Hello,
I'm currently committing on bacula and I've stepped into a few problems with fedora-usermgmt. I think the process is a bit convoluted. It is not even in the guidelines for packaging, so I'm guessing if I can be removed it from the package.
According to this page, the yellow box points to another links and states clearly is not part of the packaging guidelines.
http://fedoraproject.org/wiki/PackageUserCreation
- Packages for RHEL 4/5/6 get a dependency on the EPEL repository, which many users would like to avoid on production systems. - Building the package gets a dependency on the EPEL repository for the fedora-usermgmt-devel package even if it is not used at installation time; so again the package cannot be built on RHEL without the EPEL repository. - "%bcond_without fedora", as suggested by the pages, does not work with RHEL 4, as the directive is invalid. - Koji does not accept "--without" arguments even for scratch builds, so I cannot pass the argument as suggested by the page. - Even if building only for RHEL 5+ I cannot build the same package on Koji but need to upload a different package for RHEL.
I also tried setting statically a lot %if / %else and distro tags to get a static with/without_fedora inside the spec file but I didn't make any success with it.
After a day of frustration I looked at other packages spec files that define uid/gid <100, and I saw that many of them don't use fedora-usermgmt at all (i.e. NetworkManager-openconnect):
fedoraproject.org/wiki/PackageUserRegistry
Basically I will remove all of this stuff:
%if 0%{?fedora} > 0 %define with_fedora 1 %else %define without_fedora 1 %endif
(or the non-working "%bcond_without fedora")
%global uid 33 %global username bacula
BuildRequires: fedora-usermgmt-devel %{?FE_USERADD_REQ}
%pre common %__fe_groupadd %uid -r %username &>/dev/null || : %__fe_useradd %uid -r -s /sbin/nologin -d /var/spool/bacula -M \ -c 'Bacula Backup System' -g %username %username &>/dev/null || :
%postun common %__fe_userdel %username &>/dev/null || : %__fe_groupdel %username &>/dev/null || :
With:
Requires(pre): shadow-utils
%pre common %{_sbindir}/groupadd -g 33 -r bacula &>/dev/null || : %{_sbindir}/useradd -u 33 -r -s /sbin/nologin -d /var/spool/bacula -M \ -c 'Bacula Backup System' -g bacula bacula &>/dev/null || :
%postun common test "$1" != 0 || %{_sbindir}/userdel bacula &>/dev/null || : test "$1" != 0 || %{_sbindir}/groupdel bacula &>/dev/null || :
Can I simplify everything removing fedora-usermgmt as a requirement?
Thanks, --Simone
On Mon, 19 Dec 2011 18:15:40 +0100 Simone Caronni negativo17@gmail.com wrote:
Hello,
I'm currently committing on bacula and I've stepped into a few problems with fedora-usermgmt. I think the process is a bit convoluted. It is not even in the guidelines for packaging, so I'm guessing if I can be removed it from the package.
...snip...
Can I simplify everything removing fedora-usermgmt as a requirement?
I'd personally suggest that. It's not a guideline in any way, and I think it just causes issues and confusion. The things it purports to solve can be solved in much simpler ways.
kevin
On 12/19/2011 12:15 PM, Simone Caronni wrote:
I think the process is a bit convoluted. It is not even in the guidelines for packaging, so I'm guessing if I can be removed it from the package.
If you do replace it, you should use this approach instead:
https://fedoraproject.org/wiki/Packaging:UsersAndGroups
Do you really need a static UID?
And also, you definitely shouldn't be removing users or groups in scriptlets.
~tom
On Mon, Dec 19, 2011 at 06:15:40PM +0100, Simone Caronni wrote:
After a day of frustration I looked at other packages spec files that define uid/gid <100, and I saw that many of them don't use fedora-usermgmt at all (i.e. NetworkManager-openconnect):
Also, please do not use a uid/gid below 100.
If you do need a static uid defined in the spec file (but please read the link spot gave for other ways to achieve most of the same things) we'll need to talk about what numbers are not used and who you need to talk to to get it assigned.
-Toshio
Hello,
Bacula package already has a registered user group of 33 in:
http://fedoraproject.org/wiki/PackageUserRegistry
so I will keep on using that; no change. The spec file always contained that uid/gid in the build. What I will change is just the way it is created, and the link Tom sent is exactly the one I was looking at. I found fedora-usermgmt already in place in the spec file so I thought it was right to ask.
Thank you very much, --Simone
On 19 December 2011 20:07, Toshio Kuratomi a.badger@gmail.com wrote:
On Mon, Dec 19, 2011 at 06:15:40PM +0100, Simone Caronni wrote:
After a day of frustration I looked at other packages spec files that define uid/gid <100, and I saw that many of them don't use fedora-usermgmt at all (i.e. NetworkManager-openconnect):
Also, please do not use a uid/gid below 100.
