systemd: Use systemd-sysusers to create cockpit-wsinstance user #20365
Conversation
travier
changed the title
|
Ideally those files would be both named |
travier
force-pushed
the
main-sysusersconfig
branch
2 times, most recently
from
925f5a1
to
71eb67f
Compare
|
Note that this still uses "static" users with "dynamic at install time" allocation. So not the systemd DynamicUsers support. I don't have the full context so I don't understand why it's related to socket activation. |
|
I don't understand the packit build failures :/ |
There was a problem hiding this comment.
Thanks! Reviewed, and now I remember again why our initial approach got stuck, and why we didn't move forward with sysusers. Let's discuss this a bit.
@allisonkarlitskaya this probably interests you as well.
tools/cockpit.spec
Outdated
| @@ -52,6 +52,7 @@ URL: https://cockpit-project.org/ | |||
| Version: 0 | |||
| Release: 1%{?dist} | |||
| Source0: https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz | |||
| Source1: cockpit-sysusers.conf | |||
There was a problem hiding this comment.
Having to duplicate and keep this in sync with upstream is really ugly, let's avoid that. The whole point of moving to sysusers is to drop downstream packaging stuff IMHO, otherwise we could just leave it as-is.
tools/cockpit.spec
Outdated
| getent passwd cockpit-ws >/dev/null || useradd -r -g cockpit-ws -d /nonexisting -s /sbin/nologin -c "User for cockpit web service" cockpit-ws | ||
| getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance | ||
| getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance | ||
| %sysusers_create_compat %{SOURCE1} |
There was a problem hiding this comment.
I wonder, how would that even work with this approach? Even if the sysusers file is taken from dist-git instead of upstream, it wuold still be shipped by the rpm and thus isn't yet available in %pre?
I suppose this will do that evil thing where it translates a sysusers file into useradd commands? I just found this:
❱❱❱ rpm -q --scripts pipewire
preinstall scriptlet (using /bin/sh):
# generated from pipewire.sysusers
getent group 'pipewire' >/dev/null || groupadd -r 'pipewire' || :
getent passwd 'pipewire' >/dev/null || \
useradd -r -g 'pipewire' -d '/run/pipewire' -s '/usr/sbin/nologin' -c 'PipeWire System Daemon' 'pipewire' || :
This is all new to me, so sorry for rambling.. But this looks hackish. I suppose it allows rpms to ship files which are owned by a sysusers owner. The only file in cockpit-ws which needs that is
%attr(4750, root, cockpit-wsinstance) %{_libexecdir}/cockpit-session
I think all this was the reason why in our initial approach we wanted to first get rid of that suid root binary (see PR #16808), and then there wouldn't be any need for static sysusers any more.
There was a problem hiding this comment.
Unfortunately I don't think it's possible to drop this copy due to how macro expansions work and until we fully have Fedora switch to using systemd sysusers (it's only using the format right now, not the command).
See also https://src.fedoraproject.org/rpms/systemd/pull-request/121 that might simplify things a bit.
There was a problem hiding this comment.
TBH I consider this is a blocker. This makes the packaging structure more complicated and brittle. So for me, it's either "chmod cockpit-session in %post as we do in Debian/Arch" (see below), or block this on getting rid of the suid root binary.
I think we didn't do this in the past because we hoped to remove the users entirely. Since that didn't (can't) happen, we're stuck requiring these users to exist. I have nothing against moving to using systemd-sysusers for it (and even prefer it). |
travier
force-pushed
the
main-sysusersconfig
branch
4 times, most recently
from
da36695
to
bba85d0
Compare
|
@travier Thanks! I like the new commits, and as the main "use sysusers" thing needs more investigation, we can land them in a separate PR now. "Remove cockpit(-ws-instance) user/group config option" should come first, and then the renaming of src/systemd/cockpit-tempfiles.conf.in . However, not to -tmpfiles.conf please, as it ends up in /usr/lib/tmpfiles.d/ and there it should be named |
|
@travier Sorry, forgot: do you want to send a new PR for this, or shall I take this over? |
|
@travier I read https://rpm-software-management.github.io/rpm/manual/users_and_groups.html and rpm 4.19 makes this much easier -- in essence, just shipping a sysusers.d/ file should be enough (plus the Unfortunately RHEL 9 still has rpm 4.16, but for that I'd be ok with duplicating the sysusers.d line with |
I'll happily let you take over if you don't mind as it's autoconf changes that I'm not familiar with and just hack around.
Sound like a good idea.
