Package: cloud-init
Version: 22.4.2-1
Severity: normal

## Background:
The problem and a possible root cause fix are reported on the upstream GitHub issue: https://github.com/canonical/cloud-init/issues/4603

## Issue:

I noticed that an instance generated from the Debian bookworm cloud image on linuxcontainer.org had an odd GID=1000 for netdev. Since netdev should be a system group, this situation violates Debian policy.

Basically, cloud-init has a bug of creating system groups starting from GID=1000 if it sees a group name listed in the groups list that is missing from the system's /etc/group.

## What I am asking of Debian packagers

The root cause fix takes a long time upstream. There should be some least invasive workaround to avoid this issue in most use cases simply by updating the debian/cloud.cfg file.

I suggest dropping "netdev" from `debian/cloud.cfg` as the least invasive minimal change. This should be done on both stable (now) and unstable (unless upstream fixes the root cause).

## Technical consideration.

This debian/cloud.cfg is installed by the override_dh_installinit target in debian/rules.

I compared this against upstream config/cloud.cfg.tmpl. It looks like this is a modified upstream-generated cloud.cfg, which shares its contents with Ubuntu. I see "[Uu]buntu" swapped with "[Dd]ebian" in cloud.cfg.

Besides these cosmetic changes, the Debian packaging has already made an interesting change in it. Let's look at the groups in cloud.cfg.

upstream: adm, audio, cdrom, dialout, dip, floppy, lxd, netdev, plugdev, sudo, video

debian: adm, audio, cdrom, dialout, dip, floppy, netdev, plugdev, sudo, video

I don't know how these are chosen, mostly for Ubuntu, by upstream, but the Debian packager made the decision to drop "lxd" here.

A minimal Debian system has its system groups defined in the base-passwd package. So "adm, audio, cdrom, dialout, dip, floppy, plugdev, sudo, video" are guaranteed to exist.

The Debian package should drop not only "lxd" but also "netdev".

I don't think removing `netdev` causes much of a problem. As you know, `netdev` is for `/dev/wfkill` and wpsupplicant and similar packages.
If anyone decides to add these packages to the root image, it gets generated properly by postinst. Of course, adding the `netdev` group to the primary user account `debian` is needed if the user wishes. That's something to be documented.

We must keep the Debian system compliant with Debian policy.

Debian Policy
https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes

100-999: Dynamically allocated system users and groups. Packages which need a user or group, but can have this user or group allocated dynamically and differently on each system, should use adduser --system to create the group and/or user. adduser will check for the existence of the user or group, and if necessary choose an unused id based on the ranges specified in adduser.conf.

-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-0.deb12.1-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cloud-init depends on:
ii  eject                     2.38.1-5+b1
ii  fdisk                     2.38.1-5+b1
ii  gdisk                     1.0.9-2.1
ii  isc-dhcp-client           4.4.3-P1-2
ii  locales                   2.36-9+deb12u3
ii  lsb-base                  11.6
ii  lsb-release               12.0-1
ii  procps                    2:4.0.2-3
ii  python3                   3.11.2-1+b1
ii  python3-configobj         5.0.8-1
ii  python3-jinja2            3.1.2-1
ii  python3-jsonpatch         1.32-2
ii  python3-jsonschema        4.10.3-1
ii  python3-netifaces         0.11.0-2+b1
ii  python3-oauthlib          3.2.2-1
ii  python3-requests          2.28.1+dfsg-1
ii  python3-serial            3.5-1.1
ii  python3-yaml              6.0-3+b2
ii  sysvinit-utils [lsb-base] 3.06-4
ii  util-linux                2.38.1-5+b1

Versions of packages cloud-init recommends:
ii  cloud-guest-utils  0.33-1
ii  eatmydata          130-2
ii  sudo               1.9.13p3-1+deb12u1

Versions of packages cloud-init suggests:
ii  btrfs-progs  6.2-1
ii  e2fsprogs    1.47.0-2
ii  xfsprogs     6.1.0-1

-- no debconf information
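
A check for the condition described in the report above, as an added example that is not part of the original bug report or of cloud-init: it audits `/etc/group` content for groups from the Debian cloud.cfg list that are either missing (so cloud-init would create them) or already sit above the system GID range. The function names and the sample file are constructed for illustration; the member `debian` and the `debian` group's GID 1001 in the sample are assumptions.

```python
import sys

# Debian cloud.cfg group list as quoted in the report.
CLOUD_CFG_GROUPS = ["adm", "audio", "cdrom", "dialout", "dip", "floppy",
                    "netdev", "plugdev", "sudo", "video"]
# Debian Policy: 0-99 statically allocated, 100-999 dynamic system IDs.
SYSTEM_GID_MAX = 999

def parse_group(text):
    """Return {name: gid} from /etc/group text, skipping malformed lines."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] and fields[2].isdigit():
            groups[fields[0]] = int(fields[2])
    return groups

def audit(text, wanted=CLOUD_CFG_GROUPS):
    """Return (missing, misplaced) for the wanted groups.

    missing:   listed groups absent from the file (cloud-init would create them)
    misplaced: listed groups whose GID is above the system range
    """
    groups = parse_group(text)
    missing = [g for g in wanted if g not in groups]
    misplaced = {g: groups[g] for g in wanted
                 if g in groups and groups[g] > SYSTEM_GID_MAX}
    return missing, misplaced

# Constructed sample: base-passwd groups plus the netdev entry from the report.
BASE = ("adm:x:4:\ndialout:x:20:\ncdrom:x:24:\nfloppy:x:25:\nsudo:x:27:\n"
        "audio:x:29:\ndip:x:30:\nvideo:x:44:\nplugdev:x:46:\n")
AFFECTED = BASE + "netdev:x:1000:debian\ndebian:x:1001:\n"

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = AFFECTED
    missing, misplaced = audit(text)
    for name in missing:
        print(f"missing (would be created by cloud-init): {name}")
    for name, gid in misplaced.items():
        print(f"policy violation: {name} has GID {gid} > {SYSTEM_GID_MAX}")
    sys.exit(1 if misplaced else 0)
```

Run against a pristine image's `/etc/group` before first boot, the `missing` list shows which cloud.cfg entries are exposed to the bug; run after first boot, `misplaced` shows instances that already need repair.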