newgrp produces unexpected behaviour in `prepare-node-script`
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Snap | Fix Committed | Medium | Unassigned | |
Bug Description
(Reporting on behalf of Dave Torrey Jr.)
From the instructions for "Single-node quickstart" [1]:
```
Sunbeam can generate a script to ensure that the machine has all of the required dependencies installed and is configured correctly for use in MicroStack - you can review this script using:
sunbeam prepare-node-script
or the script can be directly executed in this way:
sunbeam prepare-node-script | bash -x && newgrp snap_daemon
```
The generated script contains a `newgrp` command, despite the instructions also having the user run `newgrp` directly. The instructions imply one may download and run the script by hand, rather than pipe it to bash, but the resulting behavior is different.
Consider this test script:
```
ubuntu@case-1:~$ cat test-script
#!/bin/bash
echo "hello"
newgrp ubuntu
echo "world"
```
When run with the pipe, it works as expected:
```
ubuntu@case-1:~$ cat test-script | bash -x
+ echo hello
hello
+ newgrp ubuntu
world
```
But when executed directly, the `newgrp` command starts a new shell that is not immediately obvious:
```
ubuntu@case-1:~$ bash -x ./test-script
+ echo hello
hello
+ newgrp ubuntu
ubuntu@case-1:~$ exit
exit
+ echo world
world
```
In `prepare-
```
ubuntu@case-1:~$ exit
exit
+ '[' -f /home/ubuntu/
+ cat /home/ubuntu/
++ hostname --all-ip-addresses
+ ssh-keyscan -H 10.1.2.82 10.20.20.1 10.1.229.192
# 10.20.20.1:22 SSH-2.0-
# 10.1.2.82:22 SSH-2.0-
```
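The two runs in the report differ in which process reads the rest of the script once the nested shell starts. The sketch below is an added example, not part of the original report or of Sunbeam; it uses `sh` as a stand-in for `newgrp` (an assumption, so it runs without any group setup) and a constructed three-line script modelled on the report's test-script.

```shell
#!/usr/bin/env bash
# Added illustration: why the same script behaves differently when piped to bash
# versus run from a file. `sh` stands in for `newgrp <group>` (assumption): both
# start a new shell that inherits the caller's stdin, but `sh` needs no group
# membership. SCRIPT is constructed to mirror the report's test-script.

SCRIPT='echo hello
sh
echo world'

# Piped: the outer bash reads the script from the pipe without reading ahead,
# so the child shell inherits the same pipe and consumes the remaining lines.
trace_piped() {
    printf '%s\n' "$SCRIPT" | bash -x 2>&1 >/dev/null
}

# From a file: the outer bash reads the script from the file. The child shell
# inherits the caller's stdin instead (here /dev/null, so it exits at once;
# on a terminal it would sit at an interactive prompt until `exit`).
trace_file() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SCRIPT" > "$tmp"
    bash -x "$tmp" 2>&1 >/dev/null </dev/null
    rm -f "$tmp"
}

# Report which shell ran the line after the stand-in: "outer" if the traced
# shell executed it, "child" if the untraced nested shell swallowed it.
who_ran_tail() {
    if "$1" | grep -q '^+ echo world$'; then echo outer; else echo child; fi
}

echo "piped to bash : tail run by $(who_ran_tail trace_piped) shell"
echo "run from file : tail run by $(who_ran_tail trace_file) shell"
```

In the piped case everything after the `newgrp` line runs inside the new shell, which is why `world` appears without a `+ echo world` trace line in the report's first run.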
Changed in snap-openstack:
status: Triaged → Fix Committed
Newgrp has a side effect of not only dynamically adding the group to the user but also making it the primary group, which seems wrong to me. All files created during the node-prepare script will be owned by `<user>:snap_daemon` instead of `<user>:<user-group>`.
In my installations, I always remove the newgrp command, and then at the end of the script I log out and log in again. It is an extra step, but it seems unavoidable.