From e0f8ab7549b0c30394975e0f5aa5b101af8b9a27 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 23 Apr 2024 10:29:54 -0400
Subject: [PATCH 1/3] daemon.start: only cleanup /etc/ovn if interfacing with microovn

Signed-off-by: Simon Deziel
(cherry picked from commit 7eda2123bbfd92c9af170f42155dac01a15afe7d)
---
 snapcraft/commands/daemon.start | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start
index ac1fa6fd9..57f8e89ae 100755
--- a/snapcraft/commands/daemon.start
+++ b/snapcraft/commands/daemon.start
@@ -321,27 +321,36 @@ sed \
 "${SNAP}/etc/lvm/lvm.conf" > /etc/lvm/lvm.conf
 
 # Setup for OVN
-echo "==> Cleaning up OVN configuration"
-if [ -L /etc/ovn ]; then
- echo "=> Removing /etc/ovn symlink"
- rm -f /etc/ovn
-elif [ -d /etc/ovn ]; then
- echo "=> Removing /etc/ovn directory"
- rm -rf /etc/ovn
-fi
-
 echo "==> Setting up OVN configuration"
 if [ "${ovn_builtin:-"false"}" = "true" ]; then
 echo "=> Using builtin OVN"
 mkdir -p "${SNAP_COMMON}/ovn"
 ln -s "${SNAP_COMMON}/ovn" /etc/ovn
 elif [ -d "${SNAP_DATA}/microovn/certificates/pki" ]; then
+ echo "==> Cleaning up OVN configuration"
+ if [ -L /etc/ovn ]; then
+ echo "=> Removing /etc/ovn symlink"
+ rm -f /etc/ovn
+ elif [ -d /etc/ovn ]; then
+ echo "=> Removing /etc/ovn directory"
+ rm -rf /etc/ovn
+ fi
+
 echo "=> Detected MicroOVN Content Interface"
 mkdir -p /etc/ovn
 ln -s "${SNAP_DATA}/microovn/certificates/pki/client-cert.pem" /etc/ovn/cert_host
 ln -s "${SNAP_DATA}/microovn/certificates/pki/client-privkey.pem" /etc/ovn/key_host
 ln -s "${SNAP_DATA}/microovn/certificates/pki/cacert.pem" /etc/ovn/ovn-central.crt
 elif [ -d /var/snap/microovn/ ]; then
+ echo "==> Cleaning up OVN configuration"
+ if [ -L /etc/ovn ]; then
+ echo "=> Removing /etc/ovn symlink"
+ rm -f /etc/ovn
+ elif [ -d /etc/ovn ]; then
+ echo "=> Removing /etc/ovn directory"
+ rm -rf /etc/ovn
+ fi
+
 echo "=> Detected MicroOVN"
 mkdir -p /etc/ovn
 ln -s /var/snap/microovn/common/data/pki/client-cert.pem /etc/ovn/cert_host
From df9bdbcde965b89552123b8189a8fb413674cde4 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Wed, 20 Mar 2024 14:47:17 -0400
Subject: [PATCH 2/3] snapcraft/commands/daemon.activate: set primary group to lxd

Without that, the lxd user actually ends up being created like this:

```
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
users:x:100:
lxd:x:120:ubuntu
```

With this patch, it should instead be:

```
lxd:x:999:120::/var/snap/lxd/common/lxd:/bin/false
lxd:x:120:ubuntu
```
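Review bot: The symlink-or-directory cleanup is now pasted verbatim into both MicroOVN branches, while the `ovn_builtin` branch's `ln -s "${SNAP_COMMON}/ovn" /etc/ovn` gets neither a cleanup nor `-f`; if `/etc/ovn` can survive from an earlier run in this mount namespace (not visible here), `ln -s` onto an existing directory silently creates `/etc/ovn/ovn` instead, and onto an existing symlink it fails. Suggest hoisting the cleanup into a `cleanup_ovn_config()` helper called from both MicroOVN branches, keeping the `-L` test ahead of `-d` so a symlink is only unlinked and never recursed into by `rm -rf`, and using `ln -sfn` in the builtin branch so a stale symlink is replaced and a stale directory at least fails loudly rather than being populated underneath. The `if`/`elif` chain continues past the end of the hunk.
```shell
# Remove a stale /etc/ovn so the ln -s calls below land where expected.
# -L is tested before -d so a symlink to a directory is unlinked, never
# recursed into with rm -rf.
cleanup_ovn_config() {
    echo "==> Cleaning up OVN configuration"
    if [ -L /etc/ovn ]; then
        echo "=> Removing /etc/ovn symlink"
        rm -f /etc/ovn
    elif [ -d /etc/ovn ]; then
        echo "=> Removing /etc/ovn directory"
        rm -rf /etc/ovn
    fi
}

echo "==> Setting up OVN configuration"
if [ "${ovn_builtin:-"false"}" = "true" ]; then
    echo "=> Using builtin OVN"
    mkdir -p "${SNAP_COMMON}/ovn"
    # -n: never descend into an existing /etc/ovn directory; -f: replace a stale symlink
    ln -sfn "${SNAP_COMMON}/ovn" /etc/ovn
elif [ -d "${SNAP_DATA}/microovn/certificates/pki" ]; then
    cleanup_ovn_config
    # … unchanged: "Detected MicroOVN Content Interface" symlinks …
elif [ -d /var/snap/microovn/ ]; then
    cleanup_ovn_config
    # … unchanged: "Detected MicroOVN" symlinks …
```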
Signed-off-by: Simon Deziel
(cherry picked from commit c4aba63551d49d814ac0a1642c8c77b99d2bbced)
---
 snapcraft/commands/daemon.activate | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/snapcraft/commands/daemon.activate b/snapcraft/commands/daemon.activate
index d13795fe1..2ea5bcb86 100755
--- a/snapcraft/commands/daemon.activate
+++ b/snapcraft/commands/daemon.activate
@@ -59,16 +59,6 @@ if echo "${SNAP_MODEL}" | grep -q "^lxd-core"; then
 exit 0
 fi
 
-# Setup the "lxd" user
-if ! getent passwd lxd >/dev/null 2>&1; then
- echo "==> Creating \"lxd\" user"
- if grep -q "^passwd.*extrausers" /var/lib/snapd/hostfs/etc/nsswitch.conf; then
- nsenter -t 1 -m useradd --system -M -N --home "${SNAP_COMMON}/lxd" --shell /bin/false --extrausers lxd || true
- else
- nsenter -t 1 -m useradd --system -M -N --home "${SNAP_COMMON}/lxd" --shell /bin/false lxd || true
- fi
-fi
-
 # Setup the "lxd" group
 if [ "${daemon_group}" = "lxd" ] && ! getent group lxd >/dev/null 2>&1; then
 echo "==> Creating \"lxd\" group"
@@ -79,6 +69,16 @@ if [ "${daemon_group}" = "lxd" ] && ! getent group lxd >/dev/null 2>&1; then
 fi
 fi
 
+# Setup the "lxd" user
+if ! getent passwd lxd >/dev/null 2>&1; then
+ echo "==> Creating \"lxd\" user"
+ if grep -q "^passwd.*extrausers" /var/lib/snapd/hostfs/etc/nsswitch.conf; then
+ nsenter -t 1 -m useradd --system -M -N --home "${SNAP_COMMON}/lxd" --shell /bin/false --gid lxd --extrausers lxd || true
+ else
+ nsenter -t 1 -m useradd --system -M -N --home "${SNAP_COMMON}/lxd" --shell /bin/false --gid lxd lxd || true
+ fi
+fi
+
 # Set socket ownership
 if getent group "${daemon_group}" >/dev/null 2>&1; then
 if [ -e "${SNAP_COMMON}/lxd/unix.socket" ]; then
From 6cba91382caeeea0e4307d669cac4fd32904198e Mon Sep 17 00:00:00 2001
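Review bot: The two new `useradd` lines pass `--gid lxd`, but the group block directly above only creates the `lxd` group when `daemon_group` is `lxd`; when the group is missing, useradd exits non-zero, the trailing `|| true` hides that, and no `lxd` user is created at all — before this patch the user was still created with a default primary group. Make the option conditional, e.g. `gid_opt=$(getent group lxd >/dev/null 2>&1 && echo "--gid lxd" || true)` followed by `nsenter -t 1 -m useradd --system -M -N --home "${SNAP_COMMON}/lxd" --shell /bin/false ${gid_opt} --extrausers lxd || true` (same on the non-extrausers line; the unquoted `${gid_opt}` is deliberate word splitting, mark it `# shellcheck disable=SC2086`). The `|| true` would also serve better as `|| echo "==> WARNING: failed to create \"lxd\" user"` so a failed creation shows up in the journal instead of surfacing later as a socket-ownership error. The groupadd lines themselves sit between the two hunks and are not visible here.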
From: Simon Deziel
Date: Tue, 23 Apr 2024 11:04:06 -0400
Subject: [PATCH 3/3] snapcraft/commands/daemon.start: set primary group to lxd

By creating the group first, the user creation can use `--gid lxd` to have the right primary group.

Signed-off-by: Simon Deziel
(cherry picked from commit cd1a18d67df30be4e316d09c9c151276572c8110)
---
 snapcraft/commands/daemon.start | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start
index 57f8e89ae..8f1cc2b28 100755
--- a/snapcraft/commands/daemon.start
+++ b/snapcraft/commands/daemon.start
@@ -274,16 +274,6 @@ for entry in dev proc sys; do
 mount -o bind "/${entry}" "/var/lib/snapd/hostfs/${entry}"
 done
 
-# Setup the "lxd" user
-if ! getent passwd lxd >/dev/null 2>&1; then
- echo "==> Creating \"lxd\" user"
- if grep -q "^passwd.*extrausers" /var/lib/snapd/hostfs/etc/nsswitch.conf; then
- nsenter -t 1 -m useradd --system -M -N --home "${SNAP_COMMON}/lxd" --shell /bin/false --extrausers lxd || true
- else
- nsenter -t 1 -m useradd --system -M -N --home "${SNAP_COMMON}/lxd" --shell /bin/false lxd || true
- fi
-fi
-
 # Setup the "lxd" group
 if [ "${daemon_group}" = "lxd" ] && ! getent group lxd >/dev/null 2>&1; then
 echo "==> Creating \"lxd\" group"
@@ -294,6 +284,16 @@ if [ "${daemon_group}" = "lxd" ] && ! getent group lxd >/dev/null 2>&1; then
 fi
 fi
 
+# Setup the "lxd" user
+if ! getent passwd lxd >/dev/null 2>&1; then
+ echo "==> Creating \"lxd\" user"
+ if grep -q "^passwd.*extrausers" /var/lib/snapd/hostfs/etc/nsswitch.conf; then
+ nsenter -t 1 -m useradd --system -M -N --home "${SNAP_COMMON}/lxd" --shell /bin/false --gid lxd --extrausers lxd || true
+ else
+ nsenter -t 1 -m useradd --system -M -N --home "${SNAP_COMMON}/lxd" --shell /bin/false --gid lxd lxd || true
+ fi
+fi
+
 # Setup for ceph
 echo "==> Setting up ceph configuration"
 if [ "${ceph_builtin:-"false"}" = "true" ]; then
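Review bot: As in daemon.activate, `--gid lxd` on the two new `useradd` lines is only valid when the `lxd` group exists, and the group block above creates it solely when `daemon_group` is `lxd`; in any other configuration useradd fails, `|| true` swallows the failure, and the host ends up with no `lxd` user where it previously got one with a default group. Guard the option, `gid_opt=$(getent group lxd >/dev/null 2>&1 && echo "--gid lxd" || true)`, and pass `${gid_opt}` unquoted (intentional word splitting, `# shellcheck disable=SC2086`) in place of `--gid lxd` on both lines. Since this block is now byte-identical to the one added to daemon.activate in 2/3, the two should at least be fixed together, or the user/group setup moved into one sourced helper so they cannot drift. The groupadd lines between the two hunks are not visible here, so whether they also end in `|| true` is inferred, not checked.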