
Simone Caronni 12-19-2011 04:15 PM

fedora-usermgmt
 
Hello,

I'm currently committing on bacula and I've stepped into a few
problems with fedora-usermgmt.
I think the process is a bit convoluted. It is not even in the
guidelines for packaging, so I'm wondering if I can remove it from
the package.

According to this page, the yellow box points to another link and
states clearly that it is not part of the packaging guidelines.

http://fedoraproject.org/wiki/PackageUserCreation

- Packages for RHEL 4/5/6 get a dependency on the EPEL repository,
which many users would like to avoid on production systems.
- Building the package gets a dependency on the EPEL repository for
the fedora-usermgmt-devel package even if it is not used at
installation time; so again the package cannot be built on RHEL
without the EPEL repository.
- "%bcond_without fedora", as suggested by the pages, does not work
with RHEL 4, as the directive is invalid.
- Koji does not accept "--without" arguments even for scratch builds,
so I cannot pass the argument as suggested by the page.
- Even if building only for RHEL 5+ I cannot build the same package on
Koji but need to upload a different package for RHEL.

I also tried statically setting a lot of %if / %else and distro tags to
get a static with/without_fedora inside the spec file but I didn't
have any success with it.

After a day of frustration I looked at other packages spec files that
define uid/gid <100, and I saw that many of them don't use
fedora-usermgmt at all (i.e. NetworkManager-openconnect):

fedoraproject.org/wiki/PackageUserRegistry

Basically I will remove all of this stuff:

%if 0%{?fedora} > 0
%define with_fedora 1
%else
%define without_fedora 1
%endif

(or the non-working "%bcond_without fedora")

%global uid 33
%global username bacula

BuildRequires: fedora-usermgmt-devel
%{?FE_USERADD_REQ}

%pre common
%__fe_groupadd %uid -r %username &>/dev/null || :
%__fe_useradd %uid -r -s /sbin/nologin -d /var/spool/bacula -M \
    -c 'Bacula Backup System' -g %username %username &>/dev/null || :

%postun common
%__fe_userdel %username &>/dev/null || :
%__fe_groupdel %username &>/dev/null || :

With:

Requires(pre): shadow-utils

%pre common
%{_sbindir}/groupadd -g 33 -r bacula &>/dev/null || :
%{_sbindir}/useradd -u 33 -r -s /sbin/nologin -d /var/spool/bacula -M \
    -c 'Bacula Backup System' -g bacula bacula &>/dev/null || :

%postun common
test "$1" != 0 || %{_sbindir}/userdel bacula &>/dev/null || :
test "$1" != 0 || %{_sbindir}/groupdel bacula &>/dev/null || :

Can I simplify everything removing fedora-usermgmt as a requirement?

Thanks,
--Simone




--
You cannot discover new oceans unless you have the courage to lose
sight of the shore (R. W. Emerson).
--
packaging mailing list
packaging@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/packaging

Kevin Fenzi 12-19-2011 04:23 PM

fedora-usermgmt
 
On Mon, 19 Dec 2011 18:15:40 +0100
Simone Caronni <negativo17@gmail.com> wrote:

> Hello,
>
> I'm currently committing on bacula and I've stepped into a few
> problems with fedora-usermgmt.
> I think the process is a bit convoluted. It is not even in the
> guidelines for packaging, so I'm wondering if I can remove it from
> the package.

...snip...

> Can I simplify everything removing fedora-usermgmt as a requirement?

I'd personally suggest that. It's not a guideline in any way, and I
think it just causes issues and confusion. The things it purports to
solve can be solved in much simpler ways.

kevin

Tom Callaway 12-19-2011 05:03 PM

fedora-usermgmt
 
On 12/19/2011 12:15 PM, Simone Caronni wrote:
> I think the process is a bit convoluted. It is not even in the
> guidelines for packaging, so I'm wondering if I can remove it from
> the package.

If you do replace it, you should use this approach instead:

https://fedoraproject.org/wiki/Packaging:UsersAndGroups

Do you really need a static UID?

And also, you definitely shouldn't be removing users or groups in
scriptlets.

~tom

Toshio Kuratomi 12-19-2011 06:07 PM

fedora-usermgmt
 
On Mon, Dec 19, 2011 at 06:15:40PM +0100, Simone Caronni wrote:
>
> After a day of frustration I looked at other packages spec files that
> define uid/gid <100, and I saw that many of them don't use
> fedora-usermgmt at all (i.e. NetworkManager-openconnect):
>
Also, please do not use a uid/gid below 100.

If you do need a static uid defined in the spec file (but please read the
link spot gave for other ways to achieve most of the same things) we'll
need to talk about what numbers are not used and who you need to talk to to
get it assigned.

-Toshio

Simone Caronni 12-20-2011 06:51 AM

fedora-usermgmt
 
Hello,

Bacula package already has a registered user group of 33 in:

http://fedoraproject.org/wiki/PackageUserRegistry

so I will keep on using that; no change. The spec file always
contained that uid/gid in the build.
What I will change is just the way it is created, and the link Tom
sent is exactly the one I was looking at.
I found fedora-usermgmt already in place in the spec file so I thought
it was right to ask.

Thank you very much,
--Simone



On 19 December 2011 20:07, Toshio Kuratomi <a.badger@gmail.com> wrote:
> On Mon, Dec 19, 2011 at 06:15:40PM +0100, Simone Caronni wrote:
>>
>> After a day of frustration I looked at other packages spec files that
>> define uid/gid <100, and I saw that many of them don't use
>> fedora-usermgmt at all (i.e. NetworkManager-openconnect):
>>
> Also, please do not use a uid/gid below 100.
>
> If you do need a static uid defined in the spec file (but please read the
> link spot gave for other ways to achieve most of the same things) we'll
> need to talk about what numbers are not used and who you need to talk to to
> get it assigned.
>
> -Toshio




Paul Howarth 12-20-2011 08:38 AM

fedora-usermgmt
 
On 12/20/2011 07:51 AM, Simone Caronni wrote:

> Hello,
>
> Bacula package already has a registered user group of 33 in:
>
> http://fedoraproject.org/wiki/PackageUserRegistry
>
> so I will keep on using that; no change. The spec file always
> contained that uid/gid in the build.
> What I will change is just the way it is created, and the link Tom
> sent is exactly the one I was looking at.


The link Tom sent provides a way to create a uid/gid for a given
user/group name, not for a specific uid/gid (i.e. you'll end up with a
"bacula" user and group but the uid/gid may be different on each
system). However, bacula does not need the uid/gid to be the same on
multiple systems so that doesn't matter.



> I found fedora-usermgmt already in place in the spec file so I thought
> it was right to ask.


I never understood why bacula used that in the first place.

Paul.

Michael Schwendt 12-20-2011 09:48 AM

fedora-usermgmt
 
On Tue, 20 Dec 2011 08:51:09 +0100, SC (Simone) wrote:

> Hello,
>
> Bacula package already has a registered user group of 33 in:
>
> http://fedoraproject.org/wiki/PackageUserRegistry
>
> so I will keep on using that; no change.

That would be wrong, because the numbers on that Wiki page are not UIDs
but just base numbers which are mapped by fedora-usermgmt using a
configurable "baseuid" value.

Simone Caronni 12-20-2011 10:24 AM

fedora-usermgmt
 
Hello,

can you please explain that a bit further? I don't think I understand,
I see this reference at
http://fedoraproject.org/wiki/PackageUserCreation:

"The first is to register a fixed UID and call "/usr/sbin/useradd -r
-u <uid> <user>" or assign a random UID by omitting the "-u <uid>"
parameter. For fixed UIDs, there are only 100 free slots, which is not
enough for the Fedora Project (79 are already used by Fedora Core),
and dynamic or random UIDs have problems of their own, as demonstrated
here.

Another solution might be semi-static UIDs, which are relative to a
system-wide value and unique for the entire Fedora Project. The
current (experimental) implementation uses the file
/etc/fedora/usermgmt/baseuid to configure the value to which the
relative UID would be added. As an example, when
/etc/fedora/usermgmt/baseuid contains "30000", the user 'joe', with
the semi-static UID 23, will get the final UID 30023 (30000+23)."

The file /etc/fedora/usermgmt/baseuid contains 300, so I'm guessing
the correct setup for Bacula would be to set 333 as the uid/gid. Is
that correct?

The previous version used fedora-usermgmt (so uid 333) but did not
remove the user and directory; that is pointless anyway because you
don't remove the directory only if you have it dynamic.

Here is the spec file of the last Koji build; should I change it?

%global uid 33
%global username bacula

%package common
Provides: group(%username) = %uid
Provides: user(%username) = %uid
Requires(pre): shadow-utils
Requires(postun): shadow-utils

%pre common
getent group %username >/dev/null || groupadd -g %uid -r %username \
    &>/dev/null || :
getent passwd %username >/dev/null || useradd -u %uid -r -s /sbin/nologin \
    -d /var/spool/bacula -M -c 'Bacula Backup System' -g %username \
    %username &>/dev/null || :
exit 0

%postun common
test "$1" != 0 || userdel %username &>/dev/null || :
test "$1" != 0 || groupdel %username &>/dev/null || :
exit 0

Many thanks,
--Simone



On 20 December 2011 11:48, Michael Schwendt <mschwendt@gmail.com> wrote:
> On Tue, 20 Dec 2011 08:51:09 +0100, SC (Simone) wrote:
>
>> Hello,
>>
>> Bacula package already has a registered user group of 33 in:
>>
>> http://fedoraproject.org/wiki/PackageUserRegistry
>>
>> so I will keep on using that; no change.
>
> That would be wrong, because the numbers on that Wiki page are not UIDs
> but just base numbers which are mapped by fedora-usermgmt using a
> configurable "baseuid" value.

Michael Schwendt 12-20-2011 10:59 AM

fedora-usermgmt
 
On Tue, 20 Dec 2011 12:24:21 +0100, SC (Simone) wrote:

> Hello,
>
> can you please explain that a bit further? I don't think I understand,
> I see this reference at
> http://fedoraproject.org/wiki/PackageUserCreation:

You've quoted the relevant part. Here:

> Another solution might be semi-static UIDs, which are relative to a
> system-wide value and unique for the entire Fedora Project. The
> current (experimental) implementation uses the file
> /etc/fedora/usermgmt/baseuid to configure the value to which the
> relative UID would be added. As an example, when
> /etc/fedora/usermgmt/baseuid contains "30000", the user 'joe', with
> the semi-static UID 23, will get the final UID 30023 (30000+23)."

So, if you drop using fedora-usermgmt, you cannot keep the relative (!)
uid 33 that has been registered for it. 33 is "amandabackup":

$ rpm -qd setup
/usr/share/doc/setup-2.8.36/COPYING
/usr/share/doc/setup-2.8.36/uidgid <-- (!)

Package "setup"'s %changelog mentions a lot of activity related to reserving
system uids/gids.

> The file /etc/fedora/usermgmt/baseuid contains 300, so I'm guessing
> the correct setup for Bacula would be to set 333 as the uid/gid. Is
> that correct?

You would first need to have uid 333 registered/reserved as a fixed uid.

> The previous version used fedora-usermgmt (so uid 333) but did not
> remove the user and directory;

Well, then it isn't following the guidelines, which mention the userdel
scriptlets. ;)

> that is pointless anyway because you
> don't remove the directory only if you have it dynamic.

However, if the directory contains files created at run-time, the package
should not "rm -rf" those files when uninstalling, so it could remove the
empty dir.

Ondrej Vasik 12-20-2011 11:23 AM

fedora-usermgmt
 
On Tue, 2011-12-20 at 12:59 +0100, Michael Schwendt wrote:
> On Tue, 20 Dec 2011 12:24:21 +0100, SC (Simone) wrote:
>
> > Hello,
> >
> > can you please explain that a bit further? I don't think I understand,
> > I see this reference at
> > http://fedoraproject.org/wiki/PackageUserCreation:
>
> You've quoted the relevant part. Here:
>
> > Another solution might be semi-static UIDs, which are relative to a
> > system-wide value and unique for the entire Fedora Project. The
> > current (experimental) implementation uses the file
> > /etc/fedora/usermgmt/baseuid to configure the value to which the
> > relative UID would be added. As an example, when
> > /etc/fedora/usermgmt/baseuid contains "30000", the user 'joe', with
> > the semi-static UID 23, will get the final UID 30023 (30000+23)."

Yep, and that's what the bacula is working with - Simone mentioned
http://fedoraproject.org/wiki/PackageUserRegistry - which was created
for this experimental implementation based on baseuid - and 33 is
reserved there for bacula user/group. But this reservation is not for
33:33 uidgid pair, but for baseuid+33:baseuid+33 uidgid pair (and
fedora-useradd or %fedora_useradd macro should be used for it instead of
shadow-utils /usr/sbin/useradd )

> So, if you drop using fedora-usermgmt, you cannot keep the relative (!)
> uid 33 that has been registered for it. 33 is "amandabackup":
>
> $ rpm -qd setup
> /usr/share/doc/setup-2.8.36/COPYING
> /usr/share/doc/setup-2.8.36/uidgid <-- (!)
>
> Package "setup"'s %changelog mentions a lot of activity related to reserving
> system uids/gids.

Yep, that's right, 33 is reserved for amandabackup user ...
Please note that threshold of 200 is now used for statically allocated
IDs (that's respected in useradd (shadow-utils)) - shadow-utils changed
its dynamic user creation, so now it goes downwards. This change was
done in ~F11 and no issues with it were reported so far.

> > The file /etc/fedora/usermgmt/baseuid contains 300, so I'm guessing
> > the correct setup for Bacula would be to set 333 as the uid/gid. Is
> > that correct?
>
> You would first need to have uid 333 registered/reserved as a fixed uid.

I don't think that this is a good idea - you either should have static
ID (network/virtual machines facing, storing sensitive data) or dynamic
system user creation should be ok for you.

> > The previous version used fedora-usermgmt (so uid 333) but did not
> > remove the user and directory;
>
> Well, then it isn't following the guidelines, which mention the userdel
> scriptlets. ;)
>
> > that is pointless anyway because you
> > don't remove the directory only if you have it dynamic.
>
> However, if the directory contains files created at run-time, the package
> should not "rm -rf" those files when uninstalling, so it could remove the
> empty dir.

Greetings,
Ondrej Vasik
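
The baseuid arithmetic and the uid 33 collision discussed in this thread, as an added shell example that is not part of any poster's message or of fedora-usermgmt itself. The helper names final_uid, uid_owner and check_static_uid are hypothetical, and the passwd data is constructed; baseuid 300 and amandabackup at uid 33 are the values quoted in the thread.

```shell
#!/bin/sh
# Added example: map a fedora-usermgmt relative UID to its final UID and
# check whether a static UID is already owned by a different account.

# final_uid BASEUID_FILE RELATIVE -> prints baseuid + relative
final_uid() {
    base=$(tr -d '[:space:]' < "$1") || return 2
    for n in "$base" "$2"; do
        case $n in ''|*[!0-9]*) echo "not a number: '$n'" >&2; return 2 ;; esac
    done
    echo $(( $base + $2 ))
}

# uid_owner PASSWD_FILE UID -> prints the account holding UID, status 1 if none
uid_owner() {
    awk -F: -v uid="$2" '$3 == uid { print $1; found = 1; exit }
                         END { exit !found }' "$1"
}

# check_static_uid PASSWD_FILE NAME UID -> free | ok | conflict:<owner>
# A conflict means files written by NAME would be owned by <owner> as well.
check_static_uid() {
    owner=$(uid_owner "$1" "$3") || { echo free; return 0; }
    if [ "$owner" = "$2" ]; then echo ok; else echo "conflict:$owner"; return 1; fi
}

# Constructed sample data (not read from a real system).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
echo 300 > "$tmp/baseuid"
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
amandabackup:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
EOF

rel=33
abs=$(final_uid "$tmp/baseuid" "$rel")
echo "relative uid $rel with baseuid $(cat "$tmp/baseuid") -> $abs"
echo "useradd -u $rel bacula: $(check_static_uid "$tmp/passwd" bacula "$rel" || true)"
echo "useradd -u $abs bacula: $(check_static_uid "$tmp/passwd" bacula "$abs")"
```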


