
Bug#944538: buster-pu: package ganeti-instance-debootstrap/0.16-6.1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

ganeti-instance-debootstrap (GID) has an RC bug (grave) affecting
buster (#942114). I uploaded a minimal package to unstable to fix this
problem which has now trickled down into testing and that I think
would be important to include in the next point release.

The attached patch describes the current diff between stable and
testing. All it does is include a patch that changes the `tar` call to
store more information in the cache file so that "special" properties
(like capabilities) are properly stored across installs.

We've been running this patch in production for a few weeks at tor
without any problems.

A.

-- System Information:
Debian Release: 10.1
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru ganeti-instance-debootstrap-0.16/debian/changelog ganeti-instance-debootstrap-0.16/debian/changelog
--- ganeti-instance-debootstrap-0.16/debian/changelog	2018-06-20 06:57:18.000000000 -0400
+++ ganeti-instance-debootstrap-0.16/debian/changelog	2019-11-01 19:01:50.000000000 -0400
@@ -1,3 +1,10 @@
+ganeti-instance-debootstrap (0.16-6.1) unstable; urgency=medium
+
+  * Non-maintainer upload
+  * add patch to respect linux caps (Closes: #942114)
+
+ -- Antoine Beaupré <anarcat@debian.org>  Fri, 01 Nov 2019 19:01:50 -0400
+
 ganeti-instance-debootstrap (0.16-6) unstable; urgency=medium
 
   * Bump Standards-Version to 4.1.4; no changes needed
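Review bot: the first added line targets `unstable` with version `0.16-6.1`, which is the testing upload unchanged; an upload to buster for the point release needs its own changelog entry with `buster` as the distribution and a version that sorts below `0.16-6.1`, for example `0.16-6+deb10u1`. The bullet `add patch to respect linux caps` could also mention that the tar calls now carry ACLs and SELinux contexts, since that is a behaviour change beyond capabilities.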
diff -Nru ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch
--- ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch	1969-12-31 19:00:00.000000000 -0500
+++ ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch	2019-11-01 19:01:50.000000000 -0400
@@ -0,0 +1,48 @@
+From cd34bcc48a2af92f484535b81fba2d46dad1dbb6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
+Date: Thu, 10 Oct 2019 11:07:51 -0400
+Subject: [PATCH] respect Linux capabilities(7) in cache
+
+The default GNU tar configuration does not carry fancy extended
+attributes and that is where, among other things, stuff like Linux
+capabilities(7) are stored. This is kind of important because that's
+how ping(8) works for regular users.
+
+We shove --selinux and --acls in there while we're at it, because why
+not. We never know what the future might bring, and it seems
+silly *not* to create a complete archive.
+
+Note that --xattrs-include='*' is important because, by default, GNU
+tar will not include capabilities /even/ if --xattrs is specified on
+the commandline, see this bug report for details:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=771927
+---
+ create | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/create b/create
+index 607bab2..7526e71 100755
+--- a/create
++++ b/create
+@@ -83,7 +83,7 @@ if [ "$CLEAN_CACHE" -a -d "$CACHE_DIR" ]; then
+ fi
+ 
+ if [ -f "$CACHE_FILE" ]; then
+-  tar xf "$CACHE_FILE" -C $TMPDIR
++  tar --acls --selinux --xattrs --xattrs-include='*' -x -f "$CACHE_FILE" -C $TMPDIR
+ else
+   if [ "$PROXY" ]; then
+     export http_proxy="$PROXY"
+@@ -109,7 +109,7 @@ else
+ 
+   if [ "$GENERATE_CACHE" = "yes" ]; then
+     TMP_CACHE=`mktemp "${CACHE_FILE}.XXXXXX"`
+-    tar cf "$TMP_CACHE" -C $TMPDIR .
++    tar --acls --selinux --xattrs --xattrs-include='*' -c -f "$TMP_CACHE" -C $TMPDIR .
+     mv -f "$TMP_CACHE" "$CACHE_FILE"
+   fi
+ fi
+-- 
+2.20.1
+
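Review bot: in the extract branch (`if [ -f "$CACHE_FILE" ]`), the new flags can only restore what the archive already holds, and a cache written by the old `tar cf "$TMP_CACHE" -C $TMPDIR .` contains no xattrs, so instances built from a pre-existing cache still come up without file capabilities after the upgrade. The commit message or changelog should tell admins to regenerate the cache (the script already has a `CLEAN_CACHE` branch just above this hunk), or the script should invalidate old caches itself. Separately, `--xattrs-include='*'` on extract restores every attribute namespace recorded in the cache file, so that file should stay writable by root only, and `$TMPDIR` is unquoted in both changed lines; `-C "$TMPDIR"` would be safer while these lines are being touched.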
diff -Nru ganeti-instance-debootstrap-0.16/debian/patches/series ganeti-instance-debootstrap-0.16/debian/patches/series
--- ganeti-instance-debootstrap-0.16/debian/patches/series	2018-06-20 06:57:18.000000000 -0400
+++ ganeti-instance-debootstrap-0.16/debian/patches/series	2019-11-01 19:01:50.000000000 -0400
@@ -1 +1,2 @@
+respect-Linux-capabilities-7-in-cache.patch
 fix-sfdisk-BLKRRPART.patch
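Review bot: the new patch is inserted on the first line of `series`, ahead of `fix-sfdisk-BLKRRPART.patch`, so the existing patch is now applied on top of it rather than on the pristine source. Appending the new entry at the end keeps the existing patch applying exactly as it did in 0.16-6 and makes the stable diff easier to review.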
