Create system users for FreeIPA services during package installation #697
Conversation
|
if I understood the sysusers.d file format correctly, ipa.sysusers.debian.conf would need this line added: m www-data ipaapi as you can see from ipaplatform/debian/constants.py. Actually, why not make just one template file ipa.sysusers.conf.in and utilize ipaplatform to substitute values like for most of the conffiles |
| @@ -0,0 +1 @@ | |||
| ipa.sysusers.base.conf | |||
There was a problem hiding this comment.
The redhat platform is an abstract platform that serves as a base platform for rhel and fedora. I don't think we need a sysuser file for it.
There was a problem hiding this comment.
I created the symbolic links with the same login as platforms in ipaplatform use for inheritance but you're right there's no real platform redhat and we don't need sysusers.conf file for it.
init/systemd/ipa.sysusers.base.conf
Outdated
| u dirsrv - - - | ||
| u pkiuser - - - | ||
| u ipaapi - - - | ||
| m apache ipaapi |
There was a problem hiding this comment.
What @tjaalton said in #697 (comment)
init/systemd/ipa.sysusers.base.conf
Outdated
| @@ -0,0 +1,5 @@ | |||
| u kdcproxy - "IPA KDC Proxy User" - | |||
| u dirsrv - - - | |||
| u pkiuser - - - | |||
There was a problem hiding this comment.
pkiuser has pre-allocated uid 17 and gid 17. Does sysuser.d automatically use pre-allocated uid and gid? Also GECOS is not set to "CS System User".
There was a problem hiding this comment.
The user is created by pki-server, so I would rather just remove the line.
There was a problem hiding this comment.
Please see my answer to previous comment.
init/systemd/ipa.sysusers.base.conf
Outdated
| @@ -0,0 +1,5 @@ | |||
| u kdcproxy - "IPA KDC Proxy User" - | |||
| u dirsrv - - - | |||
There was a problem hiding this comment.
The user is created by 389-ds-base, so I would rather just remove the line.
There was a problem hiding this comment.
@tiran You're right, I omitted the GECOS because create_ds_user didn't set it either.
@HonzaCholasta Doesn't matter if the user is or isn't created by some other package. That's the benefit of sysusers.d, we declare that we need such user and sysusers.d creates it doesn't exist already.
There was a problem hiding this comment.
The only thing we achieve by declaring the user ourselves is supporting broken 389-ds-base installs. I don't think we should do that and rather fail early if the user is missing.
There was a problem hiding this comment.
@dkupka create_system_user() adds GECOS for DS and PKI user.
https://github.com/freeipa/freeipa/pull/697/files#diff-39163021c252126be7c9fbc0c66b1668L452
There was a problem hiding this comment.
+1 for Honza's suggestion. Let 389-ds-base take care of group and user creation.
init/systemd/ipa.sysusers.base.conf
Outdated
| u kdcproxy - "IPA KDC Proxy User" - | ||
| u dirsrv - - - | ||
| u pkiuser - - - | ||
| u ipaapi - - - |
There was a problem hiding this comment.
For completeness, please give the ipaapi user a sensible GECOS, too.
|
Note that systemd-sysusers is not available in RHEL and CentOS. It might be better to use the sssd approach: https://github.com/SSSD/sssd/blob/master/contrib/sssd.spec.in#L1228. |
|
Originally I used a similar approach for the kdcproxy user based on the snippet https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Soft_static_allocation . You changed it in ticket https://pagure.io/freeipa/issue/5314 because the approach violates packaging guidelines. |
|
Ah, right, rpmdiff complained about that. Well, that was 2 years ago, and if it works for sssd it must also work for us, so I guess we should ignore rpmdiff. |
Actually, for any such case I found I filed bugzilla or ticket to get them created during rpm installation.
Please do not use systemd-sysusers, create the group/user entries during rpm installation. |
+1 |
|
Right, we do not have systemd available during Docker image build so some fallback mechanism directly in spec would be great. Otherwise we would have to workaround this in containers and I am not a big fan of that. |
init/systemd/ipa.sysusers.base.conf
Outdated
| @@ -0,0 +1,5 @@ | |||
| u kdcproxy - "IPA KDC Proxy User" - | |||
| u dirsrv - - - | |||
There was a problem hiding this comment.
+1 for Honza's suggestion. Let 389-ds-base take care of group and user creation.
init/systemd/ipa.sysusers.base.conf
Outdated
| @@ -0,0 +1,5 @@ | |||
| u kdcproxy - "IPA KDC Proxy User" - | |||
| u dirsrv - - - | |||
| u pkiuser - - - | |||
|
Travis reports wrong usage of the |
Previously system users needed by FreeIPA server services was created during ipa-server-install. This led to problem when DBus policy was configured during package installation but the user specified in the policy didn't exist yet (and potentionally similar ones). Now the users will be created in package %pre section so all users freeipa-server package needs exist before any installation or configuration begins. Another possibility would be using systemd-sysusers(8) for this purpose but given that systemd is not available during container build the traditional approach is superior. Also dirsrv and pkiuser users are no longer created by FreeIPA instead it depends on 389ds and dogtag to create those users. https://pagure.io/freeipa/issue/6743
freeipa.spec.in
Outdated
| # create users and groups | ||
| # create kdcproxy group and user | ||
| getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy | ||
| useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy |
There was a problem hiding this comment.
Please, only add the user if it does not exists.
stlaz
dismissed
tiran’s stale review
The comments were implemented/replaced with a different solution.
| # create users and groups | ||
| # create kdcproxy group and user | ||
| getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy | ||
| getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy |
There was a problem hiding this comment.
Please specify uid and gid. Otherwise, when used in containers, one image build can end up with different uid/gid than the other, store data in volume with that uid/gid, and the next image can use different values and not be able to read the data.
There was a problem hiding this comment.
Not now. When (and more importantly if) we get uid and gid assigned I will update the code. Now I don't have any idea what value I could use.
Also looking into related ticket https://pagure.io/packaging-committee/issue/474 (opened by you by the way) it seems that "we run in container and store data to volume" is not enough to allocate static uid and gid.
| getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy | ||
| # create ipaapi group and user | ||
| getent group ipaapi >/dev/null || groupadd -f -r ipaapi | ||
| getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi |
|
While I don't like to omit @adelton comments, this is a test blocker for us. I propose going with @dkupka's comment on adding the GID/UID later when we get it or if someone could make a PR making this a bit better, that would be nice too. |
pvomacka
added
pushed
Previously system users needed by FreeIPA server services was created during
ipa-server-install. This led to problem when DBus policy was configured during
package installation but the user specified in the policy didn't exist yet (and
potentionally similar ones). Now systemd-sysusers service is used to ensure
users freeipa-server package needs exist before any installation or
configuration begins.
https://pagure.io/freeipa/issue/6743