Hi,
On Tue, Jun 04, Dusty Mabe wrote:
> On 6/3/19 8:27 AM, Neal Gompa wrote:
> > Also, in general, it seems we really don't have a good way to handle
> > users and groups. I know that there was a proposal from Stephen and
> > Harald[3] that was intended to try to improve this for adding and
> > removing them, but it doesn't really address the problem of giving
> > people a way to have coherent files to look at the whole state.
> >
> > My thought here was that we could have an SSSD plugin that combines
> > the partial passwd(5), shadow(5), and group(5) files in
> > /usr/share/sysconfig and /etc and spits out "full" transient ones in
> > /run that people can look at. This makes it easier to support
> > stateless systems that are also a mix of local and remote users
> > managed through systems like IdM.
>
> I know Jonathan and Colin have mentioned something called systemd-sysusers
> a lot when problems around users/groups have come up in Atomic Host/Silverblue/CoreOS.
> Maybe that is the answer. Someone more familiar would have to comment. See:
> https://github.com/projectatomic/rpm-ostree/issues/49

We did evaluate systemd-sysusers already 3 years ago as a solution, but
there is one big problem: if files in the RPM are owned by the user,
you need to create the user before you are able to install the RPM.
But systemd-sysusers only runs at the next boot. So we would need a
service, which is running afterwards, to "fix" the ownership of these
files. In some cases, this can lead to a deadlock.

So currently we are using systemd-sysusers config files for new users,
but have a macro, which creates these accounts based on the sysusers
file with the help of useradd/groupadd (systemd has far too many dependencies
and is thus installed too late during an initial install).

> > I know that this is a bit of an FHS-ish discussion, but I'd like to
> > see us get firmer agreements on what we'd like to do between RH/Fedora
> > CoreOS and openSUSE MicroOS before we go and propose something to be
> > included in the FHS.
> >
> > We already have the pending /usr/lib/sysimage thing, and I'd like to
> > get a location in place for configuration data too.
> >
> > Anyway, I'd appreciate it if you took a look into it yourself and let
> > us know what you think!
>
> I'd be interested in other FCOS community member thoughts here. I'd also
> be interested to know what you think are good next steps for this initiative?

From discussions with the openSUSE community: find a location below /usr
for the configuration files. That's the most blocking issue and would
immediately allow moving the first configuration files.

There should be one location everybody is using, so /usr/share is already
bad, as this means shareable between different hosts, which is not true
for all configuration data. /usr/lib is already overcrowded and has too many
things (but would be acceptable for me, if we decide on one subdirectory,
where we move everything). /usr/etc is still the directory used most often
today, not only on Linux systems. But quite some people don't like it.
So we need something new, where, of all the proposals, I like /usr/sysconfig
best.

Otherwise, it currently looks as if openSUSE will do it if other
distributions join.

Thorsten
--
Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS
SUSE Linux GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendoerffer, Mary Higgins, Sri Rasiah, HRB 21284 (AG Nuernberg)
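
The approach described in the message above, creating accounts at package-install time from a sysusers file with useradd/groupadd so that file ownership can be set before the next boot, shown as an added example that is not part of the original email and is not openSUSE's macro. The sample entries and function names are constructed; only `u`, `g` and `m` lines are translated, and the home and shell defaults are assumed to follow sysusers.d(5).

```python
import shlex

# Constructed sample in sysusers.d(5) syntax: Type Name ID GECOS Home Shell
SAMPLE = '''\
# constructed example, not from any real package
g exampled-data 450
u exampled 451 "Example Daemon" /var/lib/exampled
u helper - "Helper account"
m exampled exampled-data
'''

def _opt(flag, value):
    """Return [flag, value] unless the column is '-' (meaning 'not set')."""
    return [] if value == "-" else [flag, value]

def sysusers_to_commands(text):
    """Translate u/g/m lines into groupadd/useradd/usermod argv lists."""
    cmds = []
    for raw in text.splitlines():
        # shlex handles the quoted GECOS column and '#' comments
        fields = shlex.split(raw, comments=True)
        if len(fields) < 2:
            continue
        kind, name = fields[0], fields[1]
        ident, gecos, home, shell = (fields[2:] + ["-"] * 4)[:4]
        if kind == "g":
            cmds.append(["groupadd", "-r", *_opt("-g", ident), name])
        elif kind == "u":
            uid, _, gid = ident.partition(":")
            if uid != "-" and not uid.isdigit():
                raise ValueError(f"unsupported ID field for {name}: {ident}")
            if not gid:
                # no explicit group given: create a same-named group first
                cmds.append(["groupadd", "-r", *_opt("-g", uid), name])
                gid = name
            cmds.append(["useradd", "-r", "-g", gid, *_opt("-u", uid),
                         *_opt("-c", gecos),
                         "-d", home if home != "-" else "/",  # assumed default
                         "-s", shell if shell != "-" else "/usr/sbin/nologin",
                         name])
        elif kind == "m":
            cmds.append(["usermod", "-a", "-G", ident, name])
        # other line types (for example "r" ranges) are ignored here
    return cmds

def render(cmds):
    """Shell-quoted text form, e.g. for review before use in a scriptlet."""
    return "\n".join(shlex.join(c) for c in cmds)

if __name__ == "__main__":
    print(render(sysusers_to_commands(SAMPLE)))
```

Declaring fixed IDs in the sysusers file keeps file ownership consistent across hosts, since the accounts exist with the same UID/GID before the package payload is unpacked.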