[pve-devel] [PATCH zfsonlinux 1/2] buildsys: make libpam-zfs a separate package
Stoiko Ivanov
s.ivanov at proxmox.com
Tue Feb 9 19:41:43 CET 2021
ZFS includes (since 2.0.0) a pam-module, which takes the login
credentials of an user to unlock their home-dataset.
Enabling it in its current state can cause some side-effects like
prompting for a password when running `su` as root (see [0]).
Our update to ZFS 2.0.0 shipped the pam config in zfsutils-linux,
whereas debian-upstream split it out into its own optional package
This commit adopts this change.
based on debian-upstream [1] commit
cad2f3d24aa44cfdce1e2eae8b6ba027efaba2d6
The issue becomes apparent by installing the current zfsutils-linux
package and running `pam-auth-update --package` (e.g. by installing
an upgraded libpam-runtime package).
[0] https://github.com/openzfs/zfs/issues/11222
[1] https://salsa.debian.org/zfsonlinux-team/zfs/
Reported-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
Originally-by: Antonio Russo <aerusso at aerusso.net>
Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
debian/control | 14 ++++++++++++++
debian/libpam-zfs.install | 2 ++
debian/libpam-zfs.postinst | 6 ++++++
debian/libpam-zfs.prerm | 8 ++++++++
debian/zfsutils-linux.install | 2 --
5 files changed, 30 insertions(+), 2 deletions(-)
create mode 100644 debian/libpam-zfs.install
create mode 100644 debian/libpam-zfs.postinst
create mode 100644 debian/libpam-zfs.prerm
diff --git a/debian/control b/debian/control
index cda525a8..096d4afe 100644
--- a/debian/control
+++ b/debian/control
@@ -5,6 +5,8 @@ Maintainer: Proxmox Support Team <support at proxmox.com>
Build-Depends: debhelper (>= 10~),
dh-python,
libblkid-dev,
+ libelf-dev,
+ libpam0g-dev,
libssl-dev | libssl1.0-dev,
libtool,
lsb-release,
@@ -30,6 +32,18 @@ Description: Solaris name-value library for Linux
transporting data across process boundaries, transporting between
kernel and userland, and possibly saving onto disk files.
+Package: libpam-zfs
+Section: contrib/admin
+Architecture: linux-any
+Depends: libpam-runtime, ${misc:Depends}, ${shlibs:Depends}
+Description: PAM module for managing encryption keys for ZFS
+ OpenZFS is a storage platform that encompasses the functionality of
+ traditional filesystems and volume managers. It supports data checksums,
+ compression, encryption, snapshots, and more.
+ .
+ This provides a Pluggable Authentication Module (PAM) that automatically
+ unlocks encrypted ZFS datasets upon login.
+
Package: libuutil2linux
Section: contrib/libs
Architecture: linux-any
diff --git a/debian/libpam-zfs.install b/debian/libpam-zfs.install
new file mode 100644
index 00000000..c33123f6
--- /dev/null
+++ b/debian/libpam-zfs.install
@@ -0,0 +1,2 @@
+lib/*/security/pam_zfs_key.so
+usr/share/pam-configs/zfs_key
diff --git a/debian/libpam-zfs.postinst b/debian/libpam-zfs.postinst
new file mode 100644
index 00000000..2db86744
--- /dev/null
+++ b/debian/libpam-zfs.postinst
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+pam-auth-update --package
+
+#DEBHELPER#
diff --git a/debian/libpam-zfs.prerm b/debian/libpam-zfs.prerm
new file mode 100644
index 00000000..21e82700
--- /dev/null
+++ b/debian/libpam-zfs.prerm
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = remove ] ; then
+ pam-auth-update --package --remove zfs_key
+fi
+
+#DEBHELPER#
diff --git a/debian/zfsutils-linux.install b/debian/zfsutils-linux.install
index ccb1f169..4f93aa70 100644
--- a/debian/zfsutils-linux.install
+++ b/debian/zfsutils-linux.install
@@ -2,7 +2,6 @@
etc/default/zfs
etc/zfs/zfs-functions
etc/zfs/zpool.d/
-lib/*/security/pam_zfs_key.so
lib/systemd/system-preset/
lib/systemd/system/zfs-import-cache.service
lib/systemd/system/zfs-import-scan.service
@@ -119,4 +118,3 @@ usr/share/man/man8/zpoolconcepts.8
usr/share/man/man8/zpoolprops.8
usr/share/man/man8/zstream.8
usr/share/man/man8/zstreamdump.8
-usr/share/pam-configs/zfs_key
--
2.20.1
More information about the pve-devel
mailing list