Bug#888126: [patch] Please enable systemd-sysusers unit
Hello all,

Michael Vogt [2018-02-01 7:39 +0100]:
> just a small update on this. systemd git master has the needed support
> to reproduce the base-passwd passwd and group files now.

Many thanks for driving this! Now that 238 is released and has all the necessary support, I've done another attempt at this:

https://salsa.debian.org/systemd-team/systemd/merge_requests/4

This generates the files from base-file's {passwd,group}.master. I tested this on a Debian sid container in LXC - pretty cool to see the container boot with a completely absent /etc! I diffed the original and sysusers-generated passwd/group/shadow files and they are sufficiently similar.

> > https://github.com/systemd/systemd/blob/master/test/TEST-21-SYSUSERS/test-5.input

Nice that there is an upstream test for this now!

> The only remaining problem is that it generates /sbin/nologin which we
> do not have (we use /usr/sbin/nologin).

As sysusers.d now supports specifying a shell, the above just uses the value from the *.master file, so this isn't a problem.

Martin

___
Pkg-systemd-maintainers mailing list
Pkg-systemd-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
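The conversion described in the message above, sketched as an added example (this is not the code from the merge request). The helper names are hypothetical, the sample entries are constructed from lines quoted in this thread, and the output uses the `uid:gid` and shell fields that sysusers.d accepts from systemd 238 on.

```python
# Added example: turn passwd(5)/group(5) "master" lines into sysusers.d lines.
# Sample data is constructed from entries quoted in this thread; the shells
# for man and nobody are assumed values.
SAMPLE_PASSWD = """\
root:*:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
SAMPLE_GROUP = "root:*:0:\ndaemon:*:1:\nman:*:12:\nnogroup:*:65534:\n"


def parse(text, nfields):
    """Split colon-separated entries, rejecting lines with a wrong field count."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"malformed entry: {line!r}")
        rows.append(fields)
    return rows


def to_sysusers(passwd_text, group_text):
    """Return sysusers.d lines (hypothetical helper, systemd >= 238 syntax)."""
    groups = {name: int(gid) for name, _pw, gid, _members in parse(group_text, 4)}
    users, implicit = [], set()
    for name, _pw, uid, gid, gecos, home, shell in parse(passwd_text, 7):
        uid, gid = int(uid), int(gid)
        if gid not in groups.values():
            # "uid:gid" only works if the group is declared or already exists.
            raise ValueError(f"{name}: primary gid {gid} has no group entry")
        if groups.get(name) == gid == uid:
            ident = str(uid)          # "u" also creates the same-named group
            implicit.add(name)
        else:
            ident = f"{uid}:{gid}"    # pin both IDs, e.g. sync, man, nobody
        gecos_field = f'"{gecos}"' if gecos else "-"
        users.append(f"u {name} {ident} {gecos_field} {home} {shell}")
    explicit = [f"g {n} {g}" for n, g in groups.items() if n not in implicit]
    return explicit + users


if __name__ == "__main__":
    print("\n".join(to_sysusers(SAMPLE_PASSWD, SAMPLE_GROUP)))
```

Accounts whose primary group differs from their own name or UID (sync, man, nobody) get explicit `uid:gid` pairs, and a primary GID with no group entry is rejected instead of being left for sysusers to allocate.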
Bug#888126: [patch] Please enable systemd-sysusers unit
On Mon, Jan 29, 2018 at 09:28:36AM +0100, Michael Vogt wrote:
> On Sat, Jan 27, 2018 at 10:20:46PM +0100, Martin Pitt wrote:
[..]
> Fixing this in the code is pretty trivial, we just need an OK from
> upstream how to do it (either by ensuring the uid:gid syntax never
> changes the uid/gid or via a new prefix/postfix like "!" to force
> creation).
[..]

Fwiw, I sent https://github.com/systemd/systemd/pull/8037 which will allow the reuse of IDs and added a test-case that replicates the base-passwd master.{passwd,group} (modulo the /usr/sbin/nologin vs /sbin/nologin issue and "sync" having a different login shell).

Cheers,
Michael
Bug#888126: [patch] Please enable systemd-sysusers unit
On Sat, Jan 27, 2018 at 10:20:46PM +0100, Martin Pitt wrote:
[..]
> Michael Vogt [2018-01-23 16:15 +0100]:
> > sync:*:4:65534:sync:/bin:/bin/sync
> >
> > which cannot be represented because you cannot specify a different
> > primary gid in the sysusers file (or a login shell). So extra work is
> > required for this but (personally) I would love to this is.
>
> Since you freshly looked at this, was this the only problem? I figure the sync
> group is mostly unused anyway, and completely irrelevant for containers - but
> does this also affect static groups which are actually important? I. e. which
> static groups cannot be replicated with sysusers?

I think man is the important one, it has uid=6 gid=12. Also nobody and nogroup share the same id but different names.

> IMHO if we enable this, we should also provide a reasonably correct static
> sysusers so that the program actually works as intended. It doesn't need to
> (and can't right now) be perfect, but at least not completely break your
> system.

Totally agree. To do that I pushed a PR to systemd (https://github.com/systemd/systemd/pull/7973) to allow a new uid:gid syntax. Fwiw, I'm impressed once more by the quality and speed of the upstream code reviews.

With and the attached sysusers.d conf file we are closer but there is the issue that some users/groups share the same ID, e.g. nouser and nogroup. systemd-sysusers does not like that, it will pick a new ID in this case. Fixing this in the code is pretty trivial, we just need an OK from upstream how to do it (either by ensuring the uid:gid syntax never changes the uid/gid or via a new prefix/postfix like "!" to force creation).

Then there is also a small issue incompatibility with the shell:

```
$ head -n2 passwd
root:x:0:0::/root:/bin/sh
daemon:x:1:1::/usr/sbin:/sbin/nologin
$ head -n2 /usr/share/base-passwd/passwd.master
root:*:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
```

For root it is "nologin" and the path of /sbin/nologin between Debian and Fedora differs. That's another open issue.

That seems to be the blockers for making this available generally. What do you think?

Cheers,
Michael

```
#Type Name      ID           GECOS  Home directory
u     root      0            -      /root
u     daemon    1            -      /usr/sbin
u     bin       2            -      /bin
u     sys       3            -      /dev
g     adm       4            -
g     tty       5            -
g     disk      6            -
g     man       12           -
u     sync      4:65534      -      /bin
u     games     5:60         -      /usr/games
u     man       6:12         -      /var/cache/man
u     lp        7            -      /var/spool/lpd
u     mail      8            -      /var/mail
u     news      9            -      /var/spool/news
u     uucp      10           -      /var/spool/uucp
u     proxy     13           -      /bin
g     kmem      15           -
g     dialout   20           -
g     fax       21           -
g     voice     22           -
g     cdrom     24           -
g     floppy    25           -
g     tape      26           -
g     sudo      27           -
g     audio     29           -
g     dip       30           -
u     www-data  33           -      /var/www
u     backup    34           -      /var/backups
g     operator  37           -
u     list      38           -      /var/list
u     irc       39           -      /var/run/ircd
g     src       40           -
u     gnats     41           -      /var/lib/gnats
g     shadow    42           -
g     utmp      43           -
g     video     44           -
g     sasl      45           -
g     plugdev   46           -
g     staff     50           -
g     games     60           -
g     users     100          -
u     nobody    65534:65534  -      /nonexistent
g     nogroup   65534        -
```
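A field-level comparison of the two `head -n2` outputs quoted in the message above, as an added example that is not part of the original post. The function names are hypothetical; the check ignores the password placeholder and, by default, GECOS, and reports differences in UID, GID, home directory and login shell.

```python
# Added example: field-level comparison of a generated passwd file against
# passwd.master. The two samples are the head -n2 outputs quoted above.
MASTER = """\
root:*:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
GENERATED = """\
root:x:0:0::/root:/bin/sh
daemon:x:1:1::/usr/sbin:/sbin/nologin
"""
FIELDS = ("uid", "gid", "gecos", "home", "shell")


def load(text):
    """Map account name -> compared fields; the password field is skipped."""
    table = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        name, _pw, *rest = line.split(":")
        table[name] = dict(zip(FIELDS, rest))
    return table


def drift(master_text, generated_text, ignore=("gecos",)):
    """Report accounts whose IDs, home or shell differ from the master file."""
    master, generated = load(master_text), load(generated_text)
    report = {}
    for name, want in master.items():
        got = generated.get(name)
        if got is None:
            report[name] = "missing"
            continue
        diffs = {f: (want.get(f), got.get(f)) for f in FIELDS
                 if f not in ignore and want.get(f) != got.get(f)}
        if diffs:
            report[name] = diffs
    for name in sorted(generated.keys() - master.keys()):
        report[name] = "unexpected"
    return report


if __name__ == "__main__":
    for account, detail in drift(MASTER, GENERATED).items():
        print(account, detail)
```

Each reported pair is (master value, generated value), so a system account whose shell no longer matches the master file stands out immediately.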
Bug#888126: [patch] Please enable systemd-sysusers unit
Hello Michael, all,

Michael Vogt [2018-01-23 16:15 +0100]:
> There is no downside (AFAICS), the unit is conditional on
> ConditionNeedsUpdate=/etc so it will never run on default Debian
> systems.

Agreed. It will mostly be dead weight in the systemd packages, but the new tool isn't too big, and most importantly, it doesn't drag in a new dependency.

> I also looked into providing debian specific basic.conf that would
> re-generate the base-passwd passwd.master (and group) file. However it looks
> like the systemd-sysusers file format is not expressive enough for this
> (which is slightly unfortunate). I.e. we have entries like

Felipe and I also looked at this some years ago, and stumbled over the same issues. I can't find the discussion on the ML or bugs.d.o now, though. But this was the reason why we never enabled it, as it couldn't faithfully replicate Debian's static system users.

> sync:*:4:65534:sync:/bin:/bin/sync
>
> which cannot be represented because you cannot specify a different
> primary gid in the sysusers file (or a login shell). So extra work is
> required for this but (personally) I would love to this is.

Since you freshly looked at this, was this the only problem? I figure the sync group is mostly unused anyway, and completely irrelevant for containers - but does this also affect static groups which are actually important? I. e. which static groups cannot be replicated with sysusers?

IMHO if we enable this, we should also provide a reasonably correct static sysusers so that the program actually works as intended. It doesn't need to (and can't right now) be perfect, but at least not completely break your system.

Thanks,

Martin
Bug#888126: [patch] Please enable systemd-sysusers unit
package: systemd
version: 236-3

Dear systemd team,

please enable the systemd-sysuser.service unit. The rationale is that users who want to use this inside their containers/deployments can do so. Attached is a (trivial) patch to enable the unit. It is also documented widely and the fact that it does not work on Debian (and Ubuntu) is slightly surprising.

There is no downside (AFAICS), the unit is conditional on ConditionNeedsUpdate=/etc so it will never run on default Debian systems.

I also looked into providing debian specific basic.conf that would re-generate the base-passwd passwd.master (and group) file. However it looks like the systemd-sysusers file format is not expressive enough for this (which is slightly unfortunate). I.e. we have entries like

sync:*:4:65534:sync:/bin:/bin/sync

which cannot be represented because you cannot specify a different primary gid in the sysusers file (or a login shell). So extra work is required for this but (personally) I would love to this is.

Thanks for your consideration!

Michael

>From 69af77164ce2eb9bdddfce1c397b9b0c1ae7da55 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 23 Jan 2018 15:55:38 +0100 Subject: [PATCH] Enable sysusers service units This allows users who want to use /usr/lib/sysusers.d/* to use it together with an empty /etc. Note that this PR does not ship any sysuser.d files. It is up to the user to provide those. --- debian/rules | 1 - 1 file changed, 1 deletion(-) diff --git a/debian/rules b/debian/rules index 0389867ec..0cc4b85ec 100755 --- a/debian/rules +++ b/debian/rules
@@ -216,7 +216,6 @@ override_dh_install: find debian/install/*/etc/systemd/system/ -type l -delete # FIXME: generate proper sysusers.d/basic.conf for Debian, and add autopkgtest rm -rf debian/install/*/usr/lib/sysusers.d/* - rm -f debian/install/*/lib/systemd/system/*sysusers*.service debian/install/*/lib/systemd/system/*/*sysusers*.service ifeq (, $(filter noudeb, $(DEB_BUILD_PROFILES))) dh_install -pudev-udeb -plibudev1-udeb --sourcedir=debian/install/udeb endif -- 2.14.1
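Review bot: In the override_dh_install hunk, the retained `rm -rf debian/install/*/usr/lib/sysusers.d/*` and the FIXME above it still apply once the `rm -f ...*sysusers*.service` line is dropped, so the service units ship with no sysusers.d files and without the autopkgtest the FIXME asks for. Consider adding a test that boots with an empty /etc and a user-supplied sysusers.d file and checks the resulting passwd and group entries, and reword the FIXME to say that the units are now installed while basic.conf is still omitted, so that nobody assumes the static Debian accounts are recreated by default.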