[Fedora-packaging] Static UIDs and GIDs

Ondrej Vasik ovasik at redhat.com
Fri Apr 12 07:24:09 UTC 2013


On Thu, 2013-04-11 at 11:57 -0700, Toshio Kuratomi wrote:
> The FPC has recently been looking at a draft revision of the UID and Group
> handling: https://fedorahosted.org/fpc/ticket/269
> 
> https://fedoraproject.org/wiki/User:Mitr/UsersAndGroups
> 
> This is an "interesting" draft on several fronts.
> 
> Historically:
> 
> * UID/GID allocation was one of the first major controversial
>   guidelines that the FPC decided upon.
> * The Guidelines specify that only dynamic UID and GID allocation is
>   supposed to be used and the Guidelines give instructions for how sysadmins
>   can adapt that to being static on a site-by-site basis by pre-allocating
>   the uids.  Despite this, some packages have added their own static uids
>   and gids.  This has led to bugs.
> 
> What things have changed since then?
> 
> * New FPC members who might be able to either come up with something
>   different or would vote differently on this
> * The 1000SystemAccounts[1]_ Feature of F16 has expanded the range of static
>   system accounts.  However, the range is still minuscule -- we only have
>   from 0 to 200 and according to /usr/share/doc/setup-2.8.67/uidgid
>   approximately 160 of those have already been allocated

Just small corrections here - only 118 uids and 144 gids are reserved so
far. You probably did just `cat uidgid | wc -l` - which is not telling
you the real numbers.

Anyway - you are right, we have more than 40% of new space already used
in less than 4 years (actually this increase was not part of the
1000SystemAccounts feature, but came earlier, as 100 static ids stopped
being enough in summer 2009). The trend of static id requests is
increasing, especially because of openstack (cloud), so current
allocation space is enough for 2-3 years. We may go the cheap way and
increase the static threshold to 300 if necessary - if done properly, it
should not harm anyone, as the dynamically allocated system ids are
going downwards from the upper limit (some warning for 1-2 releases, if
someone uses the ids in the 200-300 area, and then doing the change).

Still - even the increase of the static ids range and the increase of
the system account range is not in line with the LSB specification, which is
pretty strict there (0-100 and 0-500).

Greetings,
         Ondrej


