[MIR] nbd-client
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
nbd (Ubuntu) |
Incomplete
|
Undecided
|
Dave Jones |
Bug Description
[ Availability ]
The nbd source package is already in main, but only the nbd-server binary package (produced by nbd) is in main; the nbd-client binary package is in universe. We would like to move the client package into main too. The nbd-client package builds for all relevant architectures.
https:/
[ Rationale ]
We would like to include the nbd-client package in the Ubuntu Raspberry Pi images to support netbooting. Traditionally, netbooting on the Pi has been performed with TFTP+NFS. However, NFS has a number of drawbacks, one of the most significant being that snapd does not work when the root is on NFS. We would like to support a simple means of netbooting with a block device as root, and TFTP+NBD is the simplest way to achieve this. As noted above, the nbd source package is already in main; we simply need the nbd-client binary package (produced by the nbd package) moved into main too.
[ Security ]
Related searches:
https:/
https:/
There are a couple of CVEs related to the nbd package in the last few years, specifically:
CVE-2022-26495 -- integer overflow in nbd-server
CVE-2022-26496 -- stack-based buffer overflow in nbd-server
Related links:
https:/
https:/
https:/
However, I could find none related to the nbd-client package specifically (those related to the nbd-server package have, naturally, been dealt with by the security team already).
* The package does include the /sbin/nbd-client executable, but this is not a suid/sgid binary, and is included in /sbin as it forms part of the boot process when the rootfs is an NBD share
* The package installs no services, timers, or recurring jobs
* The package does not open privileged ports
* The package exposes no external endpoints
* The package is capable of using TLS, but as a client
[ Quality Assurance ]
The package works well after install, and has been tested in several netboot scenarios on the Raspberry Pi (all successfully). Configuration is typically required server-side to ensure that a given Pi boots the right image (associating an OS image with a Pi via its serial number), but no client-side configuration is typically required.
The package has no "important" open bugs, and only one security bug which details that the aforementioned CVEs are currently unpatched in two ESM releases (trusty and xenial), which the security team are aware of and tracking accordingly.
The package does not currently have a DEP-8 test-suite, but does have a comprehensive test suite run as part of the build process (which probably could be run as DEP-8 tests too, though from a brief look the code may need adjusting to run the installed binaries instead of the built ones).
The package does not have a d/watch file, however it is currently maintained in Debian by the primary upstream author. The package defines the correct Maintainer, and does not produce an overly worrying set of lintian warnings (there is one lintian error to do with debconf, but it's a false positive as explained in nbd-client.
The package has no obsolete dependencies and, though it does use debconf, will not bother the default user (the debconf questions are only used by nbd-server, and we're intending to seed nbd-client where the debconf configuration is now vestigial / unused).
The source packaging under debian/ is reasonably simple and modern (uses a fairly recent standards-version, and debhelper-compat version 13), but for one glaring facet: it's in source format 1.0 (an orig tar-ball plus one huge compressed diff file). Changing this would almost certainly require buy-in from the upstream author (and Debian maintainer), and evidently this wasn't sufficient impediment to prevent nbd-server from moving to main already.
[ UI Standards ]
Application is indirectly end-user facing (potentially provides their rootfs although there's little that could really be called a "user interface" as such). Translations are present via standard mechanisms (see debian/po).
[ Dependencies ]
All dependencies are in main (unsurprisingly, given status of the source package).
[ Standards Compliance ]
The package follows Debian Policy, although arguably its use of version 1.0 packaging is not "best practice". However, its standard compliance is fairly recent (4.1.3), its debhelper compatibility is fully up to date, and in most other respects the packaging is nice and simple.
[ Maintenance / Owner ]
The package is already maintained in main by the server team.
[ Background Information ]
Upstream name is simply "nbd". The project was formerly maintained on SourceForge, but has recently moved to GitHub for future releases. The primary author is also the Debian maintainer. Relevant links:
* https:/
* https:/
* https:/
Changed in nbd (Ubuntu): | |
assignee: | nobody → Didier Roche-Tolomelli (didrocks) |
👋 Wouter here.
Some comments:
> However, I could find none related to the nbd-client package specifically (those related to the nbd-server package have, naturally, been dealt with by the security team already).
This is mostly because nbd-client itself is fairly simple. It sets up the connection to the server, performs the handshake, and then hands over to the kernel. The rest of the NBD communication happens in kernel space. This means that the attack surface for nbd-client specifically is obviously very small, because most of the work does not happen there.
> The package does not currently have a DEP-8 test-suite, but does have a comprehensive test suite run as part of the build process (which probably could be run as DEP-8 tests too, though from a brief look the code may need adjusting to run the installed binaries instead of the built ones).
A proper DEP-8 test would at least set up nbd-server, connect an NBD device, write to it and read from it again. Additionally, the initramfs his that are shipped would preferably be tested too, which requires a netboot setup.
This is not trivial to do in a DEP-8 context, and while I have a plan that could work, I have not yet had the time to implement this. If anyone is willing to help with this as a prerequisite to moving this to Ubuntu main, I'm happy to have a chat or something to discuss the details. This is absolutely something I really really really want to do, but the complexity of the problem is significant.
The test suite mainly tests the server, as that is where most things could go wrong. With one exception, none of the tests even use nbd-client, but instead use a specifically written test client which makes some assertions about server behavior. The one exception simply runs 'nbd-client -l', which requests the list of server exports before immediately exiting, making the test extremely superficial.
None the less, running the compile time test suite as a DEP-8 test is achievable and a reasonable way to test the server, which I will look into as a first step.
> The package follows Debian Policy, although arguably its use of version 1.0 packaging is not "best practice".
Migrating to the 3.0 formats has not been high on my priority list, mostly because the first few times I tried converting a package it insisted that I use individual patches, which I find to be too involved (if you want individual patches, use git, that's what it's for). I have since learned about adding single-debian-patch to debian/ source/ local-options, which solves the issue for me and which I've been slowly converting my packages to. I just haven't gotten around to the NBD package yet in this regard. If it helps, I'm happy to prioritize that.