Merge ~cjwatson/launchpad-buildd:robustify-lxd-group-membership into launchpad-buildd:master

Proposed by Colin Watson
Status: Merged
Approved by: Colin Watson
Approved revision: 6283377f2f527948bce778a1f73f4079e8e2cd44
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~cjwatson/launchpad-buildd:robustify-lxd-group-membership
Merge into: launchpad-buildd:master
Diff against target: 30 lines (+11/-0)
2 files modified
debian/changelog (+6/-0)
debian/launchpad-buildd@.service (+5/-0)
Reviewer | Review Type | Date Requested | Status
Thomas Bechtold (community) | | | Approve
William Grant | code | | Approve
Review via email: mp+418611@code.launchpad.net

Commit message

Ensure that launchpad-buildd runs with lxd as a supplementary group

Description of the change

`bin/sbuild-package` has an unfortunate hack to temporarily remove the buildd user's lxd group membership (see https://bugs.launchpad.net/launchpad-buildd/+bug/1820348). If a non-virtualized builder crashes for some reason in the middle of an sbuild job, it will come back up without being reset to a clean image (since it's non-virtualized), launchpad-buildd will start without the lxd supplementary group it's supposed to have, and as a result it will be unable to start LXD containers.

To work around all this, tell systemd to add lxd as a supplementary group no matter what, ensuring that launchpad-buildd comes up properly even if the system group database is temporarily wrong.

William Grant (wgrant) :
review: Approve (code)
Thomas Bechtold (toabctl) wrote :

Thanks!

review: Approve

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index f75293a..e0f1e30 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,9 @@
6+launchpad-buildd (212) UNRELEASED; urgency=medium
7+
8+ * Ensure that launchpad-buildd runs with lxd as a supplementary group.
9+
10+ -- Colin Watson <cjwatson@ubuntu.com> Wed, 06 Apr 2022 12:46:35 +0100
11+
12 launchpad-buildd (211) focal; urgency=medium
13
14 * Use "git checkout" rather than "git clone -b", since that allows
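Review bot: the new 212 entry at the top of debian/changelog records the effect but not the mechanism or the trigger. Someone reading only the changelog cannot tell that this is a systemd unit change made so the daemon survives a crash on a non-virtualized builder. Consider extending the bullet to say that SupplementaryGroups=lxd is now set in the service unit, so that a group database left wrong by an interrupted sbuild job no longer prevents LXD containers from starting.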
15diff --git a/debian/launchpad-buildd@.service b/debian/launchpad-buildd@.service
16index 690e0fd..8ebaa58 100644
17--- a/debian/launchpad-buildd@.service
18+++ b/debian/launchpad-buildd@.service
19@@ -13,6 +13,11 @@ Type=simple
20 RuntimeDirectory=launchpad-buildd
21 LogsDirectory=launchpad-buildd
22 User=buildd
23+# The buildd user should normally already be a member of this group, but due
24+# to the deluser hacks in sbuild-package it's possible for the group
25+# membership to be missing if a non-virtualized builder crashes in the
26+# middle of an sbuild job. Make sure of it here.
27+SupplementaryGroups=lxd
28 EnvironmentFile=-/etc/default/launchpad-buildd
29 Environment=BUILDD_CONFIG=/etc/launchpad-buildd/%i
30 # When enabled, launchpad-buildd accepts network commands and runs them as
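Review bot: the added "SupplementaryGroups=lxd" line after "User=buildd" hides the missing membership from the daemon but leaves the group database unrepaired. After a crash in the middle of an sbuild job, anything else that resolves buildd's groups from the system database still sees it without lxd. If the intent is a full recovery, consider also restoring the membership at startup, or say in the comment that only the service's own process credentials are corrected. Two smaller points on the same lines: systemd has to resolve the group name when the unit starts, so it is worth confirming that packaging guarantees the lxd group exists on every builder before this unit runs; and the comment mentions "the deluser hacks in sbuild-package" without a pointer, so adding the bug URL from the description (https://bugs.launchpad.net/launchpad-buildd/+bug/1820348) would let the next reader find out why the hack exists.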
