OpenStack Snap

newgrp produces unexpected behaviour in `prepare-node-script`

Bug #2052340 reported by Peter Mattingly
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Snap
Fix Committed
Medium
Unassigned

Bug Description

(Reporting on behalf of Dave Torrey Jr.)

From the instructions for "Single-node quickstart" [1]:

```
Sunbeam can generate a script to ensure that the machine has all of the required dependencies installed and is configured correctly for use in MicroStack - you can review this script using:

sunbeam prepare-node-script

or the script can be directly executed in this way:

sunbeam prepare-node-script | bash -x && newgrp snap_daemon
```

The generated script contains a `newgrp` command, despite the instructions also having the user run `newgrp` directly. The instructions imply one may download and run the script by hand, rather than pipe it to bash, but the resulting behavior is different.

Consider this test script:

```
ubuntu@case-1:~$ cat test-script
#!/bin/bash

echo "hello"
newgrp ubuntu
echo "world"
```

When run with the pipe, it works as expected:

```
ubuntu@case-1:~$ cat test-script | bash -x
+ echo hello
hello
+ newgrp ubuntu
world
```

But when executed directly, the `newgrp` command starts a new shell that is not immediately obvious:

```
ubuntu@case-1:~$ bash -x ./test-script
+ echo hello
hello
+ newgrp ubuntu
ubuntu@case-1:~$ exit
exit
+ echo world
world
```

In `prepare-node-script`, this results in the steps after the `newgrp` command not being completed. There is no obvious indication in the output, as there is no error shown. Only when exiting the shell are additional messages shown, as the script finishes execution:

```
ubuntu@case-1:~$ exit
exit
+ '[' -f /home/ubuntu/.ssh/id_rsa ']'
+ cat /home/ubuntu/.ssh/id_rsa.pub
++ hostname --all-ip-addresses
+ ssh-keyscan -H 10.1.2.82 10.20.20.1 10.1.229.192
# 10.20.20.1:22 SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
# 10.1.2.82:22 SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
```

[1] https://microstack.run/docs/single-node

Revision history for this message
Andre Ruiz (andre-ruiz) wrote :

Newgrp has a side effect of not only dynamically adding the group to the user but also making it the primary group, which seems wrong to me. All files created during the node-prepare script will be owned by <user>:snap_daemon instead of <user>:<user-group>.

In my installations, I always remove the newgrp command and then at the end of the script I logout and login again. It is an extra step but it seems unavoidable.

Revision history for this message
James Page (james-page) wrote :

Feels like we should drop the newgrp call in the prepare-node script code at a minimum.

Changed in snap-openstack:
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
James Page (james-page) wrote :

https://github.com/canonical/snap-openstack/pull/155

Revision history for this message
David Torrey (dotj) wrote :

FWIW, the difference between script calls above (direct execution vs. the pipe to `bash -x`) does appear to have the desired effect. Expanding on my test script:

$ cat > test.sh << EOF
#!/bin/bash

touch "hello"
newgrp microk8s
touch "world"
EOF

$ cat test.sh | bash -x
+ touch hello
+ newgrp microk8s

$ ls -l
total 4
-rw-r--r-- 1 tj users 0 Mar 6 14:17 hello
-rwxr-xr-x 1 tj users 58 Mar 6 14:16 test.sh*
-rw-r--r-- 1 tj microk8s 0 Mar 6 14:17 world

Something about the way `-x` works seems to have the desired effect, despite the run above not showing a line for "+ touch world" after the newgrp call.

James Page (james-page)
Changed in snap-openstack:
status: Triaged → Fix Committed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.