
fix(orchestrator): harden provision.sh with chattr fallback and APT time fix#2227

Closed
tomassrnka wants to merge 1 commit into main from fix/provision-hardening

Conversation

@tomassrnka
Member

Cherrypicked fix from #1875 as separate PR

…ate bypass

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@tomassrnka
Member Author

bugbot run

@cursor

cursor bot commented Mar 25, 2026

PR Summary

Medium Risk
Medium risk because it changes base image provisioning behavior and disables APT date checks, which could mask repo metadata freshness issues if mirrors are misconfigured or compromised.

Overview
Makes provision.sh resilient when chattr isn’t available by detecting support before setting/unsetting immutability on /etc/resolv.conf, and adjusts APT commands to disable date/valid-until checks so package install/update can succeed when Firecracker VMs boot with an epoch clock.

Written by Cursor Bugbot for commit 720ceee. This will update automatically on new commits.

@cursor cursor bot left a comment
✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Comment on lines +12 to +13
elif command -v chattr >/dev/null 2>&1 && chattr +i /etc/resolv.conf 2>/dev/null; then
CHATTR_AVAILABLE=1
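Review bot: on lines +12 to +13 the `chattr +i /etc/resolv.conf` probe sends stderr to /dev/null, so when it fails the script cannot distinguish a filesystem that does not support the immutable flag from a permission problem, and CHATTR_AVAILABLE is simply never set to 1; provisioning then continues with /etc/resolv.conf left writable, which is exactly the state the flag is there to prevent. Suggest making the fall-through visible rather than silent, e.g. an `else echo "warning: chattr +i failed, /etc/resolv.conf not made immutable" >&2` branch, so a base image built without the protection shows up in the build log. Note also that this `elif` condition has a side effect (it actually sets the flag as part of the test), which is fine as long as every later `chattr -i` is gated on `CHATTR_AVAILABLE`, so that gating is worth checking in the rest of the script.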
Contributor
Is this fallback really necessary? What I mean is that busybox should always be available, right? Therefore, if `$BUSYBOX chattr +i` fails, `chattr +i` will fail as well. Or am I missing something?

@tomassrnka tomassrnka closed this Mar 26, 2026
