Towards enabling rpm sysusers integration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hey all,

Now that the initial hurdle of getting rpm 4.19 into rawhide is over, it's time to start looking towards enabling the sysusers integration:
https://rpm-software-management.github.io/rpm/manual/users_and_groups.html

We (as in rpm-team) are not pushing for doing all this in Fedora 39, this is more to start discussion and lay down the necessary steps. In the 4.19 builds so far, the sysusers integration has been entirely disabled because it needs more coordination than just drop it in. Much of it is between systemd and rpm, but any package with non-root ownerships will be affected in the end. At least the following, and not necessarily exactly in this order:

1. systemd has it's own user/group provides generator which directly conflicts (both on generated content and file level) with the new native generator in rpm, and the feature will not work with the provides generated by systemd.

2. systemd provides users and groups that are actually owned by the setup package. As rpm is now turning non-root file ownership into dependencies, systemd could end up pulled in where setup is needed (eg early install stage) which will not end up well. So systemd will need to stop providing users it does not actually own.

3. The various %sysuser_()* macros in systemd-rpm-macros need to be phased out. As it'll be a long time before the sysusers feature is in all Fedora versions, it needs a longer term plan. One simple possibility is do what was done with all those ldconfig from %post back then: change the %sysusers_() macros to no-ops in rawhide to let rpm handle it, and only actually bother updating packages once all relevant versions have the sysusers feature.

4. The sysusers "hook" in rpm needs to be enabled (uncomment %__systemd_sysusers macro in rpm). It wont do anything at all before 1) and 3) are done though.

6. The user/group dependencies for non-root users need to be turned into hard requires (initially these are just recommends). I would be suprised if this doesn't cause some disruption somewhere, although the content that is not root:root owned is pretty scarce these days.

7. Packages creating or using non-root user/group need to be rebuilt.

7. One day a few years from now, replace
https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/ with "supply a sysusers file for your needs" :P In reality, it'll need adjusting long before that and for that, it'll need FPC recommendations and all.

8. Remove all user/group addition related macro and script fubar from specs for good. The first commit in rpm source tree is from 1995, it'd be a nice 30 year celebration... but I don't expect it to happen quite that soon. Maybe in 2035 new people will start look at old specs in horror, "What do you mean they had to deal with all this user/group stuff manually! For 30 years!"

I've begun from 1) now:

	https://src.fedoraproject.org/rpms/systemd/pull-request/109
	https://src.fedoraproject.org/rpms/rpm/pull-request/45

After those have been done, people can start experimenting with the feature. I don't remember seeing an actual Fedora Change for either file-trigger enablement or current %sysuser_* macros so I'm not sure it's needed here either?

Comments, thoughts etc?

	- Panu -
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux