Description of problem:
pacemaker is using static useradd scripts

Version-Release number of selected component (if applicable):
pacemaker-2.1.3-2.el9

How reproducible:
100%

Steps to Reproduce:
1. review %pre

Actual results:
%pre -n %{pkgname_pcmk_libs}
# @TODO Use sysusers.d:
# https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format
getent group %{gname} >/dev/null || groupadd -r %{gname} -g %{hacluster_id}
getent passwd %{uname} >/dev/null || useradd -r -g %{gname} -u %{hacluster_id} -s /sbin/nologin -c "cluster user" %{uname}
exit 0

Expected results:
use of system-sysusers

Additional info:
https://www.freedesktop.org/software/systemd/man/systemd-sysusers.html
https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format
This has been done in Fedora and just needs to be backported to the RHEL/CentOS Stream spec
Haven't yet checked from which RHEL/CentOS versions on the macros meet our needs. As seen in Fedora, availability alone wasn't enough. At least - although the macro was there - I didn't manage to get the desired combination of user & primary group prior to f38. Fortunately one doesn't even need to set up a virtual machine to test - the sandbox container set up by mock should be sufficient. Don't know if it is worth the effort to verify user/group in the CI-gating-tests since they operate out of an rpm-installed setup.
The "uid:gid" syntax in pacemaker.sysusers does not work on RHEL9 because sysusers.generate-pre.sh does not support that syntax. A later patch in Fedora fixes this (https://src.fedoraproject.org/rpms/systemd/c/83301531c0aa22ffc155096826d8f5250c6a880a?branch=main), but the RHEL9 version is lacking it. So we'll need to come up with a different way to accomplish the same thing.
Rather than put in a hack to support "forever" could that patch get into CentOS Stream 9 and mark this as dependent on that?
I think all that's necessary is to change pacemaker.sysusers like so: diff --git a/pacemaker.sysusers b/pacemaker.sysusers index daadb96..5f768e5 100644 --- a/pacemaker.sysusers +++ b/pacemaker.sysusers @@ -1,3 +1,4 @@ #Type Name ID GECOS Home directory Shell g haclient 189 -u hacluster 189:haclient "cluster user" /var/lib/pacemaker /sbin/nologin +u hacluster 189 "cluster user" /var/lib/pacemaker /sbin/nologin +m hacluster haclient @kwenning Thoughts?
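Review bot: the replacement "u hacluster 189" line no longer names a group, and in sysusers.d an "m" line only adds a supplementary membership, so the added "m hacluster haclient" does not make haclient the primary group the way "189:haclient" did. A "u" line with a bare numeric ID also asks for a same-named group with that ID, while 189 is already claimed by "g haclient 189" two lines up. Before adopting this, confirm the resulting primary GID of hacluster in a scratch install, or keep "189:haclient" and carry the generator fix instead.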
iirc that didn't make haclient the primary group for hacluster - but I might not remember correctly. I'd say if the macro-thing does the trick for our needs without additional hacks we go for it. So yes getting that fix from Fedora into CentOS would make that possible. If we need it at all. Otherwise I would suggest not to invest too much into a mechanism that seems not to be accepted by a majority of rpm/systemd-based distributions. We have had a hack in place already for years ;-) On the other side I'm not sure how long-lived that approach is anyway since rpm 4.19 comes with native support for taking care of users/groups. Didn't try that out though ... looking as if defining the current macro to empty might just be enough. Still the question if rpm supports the "uid:gid" syntax ... or some other mechanism that does the job for us ... rpm seems to support a mechanism that doesn't require packaging pacemaker.sysusers ... just for the case we should see a reason why that might be an issue for us. On the other hand rpm 4.19 hasn't even made it into rawhide yet.
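The user/primary-group check raised in the comments above, as an added example that is not part of the original thread or of the pacemaker packaging. The function name check_account and its argument order are assumptions; the names hacluster/haclient and ID 189 come from the pacemaker.sysusers lines quoted above.

```shell
#!/bin/sh
# Added example: verify the account layout the packaging is expected to create.
# Assumption: passwd(5)/group(5) files are read directly so the check can be
# pointed at a chroot's etc/passwd and etc/group instead of the running system.

# check_account USER UID GROUP GID [PASSWD_FILE] [GROUP_FILE]
# Returns 0 only if GROUP has GID, USER has UID, and USER's *primary* GID is GID.
# A supplementary membership (user listed in field 4 of group) is not enough.
check_account() {
    user=$1 want_uid=$2 group=$3 want_gid=$4
    passwd_file=${5:-/etc/passwd}
    group_file=${6:-/etc/group}

    # Field 3 of group(5) is the numeric GID.
    got_gid=$(awk -F: -v g="$group" '$1 == g { print $3; exit }' "$group_file")
    # Fields 3 and 4 of passwd(5) are the UID and the primary GID.
    got_ids=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $4; exit }' "$passwd_file")

    if [ -z "$got_gid" ]; then
        echo "group $group missing" >&2
        return 1
    fi
    if [ -z "$got_ids" ]; then
        echo "user $user missing" >&2
        return 1
    fi
    if [ "$got_gid" != "$want_gid" ]; then
        echo "group $group has gid $got_gid, expected $want_gid" >&2
        return 1
    fi
    if [ "$got_ids" != "$want_uid:$want_gid" ]; then
        echo "user $user has uid:gid $got_ids, expected $want_uid:$want_gid" >&2
        return 1
    fi
    return 0
}

# When invoked with arguments, run the check directly, e.g.:
#   sh check_account.sh hacluster 189 haclient 189 ROOT/etc/passwd ROOT/etc/group
if [ "$#" -ge 4 ]; then
    check_account "$@"
fi
```

Run it after installing the libs package into a scratch root; a non-zero exit with the "uid:gid" message is the case where haclient ended up as a supplementary group only.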
The sysusers.generate-pre.sh script is provided by systemd, so that's the component where we would need a bug filed and a patch added. If we don't have time for that, the easiest thing to do would be to simply kick this along to a later release and try to push for that patch to be included in the meantime.
As RHEL 9.3 will not have the necessary RPM macros, this is being bumped to 9.4. The necessary changes have already been made in Fedora and can be used as a template.