Bug 1792462 - Adopting sysusers.d format
Summary: Adopting sysusers.d format
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Changes Tracking
Version: 32
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Zbigniew Jędrzejewski-Szmek
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-01-17 16:52 UTC by Ben Cotton
Modified: 2025-01-23 20:30 UTC (History)
4 users (show)

Fixed In Version: systemd-245~rc1-2.fc32
Clone Of:
Environment:
Last Closed: 2020-04-28 14:30:25 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Ben Cotton 2020-01-17 16:52:29 UTC
This is a tracking bug for Change: Adopting sysusers.d format
For more details, see: https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format

Files in sysusers.d format will be used to declare systems users so it will be possible to introspect system users. Users will still be created using old-style useradd calls.

Comment 1 Zbigniew Jędrzejewski-Szmek 2020-02-10 16:52:53 UTC
The basic machinery (rpm macros) in systemd-rpm-macros is now done. Unfortunately I missed
the mass rebuild, which means that packages will not get the new Provides:user() and group()
until they are rebuilt. Packages which do not use sysusers require more work. I converted
munge as an example: https://src.fedoraproject.org/rpms/munge/pull-request/1. I'll have time
to work more on this two weeks from now, and I'll submit some no-op rebuilds and PRs then.

Comment 2 Ben Cotton 2020-02-11 18:13:52 UTC
Branching Fedora 32 Changes from rawhide. Today is the Code Complete (testable) deadline. Please make sure your bug status is set appropriately:

Complete (testable) -> MODIFIED
Complete (100% code complete) -> ON_QA (deadline is 25 February)

If you need to defer this change until Fedora 33, please set the version back to 'rawhide'.

Comment 3 Ben Cotton 2020-02-28 16:31:43 UTC
The Code Complete (100% Complete) deadline has passed. If your Change is 100% complete, please set the status of this bug to ON_QA. If you need to defer to Fedora 33, please set the version to rawhide. A list of incomplete changes is being submitted to FESCo for review.

Comment 4 Zbigniew Jędrzejewski-Szmek 2020-02-29 12:20:46 UTC
The implementation on systemd side is there. Now all packages need to be converted...

Comment 5 Ben Cotton 2020-04-28 14:30:25 UTC
Fedora 32 is released!

Comment 6 Robin Lee 2022-03-27 09:58:03 UTC
(In reply to Zbigniew Jędrzejewski-Szmek from comment #4)
> The implementation on systemd side is there. Now all packages need to be
> converted...

It is the time for another feature change to enforce sysusers to all packages?
The usage of useradd/groupadd in %pre seems already removed from the guidline
https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/ .
That's would be a great benefit for Silverblue/CoreOS users.

Comment 7 Colin Walters 2025-01-23 16:54:40 UTC
Just to xref here quite a while ago we added code in rpm-ostree to auto-synthesize sysusers.d entries from useradd/groupadd invocations from package scripts in https://github.com/coreos/rpm-ostree/pull/3897

But yes, it'd be really helpful to have a push to do this conversion.

That said there is a larger story here, see https://docs.fedoraproject.org/en-US/bootc/building-containers/#_invoking_useradd_as_part_of_a_container_build - I think especially it's notable to use DynamicUser=yes where possible, but also sysusers owning file content is a problem for image-based systems.

Comment 8 Zbigniew Jędrzejewski-Szmek 2025-01-23 20:30:40 UTC
I'm not sure if you meant to comment on this particular ticket, but it I got the message.

> https://github.com/coreos/rpm-ostree/pull/3897

This is a very interesting link. I just spent most of today creating a spec file munger to convert spec file %pre sections back into sysusers files ;)  (Though I don't think my work is wasted. The rpm-ostree interceptor only catches the calls and runs at a different time, but I needed to change the spec files and remove more of the scriptlet logic.)

>  I think especially it's notable to use DynamicUser=yes where possible, but also sysusers owning file content is a problem for image-based systems.

Yeah, DynamicUser= is generally nice and works nicely. As for sysusers owning file content, I don't think this is something that we can get rid of. There is maybe a few hundred of packages which do that, so image-based systems will need to support this.


Note You need to log in before you can comment on or make changes to this bug.