/var/lib/tftpboot directory permissions destroyed

Bug #967815 reported by C de-Avillez
This bug affects 3 people
Affects           Status         Importance   Assigned to        Milestone
Cobbler           New            Undecided    Unassigned
cobbler (Ubuntu)  Fix Released   Critical     Andres Rodriguez
  Precise         Fix Released   Critical     Unassigned
  Quantal         Fix Released   Critical     Unassigned

Bug Description

Every so often -- in fact whenever a new debian-installer is released for Precise -- we re-import the distro. In the process, the TFTP boot files are regenerated.

Somehow this changes /var/lib/tftpboot permissions on subdirectories and files. The result is NOT guaranteed to be bad, and it is NOT guaranteed to affect the same directories and files in the same way.

For example, the last occurrence (today) shows only this change:

55,56c55,56
< drwxr-xr-x 2 root root 4096 2012-03-22 23:13 precise-i386
< drwxr-xr-x 2 root root 4096 2012-03-22 23:13 precise-x86_64
---
> d-w---x--- 2 root root 4096 2012-03-28 04:31 precise-i386
> d-w---x--- 2 root root 4096 2012-03-28 04:31 precise-x86_64

Notice the completely hosed permissions on the new directories.

As a result PXE booting may fail (in this case DID fail).

This is a serious issue, impacting automated testing.

WORKAROUND:

find /var/lib/tftpboot -type d -exec sudo chmod 755 {} \;
find /var/lib/tftpboot -type f -exec sudo chmod 644 {} \;

but this is rather ridiculous ;-)

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: cobbler 2.1.0+git20110602-0ubuntu26.2
ProcVersionSignature: Ubuntu 3.0.0-12.20-server 3.0.4
Uname: Linux 3.0.0-12-server x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Wed Mar 28 21:52:56 2012
InstallationMedia: Ubuntu-Server 11.04 "Natty Narwhal" - Release amd64 (20110426)
PackageArchitecture: all
SourcePackage: cobbler
UpgradeStatus: Upgraded to oneiric on 2011-11-16 (133 days ago)

SRU Justifications

[IMPACT]

This bug causes the TFTP boot directories to be unreadable by PXE or TFTP. The change replaces wrong calls to os.umask() by direct open/close calls, with specific permissions. As a result, the program's default umask is not clobbered.

There is no visible impact on applying this fix elsewhere in the code.

[TESTCASE]

1. On an unpatched running Cobbler, set a script to run 'sudo cobbler sync' every half hour or so; let it run for a few hours/days
2. meanwhile check /var/lib/tftpboot (or whatever directory the PXE boot files are written to) for changes in the permissions: find /var/lib/tftpboot ! -perm -444
3. If the 'find' on (3) shows any files -- you reproduced the bug. Follow up to 4. below; otherwise, go back to 2. and try again

4. recover the /var/lib/tftpboot:
  find /var/lib/tftpboot -type d -exec sudo chmod 755 {} \;
  find /var/lib/tftpboot -type f -exec sudo chmod 644 {} \;
5. apply the update
6. re-run the script/command 'sudo cobbler sync' every half hour or so; let it run for a few days.
7. repeat step 2. above every so often; you should see *no* files without read permission being listed.
8. wait the few days. Repeat step 2. once more -- no files should be listed.
9. DONE.

[REGRESSION POTENTIAL]

No regression potentials have been identified.

description: updated
Robie Basak (racb) wrote :

I have seen a similar issue, also on Oneiric:

XXXXX@XXXXX:/var/lib/tftpboot/pxelinux.cfg$ ls -l
total 20
-rw-r--r-- 1 root root 398 2012-03-27 11:47 01-00-XX-XX-XX-XX-XX
--w------- 1 root root 386 2012-03-27 11:56 01-XX-XX-XX-XX-XX-XX
--w------- 1 root root 386 2012-03-27 11:56 01-XX-XX-XX-XX-XX-XX
--w------- 1 root root 386 2012-03-27 11:56 01-XX-XX-XX-XX-XX-XX
-rw-r--r-- 1 root root 215 2012-03-27 11:56 default

Restarting cobbler seemed to get it creating files correctly again. I suspect that it was triggered in my case by calling cobbler concurrently (though for separate profiles and systems).

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cobbler (Ubuntu):
status: New → Confirmed
Serge van Ginderachter (svg) wrote :

Upstream issues a patch, can this be deployed in Ubuntu?

C de-Avillez (hggdh2) wrote :

@Serge: I have just packaged a Cobbler for it (currently building in my PPA, for Precise), and will deploy in a few. There were some doubts about applicability, but some manual tests I ran with the weird os.umask() values in the code resulted in files/directories with the same permissions I see on prod.

The PPA is at https://launchpad.net/~hggdh2/+archive/ppa
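
As an added illustration (not Cobbler's code and not part of the original report): a process-wide umask of 0o567 is one value that yields exactly the `d-w---x---` and `--w-------` modes in the listings above, and the sketch below creates entries under such a mask and then with modes set explicitly on the object. The mask value and its hex-for-octal origin, the file names, the use of chmod/fchmod and all helper names are assumptions made for this demonstration.

```python
import os
import tempfile

WRONG_MASK = 0x777 & 0o777   # constructed: hex typed where octal was meant -> 0o567

def perms(path):
    """Permission bits of path as an octal string, e.g. '0o644'."""
    return oct(os.lstat(path).st_mode & 0o777)

def create_with_umask(root, mask):
    """Failure mode: creation modes depend on a process-wide umask."""
    old = os.umask(mask)          # process-wide: every thread sees it in this window
    try:
        d = os.path.join(root, "precise-i386")
        os.mkdir(d)               # asks for 0o777, umask strips bits
        f = os.path.join(root, "01-constructed")
        with open(f, "w") as fh:  # asks for 0o666, umask strips bits
            fh.write("constructed sample\n")
    finally:
        os.umask(old)             # a missed restore leaves the mask in place
    return d, f

def create_explicit(root):
    """Hardened form: set the mode on the object itself, independent of the umask."""
    d = os.path.join(root, "precise-x86_64")
    os.mkdir(d, 0o755)
    os.chmod(d, 0o755)            # chmod is not filtered by the umask
    f = os.path.join(d, "default")
    fd = os.open(f, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o644)      # final mode is 0o644 whatever the umask is
        fh.write("constructed sample\n")
    return d, f

def unreadable(root):
    """Entries below ROOT that `find ROOT ! -perm -444` would list (relative paths)."""
    hits = []
    for base, dirs, files in os.walk(root):
        hits += [os.path.relpath(os.path.join(base, n), root) for n in dirs + files
                 if os.lstat(os.path.join(base, n)).st_mode & 0o444 != 0o444]
    return sorted(hits)

def demo():
    with tempfile.TemporaryDirectory() as root:
        bad = [perms(p) for p in create_with_umask(root, WRONG_MASK)]
        good = [perms(p) for p in create_explicit(root)]
        flagged = unreadable(root)
        os.chmod(os.path.join(root, "precise-i386"), 0o755)  # let cleanup succeed
        return bad, good, flagged
```

`demo()` returns the modes created under the wrong mask, the modes created explicitly, and the entries the read-permission audit flags.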

C de-Avillez (hggdh2)
description: updated
C de-Avillez (hggdh2)
Changed in cobbler (Ubuntu Precise):
assignee: nobody → C de-Avillez (hggdh2)
status: New → In Progress
Changed in cobbler (Ubuntu Quantal):
assignee: nobody → C de-Avillez (hggdh2)
status: New → Triaged
description: updated
Changed in cobbler (Ubuntu):
assignee: nobody → Andres Rodriguez (andreserl)
Changed in cobbler (Ubuntu):
status: Confirmed → Fix Committed
Changed in cobbler (Ubuntu Precise):
status: In Progress → Confirmed
status: Confirmed → New
Changed in cobbler (Ubuntu Quantal):
status: Triaged → New
Changed in cobbler (Ubuntu Precise):
importance: Undecided → Critical
Changed in cobbler (Ubuntu Quantal):
importance: Undecided → Critical
Changed in cobbler (Ubuntu):
importance: Undecided → Critical
Changed in cobbler (Ubuntu Precise):
assignee: C de-Avillez (hggdh2) → nobody
Changed in cobbler (Ubuntu Quantal):
assignee: C de-Avillez (hggdh2) → nobody
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cobbler - 2.2.2-0ubuntu37

---------------
cobbler (2.2.2-0ubuntu37) raring; urgency=low

  * debian/patches/72-BUGFIX-issue-117-incorrect-permissions-on-files-in-v.patch:
    correct wrong usage of os.umask() on cobbler/api.py, cobbler/cobblerd.py, and
    cobbler/serializer.py. Imported from Upstream. (LP: #967815)
 -- C de-Avillez <email address hidden> Sun, 09 Sep 2012 11:17:13 -0500

Changed in cobbler (Ubuntu):
status: Fix Committed → Fix Released
Dave Walker (davewalker) wrote : Please test proposed package

Hello C, or anyone else affected,

Accepted into quantal-proposed. The package will build now and be available in a few hours in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in cobbler (Ubuntu Quantal):
status: New → Fix Committed
tags: added: verification-needed
Changed in cobbler (Ubuntu Precise):
status: New → Fix Committed
tags: added: verification-needed-precise verification-needed-quantal
removed: verification-needed
Andres Rodriguez (andreserl) wrote :

Marking verification done as it has already been verified.

tags: added: verification-done verification-done-precise verification-done-quantal
removed: verification-needed-precise verification-needed-quantal
Colin Watson (cjwatson) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cobbler - 2.2.2-0ubuntu33.1

---------------
cobbler (2.2.2-0ubuntu33.1) precise-proposed; urgency=low

  * debian/patches/72-BUGFIX-issue-117-incorrect-permissions-on-files-in-v.patch:
    correct wrong usage of os.umask() on cobbler/api.py, cobbler/cobblerd.py, and
    cobbler/serializer.py. Imported from Upstream. (LP: #967815)
 -- C de-Avillez <email address hidden> Sun, 09 Sep 2012 11:17:13 -0500

Changed in cobbler (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cobbler - 2.2.2-0ubuntu36.1

---------------
cobbler (2.2.2-0ubuntu36.1) quantal-proposed; urgency=low

  * debian/patches/72-BUGFIX-issue-117-incorrect-permissions-on-files-in-v.patch:
    correct wrong usage of os.umask() on cobbler/api.py, cobbler/cobblerd.py, and
    cobbler/serializer.py. Imported from Upstream. (LP: #967815)
 -- C de-Avillez <email address hidden> Sun, 09 Sep 2012 11:17:13 -0500

Changed in cobbler (Ubuntu Quantal):
status: Fix Committed → Fix Released