feat(24.04): add iptables, sudo and add mutation script for pam-auth-update #306
Diff of dependencies: slices/libpam-runtime.yaml@@ -1,4 +0,0 @@
-cdebconf
-debconf
-debconf-2.0
-libpam-modules |
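Review bot: the hunk removes all four dependencies of slices/libpam-runtime.yaml (`-cdebconf`, `-debconf`, `-debconf-2.0`, `-libpam-modules`), and dropping libpam-modules means a rootfs that installs only the libpam-runtime slice gets PAM configuration that refers to pam_*.so modules it no longer pulls in. If that is intentional because the working configs now come from pam-defaults (the later commit reads "modify the pam-defaults to actually deliver working files instead"), please state that in the slice definition or the PR description so the missing dependency is not read as an oversight.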
@Meulengracht following up on this - it'd be nice to try these tests with LXD as well, once we sort out why you're having those issues in #318
It passes on the LXD backend locally; I removed the caps and restored the tests.
@cjdcordeiro @rebornplusplus this is ready for review
… modify the pam-defaults to actually deliver working files instead
It's all good to me, but I just have a final comment and need a 2nd review.
Just small nitpicks.
Looks quite nice, thank you! Impressive work on the mutation script.
I think the only thing major in my comments below is the future of pam-defaults
slice. Let's reach a conclusion on that. And then, I think we can merge it.
Co-authored-by: Rafid Bin Mostofa <[email protected]>
Looks nice. Just checked the output of the pam-auth-update from a fresh container, and we have a set of diverged pam configs. The reason is that pam-auth-update reads the values from *-Initial for the first pam config of each kind.
```perl
# return the lines for a given config name, type, and position in the stack
sub lines_for_module_and_type
{
    my ($profiles, $mod, $type, $modpos) = @_;
    # the module at position 0 of a stack gets the "<Type>-Initial" block
    # when the profile defines one; every other position gets "<Type>"
    if ($modpos == 0 && $profiles->{$mod}{$type . '-Initial'}) {
        return $profiles->{$mod}{$type . '-Initial'};
    }
    return $profiles->{$mod}{$type};
}
```
Co-authored-by: zhijie-yang <[email protected]>
Add -Initial suffix to mutation scripts
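The -Initial rule the reviewer describes, as an added Python model that is not code from chisel-releases or from pam-auth-update: it parses the /usr/share/pam-configs profile format, ports the quoted lines_for_module_and_type, and shows how a mutation script that ignores -Initial blocks produces the diverged auth stack the review found. The profile texts and the module name pam_example.so are constructed; only the -Initial selection is modelled, not the full Primary/Additional stacking logic.

```python
# Added example (not from chisel-releases or pam-auth-update): models the
# '-Initial' rule described in the review comment above.  Profile texts are
# constructed in /usr/share/pam-configs format; pam_example.so is a placeholder.

def parse_profile(text):
    """Parse one pam-configs profile into {field: [lines]}: 'Key: value'
    lines start a field, indented lines continue a block field."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key is not None:
            fields[key].append(line.strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = [value.strip()] if value.strip() else []
    return fields

def lines_for_module_and_type(profiles, mod, typ, modpos):
    """Port of the Perl sub quoted in the review: the module at position 0
    of a stack uses '<Type>-Initial' when the profile defines it."""
    prof = profiles[mod]
    if modpos == 0 and prof.get(typ + "-Initial"):
        return prof[typ + "-Initial"]
    return prof.get(typ, [])

def naive_lines(profiles, mod, typ, modpos):  # -Initial-unaware variant
    return profiles[mod].get(typ, [])

def build_stack(profiles, typ, order, select=lines_for_module_and_type):
    """Concatenate the lines of one config type over the Primary modules
    in priority order; `select` picks the block for each module."""
    lines = []
    for pos, mod in enumerate(order):
        lines.extend(select(profiles, mod, typ, pos))
    return lines

PROFILES = {name: parse_profile(text) for name, text in {
    "unix": "Name: Unix authentication\nDefault: yes\nPriority: 256\n"
            "Auth-Type: Primary\nAuth:\n"
            "\t[success=end default=ignore]\tpam_unix.so nullok try_first_pass\n"
            "Auth-Initial:\n\t[success=end default=ignore]\tpam_unix.so nullok\n",
    "example": "Name: Constructed second primary\nPriority: 128\nAuth-Type: Primary\n"
               "Auth:\n\t[success=end default=ignore]\tpam_example.so use_first_pass\n",
}.items()}

def auth_stacks():
    """(pam-auth-update result, -Initial-unaware result) for the Auth stack."""
    order = ["unix", "example"]                 # highest Priority first
    return (build_stack(PROFILES, "Auth", order),
            build_stack(PROFILES, "Auth", order, select=naive_lines))
```

The two stacks differ only in the first line: pam-auth-update emits `pam_unix.so nullok`, while the -Initial-unaware variant emits `pam_unix.so nullok try_first_pass`, which is the kind of divergence a diff against a fresh container exposes.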
Some minor changes are required for the linting and tests. @cjdcordeiro
Co-authored-by: zhijie-yang <[email protected]>
Looks good to me. Thanks for the changes!
I think this is in a good state now. It would be nice to also have a final pass from @clay-lake
Approved! :) I'm a little concerned with the mutation script due to its complexity. The current output seems consistent with what I expect in a fresh noble container, and the script should work in a fresh rootfs. Not now, but we might want to consider refactoring it if we need to adapt it in the future. Maybe something like this? I made some changes while reviewing the script.
thanks @clay-lake
…update (canonical#306)
---------
Co-authored-by: Cristovao Cordeiro <[email protected]>
Co-authored-by: Rafid Bin Mostofa <[email protected]>
Co-authored-by: zhijie-yang <[email protected]>
Proposed changes
Iptables is something we include in Ubuntu Core. Unfortunately, to test iptables I need sudo (which I then figured wasn't working due to bad libpam support), which resulted in a large mutation script that emulates what pam-auth-update does.
There are dedicated integration tests for the libpam generation and sudo, and the test for iptables currently is pretty shallow since it needs kernel modules loaded that aren't available.