New Fedora 22 Change proposal: systemd-sysusers

Lennart Poettering mzerqung at 0pointer.de
Wed Jul 9 16:48:42 UTC 2014


On Wed, 09.07.14 06:19, Colin Walters (walters at verbum.org) wrote:

> Hi, for Atomic I'd like to investigate the new systemd-sysusers, so I
> wrote up a Change:
> 
> https://fedoraproject.org/wiki/Changes/SystemdSysusers
> 
> Note: for Fedora 22.
> 
> The main motivation for me is it would allow Atomic to not be a Remix
> due to the not-in-Fedora shadow-utils patch[1]. Further, it would
> potentially allow us to migrate away from /usr/lib/passwd and
> nss-altfiles which would be really nice.  Though I'm still exploring
> that.
> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1098304

Ah, interesting. A week ago I filed this:

https://fedorahosted.org/fpc/ticket/442

In order to get the process started to get this through FPC first. In
that ticket I actually promised to bring this up on fedora-devel, but it
appears that you beat me to it.

The reason I haven't brought this up yet is because I wanted a
nice way for us to make use of this from RPM scriptlets, so that
packages can just stick to this declarative scheme, and be
done. However, that's actually not that trivial:

Some packages (notably polkit) rely on files owned by a system user that
is not root. This means we need to do the user registration in %pre how
it was always done. But if we do the user registration declaratively
from files we ship in the RPM, then we could only run that from %post,
which of course means that the files cannot be owned properly.

Fortunately it's only a handful of packages which appear to require that
though (but I didn't spend too much time to figure out the details). Our
current way of thinking is to simply introduce a second syntax for the
sysusers RPM macro: the few packages which need that would then be able
to embed the declaration of the user into %pre, while most users would
be created via %post. The few packages which need that would contain the
user definition at two places though: once in the file system in a
drop-in file shipped in the RPM, and a second time, inline, in the %pre
scriptlet. Not pretty... Not sure though what other options there are,
that would be better...

Anyway, I do like to see this feature implemented in Fedora. I think
it's really crucial to get this done.

Lennart

-- 
Lennart Poettering, Red Hat
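
The scheme described in the message keeps the user definition in two places (a drop-in file and an inline copy in %pre), so the two can drift apart across package updates. As an added example that is not part of the original message or of systemd, this Python check compares the two copies; the `exampled` user, the `examplegrp` group and all sample lines are constructed, and the column layout assumed is the one documented in sysusers.d(5).

```python
import shlex

# Column order of a sysusers.d line; "-" means "unset / use the default".
FIELDS = ("type", "name", "id", "gecos", "home", "shell")

def parse_sysusers(text):
    """Parse sysusers.d-style text into {(type, name): {field: value}}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)                     # honours the quoted GECOS field
        parts += ["-"] * (len(FIELDS) - len(parts))   # omitted trailing columns
        entry = dict(zip(FIELDS, parts))
        entries[(entry["type"], entry["name"])] = entry
    return entries

def drift(dropin_text, inline_text):
    """List differences between the shipped drop-in and the %pre inline copy."""
    dropin, inline = parse_sysusers(dropin_text), parse_sysusers(inline_text)
    problems = []
    for key in sorted(set(dropin) | set(inline)):
        a, b = dropin.get(key), inline.get(key)
        label = f"{key[0]} {key[1]}"
        if a is None:
            problems.append(f"{label}: only in %pre inline copy")
        elif b is None:
            problems.append(f"{label}: only in drop-in file")
        else:
            for field in FIELDS[2:]:
                if a[field] != b[field]:
                    problems.append(
                        f"{label}: {field} differs "
                        f"(drop-in {a[field]!r}, inline {b[field]!r})")
    return problems

# Constructed sample: drop-in as shipped in the package payload.
DROPIN = '''# hypothetical drop-in shipped by the package
u exampled - "Example daemon" /var/lib/exampled
g examplegrp -
'''
# Constructed sample: inline copy in %pre, with a pinned UID and no group line.
INLINE = 'u exampled 990 "Example daemon" /var/lib/exampled\n'

if __name__ == "__main__":
    for problem in drift(DROPIN, INLINE):
        print(problem)
```

A check like this fits in a package review or CI step, where a non-empty result means files created after %pre may be owned by an account that differs from the one the drop-in declares.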

