Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ws: please provide sysusers.d entries for system users/groups #15027

Open
lucab opened this issue Dec 9, 2020 · 2 comments
Open

ws: please provide sysusers.d entries for system users/groups #15027

lucab opened this issue Dec 9, 2020 · 2 comments
Assignees
@martinpitt
Labels
enhancement webserver

Comments

@lucab
Copy link

lucab commented Dec 9, 2020

It looks like most socket and service units for cockpit-ws support running under custom system users/groups (e.g. @user@ / @wsinstanceuser@, and related groups) from autoconf.

It would be nice to provide separate sysusers.d files with relevant entries for each of those, so that downstream distributions could automatically pick up the system user/group creation in a uniform way (see https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format for an example from Fedora).
@lucab lucab changed the title ws: please provide sysuser.d entries for system users/groups ws: please provide sysusers.d entries for system users/groups Dec 9, 2020
@martinpitt martinpitt self-assigned this Jan 3, 2023
@martinpitt
Copy link
Member

I will work on that now, we've postponed this too often. We originally considered moving to DynamicUser= in #16811, but that does not work for cockpit-ws at least as sockets don't support DynamicUser= (see systemd/systemd#23067). But we've done this for Arch, Fedora mandates it now, and Debian has supported it as well -- it's at least better than direct useradd calls.

@martinpitt martinpitt mentioned this issue Jan 3, 2023
Closed
1 task
@martinpitt
Copy link
Member

Done in PR #18112

martinpitt added a commit to martinpitt/cockpit that referenced this issue Jan 4, 2023
@martinpitt
systemd: Use sysusers.d to create ws users
b61f854 
Move to using systemd's sysusers declarative files [1] for creating our
system users/groups. Arch already does that, Fedora moved to it since
Fedora 32 [2], and Debian supports it as well [3].

In debian/cockpit-ws.postinst, move the `#DEBHELPER#` block above the
statoverride, as the former now generates the user, and the latter needs
it.

Unfortunately Fedora/rpm's `%attr` does not really work with sysusers
files shipped upstream yet. The conf files are not installed yet during
`%pre`, but creating the users in `%post` is too late for the file
unpack phase, so cockpit-session would get the wrong permissions. Thus
duplicate the two sysusers config lines verbatim in `%pre`, which is at
least marginally better than calling `useradd` etc. programmatically.

Extend TestConnection.testWsPackage to remove the system users, reboot,
and validate that cockpit still works. This ensures correct sysusers.d
packaging across all distributions, as our normal CI images already have
the system users.

Fixes cockpit-project#15027

[1] https://www.freedesktop.org/software/systemd/man/sysusers.d.html
[2] https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format
[3] https://manpages.debian.org/dh_installsysusers
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@martinpitt martinpitt

Labels
enhancement webserver
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

systemd: Use sysusers.d to create ws users martinpitt/cockpit
3 participants
@lucab @martinpitt @KKoukiou