1 |
Hi, |
2 |
|
3 |
On 2019-12-26 16:28, Michael Orlitzky wrote: |
4 |
>> And would I really have to create my own acct-*/nginx user+group |
5 |
>> ebuild to mirror my myapp use case? In other words: Thanks to GLEP |
6 |
>> 81, in Gentoo, you can no longer use known default Linux utilities |
7 |
>> like usermod to maintain your system and make changes to |
8 |
>> users/groups created by packages, instead you will always have to |
9 |
>> 'fork' involved acct-*/<user> package and adjust for your needs? |
10 |
> |
11 |
> That's right, but you're making it sound worse than it is. You also |
12 |
> cannot use known default tools like rm, mv, cp, and your text editor |
13 |
> to change things installed by system packages, because those changes |
14 |
> will get overwritten the next time that the package is upgraded or |
15 |
> reinstalled. Now user/group management works the same way. |
16 |
> |
17 |
> If you want to change something that belongs to the system, you |
18 |
> override and tweak the package that installs it. It's consistent, and |
19 |
> you don't have to tell people to install puppet/salt/etc. as a |
20 |
> special case just to make users work like everything else. Those were |
21 |
> always band-aids for the lack of a better way to do it. |
22 |
|
23 |
Why can't I use rm, mv, cp or text editor to change things? |
24 |
|
25 |
System configuration management is abstraction. You don't care about |
26 |
details like if you are using Debian, RHEL or Gentoo. This is |
27 |
implemented in used tool. You only define "states": |
28 |
|
29 |
- Make sure user X is present and member of group Y. |
30 |
|
31 |
- Make sure directory /var/foo exists and is owned by x:y. |
32 |
|
33 |
- Make sure service Z is installed. |
34 |
|
35 |
- Make sure your configuration for service Z is installed. |
36 |
|
37 |
- Make sure service Z is enabled and running. |
38 |
|
39 |
*You* don't need to know if you have to use apt, yum or emerge to get Z |
40 |
installed. This is something the tool (puppet, ansible, salt, chef...) |
41 |
will know and take care of. You will probably manage a mapping of |
42 |
package names on your own so that you can always say "Install Z" but on |
43 |
Debian your configuration management tool will install openssh-server |
44 |
and on Gentoo it will just be a package named net-misc/openssh. |
45 |
|
46 |
You can deploy your own configuration (=replace /etc/ssh/sshd_config) or |
47 |
you can say "Make sure /etc/ssh/sshd_config contains 'PermitRootLogin |
48 |
without-password'" or that "/etc/php/fpm-php7.4/ext-active/foo.ini" is |
49 |
absent on Gentoo which will translate to "[[ ! -f |
50 |
/var/lib/php/modules/7.4/fpm/disabled_by_admin/foo]] && phpdismod -v 7.4 |
51 |
-s fpm foo ]]" |
52 |
on Debian. |
53 |
|
54 |
|
55 |
>> Things like |
56 |
>> |
57 |
>> https://docs.saltstack.com/en/latest/ref/states/all/salt.states.user.html |
58 |
>> |
59 |
>> |
60 |
https://docs.ansible.com/ansible/latest/modules/user_module.html |
61 |
>> |
62 |
>> which are commonly used to apply configurations can't be used |
63 |
>> anymore?! |
64 |
> |
65 |
> You don't need them any more, there's a better way to do it. |
66 |
|
67 |
Ever deployed a custom Tomcat application for example? Sure, you have |
68 |
dozen ways to do that. Like dev-util/jenkins-bin, you could create your |
69 |
own package. But if you have to maintain various operating systems you |
70 |
will write a role/state, see above. Or if this is your own in-house |
71 |
application it could be easier that your CI pipline will just copy to |
72 |
/srv/myapp/$buildid on each application server and to flip |
73 |
/srv/myapp/current symlink so you can update/rollback in seconds and to |
74 |
support staggered deployment. |
75 |
|
76 |
My point is, it's pointless to say there are better ways. Making Gentoo |
77 |
special because you can't use well established things which are working |
78 |
on every other distribution and would require that everyone would |
79 |
rewrite their states/roles and/or implement something new just to keep |
80 |
Gentoo supported is not going to happen. |
81 |
|
82 |
|
83 |
> I don't completely understand your example, but it doesn't sound |
84 |
> like something that should be particularly hard. Can you elaborate |
85 |
> before I stick my foot in my mouth? |
86 |
|
87 |
Heh :) |
88 |
|
89 |
In you example user would have to fork acct-*/<user/group> package in |
90 |
his/her overlay to adjust for his/her needs. At the moment, all larger |
91 |
Gentoo setups I am aware of are maintaining a company repository in |
92 |
addition to the official Gentoo repository. So they would put |
93 |
acct-user/nginx-0-r1 and acct-group/nginx-0-r1 in that repository with |
94 |
their changes. But this doesn't work if you have multiple different |
95 |
nginx instances for example. Sure, the forked acct-* packages would work |
96 |
for all the application servers running this specific role/state. But |
97 |
these adjusted packages would be wrong for the servers running grafana |
98 |
role/state, i.e. running www-apps/grafana-bin behind www-servers/nginx |
99 |
proxy. So you would end up with multiple acct-*/nginx ebuilds for each |
100 |
configuration which can't be right. Whereas at the moment you will use |
101 |
your configuration management tool to get things into describe state. |
102 |
|
103 |
|
104 |
-- |
105 |
Regards, |
106 |
Thomas Deutschmann / Gentoo Linux Developer |
107 |
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |