Bug 991502

Summary: Ensure that rhel addon products reserved uids/gids are documented in setup rpm
Product: Red Hat Enterprise Linux 6
Reporter: Dave Sullivan <dsulliva>
Component: setup
Assignee: Ondrej Vasik <ovasik>
Status: CLOSED CURRENTRELEASE
QA Contact: qe-baseos-daemons
Severity: high
Docs Contact:
Priority: high
Version: 6.4
CC: azelinka, jkurik
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The setup package reserves the system static user and group IDs in the range of 0 to 200 for various applications. This update synchronizes the list of reserved IDs (available in the /usr/share/doc/setup-*/uidgid file) for Red Hat layered products with the latest upstream version of this list.
Last Closed: 2013-11-14 10:43:04 UTC
Type: Bug
Bug Blocks: 991508, 998912    

Description Dave Sullivan 2013-08-02 14:59:18 UTC
Description of problem:

It looks like we are failing to document reserved uids/gids for addon RHEL products.

For example, openstack uid/gids are not documented in the setup rpm:

mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
qpidd:x:498:499:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
keystone:x:163:163:OpenStack Keystone Daemons:/var/lib/keystone:/sbin/nologin
glance:x:161:161:OpenStack Glance Daemons:/var/lib/glance:/sbin/nologin
cinder:x:165:165:OpenStack Cinder Daemons:/var/lib/cinder:/sbin/nologin
nova:x:162:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin
memcached:x:497:496:Memcached daemon:/var/run/memcached:/sbin/nologin
nagios:x:496:495::/var/spool/nagios:/sbin/nologin

cat /usr/share/doc/setup-2.8.14/uidgid


Version-Release number of selected component (if applicable):

setup-2.8.14-20.el6.noarch



Additional info:

I'm not sure how well this process is exposed to RHEL Product PMs or third party vendors.

Another RFE will be filed to document the setup rpm and document this material as well.

https://fedoraproject.org/wiki/Packaging:UsersAndGroups

Specifically the allocation strategies. If you look at those scripts you can sort of see how you prevent yourself from running into problems with uid/gid relative to using the dynamic allocation strategy.

So it does look like the setup rpm is the right spot; it's just a matter of folks following the FPC process for obtaining a soft static uid/gid.

We need to expose this to the RHEL Product PMs to ensure they are following this process, as well as exposing this to third party/hardware partner vendors.

Because as we have seen from the setup rpm we are missing documented uid/gid for openstack, and I suspect there are others.

The other thing that we will have to work on is migrating the above documentation into RHEL documentation.

On another note, it looks like there will be some movement of the reserved space going up to 1000.

So it is probably best to start non-reserved gids at something higher than 1000; maybe 5000 is a good best practice strategy.

Comment 2 Ondrej Vasik 2013-08-04 19:28:55 UTC
Static user ID allocations in RHEL-6+ are only under 200. The IDs you mentioned were reserved and documented in the upstream/Fedora setup uidgid file (see https://git.fedorahosted.org/cgit/setup.git/tree/uidgid); however, there was no update of the setup package in the meantime. Once we have a RHEL-6 setup update, these openstack IDs will be documented there.

In Fedora, the dynamic range for system IDs is now 0-999; this seems to be sufficient. 0-4999 seems to be too much to me. In addition, a recent (~2 months ago) modification of the Fedora packaging guidelines introduced the need for an FPC ticket when a static uid is being requested. For many allocations, a dynamic ID is sufficient. I'm no longer allowed to assign the static IDs myself in the setup package.

Comment 3 Dave Sullivan 2013-08-07 18:37:27 UTC
The 5000 was only a suggestion for a non-reserved uid/gid creation starting point, not really for what we need as reserved space.  So that was not an RFE request to extend beyond 1000.

The dynamic allocation strategy suggested at the https://fedoraproject.org/wiki/Packaging:UsersAndGroups URL is a good one.

However it doesn't really help with customers who desire to grab a specific uid/gid.

This request wasn't really to solve that issue.

It was mainly to find a document of RHEL reserved uid/gids, which I believe is the intention of our setup rpm. So it sounds like all will be good as soon as the Fedora setup rpm changes roll into RHEL.

Thanks,

Dave
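
The check discussed in this bug, as an added example that is not part of the original report or of the setup package: it compares passwd entries against a uidgid-style list and reports accounts in the static range (under 200, per Comment 2) that the list does not document. The uidgid excerpt is constructed, and its column layout and the function names are assumptions.

```python
STATIC_LIMIT = 200  # Comment 2: static allocations in RHEL-6+ are only under 200
# Constructed excerpt; the NAME UID GID HOME SHELL PACKAGES layout is an assumption.
SAMPLE_UIDGID = """\
NAME    UID  GID  HOME            SHELL      PACKAGES
root    0    0    /root           /bin/bash  setup
mysql   27   27   /var/lib/mysql  /bin/bash  mysql
"""
# passwd entries quoted in the bug description.
SAMPLE_PASSWD = """\
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
qpidd:x:498:499:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
keystone:x:163:163:OpenStack Keystone Daemons:/var/lib/keystone:/sbin/nologin
glance:x:161:161:OpenStack Glance Daemons:/var/lib/glance:/sbin/nologin
cinder:x:165:165:OpenStack Cinder Daemons:/var/lib/cinder:/sbin/nologin
nova:x:162:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin
memcached:x:497:496:Memcached daemon:/var/run/memcached:/sbin/nologin
nagios:x:496:495::/var/spool/nagios:/sbin/nologin
"""

def parse_uidgid(text):
    """Return {name: (uid, gid)}; a '-' or other non-numeric ID becomes None."""
    reserved = {}
    for line in text.splitlines():
        fields = line.split()
        ids = [int(f) if f.isdigit() else None for f in fields[1:3]]
        if len(ids) == 2 and ids != [None, None]:  # skips header and prose lines
            reserved[fields[0]] = tuple(ids)
    return reserved

def audit(passwd_text, uidgid_text, limit=STATIC_LIMIT):
    """Return [(name, uid, gid, finding)] for static-range accounts the list does not cover."""
    reserved, findings = parse_uidgid(uidgid_text), []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue  # not a well-formed passwd entry
        name, uid, gid = parts[0], int(parts[2]), int(parts[3])
        if uid >= limit and gid >= limit:
            continue  # dynamically allocated; not expected in the reserved list
        if name not in reserved:
            findings.append((name, uid, gid, "undocumented"))
            continue
        ruid, rgid = reserved[name]
        if ruid not in (None, uid) or rgid not in (None, gid):
            findings.append((name, uid, gid, "mismatch"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_UIDGID))
```

On a real system the two inputs would be the contents of /etc/passwd and of the /usr/share/doc/setup-*/uidgid file named in the Doc Text.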