Red Hat Bugzilla – Bug 991502
Ensure that rhel addon products reserved uids/gids are documented in setup rpm
Last modified: 2013-11-14 05:43:04 EST
Description of problem:
It looks like we are failing to document reserved uids/gids for addon RHEL products.
For example, openstack uid/gids are not documented in setup rpm:
qpidd:x:498:499:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
keystone:x:163:163:OpenStack Keystone Daemons:/var/lib/keystone:/sbin/nologin
glance:x:161:161:OpenStack Glance Daemons:/var/lib/glance:/sbin/nologin
cinder:x:165:165:OpenStack Cinder Daemons:/var/lib/cinder:/sbin/nologin
nova:x:162:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin
Version-Release number of selected component (if applicable):
I'm not sure how well this process is exposed to RHEL Product PMs or third party vendors.
Another RFE will be filed to document the setup rpm and document this material as well.
Specifically the allocation strategies. If you look at those scripts you can sort of see how you prevent yourself from running into problems with uid/gid relative to using the dynamic allocation strategy.
So it does look like setup rpm is the right spot, it's just a matter of folks following the FPC process for obtaining a soft static uid/gid.
We need to expose this to the RHEL Product PMs to ensure they are following this process, as well as exposing this to third party/hardware partner vendors.
Because as we have seen from the setup rpm we are missing documented uid/gid for openstack, and I suspect there are others.
The other thing that we will have to work on is migrating the above documentation into RHEL documentation.
On another note, it looks like there will be some movement of the reserved space going up to 1000.
So probably best to start non-reserved gids at something higher than 1000, maybe 5000 is a good best practice strategy.
Static user id allocations in RHEL-6+ are only under 200. The IDs you mentioned were reserved and documented in the upstream/Fedora setup uidgid file (see https://git.fedorahosted.org/cgit/setup.git/tree/uidgid), however, there was no update of the setup package meanwhile. Once we have a RHEL-6 setup update, these openstack IDs will be documented there.
In Fedora, dynamic range for system ids is now 0-999, this seems to be sufficient. 0-4999 seems to be too much to me. In addition, a recent (~ 2 months ago) modification of the Fedora packaging guidelines introduced the need for an FPC ticket when a static uid is being requested. For many allocations, a dynamic id is sufficient. I'm no longer allowed to assign the static ids myself in the setup package.
The 5000 was only a suggestion for a non-reserved uid/gid creation starting point, not really for what we need as reserved space. So that was not an RFE request to extend beyond 1000.
The dynamic allocation strategy suggested at the https://fedoraproject.org/wiki/Packaging:UsersAndGroups URL is a good one.
However it doesn't really help with customers who desire to grab a specific uid/gid.
This request wasn't really to solve that issue.
It was mainly to find a document of RHEL reserved uid/gids, which I believe is the intention of our setup rpm. So it sounds like all will be good as soon as the Fedora setup rpm changes roll into RHEL.
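
The gap discussed in this thread can be checked mechanically. The following is an added example, not part of the bug report or of the setup package: it classifies the passwd entries quoted in the description against a reservation table. The table contents, its column layout and the names `exampled` and `examplegrp` are constructed assumptions; the 200 cutoff is the static-range limit stated in the thread.

```python
STATIC_MAX = 200  # per the thread: static allocations in RHEL-6+ are only under 200
# passwd(5) entries quoted in the bug description
PASSWD = """\
qpidd:x:498:499:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
keystone:x:163:163:OpenStack Keystone Daemons:/var/lib/keystone:/sbin/nologin
glance:x:161:161:OpenStack Glance Daemons:/var/lib/glance:/sbin/nologin
cinder:x:165:165:OpenStack Cinder Daemons:/var/lib/cinder:/sbin/nologin
nova:x:162:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin
"""

# Constructed reservation table (not the real uidgid file). Assumed layout:
# NAME UID GID HOME SHELL PACKAGES, "-" in the UID column for group-only rows.
RESERVED = """\
#NAME      UID GID HOME              SHELL         PACKAGES
glance     161 161 /var/lib/glance   /sbin/nologin openstack-glance
nova       162 162 /var/lib/nova     /sbin/nologin openstack-nova
exampled   163 163 /var/lib/exampled /sbin/nologin example-daemon
examplegrp -   164 -                 -             example-daemon
"""

def parse_reserved(text):
    by_uid = {}
    for line in text.splitlines():
        fields = line.split()
        # Skips the header, short rows and "-" (group-only) rows in one test.
        if len(fields) >= 3 and fields[1].isdigit():
            by_uid[int(fields[1])] = fields[0]
    return by_uid

def parse_passwd(text):
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():  # well-formed lines only
            yield fields[0], int(fields[2])

def audit(passwd_text, reserved_text, static_max=STATIC_MAX):
    by_uid = parse_reserved(reserved_text)
    report = {}
    for name, uid in parse_passwd(passwd_text):
        if uid >= static_max:
            report[name] = "dynamic"        # outside the static range
        elif uid not in by_uid:
            report[name] = "undocumented"   # static range, no reservation
        elif by_uid[uid] == name:
            report[name] = "documented"
        else:
            report[name] = "conflict:" + by_uid[uid]  # reserved for another name
    return report
```

Calling `audit(PASSWD, RESERVED)` with the real reservation file and a host's `/etc/passwd` substituted for the constructed strings lists accounts that use a static-range UID without a matching reservation.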