From Fedora Project Wiki
< Changes
(announcing the change) |
(adding tracker bug) |
||
| (9 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
= RPM Support For Systemd Sysusers.d = | = RPM Support For Systemd Sysusers.d = | ||
== Summary == | == Summary == | ||
| Line 17: | Line 15: | ||
== Current status == | == Current status == | ||
[[Category: | [[Category: ChangeAcceptedF42]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | ||
| Line 37: | Line 35: | ||
* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/RYQRILDUQ4KTTVOQPFADFMLXYQ4GDORC/ Announced] | * [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/RYQRILDUQ4KTTVOQPFADFMLXYQ4GDORC/ Announced] | ||
* [https://discussion.fedoraproject.org/t/f42-change-proposal-rpm-support-for-systemd-sysusers-d-system-wide/140621 Discussion thread] | * [https://discussion.fedoraproject.org/t/f42-change-proposal-rpm-support-for-systemd-sysusers-d-system-wide/140621 Discussion thread] | ||
* FESCo issue: | * FESCo issue: [https://pagure.io/fesco/issue/3318 #3318] | ||
* Tracker bug: | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2337007 #2337007] | ||
* Release notes tracker: <will be assigned by the Wrangler> | * Release notes tracker: <will be assigned by the Wrangler> | ||
| Line 44: | Line 42: | ||
This proposal consists of two parts. The first is to make sure that rpm functionality is fully enabled in Fedora. The second is to update packaging guidelines and raise awareness about the new simpler user creation method for rpm packages. The goal is a fully declarative system user and group management in all RPMs. Over time we should be able to drop all manual `useradd`/`groupadd` invocations or use of `%sysusers_create_compat` macro in rpm scriptlets. | This proposal consists of two parts. The first is to make sure that rpm functionality is fully enabled in Fedora. The second is to update packaging guidelines and raise awareness about the new simpler user creation method for rpm packages. The goal is a fully declarative system user and group management in all RPMs. Over time we should be able to drop all manual `useradd`/`groupadd` invocations or use of `%sysusers_create_compat` macro in rpm scriptlets. | ||
Support for sysusers was added in rpm 4.19.0. Support for group membership (`m` lines) was added in rpm 4.20.0. Support for locked-down users (`u!` lines) was added for rpm | Support for sysusers was added in rpm 4.19.0. Support for group membership (`m` lines) was added in rpm 4.20.0. Support for locked-down users (`u!` lines) was added for next rpm version (release number TBD). The rpm package has patches to disable user/group creation ([https://src.fedoraproject.org/rpms/rpm/blob/rawhide/f/rpm-4.18.92-disable-sysusers.patch rpm-4.18.92-disable-sysusers.patch]) and make user/group dependencies weak ([https://src.fedoraproject.org/rpms/rpm/blob/rawhide/f/rpm-4.19.91-weak-user-group.patch rpm-4.19.91-weak-user-group.patch]). | ||
Some useful introspection commands: | |||
* sysusers metadata on installed packages:<BR>`rpm -q --qf "[%{SYSUSERS}\n]" -a` | |||
* sysusers config known to systemd:<BR>`systemd-sysusers --cat-config`<BR>or<BR>`systemd-sysusers --tldr` | |||
* all sysusers definitions on packages in repos:<BR>`dnf repoquery --provides | rg '^(user|group)\('` | |||
== Feedback == | == Feedback == | ||
| Line 84: | Line 87: | ||
* Create equivalent [https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html| sysusers.d] configuration file and ship it as part of rpm payload under /usr/lib/sysusers.d/. | * Create equivalent [https://www.freedesktop.org/software/systemd/man/latest/sysusers.d.html| sysusers.d] configuration file and ship it as part of rpm payload under /usr/lib/sysusers.d/. | ||
* Rebuild the package | * Rebuild the package | ||
* Verify that package has been built correctly and it has rpm provides for installed user account and group (e.g. `user(foo) = ABUNCHOFHEXHERE`, `group(bar) = ADIFFERNTBUNCHOFHEXHERE`). Use `rpm - | * Verify that package has been built correctly and it has rpm provides for installed user account and group (e.g. `user(foo) = ABUNCHOFHEXHERE`, `group(bar) = ADIFFERNTBUNCHOFHEXHERE`). Use `rpm -q --qf "[%{SYSUSERS}\n]" $package` and check that the output looks reasonable. | ||
* Verify that you can install the package and installed files have correct ownership. | * Verify that you can install the package and installed files have correct ownership. | ||
* Verify that audit events were logged for user and group creation:<BR>`ausearch --start recent -i -m 'ADD_USER,USER_MGMT,USER_CHAUTHTOK,ROLE_ASSIGN,ROLE_REMOVE,DEL_USER,ADD_GROUP,GRP_MGMT,GRP_CHAUTHTOK,DEL_GROUP'` | |||
== User Experience == | == User Experience == | ||
| Line 104: | Line 108: | ||
== Release Notes == | == Release Notes == | ||
The built-in rpm mechanism to create system users from sysusers.d metadata distributed by packages is now used to create system users, replacing the previous use of custom rpm scriptlets in individual packages. | |||
Latest revision as of 18:41, 10 January 2025
RPM Support For Systemd Sysusers.d
Summary
RPM supports creating users and groups according to configuration provided in sysusers.d snippets shipped in package payload.
