From 3d71626665b1560de9159b3b12c13bd5dc3d091a Mon Sep 17 00:00:00 2001
From: denisonbarbosa
Date: Thu, 8 Aug 2024 10:42:28 -0400
Subject: [PATCH 1/3] Fix errno in get_ticket_path()
krb5_init_context can change the errno value even if the function succeeded, so we need to set it back to 0 after the call.
---
 internal/ad/krb5.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/internal/ad/krb5.go b/internal/ad/krb5.go
index 35a8ace1a..3f3eb7a1f 100644
--- a/internal/ad/krb5.go
+++ b/internal/ad/krb5.go
@@ -15,6 +15,9 @@ char *get_ticket_path() {
 errno = ret;
 return NULL;
 }
+ // We need to reset the errno to 0, because krb5_init_context()
+ // can alter it, even if it succeeds.
+ errno = 0;
 const char* cc_name = krb5_cc_default_name(context);
 if (cc_name == NULL) {
From a85e6e13a12b23a416ed0eaf0a24735f5aa8d46d Mon Sep 17 00:00:00 2001
From: denisonbarbosa
Date: Thu, 8 Aug 2024 10:43:42 -0400
Subject: [PATCH 2/3] Fix polkit values for integration tests daemons
As of 24.04, polkit had some changes in its packages and file locations, so we need to update the values used in the mocks to point in the right direction.
---
 cmd/adsysd/integration_tests/adsys_test.go | 5 ++++-
 cmd/adsysd/integration_tests/systemdaemons/Dockerfile | 5 +----
 cmd/adsysd/integration_tests/systemdaemons/run_daemons | 2 +-
 debian/control | 1 +
 4 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/cmd/adsysd/integration_tests/adsys_test.go b/cmd/adsysd/integration_tests/adsys_test.go
index 42d8d0dea..257c41f42 100644
--- a/cmd/adsysd/integration_tests/adsys_test.go
+++ b/cmd/adsysd/integration_tests/adsys_test.go
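Review bot: In internal/ad/krb5.go the `errno = 0;` reset sits directly after krb5_init_context(), so any later call in get_ticket_path() that touches errno while still succeeding (krb5_cc_default_name() is the next one visible) can leave a stale value behind again. If the Go side reads the cgo errno result to detect failure (the caller is not shown, so this is an assumption), a stale errno turns a valid ticket path into an error. Clearing errno once, immediately before the successful `return`, covers every call in the function; alternatively the caller can key on the NULL return and consult errno only then. The function body continues beyond this hunk, so the success path could not be checked here.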
@@ -412,7 +412,10 @@ func runDaemons() (teardown func()) {
 go func() {
 defer wg.Done()
- if err := os.MkdirAll(socketDir, 0750); err != nil {
+ // 24.04 introduced some polkit changes that make the daemon drop root privileges before executing. In order
+ // to be able to connect to the bus and run polkitd, we need more permissions in the socket directory.
+ //nolint:gosec
+ if err := os.MkdirAll(socketDir, 0755); err != nil {
 log.Fatalf("Setup: can’t create %s socket directory: %v", answer, err)
 }
diff --git a/cmd/adsysd/integration_tests/systemdaemons/Dockerfile b/cmd/adsysd/integration_tests/systemdaemons/Dockerfile
index b73cda084..3a55089af 100644
--- a/cmd/adsysd/integration_tests/systemdaemons/Dockerfile
+++ b/cmd/adsysd/integration_tests/systemdaemons/Dockerfile
@@ -3,10 +3,7 @@ FROM ubuntu
 ENV DEBIAN_FRONTEND=noninteractive
 # we need at least dbusmock 0.25 to use systemd template
-RUN \
- apt-get update && \
- apt-get install -y policykit-1 dbus libglib2.0-bin python3-pip python3-gi python3-dbus && \
- pip install python-dbusmock
+RUN apt update && apt install -y polkitd dbus libglib2.0-bin python3-gi python3-dbus python3-dbusmock
 COPY cmd/adsysd/integration_tests/systemdaemons/*.py /
 COPY cmd/adsysd/integration_tests/systemdaemons/run_daemons /
diff --git a/cmd/adsysd/integration_tests/systemdaemons/run_daemons b/cmd/adsysd/integration_tests/systemdaemons/run_daemons
index fa5b5b2be..d68670837 100755
--- a/cmd/adsysd/integration_tests/systemdaemons/run_daemons
+++ b/cmd/adsysd/integration_tests/systemdaemons/run_daemons
@@ -14,7 +14,7 @@ from gi.repository import GLib
 from session_daemons import start_session_bus, run_session_mocks
 from system_daemons import start_system_bus, run_system_mocks
-POLKIT_PATH = "/usr/libexec/polkitd"
+POLKIT_PATH = "/usr/lib/polkit-1/polkitd"
 ADSYS_POLICY_PATH_SRC = "/usr/share/polkit-1/actions.orig/com.ubuntu.adsys.policy"
 ADSYS_POLICY_PATH_DST = "/usr/share/polkit-1/actions/com.ubuntu.adsys.policy"
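Review bot: The widened mode in runDaemons (cmd/adsysd/integration_tests/adsys_test.go) only takes effect when `os.MkdirAll(socketDir, 0755)` actually creates the directory: the mode is filtered by the process umask, and an already existing socketDir, for instance one left at 0750 by an earlier run, is not touched. An explicit `os.Chmod(socketDir, 0755)` after the call would make the permissions deterministic for the unprivileged polkitd. The suppression is easier to audit with the rule named on the directive itself, e.g. `//nolint:gosec // G301: test-only socket dir, polkitd drops root and must traverse it`. The log.Fatalf context line formats `answer` rather than `socketDir`, which may be intended but reads like the wrong variable; the closure starts and ends outside this hunk.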
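Review bot: The package name `polkitd` in the Dockerfile RUN line and the new `POLKIT_PATH = "/usr/lib/polkit-1/polkitd"` in run_daemons are both specific to the 24.04 layout, yet the base image shown in the hunk header is still an untagged `FROM ubuntu`, so the image follows whatever release that tag points to next. Pinning the base (`FROM ubuntu:24.04`, a line outside this hunk) keeps these values in step and makes the test image reproducible. The comment above RUN still asks for dbusmock 0.25 or newer, which the distro `python3-dbusmock` package can only guarantee on a known release. In the RUN line itself, `apt` warns that its command-line interface is not stable for scripts; `apt-get update && apt-get install -y ...` is the form intended for non-interactive use.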
diff --git a/debian/control b/debian/control
index c4cfc948b..dc3658eb6 100644
--- a/debian/control
+++ b/debian/control
@@ -47,6 +47,7 @@ Recommends: ${misc:Recommends},
 Suggests: curlftpfs,
 ubuntu-proxy-manager,
 python3-cepces,
+ polkitd-pkla,
 Description: ${source:Synopsis}
 ${source:Extended-Description}
From 293224d67481a0dee4f5cd2f874f294cedb83cec Mon Sep 17 00:00:00 2001
From: denisonbarbosa
Date: Fri, 9 Aug 2024 10:19:00 -0400
Subject: [PATCH 3/3] Standardize runner across CI
ubuntu-latest is still at 22.04 on github (see https://github.com/actions/runner-images). Since we rely on polkit for some policies and there was a big set of changes on the package between 22.04 and 24.04, we need to bump the runners to match the docker container that we use for the integration tests. To do that, it's better to use repo variables to control the runner so that we can switch back to ubuntu-latest once it moves on to 24.04.
---
 .github/workflows/cla-check.yaml | 2 +-
 .github/workflows/e2e-build-images.yaml | 4 ++--
 .github/workflows/e2e-tests.yaml | 4 ++--
 .github/workflows/patch-vendored-samba.yaml | 4 ++--
 .github/workflows/policy-builds.yaml | 14 +++++++-------
 .github/workflows/qa.yaml | 4 ++--
 .github/workflows/sync-gh-jira.yaml | 2 +-
 .github/workflows/tics-report-daily.yaml | 2 +-
 8 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/cla-check.yaml b/.github/workflows/cla-check.yaml
index 99e20e987..2ee82d3b9 100644
--- a/.github/workflows/cla-check.yaml
+++ b/.github/workflows/cla-check.yaml
@@ -5,7 +5,7 @@ on:
 jobs:
 cla-check:
 name: Check if CLA is signed
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 steps:
 - name: Check if CLA signed
 uses: canonical/has-signed-canonical-cla@v1
diff --git a/.github/workflows/e2e-build-images.yaml b/.github/workflows/e2e-build-images.yaml
index 557a5a605..371659eb7 100644
--- a/.github/workflows/e2e-build-images.yaml
+++ b/.github/workflows/e2e-build-images.yaml
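Review bot: `runs-on: ${{ vars.RUNNER }}` in cla-check.yaml has no fallback, and the same line is repeated in every workflow this patch touches (e2e-build-images, e2e-tests, patch-vendored-samba, policy-builds, qa, sync-gh-jira, tics-report-daily). Where the variable is not defined, for example in a fork that runs these workflows itself, the expression evaluates to an empty string and the job has no runner label to match. A default keeps the workflows self-contained: `runs-on: ${{ vars.RUNNER || 'ubuntu-24.04' }}`. The change also moves the choice of execution environment out of the reviewed tree: whoever can edit repository variables can repoint every job, including those that presumably handle secrets, at another label, so it is worth documenting who may change RUNNER and keeping it to GitHub-hosted labels.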
@@ -17,7 +17,7 @@ on:
 jobs:
 supported-releases:
 name: Build matrix for supported ADSys and Ubuntu releases
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 outputs:
 matrix: ${{ steps.set-supported-releases.outputs.matrix }}
 versions: ${{ steps.set-supported-releases.outputs.versions }}
@@ -61,7 +61,7 @@ jobs:
 build-template:
 name: Build VM template
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 concurrency:
 group: template-build-${{ matrix.codename }}
 needs:
diff --git a/.github/workflows/e2e-tests.yaml b/.github/workflows/e2e-tests.yaml
index 8d0593e2a..6790df271 100644
--- a/.github/workflows/e2e-tests.yaml
+++ b/.github/workflows/e2e-tests.yaml
@@ -25,7 +25,7 @@ on:
 jobs:
 supported-releases:
 name: Build matrix for supported ADSys and Ubuntu releases
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 outputs:
 matrix: ${{ steps.set-supported-releases.outputs.matrix }}
 steps:
@@ -77,7 +77,7 @@ jobs:
 tests:
 name: Tests
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 needs:
 - supported-releases
 strategy:
diff --git a/.github/workflows/patch-vendored-samba.yaml b/.github/workflows/patch-vendored-samba.yaml
index 612977131..ad4adf24e 100644
--- a/.github/workflows/patch-vendored-samba.yaml
+++ b/.github/workflows/patch-vendored-samba.yaml
@@ -14,7 +14,7 @@ env:
 jobs:
 check-for-changes:
 name: Check for changes in vendored code
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 outputs:
 changed: ${{ steps.compute-diff.outputs.changed }}
 samba-ref: ${{ steps.compute-diff.outputs.samba-ref }}
@@ -48,7 +48,7 @@ jobs:
 patch-vendored-code:
 name: Patch vendored code
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 needs: check-for-changes
 if: ${{ needs.check-for-changes.outputs.changed == 'true' }}
 steps:
diff --git a/.github/workflows/policy-builds.yaml b/.github/workflows/policy-builds.yaml
index 8ad6be9c5..62c812613 100644
--- a/.github/workflows/policy-builds.yaml
+++ b/.github/workflows/policy-builds.yaml
@@ -13,7 +13,7 @@ on:
 jobs:
 build-admxgen:
 name: Build admxgen static binary
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 steps:
 - uses: actions/checkout@v4
 - uses: actions/setup-go@v5
@@ -33,7 +33,7 @@ jobs:
 supported-releases:
 name: Build matrix for supported ADSys, Ubuntu, and docker releases
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 outputs:
 matrix: ${{ steps.set-supported-releases.outputs.matrix }}
 needs: build-admxgen
@@ -80,7 +80,7 @@ jobs:
 collect-releases:
 name: Collect supported keys on each releases
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 needs:
 - build-admxgen
 - supported-releases
@@ -119,7 +119,7 @@ jobs:
 generate-ad:
 name: Merge keys to generated admx/adml
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 needs: collect-releases
 strategy:
 matrix:
@@ -165,7 +165,7 @@ jobs:
 generate-doc:
 name: Merge keys to generated documentation
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 needs: collect-releases
 steps:
 - name: Install needed binaries
@@ -202,7 +202,7 @@ jobs:
 integrate:
 name: Integrate policy changes in current git tree
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 needs:
 - generate-ad
 - generate-doc
@@ -243,7 +243,7 @@ jobs:
 open-issue-on-fail:
 name: Open issue on failure
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 needs: integrate
 if: ${{ failure() }}
 steps:
diff --git a/.github/workflows/qa.yaml b/.github/workflows/qa.yaml
index 8435a3b28..7254ea5cc 100644
--- a/.github/workflows/qa.yaml
+++ b/.github/workflows/qa.yaml
@@ -16,7 +16,7 @@ env:
 jobs:
 sanity:
 name: Code sanity
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 steps:
 - name: Install dependencies
 run: |
@@ -43,7 +43,7 @@ jobs:
 tests:
 name: Tests
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 steps:
 - uses: actions/checkout@v4
 - uses: actions/setup-go@v5
diff --git a/.github/workflows/sync-gh-jira.yaml b/.github/workflows/sync-gh-jira.yaml
index 834035f1e..2a7c3be4a 100644
--- a/.github/workflows/sync-gh-jira.yaml
+++ b/.github/workflows/sync-gh-jira.yaml
@@ -4,7 +4,7 @@ on: [issues, issue_comment]
 jobs:
 sync-issues:
 name: Sync issues to Jira
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 steps:
 - uses: canonical/sync-issues-github-jira@v1
 with:
diff --git a/.github/workflows/tics-report-daily.yaml b/.github/workflows/tics-report-daily.yaml
index 19abb3cbd..b131673fd 100644
--- a/.github/workflows/tics-report-daily.yaml
+++ b/.github/workflows/tics-report-daily.yaml
@@ -14,7 +14,7 @@ env:
 jobs:
 tics:
 name: TIOBE TiCS Framework
- runs-on: ubuntu-latest
+ runs-on: ${{ vars.RUNNER }}
 steps:
 - uses: actions/checkout@v4
 - uses: actions/setup-go@v5