If you do need a static uid defined in the spec file (but please read the link spot gave for other ways to achieve most of the same things) we'll need to talk about what numbers are not used and who you need to talk to to get it assigned.
-Toshio
On 12/20/2011 07:51 AM, Simone Caronni wrote:
Hello,
Bacula package already has a registered user group of 33 in:
http://fedoraproject.org/wiki/PackageUserRegistry
so I will keep on using that; no change. The spec file always contained that uid/gid in the build. What I will change is just the way it is created, and the link Tom sent is exactly the one I was looking at.
The link Tom sent provides a way to create and uid/gid for a given user/group name, not for a specific uid/gid (i.e. you'll end up with a "bacula" user and group but the uid/gid may be different on each system). However, bacula does not need the uid/gid to be the same on multiple systems so that doesn't matter.
I found fedora-usermgmt already in place in the spec file so I thought it was right to ask.
I never understood why bacula used that in the first place.
Paul.
On Tue, 20 Dec 2011 08:51:09 +0100, SC (Simone) wrote:
Hello,
Bacula package already has a registered user group of 33 in:
http://fedoraproject.org/wiki/PackageUserRegistry
so I will keep on using that; no change.
That would be wrong, because the numbers on that Wiki page are not UIDs but just base numbers which are mapped by fedora-usermgmt using a configurable "baseuid" value.
Hello,
can you please explain that a bit further? I don't think I understand, I see this reference at http://fedoraproject.org/wiki/PackageUserCreation:
"The first is to register a fixed UID and call "/usr/sbin/useradd -r -u <uid> <user>" or assign a random UID by omitting the "-u <uid>" parameter. For fixed UIDs, there are only 100 free slots, which is not enough for the Fedora Project (79 are already used by Fedora Core), and dynamic or random UIDs have problems of their own, as demonstrated here.
Another solution might be semi-static UIDs, which are relative to a system-wide value and unique for the entire Fedora Project. The current (experimental) implementation uses the file /etc/fedora/usermgmt/baseuid to configure the value to which the relative UID would be added. As an example, when /etc/fedora/usermgmt/baseuid contains "30000", the user 'joe', with the semi-static UID 23, will get the final UID 30023 (30000+23)."
The file /etc/fedora/usermgmt/baseuid contains 300, so I'm guessing the correct setup for Bacula would be to set 333 as the uid/gid. Is that correct?
The previous version used fedora-usermgmt (so uid 333) but did not remove the user and directory; that is pointless anyway because you don't remove the directory only if you have it dynamic.
Here is the spec file of the last Koji build; should I change it?
%global uid 33 %global username bacula
%package common Provides: group(%username) = %uid Provides: user(%username) = %uid Requires(pre): shadow-utils Requires(postun): shadow-utils
%pre common getent group %username >/dev/null || groupadd -g %uid -r %username &>/dev/null || : getent passwd %username >/dev/null || useradd -u %uid -r -s /sbin/nologin \ -d /var/spool/bacula -M -c 'Bacula Backup System' -g %username %username &>/dev/null || : exit 0
%postun common test "$1" != 0 || userdel %username &>/dev/null || : test "$1" != 0 || groupdel %username &>/dev/null || : exit 0
Many thanks, --Simone
On 20 December 2011 11:48, Michael Schwendt mschwendt@gmail.com wrote:
On Tue, 20 Dec 2011 08:51:09 +0100, SC (Simone) wrote:
Hello,
Bacula package already has a registered user group of 33 in:
http://fedoraproject.org/wiki/PackageUserRegistry
so I will keep on using that; no change.
That would be wrong, because the numbers on that Wiki page are not UIDs but just base numbers which are mapped by fedora-usermgmt using a configurable "baseuid" value. -- packaging mailing list packaging@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/packaging
On Tue, 20 Dec 2011 12:24:21 +0100, SC (Simone) wrote:
Hello,
can you please explain that a bit further? I don't think I understand, I see this reference at http://fedoraproject.org/wiki/PackageUserCreation:
You've quoted the relevant part. Here:
Another solution might be semi-static UIDs, which are relative to a system-wide value and unique for the entire Fedora Project. The current (experimental) implementation uses the file /etc/fedora/usermgmt/baseuid to configure the value to which the relative UID would be added. As an example, when /etc/fedora/usermgmt/baseuid contains "30000", the user 'joe', with the semi-static UID 23, will get the final UID 30023 (30000+23)."
