sysusers.d support applies %attr() ownership before creating sysusers #3073
Comments
As far as I know this feature is not enabled in Fedora 40. See https://fedoraproject.org/wiki/Changes/RPM-4.19#Scope rpm-4.18.92-disable-sysusers.patch
So there is some work to do on the Fedora side to make sure the distribution is ready for this.
Thanks @ffesti ! So I suppose this should be closed upstream, and I'll create a bugzilla instead?
Add a sysusers config file for our remaining system user. Arch was already using sysusers, replace the packaging specific one with the upstream one. For Debian, run dh_installsysusers (compat level 14 will do that automatically in the future). RPM 4.19 has native support for sysusers in principle [1], but it's not currently enabled/working [2]. Fedora rather wants packages to do an overcomplicated process which keeps a downstream copy of the sysusers file in the packaging dist-git [3], which is error prone and ugly to automate. So keep the tried-and-tested current approach of creating the user directly in the spec's `%pre` script for the time being (which is necessary anyway for CentOS/RHEL 9). [1] https://rpm-software-management.github.io/rpm/manual/users_and_groups.html [2] rpm-software-management/rpm#3073 [3] https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
Ah, good point. This needs discussion on the Fedora side.
Yeah, this probably needs a discussion and Global Change in Fedora and an additional change in the Packaging Guidelines. Those are not topics for upstream. So I am closing this here. But feel free to ping me if you need help on the Fedora side. We will also happily improve the documentation upstream with lessons learned. Also note that there are more improvements coming with the rpm 4.20 release that is expected in Fedora 41 in a few weeks.
I started a discussion on the Fedora devel list:
We are currently trying to move our project to systemd-sysusers, away from manual `useradd` calls in the package's `%pre` script. The rpm manual claims

I tried that on current Fedora 40 (rpm-4.19.1.1-1.fc40.x86_64), and an initial version with a clean approach just adds `%{_sysusersdir}/cockpit-ws.conf` file to the rpm. The diff doesn't show the existing

in the spec which makes use of the dynamic group.

The rpm build does create the "magic" provides:

On install it does create the sysusers, but it tries to apply the `%attr` before creating the users:

and after installation, /usr/libexec/cockpit-session has the wrong ownership (group root).

So for the docs to actually work, it needs to create the sysusers before unpacking (i.e. what a `%pre` script would do) from its "magic" provides or other internal .rpm metadata, or defer the `%attr()` application after the initial unpacking of the files and sysusers creation.

I suppose that is the reason why the Fedora packaging guidelines have a completely different, and very hackish approach -- that suggests to duplicate the sysusers file downstream in the packaging dist-git, and using `%sysusers_create_compat` to basically create some `useradd` shell script out of the sysusers.d file. But this is awkward, error prone, a bit hard to automate for releases. It also feels backwards -- the whole point is to move and standardize all of this upstream.

I didn't find any existing upstream or Fedora downstream (bugzilla) bug report, so filing this one.
Thanks!
CC: @travier
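
As an added example (not part of the original report and not rpm's own code), the check below lists which packaged files take their ownership from an account that only the shipped sysusers.d file defines, and compares declared ownership with what is observed after install. All account names, paths and sample data are constructed; the `uid:gid` form of the sysusers.d ID field is not modelled.

```python
import shlex

def declared_accounts(sysusers_text):
    """Return (users, groups) that a sysusers.d file asks systemd-sysusers to create."""
    users, groups = set(), set()
    for raw in sysusers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # GECOS field may be quoted
        if len(fields) < 2:
            continue
        kind, name = fields[0], fields[1]
        if kind.startswith("u"):            # 'u' creates the user and a same-named group
            users.add(name)
            groups.add(name)
        elif kind == "g":                   # 'g' creates only a group
            groups.add(name)
    return users, groups

def owners_needing_sysusers(manifest, sysusers_text, base_users, base_groups):
    """List (path, kind, name) for owners that exist only once the sysusers.d
    entries have been created, i.e. files affected by the ordering problem."""
    users, groups = declared_accounts(sysusers_text)
    hits = []
    for path, user, group in manifest:
        if user not in base_users and user in users:
            hits.append((path, "user", user))
        if group not in base_groups and group in groups:
            hits.append((path, "group", group))
    return hits

def ownership_mismatches(manifest, observed):
    """Return (path, declared, observed) where post-install ownership differs."""
    return [(p, (u, g), observed[p]) for p, u, g in manifest
            if p in observed and observed[p] != (u, g)]

# Constructed sample data (hypothetical package, not the one from the report).
SYSUSERS = '''\
u example-ws - "Example web service user" -
g example-session -
'''
MANIFEST = [  # (path, user, group) as the spec's %attr() would declare them
    ("/usr/libexec/example-session", "root", "example-session"),
    ("/usr/libexec/example-helper", "root", "root"),
]
# Ownership as it might be observed when %attr is applied before account creation.
OBSERVED = {"/usr/libexec/example-session": ("root", "root"),
            "/usr/libexec/example-helper": ("root", "root")}
```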