On Fri, Aug 08, 2008 at 09:42:44PM +0100, Ceri Davies wrote:
> On Fri, Aug 08, 2008 at 03:34:06PM -0500, Nicolas Williams wrote:
> >
> > Any solution that gets us more reserved IDs would be welcome. If Ceri
> > is right then simply raising the current limit -- the easiest way out --
> > won't be pleasant.
>
> I didn't mean to imply that raising the limit shouldn't be done: I think
> that it should. That's what release notes are for :)

To set out my thoughts on this in full, the current behaviour of IPS (that of dynamically allocating UIDs when a port is installed) is undesirable; it doesn't solve the problem of exhaustion and makes administration of more than one machine very likely to be problematic. What's worse, it destroys predictability and will cause administrators headaches, possibly to the point where IPS' benefits will be outshone.

Therefore, it is reasonably clear that more UIDs are required. The current interoperability standard appears to be Linux within this project, which in Debian at least starts user accounts at 1000. FreeBSD also starts at 1000 for user accounts, while AIX seems to start somewhere around 200 and MacOSX at 500. Therefore, 1000 seems reasonably portable.

More importantly, whatever is chosen should provide plenty of room. As an example, the FreeBSD Ports collection has a static file that reserves UIDs under 1000 for its own use. That file [1] currently contains 145 reserved UIDs, while the ports collection currently contains 18920 software packages. Equally importantly, FreeBSD also reserves group IDs under 1000 for use by the Ports collection. 133 of these are currently used [2].

I believe that a good (and reasonable) approach to take from here would be:

a) Increase the system reserved space to 1000 for both group IDs and user IDs as soon as possible/for the next major release;
b) Declare user and group IDs under 100 as reserved for use by the {Open,}Solaris system;
c) User and group IDs from 100 to 899 are for use by public IPS repositories. Each entry should be registered "centrally" with an authority responsible for allocating IDs and these files should be well publicised in documentation [3];
d) User and group IDs from 900 to 999 are for use by local IPS repositories or people who do not wish to register for the UID/GID record;
e) IPS stops doing different things on every machine, allowing administrators to sleep again.

I don't want to sweat the details too much; the important thing to me is that I do not end up with a completely different password file depending on whether I installed openldap before postfix or vice versa (or worse, if IPS randomly allocates UIDs, even machines with the same package set could have different password files).

Ceri

[1] http://www.freebsd.org/cgi/cvsweb.cgi/ports/UIDs
[2] http://www.freebsd.org/cgi/cvsweb.cgi/ports/GIDs
[3] http://www.freebsd.org/doc/en/books/porters-handbook/dads-uid-and-gids.html

-- 
That must be wonderful! I don't understand it at all.
                                                  -- Moliere
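
An added example, not part of the original message and not IPS code: a small audit that compares passwd files from several hosts, classifies each UID against the ranges proposed in items b) to d), and reports the openldap/postfix install-order problem described above. The host names and passwd contents are constructed sample data, and the helper names are hypothetical.

```python
# Ranges taken from the proposal in the message (items b-d); 1000 and up are users.
RANGES = [(0, 99, "system"), (100, 899, "public-repo"), (900, 999, "local-repo")]

def classify(uid):
    """Map a UID to the proposed range label it falls in."""
    for lo, hi, label in RANGES:
        if lo <= uid <= hi:
            return label
    return "user"

def parse_passwd(text):
    """Return {account: uid} from passwd-format text, skipping bad lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < 3:
            continue
        if not fields[2].isdigit():
            continue  # malformed UID field: ignore rather than guess
        accounts[fields[0]] = int(fields[2])
    return accounts

def uid_drift(hosts):
    """{account: {host: uid}} for accounts whose UID differs between hosts."""
    seen = {}
    for host, text in hosts.items():
        for name, uid in parse_passwd(text).items():
            seen.setdefault(name, {})[host] = uid
    return {n: m for n, m in seen.items() if len(set(m.values())) > 1}

def uid_collisions(hosts):
    """{uid: [accounts]} where one UID names different accounts across hosts.
    On shared storage, files owned by that UID change owner per machine."""
    owners = {}
    for text in hosts.values():
        for name, uid in parse_passwd(text).items():
            owners.setdefault(uid, set()).add(name)
    return {u: sorted(n) for u, n in owners.items() if len(n) > 1}

# Constructed sample: dynamic allocation from 100, packages installed in a
# different order on each host.
HOSTS = {
    "host-a": "root:x:0:0::/root:/bin/sh\nopenldap:x:100:100::/:/bin/false\n"
              "postfix:x:101:101::/:/bin/false\n",
    "host-b": "root:x:0:0::/root:/bin/sh\npostfix:x:100:100::/:/bin/false\n"
              "openldap:x:101:101::/:/bin/false\n",
}

if __name__ == "__main__":
    for name, per_host in sorted(uid_drift(HOSTS).items()):
        print(name, per_host, [classify(u) for u in per_host.values()])
    print("collisions:", uid_collisions(HOSTS))
```
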