So, if you drop using fedora-usermgmt, you cannot keep the relative (!) uid 33 that has been registered for it. 33 is "amandabackup":
$ rpm -qd setup /usr/share/doc/setup-2.8.36/COPYING /usr/share/doc/setup-2.8.36/uidgid <-- (!)
Package "setup"'s %changelog mentions a lot of activity related to reserving system uids/gids.
The file /etc/fedora/usermgmt/baseuid contains 300, so I'm guessing the correct setup for Bacula would be to set 333 as the uid/gid. Is that correct?
You would first need to have uid 333 registered/reserveed as a fixed uid.
The previous version used fedora-usermgmt (so uid 333) but did not remove the user and directory;
Well, then it isn't following the guidelines, which mention the userdel scriptlets. ;)
that is pointless anyway because you don't remove the directory only if you have it dynamic.
However, if the directory contains files created at run-time, the package should not "rm -rf" those files when uninstalling, so it could remove the empty dir.
On Tue, 2011-12-20 at 12:59 +0100, Michael Schwendt wrote:
On Tue, 20 Dec 2011 12:24:21 +0100, SC (Simone) wrote:
Hello,
can you please explain that a bit further? I don't think I understand, I see this reference at http://fedoraproject.org/wiki/PackageUserCreation:
You've quoted the relevant part. Here:
Another solution might be semi-static UIDs, which are relative to a system-wide value and unique for the entire Fedora Project. The current (experimental) implementation uses the file /etc/fedora/usermgmt/baseuid to configure the value to which the relative UID would be added. As an example, when /etc/fedora/usermgmt/baseuid contains "30000", the user 'joe', with the semi-static UID 23, will get the final UID 30023 (30000+23)."
Yep, and that's what the bacula is working with - Simone mentioned http://fedoraproject.org/wiki/PackageUserRegistry - which was created for this experimental implementation based on baseuid - and 33 is reserved there for bacula user/group . But this reservation is not for 33:33 uidgid pair, but for baseuid+33:baseuid+33 uidgid pair (and fedora-useradd or %fedora_useradd macro should be used for it instead of shadow-utils /usr/sbin/useradd )
So, if you drop using fedora-usermgmt, you cannot keep the relative (!) uid 33 that has been registered for it. 33 is "amandabackup":
$ rpm -qd setup /usr/share/doc/setup-2.8.36/COPYING /usr/share/doc/setup-2.8.36/uidgid <-- (!)
Package "setup"'s %changelog mentions a lot of activity related to reserving system uids/gids.
Yep, that's right, 33 is reserved for amandabackup user ... Please note that threshold of 200 is now used for statically allocated ID's (that's respected in useradd (shadow-utils) - shadow-utils changed its dynamic user creation, so now it goes downwards. This change was done in ~F11 and no issues with it were reported so far.
The file /etc/fedora/usermgmt/baseuid contains 300, so I'm guessing the correct setup for Bacula would be to set 333 as the uid/gid. Is that correct?
You would first need to have uid 333 registered/reserveed as a fixed uid.
I don't think that this is a good idea - you either should have static ID (network/virtual machines facing, storing sensitive data) or dynamic system user creation should be ok for you.
The previous version used fedora-usermgmt (so uid 333) but did not remove the user and directory;
Well, then it isn't following the guidelines, which mention the userdel scriptlets. ;)
that is pointless anyway because you don't remove the directory only if you have it dynamic.
However, if the directory contains files created at run-time, the package should not "rm -rf" those files when uninstalling, so it could remove the empty dir. --
Greetings, Ondrej Vasik
Many thanks for both explanations.
It seems the situation was even worse:
[slaanesh@3zpc0560 ~]$ cat /usr/share/doc/setup-2.8.36/uidgid | grep bacula bacula 133 133 /var/spool/bacula /sbin/nologin bacula
So the situation was as follows: - "fedora-usermgmt" created 333 (300+33) as fixed uid. - No deletion of userdir with fixed uid. - "setup" contains 133 as fixed uid. - EPEL dependency on all packages to have 333 as fixed uid.
So basically I'm just triggering a rebuild of the current package but changing the uid from 33 to 133 in the specfile.
No EPEL dependency, stati uid already allocated in "setup", etc.