Not sure I understand that. I would keep the existing |
travier
force-pushed
the
main-sysusersconfig
branch
from
bba85d0
to
c585677
Compare
|
Thanks! Still fails to build: I was going to take a look at this soon. Let's utilize rpm 4.19 where available, and add a hack for RHEL 9 only, as discussed above. Of course I'll appreciate if you want to work on this further 😄 |
|
I locally fixed the autoconfery and package/image build. I tried https://rpm-software-management.github.io/rpm/manual/users_and_groups.html, i.e. dropped all the but on install it does the wrong order, i.e. unpacks the files before creating the users: and after installation, /usr/libexec/cockpit-session has the wrong ownership (group root). So we require some extra hack for this. Why is this so complicated!? |
Up to you :). I have some spare time from time to time to push this but feel free to push any changes here directly if you get to it faster than me :). |
travier
force-pushed
the
main-sysusersconfig
branch
from
c585677
to
fbd826e
Compare
I'm definitely not knowledgeable regarding Debian packaging however so I'll let that to you. |
Yeah, that's the whole reason we have this duplication right now :/ |
martinpitt
force-pushed
the
main-sysusersconfig
branch
from
fbd826e
to
5de9a7a
Compare
|
I pushed what I have so far, as I'm EOD. This is the "clean" approach that ideally should work, but doesn't. rpm build works, but the tests will/should fail as cockpit-session has the wrong permissions. I captured the commit SHA of your original proposal in the description, so that we can always go back and compare. I'll continue this tomorrow. |
|
I filed rpm-software-management/rpm#3073 about this. Now pondering a workaround -- we could just leave the But I'll try to eliminate at least half of the problem -- we only need a persistent user for |
Not necessary any more since commit 644116a.
Since commit 644116a, the webserver certificates don't have to be owned by the cockpit-ws user/group any more. This allows us to use `DynamicUser` for cockpit.service, which eliminates the persistent `cockpit-ws` system user. Note that we can't yet eliminate `cockpit-wsinstance` as that's the owner of our `cockpit-session` suid root binary.
Let's clean up properly.
Even oldoldstable and the last two Ubuntu LTSes have never versions, this isn't necessary any more.
Add a sysusers config file for our remaining system user. Arch was already using sysusers, replace the packaging specific one with the upstream one. For Debian, run dh_installsysusers (compat level 14 will do that automatically in the future). RPM 4.19 has native support for sysusers in principle [1], but it's not currently enabled/working [2]. Fedora rather wants packages to do an overcomplicated process which keeps a downstream copy of the sysusers file in the packaging dist-git [3], which is error prone and ugly to automate. So keep the tried-and-tested current approach of creating the user directly in the spec's `%pre` script for the time being (which is necessary anyway for CentOS/RHEL 9). [1] https://rpm-software-management.github.io/rpm/manual/users_and_groups.html [2] rpm-software-management/rpm#3073 [3] https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
This upstreams the Arch approach, and provides a sensible setup with an upstream `make install`.
martinpitt
force-pushed
the
main-sysusersconfig
branch
from
5de9a7a
to
90b968f
Compare
martinpitt
changed the title
|
@travier I couldn't resist, and I have something that works now. This now builds on top of #20425. The second-to-last commit is the "conservative" approach which uses sysusers on Debian/Arch plus the original manual I tested this locally on Arch, Debian, and Fedora 40, both an upgrade and from a squeaky clean install, and it works nicely. What do you think? |
That's the option the libvirt maintainers took. Keep the We can drop the |
|
@travier Yeah, I'm not sure if the tmpfiles approach would violate some Fedora packaging standards. At this point this PR is all just draft/RFC. Thanks for your insights! |
|
I wanted to rebase this, but all of a sudden I'm not allowed to push into your branch any more: The ":heavy_check_mark: Maintainers are allowed to edit this pull request. " flag is still set, so this is some GitHub bug. So I cloned this as #20447 . @travier if you are, feel free to sync your branch with mine, otherwise we'll close this one and continue there. |
Use systemd-sysusers to create users & groups
Add a templated sysusers config file and use it in the RPM spec to
create users.
Replace the current Arch Linux specific config files.
Note that the (already resolved) cockpit-sysusers.conf file is needed
for the RPM specfile as a source as the macro can not be expanded using
the content from the source archive as it is not extracted during the
stage where RPM macro expansion happens. We thus need to keep a copy in
the dist-git repo.
See: https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
Todo:
DynamicUserfor cockpit.service #20425, rebase after landing@travier 's original proposal: travier@c585677 (doesn't build, dist-git hack)