Merge ~danilogondolfo/ubuntu/+source/netplan.io:jammy_generator_postinst into ubuntu/+source/netplan.io:ubuntu/jammy-devel

Proposed by Danilo Egea Gondolfo
Status: Work in progress
Proposed branch: ~danilogondolfo/ubuntu/+source/netplan.io:jammy_generator_postinst
Merge into: ubuntu/+source/netplan.io:ubuntu/jammy-devel
Diff against target: 34 lines (+13/-1)
2 files modified
debian/changelog (+8/-0)
debian/netplan.io.postinst (+5/-1)
Reviewer: git-ubuntu
Review Type: import
Date Requested: (none)
Status: Pending
Review via email: mp+468419@code.launchpad.net
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Looks sane to me, tested the conditional snippet locally and it seems to do what's expected.

Revision history for this message
Pavel Zakharov (pzakha) wrote :

That's reasonable to me, that said it wouldn't fix the issue where a netplan configuration file is present, which could be the case on some systems.

I think it's a valid workaround while Netplan maintainers fix the root issue (which is: "generate" shouldn't put anything in /run/systemd/system when systemd is not running).

Revision history for this message
Danilo Egea Gondolfo (danilogondolfo) wrote (last edit):

Hi Pavel, yes, you're right.

I changed the logic here: the only reason we want to call the generator is to fix the permissions of networkd files. There is no reason to run it if these files don't exist.

So now it will look for this: ".*-netplan.*\.\(network\|netdev\)"

Only .network and .netdev files generated by netplan. If none exist we don't run the generator.

What do you think?

Revision history for this message
Danilo Egea Gondolfo (danilogondolfo) wrote :

The important point is: if these files already exist, /run/systemd/system also exists. Netplan creates both of them.

Revision history for this message
Łukasz Zemczak (sil2100) wrote :

As discussed, this solution feels even better!

Revision history for this message
Pavel Zakharov (pzakha) wrote :

I'm not super familiar with netplan logic, but the idea makes sense to me.

I'm assuming `netplan generate` is called on boot anyway, so this logic is only for the case where:
1. There is an existing netplan configuration
2. The system is currently booted and running
3. netplan package is upgraded, and we want to regenerate the live network config as that fixes some security issues.

Is this correct?

Revision history for this message
Danilo Egea Gondolfo (danilogondolfo) wrote :

That is mostly correct.

Even if you have netplan YAMLs in any of /etc/netplan, /lib/netplan and /run/netplan but "netplan generate" was never executed before, /run/systemd/system and /run/systemd/network were never created by netplan. So it will not run on upgrade/installation.

But yes, the generator will run on boot when systemd is activated.

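The decision rule described in the comments above (run the generator only when netplan-generated networkd units are already present under /run/systemd/network) can be exercised outside a package upgrade. The script below is an added example, not code from the merge proposal; it reuses the same find(1) pattern as the proposed postinst, but the directory layout and file names it creates are a constructed fixture, and the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the merge proposal: exercises the same
# find(1) test the proposed postinst uses before calling the generator.
set -e

# Same pattern as debian/netplan.io.postinst: only .network/.netdev units
# whose name carries "-netplan" count as netplan-generated networkd files.
NETPLAN_UNIT_REGEX='.*-netplan.*\.\(network\|netdev\)'

# Returns 0 if netplan-generated networkd units exist under $1, 1 otherwise.
# A missing directory behaves like an empty one: find's error is silenced
# and "|| true" keeps "set -e" from aborting the script.
netplan_networkd_files_exist() {
    files=$(find "$1" -type f -regex "$NETPLAN_UNIT_REGEX" 2>/dev/null || true)
    [ -n "$files" ]
}

# Builds a constructed fixture (hypothetical file names) and prints its path.
# with/    - what /run/systemd/network looks like after "netplan generate"
# without/ - unrelated units only, as on a system where the generator never ran
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/with" "$tmp/without"
    : > "$tmp/with/10-netplan-eth0.network"
    : > "$tmp/with/10-netplan-br0.netdev"
    : > "$tmp/with/20-other.network"
    : > "$tmp/without/20-other.network"
    : > "$tmp/without/10-netplan-eth0.link"   # .link is not in the pattern
    echo "$tmp"
}

# Mirrors the postinst branch: prints the action the maintainer script would take.
decide() {
    if netplan_networkd_files_exist "$1"; then
        echo "run generator"
    else
        echo "skip generator"
    fi
}

# Demonstration over the three situations discussed in the review:
# units present, only foreign units present, directory never created.
fixture=$(make_fixture)
for name in with without missing; do
    echo "$name: $(decide "$fixture/$name")"
done
rm -rf "$fixture"
```

The `\(network\|netdev\)` alternation relies on GNU find's default (emacs-style) regex syntax, which is what the Ubuntu postinst assumes; `-regex` matches the whole path, so the leading `.*` is required. The "missing" case is the one that matters for container builds: when the directory was never created, the function returns 1 and the generator is not invoked.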
Revision history for this message
Danilo Egea Gondolfo (danilogondolfo) wrote :

Here is a test case with docker build:

With netplan.io from the archive it will break when systemctl is called:

root@jammy-deleteme:~/bad# cat Dockerfile
FROM ubuntu:22.04

RUN apt-get update && apt-get install --yes --no-install-recommends \
    systemd \
    openssh-server \
    gpg-agent \
    software-properties-common

RUN apt -y install netplan.io

RUN systemctl enable ssh

$ docker build .
....
Processing triggers for libc-bin (2.35-0ubuntu3.8) ...
Processing triggers for dbus (1.12.20-2ubuntu4.1) ...
Removing intermediate container ebec928c841c
 ---> ea85468aaaea
Step 4/4 : RUN systemctl enable ssh
 ---> Running in c87ef22af667
Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ssh
Failed to connect to bus: No such file or directory
Failed to connect to bus: No such file or directory
Failed to connect to bus: No such file or directory
The command '/bin/sh -c systemctl enable ssh' returned a non-zero code: 1

This is the test with the PPA I prepared:

root@jammy-deleteme:~/good# cat Dockerfile
FROM ubuntu:22.04

RUN apt-get update && apt-get install --yes --no-install-recommends \
    systemd \
    openssh-server \
    gpg-agent \
    software-properties-common

RUN add-apt-repository -y ppa:danilogondolfo/bugfixes && apt update && apt -y install netplan.io

RUN systemctl enable ssh

docker build .
...
Get:1 https://ppa.launchpadcontent.net/danilogondolfo/bugfixes/ubuntu jammy/main amd64 libnetplan0 amd64 0.106.1-7ubuntu0.22.04.4~ppa1 [118 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libbpf0 amd64 1:0.5.0-1ubuntu22.04.1 [140 kB]
Get:3 https://ppa.launchpadcontent.net/danilogondolfo/bugfixes/ubuntu jammy/main amd64 netplan.io amd64 0.106.1-7ubuntu0.22.04.4~ppa1 [119 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy/main amd64 libmnl0 amd64 1.0.4-3build2 [13.2 kB]
...
Processing triggers for libc-bin (2.35-0ubuntu3.8) ...
Processing triggers for dbus (1.12.20-2ubuntu4.1) ...
Removing intermediate container 94e96b1bf653
 ---> 805aff23f66d
Step 4/4 : RUN systemctl enable ssh
 ---> Running in 82689e8adf50
Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ssh
Removing intermediate container 82689e8adf50
 ---> 0600d6d6439e
Successfully built 0600d6d6439e

Unmerged commits

3465504... by Danilo Egea Gondolfo

Changelog

5c7be62... by Danilo Egea Gondolfo

debian/netplan.io.postinst

Don't call the generator if no netplan configuration file exists.
(LP: #2071333)

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 5be3a01..612765f 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+netplan.io (0.106.1-7ubuntu0.22.04.4) jammy; urgency=medium
7+
8+ * debian/netplan.io.postinst:
9+ Don't call the generator if no networkd configuration file exists.
10+ (LP: #2071333)
11+
12+ -- Danilo Egea Gondolfo <danilo.egea.gondolfo@canonical.com> Fri, 28 Jun 2024 10:28:18 +0100
13+
14 netplan.io (0.106.1-7ubuntu0.22.04.3) jammy-security; urgency=medium
15
16 * SECURITY UPDATE: weak permissions on secret files, command injection
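Review bot: the changelog entry says "no networkd configuration file exists" while the commit message for 5c7be62 says "no netplan configuration file exists"; since the postinst change tests for netplan-generated units under /run/systemd/network rather than for YAML in /etc/netplan, the changelog wording is the accurate one, and the commit message should be aligned with it so readers do not conclude that the presence of a netplan YAML is what gates the generator.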
17diff --git a/debian/netplan.io.postinst b/debian/netplan.io.postinst
18index 1758dff..f805c24 100644
19--- a/debian/netplan.io.postinst
20+++ b/debian/netplan.io.postinst
21@@ -3,8 +3,12 @@
22 set -e
23
24 # Calling the generator after installation to mitigate CVE-2022-4968
25+# We avoid calling the generator if the system doesn't have networkd files to be fixed (LP: #2071333)
26 if [ "$1" = configure ]; then
27- /usr/libexec/netplan/generate 2>/dev/null || echo "WARNING: Netplan could not re-generate network configuration. Please run 'netplan generate' to see details."
28+ FILES=$(find /run/systemd/network/ -type f -regex ".*-netplan.*\.\(network\|netdev\)" 2>/dev/null || true)
29+ if [ -n "${FILES}" ]; then
30+ /usr/libexec/netplan/generate 2>/dev/null || echo "WARNING: Netplan could not re-generate network configuration. Please run 'netplan generate' to see details."
31+ fi
32 fi
33
34 #DEBHELPER#
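Review bot: the new comment on line 25 gives only half of the reasoning behind the guard; the discussion on this proposal also relies on /run/systemd/network being created by the generator together with /run/systemd/system, so its absence is what makes the skip safe on systems where systemd is not running, and stating that next to the `find` would spare the next maintainer from re-deriving it. Two smaller points on line 28: `-regex` matches the full path, so the leading `.*` is needed and `\(network\|netdev\)` depends on GNU find's default regex syntax (fine on Ubuntu, worth a word in the comment); and since only emptiness of `FILES` is tested, `find ... -print -quit` would stop at the first match instead of collecting every unit name.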
