Bug 991502 - Ensure that rhel addon products reserved uids/gids are documented in setup rpm
Summary: Ensure that rhel addon products reserved uids/gids are documented in setup rpm
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: setup
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Ondrej Vasik
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks: 991508 998912
Reported: 2013-08-02 14:59 UTC by Dave Sullivan
Modified: 2018-12-03 19:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The setup package reserves the system static user and group IDs in the range of 0 to 200 for various applications. This update synchronizes the list of reserved IDs (available in the /usr/share/doc/setup-*/uidgid file) for Red Hat layered products with the latest upstream version of this list.
Clone Of:
Environment:
Last Closed: 2013-11-14 10:43:04 UTC
Target Upstream Version:
Embargoed:



Description Dave Sullivan 2013-08-02 14:59:18 UTC
Description of problem:

It looks like we are failing to document reserved uids/gids for addon RHEL products.

For example, openstack uid/gids are not documented in the setup rpm:

mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
qpidd:x:498:499:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
keystone:x:163:163:OpenStack Keystone Daemons:/var/lib/keystone:/sbin/nologin
glance:x:161:161:OpenStack Glance Daemons:/var/lib/glance:/sbin/nologin
cinder:x:165:165:OpenStack Cinder Daemons:/var/lib/cinder:/sbin/nologin
nova:x:162:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin
memcached:x:497:496:Memcached daemon:/var/run/memcached:/sbin/nologin
nagios:x:496:495::/var/spool/nagios:/sbin/nologin

cat /usr/share/doc/setup-2.8.14/uidgid


Version-Release number of selected component (if applicable):

setup-2.8.14-20.el6.noarch



Additional info:

I'm not sure how well this process is exposed to RHEL Product PMs or third party vendors

Another RFE will be filed to document the setup rpm and document this material as well

https://fedoraproject.org/wiki/Packaging:UsersAndGroups

Specifically the allocation strategies.  If you look at those scripts you can sort of see how you prevent yourself from running into problems with uid/gid relative to using the dynamic allocation strategy.  

So it does look like setup rpm is the right spot, it's just a matter of folks following the FPC process for obtaining a soft static uid/gid.

We need to expose this to the RHEL Product PMs to ensure they are following this process, as well as exposing this to third party/hardware partner vendors.

Because as we have seen from the setup rpm we are missing documented uid/gid for openstack, and I suspect there are others.

The other thing that we will have to work on is migrating the above documentation into RHEL documentation.

On another note, it looks like there will be some movement of the reserved space going up to 1000.

So probably best to start non-reserved gids at something higher than 1000, maybe 5000 is a good best practice strategy.

Comment 2 Ondrej Vasik 2013-08-04 19:28:55 UTC
Static user ID allocations in RHEL-6+ are only under 200. The IDs you mentioned were reserved and documented in the upstream/Fedora setup uidgid file (see https://git.fedorahosted.org/cgit/setup.git/tree/uidgid); however, there has been no update of the setup package in the meantime. Once we have a RHEL-6 setup update, these openstack IDs will be documented there.

In Fedora, the dynamic range for system IDs is now 0-999; this seems to be sufficient. 0-4999 seems to be too much to me. In addition, a recent (~2 months ago) modification of the Fedora packaging guidelines introduced the need for an FPC ticket when a static uid is being requested. For many allocations, a dynamic ID is sufficient. I'm no longer allowed to assign the static IDs myself in the setup package.

Comment 3 Dave Sullivan 2013-08-07 18:37:27 UTC
The 5000 was only a suggestion for a non-reserved uid/gid creation starting point, not really for what we need as reserved space.  So that was not an RFE request to extend beyond 1000.

The dynamic allocation strategy suggested at the https://fedoraproject.org/wiki/Packaging:UsersAndGroups URL is a good one.

However it doesn't really help with customers who desire to grab a specific uid/gid.

This request wasn't really to solve that issue.

It was mainly to find a document of RHEL reserved uid/gids, which I believe is the intention of our setup rpm. So it sounds like all will be good as soon as the Fedora setup rpm changes roll into RHEL.

Thanks,

Dave
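
Added example (not part of the original bug report or the setup package): a check of the passwd entries quoted in the description against a reservation list, flagging accounts in the static range below 200 that the list does not document, contradicts, or reserves for another name. The `UIDGID` excerpt is constructed and its column layout is an assumption; `parse_uidgid` and `audit` are hypothetical helper names.

```python
STATIC_MAX = 200  # Comment 2: static system IDs on RHEL 6 are below 200
# passwd entries quoted in the bug description
PASSWD = """\
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
qpidd:x:498:499:Owner of Qpidd Daemons:/var/lib/qpidd:/sbin/nologin
keystone:x:163:163:OpenStack Keystone Daemons:/var/lib/keystone:/sbin/nologin
glance:x:161:161:OpenStack Glance Daemons:/var/lib/glance:/sbin/nologin
cinder:x:165:165:OpenStack Cinder Daemons:/var/lib/cinder:/sbin/nologin
nova:x:162:162:OpenStack Nova Daemons:/var/lib/nova:/sbin/nologin
memcached:x:497:496:Memcached daemon:/var/run/memcached:/sbin/nologin
nagios:x:496:495::/var/spool/nagios:/sbin/nologin
"""

# Constructed stand-in for /usr/share/doc/setup-*/uidgid (not the real file).
# Assumed layout: NAME UID GID HOME SHELL PACKAGES, "-" for an unused column.
UIDGID = """\
NAME   UID  GID  HOME            SHELL      PACKAGES
wheel  -    10   -               -          setup
mysql  27   27   /var/lib/mysql  /bin/bash  mysql
"""

def parse_uidgid(text):
    """Map account name -> (uid, gid); None where the column holds '-'."""
    reserved = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] == "NAME" or f[0].startswith("#"):
            continue
        reserved[f[0]] = tuple(int(v) if v.isdigit() else None for v in f[1:3])
    return reserved

def audit(passwd_text, reserved):
    """Return (name, uid, gid, note) for each static-range account with a problem."""
    owner = {uid: name for name, (uid, _) in reserved.items() if uid is not None}
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue  # skip malformed lines
        name, uid, gid = fields[0], int(fields[2]), int(fields[3])
        if uid >= STATIC_MAX:
            continue  # dynamically allocated, not expected in uidgid
        if name in reserved:
            note = None if reserved[name] == (uid, gid) else "differs from reservation"
        else:
            note = "uid reserved for " + owner[uid] if uid in owner else "undocumented"
        if note:
            findings.append((name, uid, gid, note))
    return findings
```

Against this constructed list, the four OpenStack accounts are reported as undocumented, while qpidd, memcached and nagios are skipped because their UIDs fall in the dynamic range.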

