Red Hat Bugzilla – Bug 511957
Allocate a 'qemu' username and groupname
Last modified: 2011-11-10 02:11:19 EST
Description of problem:
A Fedora 12 feature is for libvirt to run the QEMU guests as an unprivileged user account, instead of root:root.
Thus, we need to have a 'qemu' username and groupname allocated.
The 'qemu' username should be a member of the 'qemu' and 'kvm' groups by default.
Ok, the only problem with reservation is that there are no free uid/gid pairs under 100 (some free uids, no free gids). Are you ok with having a reserved uid/gid above 100? E.g. 101? I'll modify /etc/profile and similar files to increase the threshold for reserved uid/gids, so likely no difference for you - but it will be the first reserved uid/gid above 100 - so some more modifications in some configs may be necessary to make it handled the same way as the rest of the reserved system account IDs.
The potential problem would be a local user account already using the newly allocated ID, but then user accounts don't start until 500 by default, so in theory there's a little space on most systems.
In the RPM %post, instead of 'useradd -u 101 qemu', we'd likely have to first check if '101' was already allocated, and if so, fall back to letting useradd pick a random uid?
Yep, user accounts start above 500 by default - anyway you have to always check for the existence of the uid/gid in the post - even under 100 ... Anyway - I checked (googled) about the existence of uid/gid 101 in Fedora - and it seems that some packages already do use that uid/gid even without reservation in setup uidgid file. Bad luck - the lowest one without presence in google archives was 107.
So I would say this one would be better - as it seems I have to do some cleanup/bugzilla filing to bring order to Fedora above uid/gid 100.
So you should have something like in your %post:
getent group qemu >/dev/null || groupadd -g 107 -r qemu
getent group kvm >/dev/null || groupadd -g 36 -r kvm
getent passwd qemu >/dev/null || \
    useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
    -c "qemu user" qemu
This should be ok and sufficient (at least other packages with reserved uidgid in uidgid file just do that) - as it is user's fault to use that reserved id. So I'll reserve 107 uidgid pair in next rawhide setup update if you have no objections.
That gets my vote, thanks.
Ok, reserved 107:107 for qemu in setup-2.8.7-1.fc12, closing RAWHIDE.
Small question please: if I have this uid already taken on my system and want to install qemu-kvm, can I just manually do:
useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
before installing qemu-kvm, to create the qemu user with a random uid? Or will something get broken (i.e. if uid 107 usage is hardcoded somewhere else)?
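Added example, not part of the original thread or of any Fedora package: a dry run of the check-then-fall-back idea raised above, where the reserved ID 107 is requested only if nothing else already holds it. The function names and the sample passwd/group files are constructed for illustration; the script prints the groupadd/useradd commands it would choose and runs none of them.

```shell
#!/bin/sh
# Hypothetical helpers (not from the thread). They read passwd/group-format
# files so the decision can be dry-run against a copy of a host's databases.

# id_in_use FILE ID: succeeds if field 3 (uid or gid) of any entry equals ID
id_in_use() {
    awk -F: -v id="$2" '$3 == id { found = 1 } END { exit !found }' "$1"
}

# name_exists FILE NAME: succeeds if an entry named NAME is present
name_exists() {
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# plan_account NAME ID EXTRA_GROUP PASSWD_FILE GROUP_FILE
# Prints the commands a %post scriptlet would need; nothing is executed.
plan_account() {
    name=$1 id=$2 extra=$3 passwd=$4 group=$5
    if ! name_exists "$group" "$name"; then
        if id_in_use "$group" "$id"; then
            printf '%s\n' "groupadd -r $name"         # gid taken: groupadd picks one
        else
            printf '%s\n' "groupadd -g $id -r $name"  # reserved gid is free
        fi
    fi
    if ! name_exists "$passwd" "$name"; then
        if id_in_use "$passwd" "$id"; then
            uidopt=""                                 # uid taken: useradd picks one
        else
            uidopt=" -u $id"                          # reserved uid is free
        fi
        printf '%s\n' "useradd -r$uidopt -g $name -G $extra -d / -s /sbin/nologin -c \"$name user\" $name"
    fi
}

# Constructed sample: a local account "localsvc" already holds uid/gid 107.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nlocalsvc:x:107:107::/:/sbin/nologin\n' > "$d/passwd"
    printf 'root:x:0:\nlocalsvc:x:107:\n' > "$d/group"
    plan_account qemu 107 kvm "$d/passwd" "$d/group"
    rm -rf "$d"
}
demo
```

In the constructed collision case the output drops `-g 107` and `-u 107`, leaving the ID choice to groupadd and useradd.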