Control: retitle unblock: gitlab/8.13.11+dfsg1-2 On Friday 21 April 2017 01:13 PM, Ansgar Burchardt wrote: > I believe maintainer scripts (and various other parts) should use > `runuser` instead of `su`. It does not open PAM sessions which seems > to sometimes cause problems. > > `/sbin/runuser` is already available in Jessie, so there should be no > issues with using it. > > (Maybe one should add something to Policy about `runuser`?) > > Ansgar > I have now switched to using runuser. I have also switched to using dbconfig-common to fix #859200.
diff -Nru gitlab-8.13.11+dfsg1/debian/changelog gitlab-8.13.11+dfsg1/debian/changelog
--- gitlab-8.13.11+dfsg1/debian/changelog 2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/changelog 2017-04-21 13:16:43.000000000 +0530
@@ -1,3 +1,12 @@
+gitlab (8.13.11+dfsg1-2) unstable; urgency=medium
+
+ * Integrate dbconfig-common (Closes: #859200)
+ * Don't set default gitlab user in postinst
+ * Change template name from purge to purge_data
+ * Switch to runuser from su (runuser correctly handles PAM sessions)
+
+ -- Pirate Praveen <praveen@debian.org> Fri, 21 Apr 2017 13:16:43 +0530
+
 gitlab (8.13.11+dfsg1-1) unstable; urgency=medium
 [ Balasankar C ]
diff -Nru gitlab-8.13.11+dfsg1/debian/config gitlab-8.13.11+dfsg1/debian/config
--- gitlab-8.13.11+dfsg1/debian/config 2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/config 2017-04-21 13:16:43.000000000 +0530
@@ -42,3 +42,16 @@
 # Do you want to change gitlab user?
 db_input high gitlab/user || true
 db_go
+db_get gitlab/user
+gitlab_user=$RET
+
+# source dbconfig-common shell library, and call the hook function
+if [ -f /usr/share/dbconfig-common/dpkg/config ]; then
+ . /usr/share/dbconfig-common/dpkg/config
+
+ dbc_dbtypes="pgsql"
+ dbc_dbname="gitlab_production"
+ dbc_dbuser="$gitlab_user"
+
+ dbc_go $gitlab_user "$@"
+fi
diff -Nru gitlab-8.13.11+dfsg1/debian/control gitlab-8.13.11+dfsg1/debian/control
--- gitlab-8.13.11+dfsg1/debian/control 2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/control 2017-04-21 13:16:43.000000000 +0530
@@ -22,6 +22,7 @@
 rake,
 bundler,
 postgresql-client,
+ dbconfig-pgsql | dbconfig-no-thanks,
 adduser (>= 3.34~),
 bc,
 postgresql-contrib,
diff -Nru gitlab-8.13.11+dfsg1/debian/gitlab-check.sh gitlab-8.13.11+dfsg1/debian/gitlab-check.sh
--- gitlab-8.13.11+dfsg1/debian/gitlab-check.sh 2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/gitlab-check.sh 2017-04-21 13:16:43.000000000 +0530
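Review bot: In the debian/config hunk, `dbc_go $gitlab_user "$@"` passes the debconf answer where postinst passes the literal package name (`dbc_go gitlab "$@"`), so an administrator who picks an account other than gitlab gets the two maintainer scripts addressing different dbconfig-common registrations. The expansion is also unquoted, so an empty answer drops the first argument and shifts "$@" into its place. Use `dbc_go gitlab "$@"` here and keep the chosen account only in `dbc_dbuser`.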
@@ -10,4 +10,4 @@ # Check gitlab is configured correctly printf "Check if Gitlab is configured correctly...\n" -su ${gitlab_user} -s /bin/sh -c 'bundle exec rake gitlab:check' +runuser -u ${gitlab_user} -- sh -c 'bundle exec rake gitlab:check' diff -Nru gitlab-8.13.11+dfsg1/debian/gitlab.templates gitlab-8.13.11+dfsg1/debian/gitlab.templates --- gitlab-8.13.11+dfsg1/debian/gitlab.templates 2017-04-20 11:47:49.000000000 +0530 +++ gitlab-8.13.11+dfsg1/debian/gitlab.templates 2017-04-21 13:16:43.000000000 +0530 @@ -58,7 +58,7 @@ certificates must be renewed manually after 3 months, when current letsencrypt certificate expire. -Template: gitlab/purge +Template: gitlab/purge_data Type: boolean Default: true _Description: Remove all data? diff -Nru gitlab-8.13.11+dfsg1/debian/grantpriv.sh gitlab-8.13.11+dfsg1/debian/grantpriv.sh --- gitlab-8.13.11+dfsg1/debian/grantpriv.sh 2017-04-20 11:47:49.000000000 +0530 +++ gitlab-8.13.11+dfsg1/debian/grantpriv.sh 1970-01-01 05:30:00.000000000 +0530 
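Review bot: The new `runuser -u ${gitlab_user} -- sh -c ...` call in gitlab-check.sh leaves the account name unquoted, so with an empty value `--` becomes the argument of `-u` and the call presumably fails on an unknown user rather than reporting the real cause. Quote it, and drop the `sh -c` wrapper, since runuser with `-u` executes the command directly: `runuser -u "${gitlab_user}" -- bundle exec rake gitlab:check`. The same unquoted pattern recurs in the postinst, postrm and rake-tasks.sh hunks.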
@@ -1,25 +0,0 @@
-#!/bin/sh
-set -e
-
-dbname=gitlab_production
-
-# Take gitlab_user from envornment variable or use gitlab
-gitlab_user=${gitlab_user:-gitlab}
-
-# If gitlab user cannot access gitlab_production,
-# then it means the gitlab role does not exist
-if ! su ${gitlab_user} -c 'psql gitlab_production -c ""'
-then
- echo "Create ${gitlab_user} user with create database privillege..."
- su postgres -c "psql -c \"CREATE USER ${gitlab_user} CREATEDB;\""
-fi
-
-# By default the gitlab_prodcution is not owned by gitlab user
-echo "Make ${gitlab_user} user owner of $dbname database..."
-su postgres -c "psql -c \"ALTER DATABASE $dbname OWNER to ${gitlab_user};\""
-
-echo "Grant all privileges to ${gitlab_user} user..."
-su postgres -c "psql -c \"GRANT ALL PRIVILEGES ON DATABASE template1 to ${gitlab_user};\""
-
-# enable the pg_trgm extension
-su postgres -c "psql -d $dbname -c \"CREATE EXTENSION IF NOT EXISTS pg_trgm;\""
diff -Nru gitlab-8.13.11+dfsg1/debian/install gitlab-8.13.11+dfsg1/debian/install
--- gitlab-8.13.11+dfsg1/debian/install 2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/install 2017-04-21 13:16:43.000000000 +0530
@@ -11,7 +11,6 @@
 debian/conf/nginx.conf.example usr/lib/gitlab/templates
 debian/conf/nginx.ssl.conf.example usr/lib/gitlab/templates
 debian/adduser.sh usr/lib/gitlab/scripts
-debian/grantpriv.sh usr/lib/gitlab/scripts
 debian/rake-tasks.sh usr/lib/gitlab/scripts
 debian/gitlab-check.sh usr/lib/gitlab/scripts
 app usr/share/gitlab
diff -Nru gitlab-8.13.11+dfsg1/debian/postinst gitlab-8.13.11+dfsg1/debian/postinst
--- gitlab-8.13.11+dfsg1/debian/postinst 2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/postinst 2017-04-21 13:16:43.000000000 +0530
@@ -20,6 +20,7 @@
 # Show debconf questions
 . /usr/share/debconf/confmodule
+. /usr/share/dbconfig-common/dpkg/postinst
 # summary of how this script can be called:
 # * <postinst> `configure' <most-recently-configured-version>
@@ -64,11 +65,7 @@
 # Read gitlab_user from debconf db
 db_get gitlab/user
-gitlab_user=${RET:-gitlab} >/dev/null
-
-if ! grep gitlab_user ${gitlab_debian_conf_private}; then
- echo "gitlab_user=${gitlab_user}" >> ${gitlab_debian_conf_private}
-fi
+gitlab_user=$RET >/dev/null
 # Create gitlab user
 . /usr/lib/gitlab/scripts/adduser.sh
@@ -76,9 +73,10 @@
 #######################################################################
 # update Gemfile.lock, always
 #######################################################################
-su ${gitlab_user} -s /bin/sh -c "truncate -s 0 ${gitlab_data_dir}/Gemfile.lock"
+runuser -u ${gitlab_user} -- sh -c "touch ${gitlab_data_dir}/Gemfile.lock && \
+truncate -s 0 ${gitlab_data_dir}/Gemfile.lock"
 cd ${gitlab_app_root}
-if ! su ${gitlab_user} -s /bin/sh -c 'bundle --local --quiet'; then
+if ! runuser -u ${gitlab_user} -- sh -c 'bundle --local --quiet'; then
 if [ "$1" = "triggered" ]; then
 # probably triggered in the middle of an system upgrade; ignore failure
 # but abort here
@@ -131,8 +129,8 @@
 chown -R ${gitlab_user}: $i
 done
- su ${gitlab_user} -s /bin/sh -c "chmod 700 ${gitlab_uploads_path}"
- su ${gitlab_user} -s /bin/sh -c 'git config --global core.autocrlf "input"'
+ runuser -u ${gitlab_user} -- sh -c "chmod 700 ${gitlab_uploads_path}"
+ runuser -u ${gitlab_user} -- sh -c 'git config --global core.autocrlf "input"'
 # Commands below needs to be run from gitlab_app_root
 cd ${gitlab_app_root}
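Review bot: With the `${RET:-gitlab}` fallback removed in the @@ -64 hunk, `gitlab_user=$RET >/dev/null` accepts an empty debconf answer, and nothing in the hunk checks it before adduser.sh is sourced; the `chown -R ${gitlab_user}: $i` shown as context in the @@ -131 hunk would then run with no owner name. Add a guard right after the assignment, `[ -n "$gitlab_user" ] || { echo "gitlab/user is empty" >&2; exit 1; }`, and drop the `>/dev/null`, which has no effect on an assignment. The hunk also stops writing gitlab_user to `${gitlab_debian_conf_private}`; whether gitlab-check.sh or other scripts still read it from that file is not visible here and should be confirmed.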
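Review bot: In the @@ -76 hunk the Gemfile.lock path is expanded by the root shell into the string handed to `sh -c`, so whitespace or shell metacharacters in `${gitlab_data_dir}` (set outside this hunk) would be re-parsed by the inner shell. GNU truncate creates a missing file itself unless `-c` is given, so both the `touch ... &&` prefix and the shell wrapper are unnecessary: `runuser -u "${gitlab_user}" -- truncate -s 0 "${gitlab_data_dir}/Gemfile.lock"`. The `chmod 700 ${gitlab_uploads_path}` call in the @@ -131 hunk has the same shape and can be written `runuser -u "${gitlab_user}" -- chmod 700 "${gitlab_uploads_path}"`.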
@@ -310,24 +308,20 @@
 echo "Reloading nginx configuration..."
 invoke-rc.d nginx reload
 fi
+ dbc_go gitlab "$@"
 db_stop
- echo "Create database if not present"
- if ! su postgres -s /bin/sh -c "psql gitlab_production -c ''"; then
- su postgres -c 'createdb -E unicode -T template0 gitlab_production'
- fi
-
- # Adjust database privileges
- . /usr/lib/gitlab/scripts/grantpriv.sh
+ # enable the pg_trgm extension
+ runuser -u postgres -- sh -c "psql -d gitlab_production -c \"CREATE EXTENSION IF NOT EXISTS pg_trgm;\""
 # Remove Gemfile.lock if present
 rm -f ${gitlab_data_dir}/Gemfile.lock
 # Create Gemfile.lock and .secret in /var/lib/gitlab
- su ${gitlab_user} -s /bin/sh -c "touch ${gitlab_data_dir}/Gemfile.lock"
+ runuser -u ${gitlab_user} -- sh -c "touch ${gitlab_data_dir}/Gemfile.lock"
 echo "Verifying we have all required libraries..."
- su ${gitlab_user} -s /bin/sh -c 'bundle install --without development test --local'
+ runuser -u ${gitlab_user} -- sh -c 'bundle install --without development test --local'
 echo "Running final rake tasks and tweaks..."
 . /usr/lib/gitlab/scripts/rake-tasks.sh
diff -Nru gitlab-8.13.11+dfsg1/debian/postrm gitlab-8.13.11+dfsg1/debian/postrm
--- gitlab-8.13.11+dfsg1/debian/postrm 2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/postrm 2017-04-21 13:16:43.000000000 +0530
@@ -52,11 +52,11 @@
 . /usr/share/debconf/confmodule
 # Do you want to remove all data?
- db_input high gitlab/purge || true
+ db_input high gitlab/purge_data || true
 db_go
 # Check if we should remove data?
- db_get gitlab/purge
+ db_get gitlab/purge_data
 if [ "${RET}" = "true" ]; then
 if [ -d ${gitlab_data_dir} ]; then
 for i in shared public db repositories secrets.yml Gemfile.lock; do
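Review bot: The pg_trgm step added after `dbc_go gitlab "$@"` in the @@ -310 hunk still hard-codes the local postgres superuser and the name gitlab_production, while debian/control now accepts dbconfig-no-thanks and dbconfig-common lets the administrator choose a different database name or server. In those cases `psql -d gitlab_production` fails or touches a database the package did not set up; whether that aborts the postinst depends on a `set -e` that is not visible in this hunk. Run the statement against the name dbconfig-common reports (it appears to expose `$dbc_dbname` after dbc_go, to be confirmed against its documentation) and skip it when no local database was configured. The nested quoting can go too: `runuser -u postgres -- psql -d "$dbc_dbname" -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm;'`.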
@@ -71,7 +71,7 @@
 # Do only if gitlab_user is set
 if command -v dropdb >/dev/null; then
 echo "Removing Database: gitlab_production"
- if su ${gitlab_user} -c 'psql gitlab_production -c ""' ; then su postgres -c "dropdb gitlab_production"; fi
+ if runuser -u ${gitlab_user} -- sh -c 'psql gitlab_production -c ""' ; then su postgres -c "dropdb gitlab_production"; fi
 else
 echo "dropdb command not found. Hence not removing database."
 fi
diff -Nru gitlab-8.13.11+dfsg1/debian/rake-tasks.sh gitlab-8.13.11+dfsg1/debian/rake-tasks.sh
--- gitlab-8.13.11+dfsg1/debian/rake-tasks.sh 2017-04-20 11:47:49.000000000 +0530
+++ gitlab-8.13.11+dfsg1/debian/rake-tasks.sh 2017-04-21 13:16:43.000000000 +0530
@@ -9,21 +9,21 @@
 cd /usr/share/gitlab
 # Check if the db is already present
-if [ "$(LANG=C su postgres -c "psql gitlab_production -c \"\d\"")" = \
+if [ "$(LANG=C runuser -u postgres -- sh -c "psql gitlab_production -c \"\d\"")" = \
 "No relations found." ]; then
 echo "Initializing database..."
 test -f ${gitlab_home}/db/schema.rb || \
- su ${gitlab_user} -s /bin/sh -c\
+ runuser -u ${gitlab_user} -- sh -c \
 "cp ${gitlab_data_dir}/db/schema.rb.template ${gitlab_data_dir}/db/schema.rb"
- su ${gitlab_user} -s /bin/sh -c 'bundle exec rake db:schema:load'
- su ${gitlab_user} -s /bin/sh -c 'bundle exec rake db:seed_fu'
+ runuser -u ${gitlab_user} -- sh -c 'bundle exec rake db:schema:load'
+ runuser -u ${gitlab_user} -- sh -c 'bundle exec rake db:seed_fu'
 else
 echo "gitlab_production database is not empty, skipping gitlab setup"
- su ${gitlab_user} -s /bin/sh -c 'bundle exec rake db:migrate'
+ runuser -u ${gitlab_user} -- sh -c 'bundle exec rake db:migrate'
 fi
 # Restrict permissions for secret files
 chmod 0700 ${gitlab_data_dir}/.gitlab_shell_secret
 echo "Precompiling assets..."
-su ${gitlab_user} -s /bin/sh -c 'bundle exec rake tmp:cache:clear assets:precompile'
+runuser -u ${gitlab_user} -- sh -c 'bundle exec rake tmp:cache:clear assets:precompile'
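Review bot: The changed postrm line converts only the probe to runuser; the destructive half, `su postgres -c "dropdb gitlab_production"`, still goes through su and so through the PAM session handling this commit set out to avoid. Suggested: `if runuser -u "${gitlab_user}" -- psql gitlab_production -c '' ; then runuser -u postgres -- dropdb gitlab_production; fi`. The database is now set up through dbconfig-common, yet no dbconfig-common removal hook is visible in the postrm hunks shown, so it is worth checking that purge does not leave its registration behind.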
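Review bot: The emptiness test on the new `if [ "$(LANG=C runuser -u postgres -- sh -c ...` line in rake-tasks.sh still compares psql's human-readable output with "No relations found.", and `LANG=C` does not pin that text when `LC_ALL` or `LC_MESSAGES` is set in the environment, which runuser without `-l` passes through. Use `LC_ALL=C` on that line. The wording of the message may also differ between psql versions, so a query that returns a count would be sturdier than a string match; confirm against the PostgreSQL versions the package supports.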