Levsen wrote:

> Hi Mike,
>
> On Fri, Aug 16, 2019 at 05:43:42PM +0000, mike.gabriel@das-netzwerkteam.de wrote:
> > I can do that after the weekend. I have put it in my calendar for Monday morning.
>
> great, thank you!

I have put together a buster branch for debian-edu-config. At the end of this mail find a .diff between buster..master.
I wasn't sure about the D-I / entropy related changes between 2.10.65 and 2.10.67 and if they were actually being targeted for the buster-pu or just for stable.
Please let me know if "those" entropy commits need to get included or not.

Once we have agreed on a package version to upload to buster, I will compose the buster srm bug report for it.
Please give feedback. Thanks! Mike ``` [mike@minobo d-e-c (buster)]$ git diff buster..master | cat diff --git a/debian/changelog b/debian/changelog index b78cc1b7..c4c58cf2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,59 +1,14 @@ -debian-edu-config (2.10.65+deb10u1) UNRELEASED; urgency=medium +debian-edu-config (2.10.67) unstable; urgency=medium [ Wolfgang Schweer ]- * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes: #928756) - - Use PXE option 'ipappend 2' for LTSP client boot. This option makes sure
- that all DHCP server information is getting through to LTSP clients. - (LTSP used this option before, but switched to 'ipappend 3' during the - Buster development cycle to ease setups with ProxyDHCP.) - * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964) - - Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.) - * Set environment variable to deal with Firefox profile. (Closes: #930122)- This is a workaround for bug #930125, preventing firefox-esr startup issues
- if the mozilla profile is on an NFS share).- - Ship share/debian-edu-config/edu-firefox-nfs with NSS_SDB_USE_CACHE="yes"
- as content. Thanks to Mike Gabriel for spotting the issue and providing - this information.- - Add instructions to cf3/cf.workarounds to link the 'edu-firefox-nfs' file
- to appropriate files below '/etc/X11/Xsession.d' and '/etc/profile.d'. - * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680) - - While the reported arch is i686, LTSP uses i386. Set arch accordingly. - * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366) - - Remove outdated (and now wrong) logging section. - * Fix loss of dynamically allocated v4 IP address. (Closes: #933580) - - Drop etc/network/if-up.d/hostname. This script doesn't work anymore due- to changed behaviour of the ifupdown/dhclient/systemd combination and now - also causes the loss of a dynamically allocated ipv4 IP address after 20
- to 30 minutes after booting. - - Add code to d/debian-edu-config.postinstall to implement the intended - hostname update just after rebooting the system after a change. - - Adjust Makefile. - * Provide Debian Edu RootCA certificate for download. (Closes: #933183)- - Adjust share/debian-edu-config/tools/create-debian-edu-certs to copy the
- rootCA file to the web server directory at certificate generation time. - - Adjust cf3/cf.finalize to care for the rootCA file as well. - - Adjust cf3/cf.workarounds to copy the rootCA file to the web server - directory upon main server upgrade.- * Add LDAP server certificate to the initial LTSP NBD image. (Closes: #932828)
- - etc/ltsp/ltsp-build-client.conf: Don't create the image by default. - - cf3/edu.cf: Define new class 'ltspimages'.- - cf3/cf.finalize: Add code to include the LDAP server certificate for all
- possible use cases, to generate the image and to adjust various rights. - * Changes to debian-edu-config.fetch-ldap-cert from 2.10.67). + * Adjust debian/debian-edu-config.fetch-ldap-cert. (Closes: #934380)- Use independent conditions to make sure that the LDAP server certificate - is only downloaded once for both host and LTSP chroot. (Closes: #934380)
+ is only downloaded once for both host and LTSP chroot. - Add code to validate the LDAP server certificate in case the Debian Edu RootCA certificate is available for download. [ Mike Gabriel ] - * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.66): - - Make the script (and with it Debian Edu buster workstations) work in a- Debian Edu environment where the main server (TJENER) is still on Debian
- Edu 8 or 9. (Closes: #926933) - - Retrieve TJENER's PKI server certificate only once per host to improve- security. This re-introduces the behaviour of fetch-ldap-cert in stretch
- and earlier. (Closes: #931413). - * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.67): + * Code review debian-edu-config.fetch-ldap-cert: - White-space-only change: Fix broken and inconsistent indentations. - Fully inline-document fetch-ldap-cert script. - Add "-f" option to all curl calls that don't have it set so far.@@ -80,7 +35,64 @@ debian-edu-config (2.10.65+deb10u1) UNRELEASED; urgency=medium
- Do a simple validity check if a directory under /opt/ltsp really is a chroot (and e.g. not the SquashFS images' directory). - -- Petter Reinholdtsen <pere@debian.org> Sat, 20 Apr 2019 07:53:26 +0200 + -- Holger Levsen <holger@debian.org> Thu, 15 Aug 2019 16:20:50 +0200 + +debian-edu-config (2.10.66) unstable; urgency=medium + + [ Wolfgang Schweer ]+ * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes: #928756) + - Use PXE option 'ipappend 2' for LTSP client boot. This option makes sure
+ that all DHCP server information is getting through to LTSP clients. + (LTSP used this option before, but switched to 'ipappend 3' during the + Buster development cycle to ease setups with ProxyDHCP.) + * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964) + - Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.) + * Set environment variable to deal with Firefox profile. (Closes: #930122)+ This is a workaround for bug #930125, preventing firefox-esr startup issues
+ if the mozilla profile is on an NFS share).+ - Ship share/debian-edu-config/edu-firefox-nfs with NSS_SDB_USE_CACHE="yes"
+ as content. Thanks to Mike Gabriel for spotting the issue and providing + this information.+ - Add instructions to cf3/cf.workarounds to link the 'edu-firefox-nfs' file
+ to appropriate files below '/etc/X11/Xsession.d' and '/etc/profile.d'. + * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680) + - While the reported arch is i686, LTSP uses i386. Set arch accordingly. + * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366) + - Remove outdated (and now wrong) logging section.+ * Add LDAP server certificate to the initial LTSP NBD image. (Closes: #932828)
+ - etc/ltsp/ltsp-build-client.conf: Don't create the image by default. + - cf3/edu.cf: Define new class 'ltspimages'.+ - cf3/cf.finalize: Add code to include the LDAP server certificate for all
+ possible use cases, to generate the image and to adjust various rights. + * Provide Debian Edu RootCA certificate for download. (Closes: #933183)+ - Adjust share/debian-edu-config/tools/create-debian-edu-certs to copy the
+ rootCA file to the web server directory at certificate generation time. + - Adjust cf3/cf.finalize to care for the rootCA file as well. + - Adjust cf3/cf.workarounds to copy the rootCA file to the web server + directory upon main server upgrade. + * Fix loss of dynamically allocated v4 IP address. (Closes: #933580) + - Drop etc/network/if-up.d/hostname. This script doesn't work anymore due+ to changed behaviour of the ifupdown/dhclient/systemd combination and now + also causes the loss of a dynamically allocated ipv4 IP address after 20
+ to 30 minutes after booting. + - Add code to d/debian-edu-config.postinstall to implement the intended + hostname update just after rebooting the system after a change. + - Adjust Makefile. + + [ Mike Gabriel ] + * debian/debian-edu-config.fetch-ldap-cert: Make the script (and with it + Debian Edu buster workstations) work in a Debian Edu environment where + the main server (TJENER) is still on Debian Edu 8 or 9. (Closes: #926933) + * debian/debian-edu-config.fetch-ldap-cert: Retrieve TJENER's PKI server + certificate only once per host to improve security. This re-introduces+ the behaviour of fetch-ldap-cert in stretch and earlier. (Closes: #931413).
+ + [ Holger Levsen ] + * Drop obsolete code in d-i/finish-install now that d-i uses haveged (via a + newly introduced udeb) or a hardware RNG. (See #923675). + * Bump standards version to 4.4.0, no changes needed. + + -- Holger Levsen <holger@debian.org> Sat, 10 Aug 2019 11:41:47 +0200 debian-edu-config (2.10.65) unstable; urgency=medium diff --git a/debian/control b/debian/control index d1e88c94..1ec1999b 100644 --- a/debian/control +++ b/debian/control @@ -7,7 +7,7 @@ Uploaders: Petter Reinholdtsen <pere@debian.org>, Mike Gabriel <sunweaver@debian.org>, Wolfgang Schweer <wschweer@arcor.de>, Dominik George <natureshadow@debian.org>, -Standards-Version: 4.3.0 +Standards-Version: 4.4.0 Rules-Requires-Root: no Build-Depends: debhelper-compat (= 11) Build-Depends-Indep: po-debconf,diff --git a/share/debian-edu-config/d-i/finish-install b/share/debian-edu-config/d-i/finish-install
index 3422ecdd..973c3dc3 100644 --- a/share/debian-edu-config/d-i/finish-install +++ b/share/debian-edu-config/d-i/finish-install @@ -37,30 +37,6 @@ PROFILE="$RET" # easier to track our changes edu-etcvcs commit -# Try to add entropy when running low -( - cd / - while true ; do - entropy="$(cat /proc/sys/kernel/random/entropy_avail)" - if [ 130 -gt "$entropy" ] ; then - log "low on entropy, pool is $entropy. trying to add more" - # Disk IO add entropy to the kernel. Flush cache to ensure - # find and touch/rm causes disk IO. - sync - echo 3 > /proc/sys/vm/drop_caches - find /target > /dev/null || true - touch /target/var/tmp/foo - sync - rm /target/var/tmp/foo - sync - entropy="$(cat /proc/sys/kernel/random/entropy_avail)" - log "entropy pool is $entropy after trying to add" - fi - sleep 20 - done -) < /dev/null 2>&1 3>/dev/null 4>&3 5>&3 6>&3 | logger -t edu-entropy-add & -epid=$! - # Make the installation look more like a finished system, to make sure # debconf-get-selections --installer work. . /usr/lib/finish-install.d/94save-logs @@ -110,13 +86,6 @@ db_set debian-edu-config/kdc-password '' || true db_set debian-edu-config/kdc-password-again '' || true log "info: Ensuring KDC and LDAP passwords are cleared from debconf database" -# Ignore errors in case the entropy gathering is no longer running -if kill $epid ; then - : -else - log "error: killing the entropy gathering job failed - exited?" -fi - echo "info: processes using mount point below /target"mountpoints="$(grep " /target" /proc/mounts | cut -d" " -f2 | sed s%/target%%g)"
LANG=C chroot /target fuser -mv $mountpoints 2>&1 | sed 's/^/info: /' ``` -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
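Review bot: The buster-side line `* Changes to debian-edu-config.fetch-ldap-cert from 2.10.67).` in the first debian/changelog hunk has a closing parenthesis with no opening one and ends in a full stop although sub-items follow; write it as `(from 2.10.67):`, matching the `(from 2.10.66):` and `(from 2.10.67):` headings in the Mike Gabriel section of the same entry. That entry also keeps the "White-space-only change" and "Fully inline-document fetch-ldap-cert script" items as unchanged context, so the stable update carries cosmetic changes to fetch-ldap-cert next to the certificate validation change; either say so explicitly in the srm request or drop them from the buster branch so the diff to be reviewed stays small. The distribution is still `UNRELEASED` and has to be set before upload.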
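Review bot: The trailer on the buster side of the second debian/changelog hunk, `-- Petter Reinholdtsen <pere@debian.org> Sat, 20 Apr 2019 07:53:26 +0200`, appears to close the 2.10.65+deb10u1 entry, yet that entry lists changes taken from 2.10.66 and 2.10.67, whose trailers on master are dated 10 and 15 Aug 2019. Regenerate the trailer with the uploader's name and the current date when the entry is finalised.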
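Review bot: In share/debian-edu-config/d-i/finish-install the entropy loop that the buster branch keeps is started as `( ... ) ... | logger -t edu-entropy-add &` followed by `epid=$!`, and for a backgrounded pipeline `$!` is the PID of the last command, here logger, so the later `kill $epid` stops logger rather than the polling subshell. If buster keeps this block, the loop goes on sleeping and reading entropy_avail until one of its writes hits the closed pipe; if buster drops it as master does, note that the 2.10.66 changelog justifies the removal with d-i using haveged via a newly introduced udeb or a hardware RNG (#923675), so confirm that the buster installer ships that udeb before the entropy commits are included. The loop also uses the fixed name `/target/var/tmp/foo` for its scratch file, which is one more reason to prefer the removal once that precondition holds.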