Package: ganeti-instance-debootstrap
Version: 0.16-6
Severity: grave

It seems that ganeti-instance-debootstrap fails to properly cache the
filesystem after the first creation. This leads to stuff like
`/usr/bin/ping` having the wrong permissions. On a healthy system,
installed without caching, it looks like this:

root@test01:~# getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep
root@test01:~#

But if that instance is removed and recreated, it then looks like this:

root@test01:~# getcap /usr/bin/ping
root@test01:~#

This is "grave" because capabilities are a serious issue. There could be
suid files that are restricted by capabilities (or the opposite). We just
don't quite know and this looks really wrong. At best it makes ping
unusable by regular users, and that's still a serious issue.

Inspection of the cache file confirms the capabilities are not stored
correctly:

root@fsn-node-02:~# tar fx /var/cache/ganeti-instance-debootstrap/cache-buster-amd64.tar ./usr/bin/ping
root@fsn-node-02:~# getcap ./usr/bin/ping
root@fsn-node-02:~#

A.

-- System Information:
Debian Release: 10.1
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ganeti-instance-debootstrap depends on:
ii  debootstrap  1.0.114
ii  dump         0.4b46-5
ii  e2fsprogs    1.44.5-1+deb10u2
ii  fdisk        2.33.1-0.1
ii  kpartx       0.7.9-3
ii  util-linux   2.33.1-0.1

ganeti-instance-debootstrap recommends no packages.

ganeti-instance-debootstrap suggests no packages.

-- debconf-show failed
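The symptom above (getcap empty after extraction) can be checked on the cache tarball itself without extracting it: GNU tar only stores extended attributes when run with --xattrs, and it records each one in the member's PAX header as SCHILY.xattr.<name>, so an archive whose ./usr/bin/ping member has no SCHILY.xattr.security.capability key cannot restore the capability. The following is an added example, not code from the report or from ganeti-instance-debootstrap; it audits an archive with Python's tarfile module and builds two constructed sample archives (the xattr value is a placeholder string, not a real VFS capability record) to show the difference.

```python
import io
import tarfile

# GNU tar --xattrs stores each extended attribute in the member's PAX
# header under "SCHILY.xattr.<name>"; file capabilities (what getcap
# shows) live in the security.capability attribute.
CAP_XATTR_KEY = "SCHILY.xattr.security.capability"
XATTR_PREFIX = "SCHILY.xattr."


def audit_cache_tar(tar_bytes, expected_cap_paths):
    """Return (missing, any_xattrs): 'missing' lists members from
    expected_cap_paths that are in the archive but carry no capability
    xattr; 'any_xattrs' tells whether the archive stores xattrs at all
    (False means tar was almost certainly run without --xattrs)."""
    missing, any_xattrs = [], False
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            keys = member.pax_headers
            if any(k.startswith(XATTR_PREFIX) for k in keys):
                any_xattrs = True
            if member.name in expected_cap_paths and CAP_XATTR_KEY not in keys:
                missing.append(member.name)
    return sorted(missing), any_xattrs


def build_sample_tar(with_caps):
    """Constructed sample archive holding a fake ./usr/bin/ping.
    with_caps=True mimics an archive written with --xattrs; False mimics
    the reporter's cache file. The xattr value is a placeholder string,
    not a real binary VFS capability record."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:", format=tarfile.PAX_FORMAT) as tar:
        payload = b"#!/bin/sh\necho fake ping\n"
        info = tarfile.TarInfo("./usr/bin/ping")
        info.size, info.mode = len(payload), 0o755
        if with_caps:
            info.pax_headers = {CAP_XATTR_KEY: "cap_net_raw+ep (placeholder)"}
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for label, caps in (("with --xattrs", True), ("without", False)):
        missing, seen = audit_cache_tar(build_sample_tar(caps), {"./usr/bin/ping"})
        print(f"{label}: xattrs present={seen}, missing caps on {missing}")
```

To run it against the real cache file, pass the bytes of /var/cache/ganeti-instance-debootstrap/cache-buster-amd64.tar and the member names that getcap lists on a healthy instance.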