Re: Fedora 32 System-Wide Change proposal: Adopting sysusers.d format

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Jan 2, 2020 at 10:14 AM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
>
> https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format
>
> == Summary ==
> Files in sysusers.d format will be used to declare systems users so it
> will be possible to introspect system users. Users will still be
> created using old-style useradd calls.
>
> == Owner ==
> * Name: [[User:zbyszek| Zbigniew Jędrzejewski-Szmek]]
> * Email: zbyszek at in waw pl
>
> == Detailed Description ==
>
> Many packages define their own user. Right now, those users are
> created in %pre by calling getent, useradd, and groupadd
> ([https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
> guidelines]). This will be changed to define users in the
> [https://www.freedesktop.org/software/systemd/man/sysusers.d.html
> sysusers.d format]. A macro will be provided to generate a %pre
> scriptlet that will call useradd and groupadd similarly to the
> scriptlets that are currently required by the packaging guidelines.
>
> In this proposal, systemd-sysusers will not be used to create the
> user. Using the sysusers.d format makes it easy to switch to
> systemd-sysusers as the implementation, and to experiment with
> different way to actually create the users based on the declarative
> syntax.
>
> This approach is heavily based on OpenSUSE's
> ([https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups
> guidelines]), but does not use separate rpm packages. I think using a
> %pre macro is good enough.
>
> == Benefit to Fedora ==
>
> System users are declared by packages using a uniform syntax.
>
> The scriptlet part is standardized. Current implementation of creating
> users and groups is not changed, but may be switched easily in the
> future. For example, for container images, the macro may be replaced
> by a noop implementation, and the users created externally without
> installing the user creation tools in the container.
>
> Admins may easily introspect the system user list and which packages
> require users.
>
> Admins may easily override definitions of system users by providing
> appropriate sysusers.d files with higher priority.
>
> The difference between Fedora and other distros like OpenSUSE is reduced.
>

While this *is* incrementally better than before, there *is* a reason
for using separate RPM packages as openSUSE does. There are many cases
where a user+group is actually shared across multiple packages, and
having the user+group definition broken out into a subpackage means
that it's easy for multiple packages to depend on it without having to
depend on the program package.

For example, in openSUSE, there is a wwwrun user paired with the www
group (there's also a wwwrun group, but it doesn't matter quite that
much). This user+group combination is used by *all* webservers. It
also has a static ID, so that it's consistent across installs. Having
this be a package instead of being a scriptlet run by each of the
webservers means that it's easy for the webserver packages to depend
on them. Moreover, the *definition* of the user+group is centralized,
making it easier to audit and adjust over time. Also importantly,
there's a dependency generator that generates user() and group()
Provides for this, so that packages can just declare they need that
user+group combo to exist first before the package can be installed.

I would like us to be able to do that in Fedora too, as it would
drastically simplify some of the odd issues we have with managing
shared users and groups across multiple packages (web servers,
language runtime environments, git services, etc.).

For us, since we don't have the SUSE patches that make PreReq do
things, the way we'd declare this with upstream RPM features would be:

Requires: user(wwwrun)
OrderWithRequires: user(wwwrun)

That way, it's always installed before the package in question is.


--
真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux