1 |
On Mon, Nov 28, 2016 at 8:21 AM, William L. Thomson Jr. <wlt-ml@××××××.com> |
2 |
wrote: |
3 |
|
4 |
> On Friday, November 25, 2016 11:39:15 PM EST Daniel Campbell wrote: |
5 |
> > |
6 |
> > I could see a use-case for someone wanting to install a given daemon or |
7 |
> > server with a specific user and/or group. I'm not sure this is the right |
8 |
> > approach (nor do I know what is), but I think we have room to think |
9 |
> > about a solution; ideally one that is dead-simple to implement and |
10 |
> > doesn't have a ton of edge-cases. |
11 |
> > |
12 |
> > What is QA's current policy on user/group creation, btw? |
13 |
> |
14 |
> Years ago there was talk/discussion of having some list/database of |
15 |
> UID/GID[1] |
16 |
> [2], so that we have consistent assignment. Arch seems to be the only |
17 |
> distro |
18 |
> thus far who has produced such a list[1], but seems to be outdated and not |
19 |
> maintained. Also seems to deviate from some UID/GID numbers RedHat uses for |
20 |
> example[2]. Arch 78 for KVM group, RedHat uses 36. |
21 |
> |
22 |
> While there are many reasons people do not care about UID/GID, and |
23 |
> arguments |
24 |
> could be made that it might be better to have them vary on systems and be |
25 |
> unique. Though some things there are already common UID/GID across distros. |
26 |
> |
27 |
> I think in the long run, surely for anyone managing lots of systems. It is |
28 |
> far |
29 |
> better to have a consistent standard list of UID/GID including names. Maybe |
30 |
> other distro's will adopt and become more of a standard. |
31 |
> |
32 |
|
33 |
Generally speaking as a fellow who maintained thousands of systems (many of |
34 |
which ran various operating systems.) |
35 |
|
36 |
You cannot rely on all OS vendors to synchronize uid / gid. You cannot even |
37 |
rely on some single vendors to synchronize uid / gids between releases of |
38 |
their own products. If you build your fleet maintenance with this premise |
39 |
in mind; most folks I've seen come up with a way to manage it. |
40 |
|
41 |
Often it means things like: |
42 |
|
43 |
1) Adding shared accounts to a database and using nsswitch to forward |
44 |
lookups. |
45 |
2) Adding configuration management rules to add named accounts to every |
46 |
machine. |
47 |
3) Building your fleet such as local uid / gid doesn't matter so much |
48 |
(often this means the demise of shared filesystems or other bolt-on |
49 |
authentication / authorization mechanisms. |
50 |
|
51 |
Typically since most folks building a fleet have to synchronize uid / gid |
52 |
of actual human users anyway (so people can login / access files / etc) and |
53 |
so the burden just becomes "give me a list of accounts I should add to my |
54 |
'syncer' so they are auto-populated on all machines'. |
55 |
|
56 |
The uids and gids don't matter so much (I can assign them myself, often I |
57 |
need to inter-operate with other systems where names are already in use, |
58 |
etc.) But just having a list of "these system accounts are important" is |
59 |
probably useful on its own. |
60 |
|
61 |
-A |
62 |
|
63 |
|
64 |
> |
65 |
> 1. http://marc.info/?l=gentoo-dev&w=2&r=1&s=Assigning+ |
66 |
> unique+system+uid%2Fgid |
67 |
> +for+new+&q=b |
68 |
> 2. http://marc.info/?t=117034194400005&r=1&w=2 |
69 |
> 3. https://wiki.archlinux.org/index.php?title=DeveloperWiki: |
70 |
> UID_/_GID_Database |
71 |
> 4. https://access.redhat.com/documentation/en-US/ |
72 |
> Red_Hat_Enterprise_Virtualization/3.5/html/Installation_Guide/sect- |
73 |
> System_Accounts.html |
74 |
> |
75 |
> -- |
76 |
> William L. Thomson Jr. |
77 |
> |