F42 Change Proposal: RPM Support For Systemd Sysusers.d (system-wide)


 



Wiki - https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers
Discussion thread -
https://discussion.fedoraproject.org/t/f42-change-proposal-rpm-support-for-systemd-sysusers-d-system-wide/140621

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.

== Summary ==
RPM supports creating users and groups according to configuration
provided in sysusers.d snippets shipped in the package payload.

The goal of the proposal is to fully integrate this RPM functionality in Fedora.

== Owner ==
* Name: Michal Sekletar, Zbigniew Jędrzejewski-Szmek, Panu Matilainen
* Email: msekleta@xxxxxxxxxx, zbyszek@xxxxxxxxx, pmatilai@xxxxxxxxxx


== Detailed Description ==
This proposal consists of two parts. The first is to make sure that
the rpm functionality is fully enabled in Fedora. The second is to update
the packaging guidelines and raise awareness about the new, simpler user
creation method for rpm packages. The goal is fully declarative
system user and group management in all RPMs. Over time we should be
able to drop all manual `useradd`/`groupadd` invocations and all use of
the `%sysusers_create_compat` macro in rpm scriptlets.

Support for sysusers was added in rpm 4.19.0. Support for group
membership (`m` lines) was added in rpm 4.20.0. Support for
locked-down users (`u!` lines) was added for rpm 4.21.0. The rpm
package has patches to disable user/group creation
([https://src.fedoraproject.org/rpms/rpm/blob/rawhide/f/rpm-4.18.92-disable-sysusers.patch
rpm-4.18.92-disable-sysusers.patch]) and make user/group dependencies
weak ([https://src.fedoraproject.org/rpms/rpm/blob/rawhide/f/rpm-4.19.91-weak-user-group.patch
rpm-4.19.91-weak-user-group.patch]).

== Feedback ==
[https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/IKWECWMBWN2IDKLHK3Q2TZKVSVFTXUNA/#U4BF4ETCFNMMXY6NGRV5Y7ABTZDXQYNY|
Discussion] about the idea to submit the proposal on the fedora-devel list.

== Benefit to Fedora ==
* Declarative system user and group management by packages
* Potential for spec file simplification; concretely, removal of the
relevant part of %pre scripts in some packages.
* Ability to query which users and groups are provided by a given package,
as well as the ability to have dependencies on users/groups from different
packages.
* Make use of native rpm functionality instead of the current
%sysusers_create_compat macro.

== Scope ==
* Proposal owners:
** Change rpm so that it generates a hard dependency between packages A
and B in case B depends on a user or group provided by package A. Rpm
currently has a downstream patch so that only weak dependencies are
generated.
** Make sure that the previous change in rpm doesn't cause package
dependency loops during system installation.
** Work on a fix for shadow-utils so that useradd and groupadd work
correctly in a chroot on SELinux-enabled systems (shadow-utils
[https://github.com/shadow-maint/shadow/issues/940| issue]).
* Other developers:
** We would welcome any help with the shadow-utils
[https://github.com/shadow-maint/shadow/issues/940| issue].

* Release engineering:  N/A (not needed for this Change)
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with the Fedora Strategy:


== Upgrade/compatibility impact ==
There is no upgrade/compatibility impact.

== How To Test ==
* Select an rpm package that creates a system user/group account in %pre.
* Remove the part of the %pre scriptlet that handles user/group creation.
* Create an equivalent
[https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html|
sysusers.d] configuration file and ship it as part of the rpm payload
under /usr/lib/sysusers.d/.
* Rebuild the package.
* Verify that the package has been built correctly and that it has rpm provides
for the installed user account and group (e.g. `user(foo) = ABUNCHOFHEXHERE`,
`group(bar) = ADIFFERNTBUNCHOFHEXHERE`). Use
`rpm -qP $package | awk '/(user|group)\(/ {print $3}' | base64 -d`
and check that the output looks reasonable.
* Verify that you can install the package and that the installed files have
the correct ownership.
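
The provides check from the steps above, as an added example that is not part of the original proposal or of rpm: it decodes each `user()`/`group()` provide separately and compares the decoded line with the name the provide is attached to. It assumes each value decodes to a single sysusers.d line whose second field is the account name; `check_sysusers_provides`, `enc` and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not rpm or Fedora code): audit user()/group() provides.
# Assumption: each value is base64 of a sysusers.d line "<type> <name> ...".

# Reads `rpm -qP` style lines on stdin, prints OK/BAD per user/group provide,
# and returns 1 if any entry fails the check.
check_sysusers_provides() {
    rc=0
    while read -r cap op value; do
        case "$cap" in
            user\(*\)|group\(*\)) ;;
            *) continue ;;                     # unrelated provide
        esac
        kind=${cap%%\(*}
        name=${cap#*\(}; name=${name%\)}
        if [ "$op" != "=" ] || [ -z "$value" ]; then
            echo "BAD $kind($name): provide carries no encoded line"; rc=1; continue
        fi
        if ! line=$(printf '%s' "$value" | base64 -d 2>/dev/null); then
            echo "BAD $kind($name): value is not valid base64"; rc=1; continue
        fi
        set -f; set -- $line; set +f           # split decoded line into fields
        case "$1" in
            u|'u!'|g) ;;
            *) echo "BAD $kind($name): unexpected line type '$1'"; rc=1; continue ;;
        esac
        if [ "$2" != "$name" ]; then
            echo "BAD $kind($name): decoded line names '$2'"; rc=1; continue
        fi
        echo "OK $kind($name): $line"
    done
    return "$rc"
}

# Constructed sample standing in for `rpm -qP $package` output.
enc() { printf '%s' "$1" | base64 | tr -d '\n'; }
sample_provides() {
    echo "config(foo) = 1.0-1"
    echo "user(foo) = $(enc 'u foo - "Foo daemon" /var/lib/foo')"
    echo "group(bar) = $(enc 'g bar -')"
    echo "user(baz) = $(enc 'u qux -')"        # name does not match provide
    echo "group(bad) = %%%"                    # not base64
}

sample_provides | check_sysusers_provides || echo "some provides failed"
```

On a real build, replace `sample_provides` with `rpm -qP $package` and treat a non-zero return as a packaging error to investigate before installing.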

== User Experience ==
There shouldn't be any user-observable change from the previous state.
The potential packaging-related benefits are mostly of interest to package
maintainers.

== Dependencies ==
None

== Contingency Plan ==
* Contingency mechanism: If we are not confident by the mass rebuild that
we can deliver the feature, we will postpone its delivery to a later
Fedora release. There are no explicit rollback/cleanup actions that
need to be taken.
* Contingency deadline: Mass Rebuild of RPMs on Wed 2025-01-15.
* Blocks release? No

== Documentation ==
[https://github.com/rpm-software-management/rpm/blob/master/docs/manual/users_and_groups.md#users-and-groups|
sysusers.d support in RPM].

== Release Notes ==
N/A

-- 
Aoife Moloney

Fedora Operations Architect

Fedora Project

Matrix: @amoloney:fedora.im

IRC: amoloney

-- 
_______________________________________________
devel-announce mailing list -- devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-announce-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue



