static uids/gids and (not) using fedora-usermgmt (was: uids for daemons on a spin)

Axel Thimm Axel.Thimm at ATrpms.net
Wed Aug 6 17:23:10 UTC 2008


Hi Martin,

On Tue, Aug 05, 2008 at 05:30:03PM +1200, Martin Langhoff wrote:
> On Mon, Aug 4, 2008 at 10:49 PM, Enrico Scholz
> <enrico.scholz at informatik.tu-chemnitz.de> wrote:
> > Without reading whole thread and participating in yet another flame war
> 
> Apologies, didn't mean to taunt people into another flamefest --
> thanks for your kind reply. I will use a high uid range as the base if
> I do use this.
> 
> However, it seems that my situation is one where I end up with an
> ordering if I try to use your package. Brief description follows
> 
> My project - OLPC's School Server - is a Fedora spin that adds a few
> packages with custom daemons, provides a "xs-config" package that
> makes a mess of /etc (ahem!, applies a custom configuration), and has
> a metapackage to pull it all together.
> 
> Having stable, predictable uids/gids is *extremely* valuable as we
> want maximum consistency between systems -- the target ratio is of a
> small sysadmin team (5 to 12) managing thousands of servers. We could
> hardcode the uid/gids, but we want to work with Fedora to make our
> packages mainstream as much as possible. So we tend to package things
> "vanilla" and do our wonky configuration in a separate package.
> 
> So I would need to have an "config" package that
>  - depends on fedora-usermgmt fedora-usermgmt-shadowutils
>  - is guaranteed to install _before_ any other package that depends on
> fedora-usermgmt
> 
> the "main" xs-config package gets installed late because it overwrites
> configurations, and so it depends on everything.
> 
> Is there a way to force this early-dependency? In case you are
> wondering, this gets installed via anaconda unattended and/or via yum
> update. I'm wary of anaconda hacks that a yum install / yum update
> won't obey.
> 
> It's a bit of circular logic. Can I package my own
> "fedora-usermgmt-yesjustdoit" version of the -shadowutils with
> metadata that makes it win over the "-dontreallydoanything" package?

I would strongly recommend against it. IIRC correctly the tool was
even banned from EPEL and if the FPC weren't that tired about the
flamewars it might have even gotten as far as being banned
altogether. But the result was that the FPC did some serious thinking
on how to manage users/groups and came up with a solution that doesn't
involve fedora-usermgmt. The wiki is currently off-line otherwise I'd
add a pointer to the resp. pages.

I think the right way to do this is to see the different needs between
the general Fedora space and OLPC: Fedora wants to reserve as few as
possible *static* uids/gids (e.g. officially stamped onto every Fedora
system) because this resource is rather sparse.

But if in OLPC there are some applications/situations that need a
static uid, then OLPC should simply reserve them as a downstream and
ask Fedora (the FPC or Bill) on a static uid mapping.

I would check whether the requirements for static uids are indeed
needed, but let's do that in a separate thread or PM.
-- 
Axel.Thimm at ATrpms.net