SUSE Linux is moving from using single configuration files to using multiple files. Moreover, some typical configuration files placed at /etc are being moved to /usr/etc, see https://github.com/thkukuk/atomic-updates_and_etc/.
All those changes could make YaST fails. For example, when a YaST module tries to reads/writes a file from /etc but that file is not there anymore.
The main problem for the YaST team is that nobody is noticing in advance when a package configured by YaST changes the location of its configuration files. Simply a new bug is reported to YaST when a YaST module fails because that. This approach would not be a big deal if all that kind of errors are detected by openQA, but we cannot ensure that is the case. Therefore, YaST needs an early defense barrier in order to prevent bug reports from final users as much as possible.
To fix this issue we would need:
- to find out which packages are configured by YaST,
- to detect whether any of that packages are now using /usr/etc,
- to alert YaST team when that change is detected and
- to run this check periodically and automatically.
From the four points mentioned above, the two first ones are the most difficult to accomplish:
This could be very complicated because we need to do an exhaustive research through the code of all YaST modules. This is specially difficult for the code using SCR agents.
For this we could list the files of a rpm (i.e., rpm -ql package-name
) and check whether any of that files is under /usr/etc. Maybe this does not catch all cases, for example when a package creates a config file by means of a post install script, but it would be a good first approach.
A possible solution could be to install all yast*
packages, and also all possible packages installed by YaST at some point. For example, that packages installed by a kind of check_and_install
method when starting a module. For this we need to do a search in the YaST code. All those packages should be taken from the Factory project to ensure we are checking the packages before reaching any release.
Once we have a system with all those packages, then we can check whether any package in the system provides a /usr/etc file. If so, an email would be sent to yast-internal. We also need a kind of white list to filter out the packages we know that YaST does not configure or the packages for which YaST was already adapted. That list would be filled and updated manually by us.
Such a script could be run periodically by Jenkins in a docker container.
For the record (I mentioned this on our daily call):
AppArmor has a "complain" mode where it does not simply block any access to a file or directory, but just records that there was such an access. If we run YaST inside AppArmor in that mode, we could later check what files were accessed.
Then of course we'd need to find out whether or not that access was okay or not.