The goal of the proposal is to fully integrate this RPM functionality in Fedora.
Owner
- Name: Michal Sekletar, Zbigniew Jędrzejewski-Szmek, Panu Matilainen
- Email: msekleta@redhat.com, zbyszek@in.waw.pl, pmatilai@redhat.com
Current status
- Targeted release: Fedora Linux 42
- Last updated: 2025-01-10
- Announced
- Discussion thread
- FESCo issue: #3318
- Tracker bug: #2337007
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
This proposal consists of two parts. The first is to make sure that rpm functionality is fully enabled in Fedora. The second is to update packaging guidelines and raise awareness about the new simpler user creation method for rpm packages. The goal is a fully declarative system user and group management in all RPMs. Over time we should be able to drop all manual useradd/groupadd invocations or use of %sysusers_create_compat macro in rpm scriptlets.
Support for sysusers was added in rpm 4.19.0. Support for group membership (m lines) was added in rpm 4.20.0. Support for locked-down users (u! lines) was added for next rpm version (release number TBD). The rpm package has patches to disable user/group creation (rpm-4.18.92-disable-sysusers.patch) and make user/group dependencies weak (rpm-4.19.91-weak-user-group.patch).
Some useful introspection commands:
- sysusers metadata on installed packages:
rpm -q --qf "[%{SYSUSERS}\n]" -a - sysusers config known to systemd:
systemd-sysusers --cat-config
orsystemd-sysusers --tldr - all sysusers definitions on packages in repos:
dnf repoquery --provides | rg '^(user|group)\('
Feedback
Discussion about idea to submit the proposal on fedora-devel list.
Benefit to Fedora
- Declarative system user and group management by packages
- Potential for spec file simplification, concretely, removal of relevant part of %pre scripts in some packages.
- Ability to query what user and groups are provided by given package as well as ability to have dependencies on users/groups from different packages.
- Make use of native rpm functionality in favor of current %sysusers_compat_create.
Scope
- Proposal owners:
- Change rpm so that it generates hard dependency between packages A and B in case B depends on user or group provided by package A. Rpm currently has downstream patch so that only weak dependencies are generated.
- Make sure that previous change in rpm doesn't cause package dependency loops during system installation.
- Work on fix for shadow-utils so that useradd and groupadd work correctly in chroot on SELinux enabled systems (shadow-utils issue.)
- Other developers:
- We would welcome any help with shadow-utils issue.
- Release engineering: N/A (not needed for this Change)
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy:
Upgrade/compatibility impact
There is no upgrade/compatibility impact.
How To Test
- Select rpm package that creates system user/group account in %pre
- Remove part of %pre scriptlet that handles user/group creation
- Create equivalent sysusers.d configuration file and ship it as part of rpm payload under /usr/lib/sysusers.d/.
- Rebuild the package
- Verify that package has been built correctly and it has rpm provides for installed user account and group (e.g.
user(foo) = ABUNCHOFHEXHERE,group(bar) = ADIFFERNTBUNCHOFHEXHERE). Userpm -q --qf "[%{SYSUSERS}\n]" $packageand check that the output looks reasonable. - Verify that you can install the package and installed files have correct ownership.
- Verify that audit events were logged for user and group creation:
ausearch --start recent -i -m 'ADD_USER,USER_MGMT,USER_CHAUTHTOK,ROLE_ASSIGN,ROLE_REMOVE,DEL_USER,ADD_GROUP,GRP_MGMT,GRP_CHAUTHTOK,DEL_GROUP'
User Experience
There shouldn't be any user observable change to previous state. Potential packaging related benefits are mostly of interest to package maintainers.
Dependencies
None
Contingency Plan
- Contingency mechanism: If we are not confident by mass-rebuild that we can deliver the feature we will postpone its delivery to later Fedora release. There are no explicit rollback/cleanup actions that need to taken.
- Contingency deadline: Mass Rebuild of RPMs on Wed 2025-01-15.
- Blocks release? No
Documentation
Release Notes
The built-in rpm mechanism to create system users from sysusers.d metadata distributed by packages is now used to create system users, replacing the previous use of custom rpm scriptlets in individual packages.