You can also register uids with Debian. Quoting from the Policy
Manual[1]:
The UID and GID numbers are divided into classes as follows:
0-99:
Globally allocated by the Debian project, the same on every
Debian system. These ids will appear in the passwd and group
files of all Debian systems, new ids in this range being added
automatically as the base-passwd package is updated.
Packages which need a single statically allocated uid or gid
should use one of these; their maintainers should ask the
base-passwd maintainer for ids.
[1]https://www.debian.org/doc/debian-policy/ch-opersys.html
Best,
Paulo
On Sat, 2014-12-06 at 19:54 +0000, Steven C Timm wrote:
> Sage, at least in the Redhat world there are ways to get a pre-assigned
> uid/gid for a service that is
> part of a system service. There's a registered list of services that get
> fixed uid/gid, you can google for it.
> Any service can add an adduser command with a fixed uid/gid but best to
> cooperate with the various distros.
> Sometimes sysadmins will want to use a configuration management package such
> as puppet to
> create the users, that is another way to do it, because then the init scripts
> can detect the ceph user
> is already there.
>
> Steve Timm
>
> ________________________________________
> From: ceph-users [ceph-users-boun...@lists.ceph.com] on behalf of Sage Weil
> [sw...@redhat.com]
> Sent: Saturday, December 06, 2014 12:43 PM
> To: ceph-de...@vger.kernel.org; ceph-us...@ceph.com
> Subject: [ceph-users] running as non-root
>
> While we are on the subject of init systems and packaging, I would *love*
> to fix things up for hammer to
>
> - create a ceph user and group
> - add various users to ceph group (like qemu or kvm user and
> apache/www-data?)
> - fix permissions on /var/log/ceph and /var/run/ceph (770?) so that qemu
> and rgw can write logs and asok files there
> - make daemons run as ceph user instead of root
>
> The main hangup is with that last one. As I understand it, when packages
> create users, they get a semi-random UID assigned. That means that all
> the data on a ceph-osd disk would have a semi-random UID. If it were
> hot-swapped into another host, the uid would be wrong. Is there a way
> use a fixed uid?
>
> Also on the roadmap is defining proper selinux policies so that these
> dameons are confined into the appropriate directories etc., but I imagine
> running as non-root is a big help (or even prerequisite?) to making that
> happen?
>
> Suggestions or comments? Or volunteers? We haven't had time to look at
> this yet but I think it's important!
>
> sage
>
> _______________________________________________
> ceph-users mailing list
> ceph-users@lists.ceph.com
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
> _______________________________________________
> ceph-users mailing list
> ceph-users@lists.ceph.com
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
