Re: Towards enabling rpm sysusers integration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 6/22/23 18:01, Zbigniew Jędrzejewski-Szmek wrote:

On Thu, Jun 22, 2023 at 01:18:27PM +0300, Panu Matilainen wrote:

Hey all,

Now that the initial hurdle of getting rpm 4.19 into rawhide is over, it's
time to start looking towards enabling the sysusers integration:
https://rpm-software-management.github.io/rpm/manual/users_and_groups.html


Cool, let's do this!


That's the spirit :D


We (as in rpm-team) are not pushing for doing all this in Fedora 39, this is
more to start discussion and lay down the necessary steps. In the 4.19
builds so far, the sysusers integration has been entirely disabled because
it needs more coordination than just drop it in. Much of it is between
systemd and rpm, but any package with non-root ownerships will be affected
in the end. At least the following, and not necessarily exactly in this
order:

1. systemd has it's own user/group provides generator which directly
conflicts (both on generated content and file level) with the new native
generator in rpm, and the feature will not work with the provides generated
by systemd.


I merged your PR to disable this, so this first step is done.


Thanks! I'll enable the generator in rpm then.


2. systemd provides users and groups that are actually owned by the setup
package. As rpm is now turning non-root file ownership into dependencies,
systemd could end up pulled in where setup is needed (eg early install
stage) which will not end up well. So systemd will need to stop providing
users it does not actually own.


I was hoping we would be make the dependency on setup optional.
It is a fairly heavyweight package (700+ kb) and with lots of
not-that-useful-on-a-typical-modern-installation stuff (mail alias support,
csh profile, /etc/hosts, nfs exports, etc.). Most of this is tiny, but it
clutters /etc, which ideally would be empty, and also /etc/services is 700 kb.
setup is currently pulled in by dependencies, but e.g. in the initrd we should
be fine without it. (And the same applies for e.g. minimal container
images without login users or a shell.)

Maybe the non-essential stuff could be split out into a new
subpackage, with setup only providing /etc/{passwd,group,shadow,gshadow}
with the base set of users and groups, and all other files moved to setup-clutter.
Oh, "setup" is not special to rpm in any way, I only talk of it because that's where /etc/{passwd,group} traditionally reside. Rpm grabs the user/group provides from those files on encounter, so no rpm-side changes are needed if they get moved to some other package. 


3. The various %sysuser_()* macros in systemd-rpm-macros need to be phased
out. As it'll be a long time before the sysusers feature is in all Fedora
versions, it needs a longer term plan. One simple possibility is do what was
done with all those ldconfig from %post back then: change the %sysusers_()
macros to no-ops in rawhide to let rpm handle it, and only actually bother
updating packages once all relevant versions have the sysusers feature.


+1 to this plan.


4. The sysusers "hook" in rpm needs to be enabled (uncomment
%__systemd_sysusers macro in rpm). It wont do anything at all before 1) and
3) are done though.

6. The user/group dependencies for non-root users need to be turned into
hard requires (initially these are just recommends). I would be suprised if
this doesn't cause some disruption somewhere, although the content that is
not root:root owned is pretty scarce these days.

7. Packages creating or using non-root user/group need to be rebuilt.

7. One day a few years from now, replace
https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/
with "supply a sysusers file for your needs" :P
In reality, it'll need adjusting long before that and for that, it'll need
FPC recommendations and all.

8. Remove all user/group addition related macro and script fubar from specs
for good. The first commit in rpm source tree is from 1995, it'd be a nice
30 year celebration... but I don't expect it to happen quite that soon.
Maybe in 2035 new people will start look at old specs in horror, "What do
you mean they had to deal with all this user/group stuff manually! For 30
years!"

I've begun from 1) now:

	https://src.fedoraproject.org/rpms/systemd/pull-request/109

This is merged now and the package is built. (I guess it's probably in
gating now.)


	https://src.fedoraproject.org/rpms/rpm/pull-request/45

After those have been done, people can start experimenting with the feature.
I don't remember seeing an actual Fedora Change for either file-trigger
enablement or current %sysuser_* macros so I'm not sure it's needed here
either?


https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format


Thanks, I've missed that.

Guess it's best to make a Change out of this too then.

	- Panu -

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux