/var/lib/tftpboot directory permissions destroyed
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cobbler | New | Undecided | Unassigned |
cobbler (Ubuntu) | Fix Released | Critical | Andres Rodriguez |
Precise | Fix Released | Critical | Unassigned |
Quantal | Fix Released | Critical | Unassigned |
Bug Description
Every so often -- in fact whenever a new debian-installer is released for Precise -- we re-import the distro. In the process, the TFTP boot files are regenerated.
Somehow this changes /var/lib/tftpboot permissions on subdirectories and files. The result is NOT guaranteed to be bad, and it is NOT guaranteed to affect the same directories and files in the same way.
For example, the last occurrence (today) shows only this change:
55,56c55,56
< drwxr-xr-x 2 root root 4096 2012-03-22 23:13 precise-i386
< drwxr-xr-x 2 root root 4096 2012-03-22 23:13 precise-x86_64
---
> d-w---x--- 2 root root 4096 2012-03-28 04:31 precise-i386
> d-w---x--- 2 root root 4096 2012-03-28 04:31 precise-x86_64
Notice the completely hosed permissions on the new directories.
As a result PXE booting may fail (in this case DID fail).
This is a serious issue, impacting automated testing.
WORKAROUND:
find /var/lib/tftpboot -type d -exec sudo chmod 755 {} \;
find /var/lib/tftpboot -type f -exec sudo chmod 644 {} \;
but this is rather ridiculous ;-)
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: cobbler 2.1.0+git201106
ProcVersionSign
Uname: Linux 3.0.0-12-server x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Wed Mar 28 21:52:56 2012
Installatio
PackageArchitec
SRU Justifications
[IMPACT]
This bug causes the TFTP boot directories to be unreadable by PXE or TFTP. The change replaces wrong calls to os.umask() by direct open/close calls, with specific permissions. As a result, the program's default umask is not clobbered.
There is no visible impact on applying this fix elsewhere in the code.
[TESTCASE]
1. On an unpatched running Cobbler, set a script to run 'sudo cobbler sync' every half hour or so; let it run for a few hours/days
2. meanwhile check /var/lib/tftpboot (or whatever directory the PXE boot files are written to) for changes in the permissions: find /var/lib/tftpboot ! -perm -444
3. If the 'find' on (3) shows any files -- you reproduced the bug. Follow up to 4. below; otherwise, go back to 2. and try again
4. recover the /var/lib/tftpboot:
find /var/lib/tftpboot -type d -exec sudo chmod 755 {} \;
find /var/lib/tftpboot -type f -exec sudo chmod 644 {} \;
5. apply the update
6. re-run the script/command 'sudo cobbler sync' every half hour or so; let it run for a few days.
7. repeat step 2. above every so often; you should see *no* files without read permission being listed.
8. wait the few days.
repeat step 2. once more -- no files should be listed.
9. DONE.
[REGRESSION POTENTIAL]
No regression potentials have been identified.
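The [IMPACT] note above describes replacing os.umask() calls with creation calls that carry explicit permissions. The following is an added example, not Cobbler's code and not part of the original report: it contrasts default-mode creation under a process-wide umask with explicit-mode creation, and includes a Python equivalent of the `find ! -perm -444` check from the test case. The function names, file names and the 0o567 mask are assumptions; the mask was chosen only because it reproduces the modes shown in the listings.

```python
import os
import stat

# Assumption: 0o567 is a mask picked because it reproduces the listed modes
# (0o777 & ~0o567 = 0o210 "d-w---x---", 0o666 & ~0o567 = 0o200 "--w-------").
LEAKED_UMASK = 0o567

def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def create_default_modes(root, mask=LEAKED_UMASK):
    """Fragile: default-mode creation while a process-wide umask is in effect."""
    old = os.umask(mask)  # affects every thread until restored
    try:
        d = os.path.join(root, "precise-x86_64")
        os.mkdir(d)  # requests 0o777, umask strips bits
        f = os.path.join(root, "01-aa-bb-cc")  # constructed file name
        with open(f, "w") as fh:  # requests 0o666, umask strips bits
            fh.write("constructed pxelinux entry\n")
    finally:
        os.umask(old)
    return mode_of(d), mode_of(f)

def create_explicit_modes(root, mask=LEAKED_UMASK):
    """Hardened: final modes are set explicitly, so the umask cannot alter them."""
    old = os.umask(mask)  # simulate a mask left in place by other code
    try:
        d = os.path.join(root, "quantal-x86_64")
        os.mkdir(d)
        os.chmod(d, 0o755)
        f = os.path.join(root, "01-dd-ee-ff")  # constructed file name
        fd = os.open(f, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        try:
            os.fchmod(fd, 0o644)  # chmod ignores the umask
            os.write(fd, b"constructed pxelinux entry\n")
        finally:
            os.close(fd)
    finally:
        os.umask(old)
    return mode_of(d), mode_of(f)

def missing_read_bits(root):
    """Entries under root lacking any of r--r--r-- (like find ! -perm -444)."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            if mode_of(os.path.join(dirpath, name)) & 0o444 != 0o444:
                hits.append(name)
    return sorted(hits)
```

Run both creation functions against a scratch directory and then call missing_read_bits() on it: only the entries created with default modes are reported.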
description: | updated |
Changed in cobbler (Ubuntu Precise): | |
assignee: | nobody → C de-Avillez (hggdh2) |
status: | New → In Progress |
Changed in cobbler (Ubuntu Quantal): | |
assignee: | nobody → C de-Avillez (hggdh2) |
status: | New → Triaged |
description: | updated |
Changed in cobbler (Ubuntu): | |
assignee: | nobody → Andres Rodriguez (andreserl) |
Changed in cobbler (Ubuntu): | |
status: | Confirmed → Fix Committed |
Changed in cobbler (Ubuntu Precise): | |
status: | In Progress → Confirmed |
status: | Confirmed → New |
Changed in cobbler (Ubuntu Quantal): | |
status: | Triaged → New |
Changed in cobbler (Ubuntu Precise): | |
importance: | Undecided → Critical |
Changed in cobbler (Ubuntu Quantal): | |
importance: | Undecided → Critical |
Changed in cobbler (Ubuntu): | |
importance: | Undecided → Critical |
Changed in cobbler (Ubuntu Precise): | |
assignee: | C de-Avillez (hggdh2) → nobody |
Changed in cobbler (Ubuntu Quantal): | |
assignee: | C de-Avillez (hggdh2) → nobody |
I have seen a similar issue, also on Oneiric:
XXXXX@XXXXX:/var/lib/tftpboot/pxelinux.cfg$ ls -l XX-XX-XX- XX XX-XX-XX- XX XX-XX-XX- XX XX-XX-XX- XX
total 20
-rw-r--r-- 1 root root 398 2012-03-27 11:47 01-00-XX-
--w------- 1 root root 386 2012-03-27 11:56 01-XX-XX-
--w------- 1 root root 386 2012-03-27 11:56 01-XX-XX-
--w------- 1 root root 386 2012-03-27 11:56 01-XX-XX-
-rw-r--r-- 1 root root 215 2012-03-27 11:56 default
Restarting cobbler seemed to get it creating files correctly again. I suspect that it was triggered in my case by calling cobbler concurrently (though for separate profiles and systems).