Re: running as non-root

You can also register uids with Debian. Quoting from the Policy
Manual[1]:

The UID and GID numbers are divided into classes as follows:

0-99:

        Globally allocated by the Debian project, the same on every
        Debian system. These ids will appear in the passwd and group
        files of all Debian systems, new ids in this range being added
        automatically as the base-passwd package is updated.

        Packages which need a single statically allocated uid or gid
        should use one of these; their maintainers should ask the
        base-passwd maintainer for ids.

[1]https://www.debian.org/doc/debian-policy/ch-opersys.html

Best,
Paulo


On Sat, 2014-12-06 at 19:54 +0000, Steven C Timm wrote:
> Sage, at least in the Redhat world there are ways to get a pre-assigned uid/gid for a service that is 
> part of a system service.  There's a registered list of services that get fixed uid/gid, you can google for it.
> Any service can add an adduser command with a fixed uid/gid but best to cooperate with the various distros.
> Sometimes sysadmins will want to use a configuration management package such as puppet to 
> create the users, that is another way to do it, because then the init scripts can detect the ceph user
> is already there.
> 
> Steve Timm
> 
> ________________________________________
> From: ceph-users [ceph-users-bounces@xxxxxxxxxxxxxx] on behalf of Sage Weil [sweil@xxxxxxxxxx]
> Sent: Saturday, December 06, 2014 12:43 PM
> To: ceph-devel@xxxxxxxxxxxxxxx; ceph-users@xxxxxxxx
> Subject:  running as non-root
> 
> While we are on the subject of init systems and packaging, I would *love*
> to fix things up for hammer to
> 
>  - create a ceph user and group
>  - add various users to ceph group (like qemu or kvm user and
> apache/www-data?)
>  - fix permissions on /var/log/ceph and /var/run/ceph (770?) so that qemu
> and rgw can write logs and asok files there
>  - make daemons run as ceph user instead of root
> 
> The main hangup is with that last one.  As I understand it, when packages
> create users, they get a semi-random UID assigned.  That means that all
> the data on a ceph-osd disk would have a semi-random UID.  If it were
> hot-swapped into another host, the uid would be wrong.  Is there a way to
> use a fixed uid?
> 
> Also on the roadmap is defining proper selinux policies so that these
> daemons are confined into the appropriate directories etc., but I imagine
> running as non-root is a big help (or even prerequisite?) to making that
> happen?
> 
> Suggestions or comments?  Or volunteers?  We haven't had time to look at
> this yet but I think it's important!
> 
> sage
> 
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com


_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
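The thread circles around two pieces of logic that a package postinst or init script would carry: detecting whether the service account already exists with the expected fixed UID before trying to add it (Steve's point), and noticing when on-disk data carries a different UID than the local account, which is exactly what Sage worries about for a hot-swapped OSD disk. The script below is an added example written for this page, not code from Ceph or from any Debian package. The account name "ceph" is taken from the thread; the UID/GID 64045 and the libvirt-qemu entry in the sample passwd are placeholders constructed for the example, not a claim about any registered allocation. It reads a passwd-format file passed as an argument and only prints the useradd command, so it can be run as an unprivileged user.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent service-account logic for a
# postinst/init script. UID/GID numbers below are constructed placeholders.

# decide_account PASSWD_FILE NAME UID
# Prints: ok       - NAME exists with exactly UID (nothing to do)
#         conflict - NAME exists with another UID, or UID belongs to someone else
#         create   - neither name nor UID is taken
# Reads an /etc/passwd-format file so it can run against a constructed copy.
decide_account() {
    passwd_file=$1; name=$2; want_uid=$3
    by_name=$(awk -F: -v n="$name" '$1 == n { print $3 }' "$passwd_file")
    by_uid=$(awk -F: -v u="$want_uid" '$3 == u { print $1 }' "$passwd_file")
    if [ -n "$by_name" ]; then
        [ "$by_name" = "$want_uid" ] && echo ok || echo conflict
    elif [ -n "$by_uid" ]; then
        echo conflict      # UID is already owned by "$by_uid"
    else
        echo create
    fi
}

# useradd_command NAME UID GID
# The command a postinst would run when decide_account says "create".
# Printed rather than executed so the script is harmless without root.
useradd_command() {
    name=$1; uid=$2; gid=$3
    printf 'groupadd --system --gid %s %s && ' "$gid" "$name"
    printf 'useradd --system --uid %s --gid %s --home-dir /var/lib/%s ' \
        "$uid" "$gid" "$name"
    printf -- '--shell /usr/sbin/nologin %s\n' "$name"
}

# check_data_owner DIR UID
# Returns 0 when DIR is owned by numeric UID, 1 otherwise. This is the
# hot-swap check: a data directory written under one host's UID that lands
# on a host whose ceph account has a different UID fails here, which is
# what a fixed, distribution-registered UID is meant to prevent.
# (stat -c is GNU coreutils syntax.)
check_data_owner() {
    dir=$1; want_uid=$2
    actual=$(stat -c %u "$dir") || return 1
    [ "$actual" = "$want_uid" ]
}

# Constructed sample passwd content; not copied from any real host.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
libvirt-qemu:x:64055:64055:Libvirt Qemu:/var/lib/libvirt:/usr/sbin/nologin
EOF
}

demo() {
    tmp=$(mktemp); sample_passwd > "$tmp"
    printf 'ceph/64045 on fresh host:        %s\n' "$(decide_account "$tmp" ceph 64045)"
    printf 'ceph/64055 (taken by qemu user): %s\n' "$(decide_account "$tmp" ceph 64055)"
    printf 'www-data/33 (already present):   %s\n' "$(decide_account "$tmp" www-data 33)"
    useradd_command ceph 64045 64045
    rm -f "$tmp"
}

demo
```

The same three-way decision is what lets an init script stay idempotent whether the account was created by the package, by a configuration-management tool such as puppet, or by hand: it only ever adds the account when both the name and the number are free, and it refuses to silently reuse a UID that already belongs to another service.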