
Bug#858163: unblock: gitlab/8.13.11+dfsg-6



Control: retitle unblock: gitlab/8.13.11+dfsg1-2

On Friday 21 April 2017 01:13 PM, Ansgar Burchardt wrote:
> I believe maintainer scripts (and various other parts) should use
> `runuser` instead of `su`.  It does not open PAM sessions which seems
> to sometimes cause problems.
> 
> `/sbin/runuser` is already available in Jessie, so there should be no
> issues with using it.
> 
> (Maybe one should add something to Policy about `runuser`?)
> 
> Ansgar
> 

I have now switched to using runuser. I have also switched to using
dbconfig-common to fix #859200.
diff -Nru gitlab-8.13.11+dfsg1/debian/changelog gitlab-8.13.11+dfsg1/debian/changelog
--- gitlab-8.13.11+dfsg1/debian/changelog	2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/changelog	2017-04-21 13:16:43.000000000 +0530
@@ -1,3 +1,12 @@
+gitlab (8.13.11+dfsg1-2) unstable; urgency=medium
+
+  * Integrate dbconfig-common (Closes: #859200)
+  * Don't set default gitlab user in postinst
+  * Change template name from purge to purge_data
+  * Switch to runuser from su (runuser correctly handles PAM sessions)
+
+ -- Pirate Praveen <praveen@debian.org>  Fri, 21 Apr 2017 13:16:43 +0530
+
 gitlab (8.13.11+dfsg1-1) unstable; urgency=medium
 
   [ Balasankar C ]
diff -Nru gitlab-8.13.11+dfsg1/debian/config gitlab-8.13.11+dfsg1/debian/config
--- gitlab-8.13.11+dfsg1/debian/config	2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/config	2017-04-21 13:16:43.000000000 +0530
@@ -42,3 +42,16 @@
 # Do you want to change gitlab user?
 db_input high gitlab/user || true
 db_go
+db_get gitlab/user
+gitlab_user=$RET
+
+# source dbconfig-common shell library, and call the hook function
+if [ -f /usr/share/dbconfig-common/dpkg/config ]; then
+   . /usr/share/dbconfig-common/dpkg/config
+
+   dbc_dbtypes="pgsql"
+   dbc_dbname="gitlab_production"
+   dbc_dbuser="$gitlab_user"
+
+   dbc_go $gitlab_user "$@"
+fi
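Review bot: The added `dbc_go $gitlab_user "$@"` passes the debconf answer as dbc_go's first argument, which is the package name, while the postinst hunk in this same diff calls `dbc_go gitlab "$@"`. If the admin picks any user other than `gitlab`, the config and postinst stages would register under different package names, so the line should read `dbc_go gitlab "$@"`. `gitlab_user=$RET` is also used as the database role (`dbc_dbuser`) with no emptiness or character check; a guard such as `[ -n "$gitlab_user" ] || gitlab_user=gitlab` before the `if` would keep an empty answer from reaching dbconfig-common. The script continues above this hunk, so earlier validation may exist that is not visible here.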
diff -Nru gitlab-8.13.11+dfsg1/debian/control gitlab-8.13.11+dfsg1/debian/control
--- gitlab-8.13.11+dfsg1/debian/control	2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/control	2017-04-21 13:16:43.000000000 +0530
@@ -22,6 +22,7 @@
  rake,
  bundler,
  postgresql-client,
+ dbconfig-pgsql | dbconfig-no-thanks,
  adduser (>= 3.34~),
  bc,
  postgresql-contrib,
diff -Nru gitlab-8.13.11+dfsg1/debian/gitlab-check.sh gitlab-8.13.11+dfsg1/debian/gitlab-check.sh
--- gitlab-8.13.11+dfsg1/debian/gitlab-check.sh	2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/gitlab-check.sh	2017-04-21 13:16:43.000000000 +0530
@@ -10,4 +10,4 @@
 
 # Check gitlab is configured correctly
 printf "Check if Gitlab is configured correctly...\n"
-su ${gitlab_user} -s /bin/sh -c 'bundle exec rake gitlab:check'
+runuser -u ${gitlab_user} -- sh -c 'bundle exec rake gitlab:check'
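Review bot: `${gitlab_user}` is expanded unquoted in the new `runuser -u ${gitlab_user} -- sh -c …` line, and the same pattern recurs in every runuser line added in the postinst, postrm and rake-tasks.sh hunks. These scripts run as root and the value comes from a debconf answer, so an empty or whitespace-containing value changes how runuser's arguments are parsed; `runuser -u "${gitlab_user}" -- …` avoids that. Where postinst builds the command string with double quotes (`"chmod 700 ${gitlab_uploads_path}"`, `"touch ${gitlab_data_dir}/Gemfile.lock && …"`), the path is re-parsed by the inner shell. Since `runuser -u` executes its command directly, `runuser -u "${gitlab_user}" -- chmod 700 "${gitlab_uploads_path}"` drops the extra `sh -c` layer entirely.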
diff -Nru gitlab-8.13.11+dfsg1/debian/gitlab.templates gitlab-8.13.11+dfsg1/debian/gitlab.templates
--- gitlab-8.13.11+dfsg1/debian/gitlab.templates	2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/gitlab.templates	2017-04-21 13:16:43.000000000 +0530
@@ -58,7 +58,7 @@
  certificates must be renewed manually after 3 months, when current
  letsencrypt certificate expire.
 
-Template: gitlab/purge
+Template: gitlab/purge_data
 Type: boolean
 Default: true 
 _Description: Remove all data?
diff -Nru gitlab-8.13.11+dfsg1/debian/grantpriv.sh gitlab-8.13.11+dfsg1/debian/grantpriv.sh
--- gitlab-8.13.11+dfsg1/debian/grantpriv.sh	2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/grantpriv.sh	1970-01-01 05:30:00.000000000 +0530
@@ -1,25 +0,0 @@
-#!/bin/sh
-set -e
-
-dbname=gitlab_production
-
-# Take gitlab_user from envornment variable or use gitlab
-gitlab_user=${gitlab_user:-gitlab}
-
-# If gitlab user cannot access gitlab_production,
-# then it means the gitlab role does not exist
-if ! su ${gitlab_user} -c 'psql gitlab_production -c ""'
-then
-	echo "Create ${gitlab_user} user with create database privillege..."
-	su postgres -c "psql -c \"CREATE USER ${gitlab_user} CREATEDB;\""
-fi
-
-# By default the gitlab_prodcution is not owned by gitlab user
-echo "Make ${gitlab_user} user owner of $dbname database..."
-su postgres -c "psql -c \"ALTER DATABASE $dbname OWNER to ${gitlab_user};\""
-
-echo "Grant all privileges to ${gitlab_user} user..."
-su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE template1 to ${gitlab_user};\""
-
-# enable the pg_trgm extension
-su postgres -c "psql -d $dbname -c \"CREATE EXTENSION IF NOT EXISTS pg_trgm;\""
diff -Nru gitlab-8.13.11+dfsg1/debian/install gitlab-8.13.11+dfsg1/debian/install
--- gitlab-8.13.11+dfsg1/debian/install	2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/install	2017-04-21 13:16:43.000000000 +0530
@@ -11,7 +11,6 @@
 debian/conf/nginx.conf.example usr/lib/gitlab/templates
 debian/conf/nginx.ssl.conf.example usr/lib/gitlab/templates
 debian/adduser.sh usr/lib/gitlab/scripts
-debian/grantpriv.sh usr/lib/gitlab/scripts
 debian/rake-tasks.sh usr/lib/gitlab/scripts
 debian/gitlab-check.sh usr/lib/gitlab/scripts
 app usr/share/gitlab
diff -Nru gitlab-8.13.11+dfsg1/debian/postinst gitlab-8.13.11+dfsg1/debian/postinst
--- gitlab-8.13.11+dfsg1/debian/postinst	2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/postinst	2017-04-21 13:16:43.000000000 +0530
@@ -20,6 +20,7 @@
 
 # Show debconf questions
 . /usr/share/debconf/confmodule
+. /usr/share/dbconfig-common/dpkg/postinst
 
 # summary of how this script can be called:
 #        * <postinst> `configure' <most-recently-configured-version>
@@ -64,11 +65,7 @@
 
 # Read gitlab_user from debconf db
 db_get gitlab/user
-gitlab_user=${RET:-gitlab} >/dev/null
-
-if ! grep gitlab_user ${gitlab_debian_conf_private}; then
-  echo "gitlab_user=${gitlab_user}" >> ${gitlab_debian_conf_private}
-fi
+gitlab_user=$RET >/dev/null
 
 # Create gitlab user
 . /usr/lib/gitlab/scripts/adduser.sh
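Review bot: With the `${RET:-gitlab}` fallback removed, `gitlab_user=$RET >/dev/null` can leave `gitlab_user` empty, and the later hunks then run `runuser -u ${gitlab_user} -- …` and `chown -R ${gitlab_user}: $i` as root with no user name. A check right after the assignment, `[ -n "$gitlab_user" ] || { echo "gitlab/user is empty" >&2; exit 1; }`, would fail early instead; the `>/dev/null` on a plain assignment does nothing and can go. The hunk also stops writing `gitlab_user=` to `${gitlab_debian_conf_private}`; postrm has a "Do only if gitlab_user is set" branch, so it is worth confirming where postrm now gets that value, since its source is outside this diff.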
@@ -76,9 +73,10 @@
 #######################################################################
 # update Gemfile.lock, always
 #######################################################################
-su ${gitlab_user} -s /bin/sh -c "truncate -s 0 ${gitlab_data_dir}/Gemfile.lock"
+runuser -u ${gitlab_user} -- sh -c "touch ${gitlab_data_dir}/Gemfile.lock && \
+truncate -s 0 ${gitlab_data_dir}/Gemfile.lock"
 cd ${gitlab_app_root}
-if ! su ${gitlab_user} -s /bin/sh -c 'bundle --local --quiet'; then
+if ! runuser -u ${gitlab_user} -- sh -c 'bundle --local --quiet'; then
   if [ "$1" = "triggered" ]; then
     # probably triggered in the middle of an system upgrade; ignore failure
     # but abort here
@@ -131,8 +129,8 @@
       chown -R ${gitlab_user}: $i
     done
 
-    su ${gitlab_user} -s /bin/sh -c "chmod 700 ${gitlab_uploads_path}"
-    su ${gitlab_user} -s /bin/sh -c 'git config --global core.autocrlf "input"'
+    runuser -u ${gitlab_user} -- sh -c "chmod 700 ${gitlab_uploads_path}"
+    runuser -u ${gitlab_user} -- sh -c 'git config --global core.autocrlf "input"'
 
     # Commands below needs to be run from gitlab_app_root
     cd ${gitlab_app_root}
@@ -310,24 +308,20 @@
         echo "Reloading nginx configuration..."
         invoke-rc.d nginx reload
       fi
+    dbc_go gitlab "$@"
     db_stop
 
-    echo "Create database if not present"
-    if ! su postgres -s /bin/sh -c "psql  gitlab_production -c ''"; then
-      su postgres -c 'createdb -E unicode -T template0 gitlab_production'
-    fi
-
-    # Adjust database privileges
-    . /usr/lib/gitlab/scripts/grantpriv.sh
+    # enable the pg_trgm extension
+    runuser -u postgres -- sh -c "psql -d gitlab_production -c \"CREATE EXTENSION IF NOT EXISTS pg_trgm;\""
 
     # Remove Gemfile.lock if present
     rm -f ${gitlab_data_dir}/Gemfile.lock
 
     # Create Gemfile.lock and .secret in /var/lib/gitlab
-    su ${gitlab_user} -s /bin/sh -c "touch ${gitlab_data_dir}/Gemfile.lock"
+    runuser -u ${gitlab_user} -- sh -c "touch ${gitlab_data_dir}/Gemfile.lock"
 
     echo "Verifying we have all required libraries..."
-    su ${gitlab_user} -s /bin/sh -c 'bundle install --without development test --local'
+    runuser -u ${gitlab_user} -- sh -c 'bundle install --without development test --local'
         
     echo "Running final rake tasks and tweaks..."
     . /usr/lib/gitlab/scripts/rake-tasks.sh
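Review bot: The new `runuser -u postgres -- sh -c "psql -d gitlab_production …"` assumes a local `postgres` account and a database literally named `gitlab_production`, but the `dbc_go gitlab "$@"` added just above hands those choices to dbconfig-common. If the admin declines database setup (the `dbconfig-no-thanks` alternative added in debian/control) or points at a remote server, this psql call fails, and the removed "Create database if not present" fallback no longer covers it. If the script runs under `set -e`, which is not visible in this hunk, that failure aborts configuration. Using the name dbconfig-common settled on (`psql -d "$dbc_dbname"`, assuming it is set after dbc_go) and skipping the extension step with a message when the database is not reachable locally would keep the postinst from failing on those setups.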
diff -Nru gitlab-8.13.11+dfsg1/debian/postrm gitlab-8.13.11+dfsg1/debian/postrm
--- gitlab-8.13.11+dfsg1/debian/postrm	2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/postrm	2017-04-21 13:16:43.000000000 +0530
@@ -52,11 +52,11 @@
       . /usr/share/debconf/confmodule
 
       # Do you want to remove all data?
-      db_input high gitlab/purge || true
+      db_input high gitlab/purge_data || true
       db_go
       
       # Check if we should remove data?
-      db_get gitlab/purge
+      db_get gitlab/purge_data
       if [ "${RET}" = "true" ]; then
         if [ -d ${gitlab_data_dir} ]; then
           for i in shared public db repositories secrets.yml Gemfile.lock; do
@@ -71,7 +71,7 @@
             # Do only if gitlab_user is set
             if command -v dropdb >/dev/null; then
                 echo "Removing Database: gitlab_production"
-                if su ${gitlab_user} -c 'psql gitlab_production -c ""' ; then su postgres -c "dropdb gitlab_production"; fi
+                if runuser -u ${gitlab_user} -- sh -c 'psql gitlab_production -c ""' ; then su postgres -c "dropdb gitlab_production"; fi
             else
                 echo "dropdb command not found. Hence not removing database."
            fi
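Review bot: The changed line switches the probe to `runuser` but still runs `su postgres -c "dropdb gitlab_production"` in the `then` branch, so one PAM-session `su` call remains in the purge path; `runuser -u postgres -- dropdb gitlab_production` would match the rest of the commit. Now that dbconfig-common creates the database, the drop is normally left to its postrm hook (`/usr/share/dbconfig-common/dpkg/postrm`), which this diff does not add. As written, a hard-coded `dropdb` may remove a database the admin asked dbconfig-common to keep, or miss one created under a different name. The enclosing purge block starts and ends outside this hunk.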
diff -Nru gitlab-8.13.11+dfsg1/debian/rake-tasks.sh gitlab-8.13.11+dfsg1/debian/rake-tasks.sh
--- gitlab-8.13.11+dfsg1/debian/rake-tasks.sh	2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/rake-tasks.sh	2017-04-21 13:16:43.000000000 +0530
@@ -9,21 +9,21 @@
 cd /usr/share/gitlab
 
 # Check if the db is already present
-if [ "$(LANG=C su postgres -c "psql gitlab_production -c \"\d\"")" = \
+if [ "$(LANG=C runuser -u postgres -- sh -c "psql gitlab_production -c \"\d\"")" = \
 "No relations found." ]; then
   echo "Initializing database..."
   test -f ${gitlab_home}/db/schema.rb || \
-  su ${gitlab_user} -s /bin/sh -c\
+  runuser -u ${gitlab_user} -- sh -c \
   "cp ${gitlab_data_dir}/db/schema.rb.template ${gitlab_data_dir}/db/schema.rb"
-  su ${gitlab_user} -s /bin/sh -c 'bundle exec rake db:schema:load'
-  su ${gitlab_user} -s /bin/sh -c 'bundle exec rake db:seed_fu'
+  runuser -u ${gitlab_user} -- sh -c 'bundle exec rake db:schema:load'
+  runuser -u ${gitlab_user} -- sh -c 'bundle exec rake db:seed_fu'
 else
   echo "gitlab_production database is not empty, skipping gitlab setup"
-  su ${gitlab_user} -s /bin/sh -c 'bundle exec rake db:migrate'
+  runuser -u ${gitlab_user} -- sh -c 'bundle exec rake db:migrate'
 fi
 
 # Restrict permissions for secret files
 chmod 0700 ${gitlab_data_dir}/.gitlab_shell_secret
 
 echo "Precompiling assets..."
-su ${gitlab_user} -s /bin/sh -c 'bundle exec rake tmp:cache:clear assets:precompile'
+runuser -u ${gitlab_user} -- sh -c 'bundle exec rake tmp:cache:clear assets:precompile'
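Review bot: The rewritten test still decides between `db:schema:load` and `db:migrate` by comparing psql's human-readable output with the literal `"No relations found."`. If psql fails (database missing, no local `postgres` account, remote server chosen through dbconfig-common) the output is empty, the comparison is false, and the script falls into the "not empty" branch and runs `db:migrate`. The message text is also not a stable interface across PostgreSQL versions. Checking the exit status and asking the catalog for a count, for example `psql -Atc "SELECT count(*) FROM pg_tables WHERE schemaname='public'"`, separates "empty" from "unreachable". On the context line above, the existence test reads `${gitlab_home}/db/schema.rb` while the copy writes `${gitlab_data_dir}/db/schema.rb`; confirm the two variables point at the same directory.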

Attachment: signature.asc
Description: OpenPGP digital signature

