Bug 845078

Summary: Reserve static UID/GID for OpenStack heat daemon
Product: [Fedora] Fedora
Reporter: Steven Dake <sdake>
Component: setup
Assignee: Ondrej Vasik <ovasik>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: jpeeler, ovasik, pknirsch
Doc Type: Bug Fix
Last Closed: 2012-08-06 11:23:40 UTC
Type: Bug

Description Steven Dake 2012-08-01 16:51:27 UTC
Description of problem:
As per:

  http://fedoraproject.org/wiki/Packaging:UsersAndGroups

The heat package requires a static UID/GID combination for security concerns.  We would rather not dynamically allocate this UID/GID as it could cause problems during upgrade or backup and we wish to quiet rpmlint.
  
Version-Release number of selected component (if applicable):
Rawhide - targeted at F18

Additional info:
Heat is a network facing daemon which contains sensitive user information in its persistent storage area.  The persistent storage area is /var/lib/heat.  The current packaging uses root permissions.  We absolutely don't want heat to run as root user, so our alternative is a dynamic UID/GID which would result in problems during the upgrade or backup process.

The uid/gid combo desired is 'openstack-heat'.

Thanks
-steve

Comment 1 Ondrej Vasik 2012-08-05 19:33:04 UTC
Just to be sure - so the reserved user/group name should be openstack-heat and homedir should be /var/lib/heat? Which package will be responsible for the user/group creation? Shell should be /sbin/nologin, right?

Comment 2 Steven Dake 2012-08-05 21:56:15 UTC
Yes, user/group are openstack-heat, homedir should be /var/lib/heat.  Shell should be /sbin/nologin.  The package responsible for creation can either be setup or heat, depending on what you think is appropriate.

Regards
-steve

Comment 3 Ondrej Vasik 2012-08-06 11:23:40 UTC
heat package is more appropriate for the user/group creation. I have reserved 187:187 UID/GID pair for openstack-heat in setup-2.8.57-1.fc18, feel free to use this static id in your next heat build. Closing RAWHIDE.

Comment 4 Jeff Peeler 2013-05-28 22:30:37 UTC
Note that this was renamed to just "heat" in bug 923858.
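
An added check, not part of this bug report or of the heat or setup packages: it audits a passwd(5) entry and the state directory against the values agreed in the thread (187:187, home /var/lib/heat, shell /sbin/nologin), and takes the account name as a parameter because of the later rename. The function names and sample lines are constructed for illustration, and the rule that the directory grants no access to others is this example's assumption.

```shell
#!/bin/sh
# Added example (not from the bug): audit the account reserved in this thread.
# Values from the page: 187:187, home /var/lib/heat, shell /sbin/nologin.
EXPECTED_ID=187
EXPECTED_HOME=/var/lib/heat
EXPECTED_SHELL=/sbin/nologin

# check_heat_entry NAME PASSWD_LINE
# Prints one line per mismatch; returns 0 if the entry matches the reservation.
check_heat_entry() {
    rc=0
    # passwd(5) fields: name:password:UID:GID:GECOS:home:shell
    IFS=: read -r name _pw uid gid _gecos home shell <<EOF
$2
EOF
    [ "$name" = "$1" ] || { echo "name is '$name', expected '$1'"; rc=1; }
    [ "$uid" = "$EXPECTED_ID" ] || { echo "uid is '$uid', expected $EXPECTED_ID"; rc=1; }
    [ "$gid" = "$EXPECTED_ID" ] || { echo "gid is '$gid', expected $EXPECTED_ID"; rc=1; }
    [ "$home" = "$EXPECTED_HOME" ] || { echo "home is '$home', expected $EXPECTED_HOME"; rc=1; }
    [ "$shell" = "$EXPECTED_SHELL" ] || { echo "shell is '$shell', expected $EXPECTED_SHELL"; rc=1; }
    return "$rc"
}

# check_state_dir DIR WANT_UID WANT_GID
# Ownership must match. "No access for others" is this example's assumption,
# based on the page's statement that the directory holds sensitive data.
check_state_dir() {
    rc=0
    owner=$(stat -c '%u:%g' "$1") || return 2   # GNU coreutils stat
    mode=$(stat -c '%a' "$1") || return 2
    [ "$owner" = "$2:$3" ] || { echo "$1 owned by $owner, expected $2:$3"; rc=1; }
    case $mode in
        *0) ;;   # last octal digit 0: others have no access
        *)  echo "$1 mode $mode grants access to others"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample lines (not taken from a real system).
GOOD='openstack-heat:x:187:187:OpenStack Heat Daemon:/var/lib/heat:/sbin/nologin'
DYNAMIC='openstack-heat:x:993:990:OpenStack Heat Daemon:/var/lib/heat:/sbin/nologin'
LOGIN='heat:x:187:187::/var/lib/heat:/bin/bash'

# On a live host:
#   check_heat_entry openstack-heat "$(getent passwd openstack-heat)"
#   check_state_dir /var/lib/heat 187 187
```

The `DYNAMIC` line models the dynamically allocated IDs the reporter wanted to avoid, and `LOGIN` an entry with a login shell.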