Regards, --Simone
On 20 December 2011 13:23, Ondrej Vasik ovasik@redhat.com wrote:
On Tue, 2011-12-20 at 12:59 +0100, Michael Schwendt wrote:
On Tue, 20 Dec 2011 12:24:21 +0100, SC (Simone) wrote:
Hello,
can you please explain that a bit further? I don't think I understand, I see this reference at http://fedoraproject.org/wiki/PackageUserCreation:
You've quoted the relevant part. Here:
Another solution might be semi-static UIDs, which are relative to a system-wide value and unique for the entire Fedora Project. The current (experimental) implementation uses the file /etc/fedora/usermgmt/baseuid to configure the value to which the relative UID would be added. As an example, when /etc/fedora/usermgmt/baseuid contains "30000", the user 'joe', with the semi-static UID 23, will get the final UID 30023 (30000+23)."
Yep, and that's what the bacula is working with - Simone mentioned http://fedoraproject.org/wiki/PackageUserRegistry - which was created for this experimental implementation based on baseuid - and 33 is reserved there for bacula user/group . But this reservation is not for 33:33 uidgid pair, but for baseuid+33:baseuid+33 uidgid pair (and fedora-useradd or %fedora_useradd macro should be used for it instead of shadow-utils /usr/sbin/useradd )
So, if you drop using fedora-usermgmt, you cannot keep the relative (!) uid 33 that has been registered for it. 33 is "amandabackup":
$ rpm -qd setup /usr/share/doc/setup-2.8.36/COPYING /usr/share/doc/setup-2.8.36/uidgid <-- (!)
Package "setup"'s %changelog mentions a lot of activity related to reserving system uids/gids.
Yep, that's right, 33 is reserved for amandabackup user ... Please note that threshold of 200 is now used for statically allocated ID's (that's respected in useradd (shadow-utils) - shadow-utils changed its dynamic user creation, so now it goes downwards. This change was done in ~F11 and no issues with it were reported so far.
The file /etc/fedora/usermgmt/baseuid contains 300, so I'm guessing the correct setup for Bacula would be to set 333 as the uid/gid. Is that correct?
You would first need to have uid 333 registered/reserveed as a fixed uid.
I don't think that this is a good idea - you either should have static ID (network/virtual machines facing, storing sensitive data) or dynamic system user creation should be ok for you.
The previous version used fedora-usermgmt (so uid 333) but did not remove the user and directory;
Well, then it isn't following the guidelines, which mention the userdel scriptlets. ;)
that is pointless anyway because you don't remove the directory only if you have it dynamic.
However, if the directory contains files created at run-time, the package should not "rm -rf" those files when uninstalling, so it could remove the empty dir. --
Greetings, Ondrej Vasik
-- packaging mailing list packaging@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/packaging
On Tue, 20 Dec 2011 13:23:57 +0100, OV (Ondrej) wrote:
The file /etc/fedora/usermgmt/baseuid contains 300, so I'm guessing the correct setup for Bacula would be to set 333 as the uid/gid. Is that correct?
You would first need to have uid 333 registered/reserveed as a fixed uid.
I don't think that this is a good idea - you either should have static ID (network/virtual machines facing, storing sensitive data) or dynamic system user creation should be ok for you.
But it has been reserved already.
$ grep -i bacu /usr/share/doc/setup-2.8.36/uidgid bacula 133 133 /var/spool/bacula /sbin/nologin bacula
* Tue Jan 12 2010 Ondrej Vasik <ovasik redhat com> 2.8.14-1 - reserve uidgid pair 133:133 for bacula(#554705)
That ticket cannot be displayed, unfortunately, so I can't learn about the details why 133 has been chosen.
That's it, thanks, I already changed that in rawhide as per previous mail.
Regards, --Simone
On 20 December 2011 14:05, Michael Schwendt mschwendt@gmail.com wrote:
On Tue, 20 Dec 2011 13:23:57 +0100, OV (Ondrej) wrote:
The file /etc/fedora/usermgmt/baseuid contains 300, so I'm guessing the correct setup for Bacula would be to set 333 as the uid/gid. Is that correct?
You would first need to have uid 333 registered/reserveed as a fixed uid.
I don't think that this is a good idea - you either should have static ID (network/virtual machines facing, storing sensitive data) or dynamic system user creation should be ok for you.
But it has been reserved already.
$ grep -i bacu /usr/share/doc/setup-2.8.36/uidgid bacula 133 133 /var/spool/bacula /sbin/nologin bacula
- Tue Jan 12 2010 Ondrej Vasik <ovasik redhat com> 2.8.14-1
- reserve uidgid pair 133:133 for bacula(#554705)
That ticket cannot be displayed, unfortunately, so I can't learn about the details why 133 has been chosen. -- packaging mailing list packaging@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/packaging
packaging@lists.fedoraproject.org
-
Kevin Fenzi -
Michael Schwendt -
Ondřej Vašík -
Paul Howarth -
Simone Caronni -
Tom Callaway -
Toshio Kuratomi