Re: Proposal for new restriction: "nosession"
On 2023-03-25 19:32, Christian Kastner wrote:
> When the testbed has the 'root-on-testbed' capability, autopkgtest
> insists on running tests through `su root` [1]. This seems redundant,
> but is explained in the comment:
>
>> this ensures that we have a PAM/logind session for root tests as
>> well; with some interfaces like ttyS1 or lxc_attach we don't log
>> in to the testbed
>
> The problem with this is that it breaks rootless podman containers where
> files/devices are passed in with group ownership. The host user's groups
> can be kept with podman's --group-add=keep-groups feature, but this
> feature is lost by su's setgroups() call.
>
> Workarounds are to either run the containers as root, or modify
> /etc/setgid as needed. However, those workarounds require privileges to
> set up.
This is the workaround I implemented for my use case. I've documented
the solution here [1].
I'd still be interested in a built-in solution for autopkgtest (thus
avoiding the need for privileges) and I'd be happy to propose an MR, but
looking at this, I found a few other edge cases that users might run
into even with this option. For example, a user might still 'su' oder
'sudo' within a test, with the same negative effects.
> It would seem simpler to just add a new restriction, call it "nosession"
> or whatever, so that tests can explicitly declare that they don't need a
> session, be it for the above reason, or any other.
>
> If you think this idea has merit, should I prepare a proposed update to
> code + docs in an MR?
[1] https://salsa.debian.org/rocm-team/community/team-project/-/blob/master/doc/rocm-autopkgtests-in-containers.md
Reply to: