Bug 991502 - Ensure that rhel addon products reserved uids/gids are documented in setup rpm
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: setup
high Severity high
: rc
Assigned To: Ondrej Vasik
: ZStream
Blocks: 991508 998912
Reported: 2013-08-02 10:59 EDT by Dave Sullivan
Modified: 2013-11-14 05:43 EST
Doc Type: Bug Fix
Doc Text:
The setup package reserves the system static user and group IDs in the range of 0 to 200 for various applications. This update synchronizes the list of reserved IDs (available in the /usr/share/doc/setup-*/uidgid file) for Red Hat layered products with the latest upstream version of this list.
Last Closed: 2013-11-14 05:43:04 EST
Type: Bug
Description Dave Sullivan 2013-08-02 10:59:18 EDT
Description of problem:

It looks like we are failing to document reserved uids/gids for addon RHEL products.

For example, openstack uid/gids are not documented in setup rpm:

mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
qpidd:x:498:499:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
keystone:x:163:163:OpenStack Keystone Daemons:/var/lib/keystone:/sbin/nologin
glance:x:161:161:OpenStack Glance Daemons:/var/lib/glance:/sbin/nologin
cinder:x:165:165:OpenStack Cinder Daemons:/var/lib/cinder:/sbin/nologin
nova:x:162:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin
memcached:x:497:496:Memcached daemon:/var/run/memcached:/sbin/nologin

cat /usr/share/doc/setup-2.8.14/uidgid

Version-Release number of selected component (if applicable):


Additional info:

I'm not sure how well this process is exposed to RHEL Product PMs or third party vendors.

Another RFE will be filed to document the setup rpm and document this material as well.


Specifically the allocation strategies.  If you look at those scripts you can sort of see how you prevent yourself from running into problems with uid/gid relative to using the dynamic allocation strategy.  

So it does look like setup rpm is the right spot, it's just a matter of folks following the FPC process for obtaining a soft static uid/gid.

We need to expose this to the RHEL Product PMs to ensure they are following this process, as well as exposing this to third party/hardware partner vendors.

Because, as we have seen from the setup rpm, we are missing documented uid/gid for openstack, and I suspect there are others.

The other thing that we will have to work on is migrating the above documentation into RHEL documentation.

On another note, it looks like there will be some movement of the reserved space going up to 1000.

So probably best to start non-reserved gids at something higher than 1000, maybe 5000 is a good best practice strategy.
Comment 2 Ondrej Vasik 2013-08-04 15:28:55 EDT
Static user ID allocations in RHEL-6+ are only under 200. The IDs you mentioned were reserved and documented in the upstream/Fedora setup uidgid file (see https://git.fedorahosted.org/cgit/setup.git/tree/uidgid); however, there has been no update of the setup package in the meantime. Once we have a RHEL-6 setup update, these openstack IDs will be documented there.

In Fedora, the dynamic range for system IDs is now 0-999, which seems to be sufficient. 0-4999 seems to be too much to me. In addition, a recent (~2 months ago) modification of the Fedora packaging guidelines introduced the need for an FPC ticket when a static uid is being requested. For many allocations, a dynamic ID is sufficient. I'm no longer allowed to assign the static IDs myself in the setup package.
Comment 3 Dave Sullivan 2013-08-07 14:37:27 EDT
The 5000 was only a suggestion for a non-reserved uid/gid creation starting point, not really for what we need as reserved space.  So that was not an RFE request to extend beyond 1000.

The dynamic allocation strategy suggested at the https://fedoraproject.org/wiki/Packaging:UsersAndGroups URL is a good one.

However it doesn't really help with customers who desire to grab a specific uid/gid.

This request wasn't really to solve that issue.

It was mainly to find a document of RHEL reserved uid/gids, which I believe is the intention of our setup rpm.  So it sounds like all will be good as soon as the Fedora setup rpm changes roll into RHEL.
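
An added example, not part of the bug report or of the setup package: a check of passwd-format entries against a uidgid-style reservation list, using the under-200 static range stated in Comment 2. The list layout, the sample list contents, and the names parse_uidgid, audit and STATIC_LIMIT are assumptions made for illustration.

```python
STATIC_LIMIT = 200  # per the thread: static IDs in RHEL-6+ are only under 200

# Constructed stand-in for /usr/share/doc/setup-*/uidgid. Assumed layout:
# NAME UID GID HOME SHELL PACKAGES, whitespace-separated, "-" meaning none.
UIDGID = """\
NAME UID GID HOME SHELL PACKAGES
root 0 0 /root /bin/bash setup
mysql 27 27 /var/lib/mysql /bin/bash mysql
wheel - 10 - - setup
"""

# Three of the passwd entries quoted in the bug description.
PASSWD = """\
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
qpidd:x:498:499:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
keystone:x:163:163:OpenStack Keystone Daemons:/var/lib/keystone:/sbin/nologin
"""

def parse_uidgid(text):
    """Return {name: (uid, gid)}; an ID is None where the list has '-'."""
    reserved = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "NAME" or fields[0].startswith("#"):
            continue  # blank line, header, or comment
        uid, gid = (int(f) if f.isdecimal() else None for f in fields[1:3])
        reserved[fields[0]] = (uid, gid)
    return reserved

def audit(passwd_text, uidgid_text, limit=STATIC_LIMIT):
    """Classify each passwd entry against the reservation list."""
    reserved = parse_uidgid(uidgid_text)
    uid_owner = {u: n for n, (u, _) in reserved.items() if u is not None}
    report = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or not (parts[2].isdecimal() and parts[3].isdecimal()):
            continue  # blank or malformed passwd line
        name, uid, gid = parts[0], int(parts[2]), int(parts[3])
        if name in reserved:  # documented name: the IDs must match the list
            ok = reserved[name] == (uid, gid)
            report[name] = "documented" if ok else "mismatch"
        elif uid in uid_owner:  # reserved UID held by a different account
            report[name] = "conflicts with " + uid_owner[uid]
        elif uid < limit or gid < limit:  # static range, but not in the list
            report[name] = "undocumented static"
        else:
            report[name] = "dynamic"
    return report
```

Calling audit(PASSWD, UIDGID) returns a dict mapping each account name to its classification; pass the text of a real passwd file and uidgid file to check a host.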


