| 1 |
Hi, |
| 2 |
|
| 3 |
On 2019-12-26 16:28, Michael Orlitzky wrote: |
| 4 |
>> And would I really have to create my own acct-*/nginx user+group |
| 5 |
>> ebuild to mirror my myapp use case? In other words: Thanks to GLEP |
| 6 |
>> 81, in Gentoo, you can no longer use known default Linux utilities |
| 7 |
>> like usermod to maintain your system and make changes to |
| 8 |
>> users/groups created by packages, instead you will always have to |
| 9 |
>> 'fork' involved acct-*/<user> package and adjust for your needs? |
| 10 |
> |
| 11 |
> That's right, but you're making it sound worse than it is. You also |
| 12 |
> cannot use known default tools like rm, mv, cp, and your text editor |
| 13 |
> to change things installed by system packages, because those changes |
| 14 |
> will get overwritten the next time that the package is upgraded or |
| 15 |
> reinstalled. Now user/group management works the same way. |
| 16 |
> |
| 17 |
> If you want to change something that belongs to the system, you |
| 18 |
> override and tweak the package that installs it. It's consistent, and |
| 19 |
> you don't have to tell people to install puppet/salt/etc. as a |
| 20 |
> special case just to make users work like everything else. Those were |
| 21 |
> always band-aids for the lack of a better way to do it. |
| 22 |
|
| 23 |
Why can't I use rm, mv, cp or text editor to change things? |
| 24 |
|
| 25 |
System configuration management is abstraction. You don't care about |
| 26 |
details like if you are using Debian, RHEL or Gentoo. This is |
| 27 |
implemented in used tool. You only define "states": |
| 28 |
|
| 29 |
- Make sure user X is present and member of group Y. |
| 30 |
|
| 31 |
- Make sure directory /var/foo exists and is owned by x:y. |
| 32 |
|
| 33 |
- Make sure service Z is installed. |
| 34 |
|
| 35 |
- Make sure your configuration for service Z is installed. |
| 36 |
|
| 37 |
- Make sure service Z is enabled and running. |
| 38 |
|
| 39 |
*You* don't need to know if you have to use apt, yum or emerge to get Z |
| 40 |
installed. This is something the tool (puppet, ansible, salt, chef...) |
| 41 |
will know and take care of. You will probably manage a mapping of |
| 42 |
package names on your own so that you can always say "Install Z" but on |
| 43 |
Debian your configuration management tool will install openssh-server |
| 44 |
and on Gentoo it will just be a package named net-misc/openssh. |
| 45 |
|
| 46 |
You can deploy your own configuration (=replace /etc/ssh/sshd_config) or |
| 47 |
you can say "Make sure /etc/ssh/sshd_config contains 'PermitRootLogin |
| 48 |
without-password'" or that "/etc/php/fpm-php7.4/ext-active/foo.ini" is |
| 49 |
absent on Gentoo which will translate to "[[ ! -f |
| 50 |
/var/lib/php/modules/7.4/fpm/disabled_by_admin/foo]] && phpdismod -v 7.4 |
| 51 |
-s fpm foo ]]" |
| 52 |
on Debian. |
| 53 |
|
| 54 |
|
| 55 |
>> Things like |
| 56 |
>> |
| 57 |
>> https://docs.saltstack.com/en/latest/ref/states/all/salt.states.user.html |
| 58 |
>> |
| 59 |
>> |
| 60 |
https://docs.ansible.com/ansible/latest/modules/user_module.html |
| 61 |
>> |
| 62 |
>> which are commonly used to apply configurations can't be used |
| 63 |
>> anymore?! |
| 64 |
> |
| 65 |
> You don't need them any more, there's a better way to do it. |
| 66 |
|
| 67 |
Ever deployed a custom Tomcat application for example? Sure, you have |
| 68 |
dozen ways to do that. Like dev-util/jenkins-bin, you could create your |
| 69 |
own package. But if you have to maintain various operating systems you |
| 70 |
will write a role/state, see above. Or if this is your own in-house |
| 71 |
application it could be easier that your CI pipline will just copy to |
| 72 |
/srv/myapp/$buildid on each application server and to flip |
| 73 |
/srv/myapp/current symlink so you can update/rollback in seconds and to |
| 74 |
support staggered deployment. |
| 75 |
|
| 76 |
My point is, it's pointless to say there are better ways. Making Gentoo |
| 77 |
special because you can't use well established things which are working |
| 78 |
on every other distribution and would require that everyone would |
| 79 |
rewrite their states/roles and/or implement something new just to keep |
| 80 |
Gentoo supported is not going to happen. |
| 81 |
|
| 82 |
|
| 83 |
> I don't completely understand your example, but it doesn't sound |
| 84 |
> like something that should be particularly hard. Can you elaborate |
| 85 |
> before I stick my foot in my mouth? |
| 86 |
|
| 87 |
Heh :) |
| 88 |
|
| 89 |
In you example user would have to fork acct-*/<user/group> package in |
| 90 |
his/her overlay to adjust for his/her needs. At the moment, all larger |
| 91 |
Gentoo setups I am aware of are maintaining a company repository in |
| 92 |
addition to the official Gentoo repository. So they would put |
| 93 |
acct-user/nginx-0-r1 and acct-group/nginx-0-r1 in that repository with |
| 94 |
their changes. But this doesn't work if you have multiple different |
| 95 |
nginx instances for example. Sure, the forked acct-* packages would work |
| 96 |
for all the application servers running this specific role/state. But |
| 97 |
these adjusted packages would be wrong for the servers running grafana |
| 98 |
role/state, i.e. running www-apps/grafana-bin behind www-servers/nginx |
| 99 |
proxy. So you would end up with multiple acct-*/nginx ebuilds for each |
| 100 |
configuration which can't be right. Whereas at the moment you will use |
| 101 |
your configuration management tool to get things into describe state. |
| 102 |
|
| 103 |
|
| 104 |
-- |
| 105 |
Regards, |
| 106 |
Thomas Deutschmann / Gentoo Linux Developer |
| 107 |
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives