| 1 |
On Mon, Nov 28, 2016 at 8:21 AM, William L. Thomson Jr. <wlt-ml@××××××.com> |
| 2 |
wrote: |
| 3 |
|
| 4 |
> On Friday, November 25, 2016 11:39:15 PM EST Daniel Campbell wrote: |
| 5 |
> > |
| 6 |
> > I could see a use-case for someone wanting to install a given daemon or |
| 7 |
> > server with a specific user and/or group. I'm not sure this is the right |
| 8 |
> > approach (nor do I know what is), but I think we have room to think |
| 9 |
> > about a solution; ideally one that is dead-simple to implement and |
| 10 |
> > doesn't have a ton of edge-cases. |
| 11 |
> > |
| 12 |
> > What is QA's current policy on user/group creation, btw? |
| 13 |
> |
| 14 |
> Years ago there was talk/discussion of having some list/database of |
| 15 |
> UID/GID[1] |
| 16 |
> [2], so that we have consistent assignment. Arch seems to be the only |
| 17 |
> distro |
| 18 |
> thus far who has produced such a list[1], but seems to be outdated and not |
| 19 |
> maintained. Also seems to deviate from some UID/GID numbers RedHat uses for |
| 20 |
> example[2]. Arch 78 for KVM group, RedHat uses 36. |
| 21 |
> |
| 22 |
> While there are many reasons people do not care about UID/GID, and |
| 23 |
> arguments |
| 24 |
> could be made that it might be better to have them vary on systems and be |
| 25 |
> unique. Though some things there are already common UID/GID across distros. |
| 26 |
> |
| 27 |
> I think in the long run, surely for anyone managing lots of systems. It is |
| 28 |
> far |
| 29 |
> better to have a consistent standard list of UID/GID including names. Maybe |
| 30 |
> other distro's will adopt and become more of a standard. |
| 31 |
> |
| 32 |
|
| 33 |
Generally speaking as a fellow who maintained thousands of systems (many of |
| 34 |
which ran various operating systems.) |
| 35 |
|
| 36 |
You cannot rely on all OS vendors to synchronize uid / gid. You cannot even |
| 37 |
rely on some single vendors to synchronize uid / gids between releases of |
| 38 |
their own products. If you build your fleet maintenance with this premise |
| 39 |
in mind; most folks I've seen come up with a way to manage it. |
| 40 |
|
| 41 |
Often it means things like: |
| 42 |
|
| 43 |
1) Adding shared accounts to a database and using nsswitch to forward |
| 44 |
lookups. |
| 45 |
2) Adding configuration management rules to add named accounts to every |
| 46 |
machine. |
| 47 |
3) Building your fleet such as local uid / gid doesn't matter so much |
| 48 |
(often this means the demise of shared filesystems or other bolt-on |
| 49 |
authentication / authorization mechanisms. |
| 50 |
|
| 51 |
Typically since most folks building a fleet have to synchronize uid / gid |
| 52 |
of actual human users anyway (so people can login / access files / etc) and |
| 53 |
so the burden just becomes "give me a list of accounts I should add to my |
| 54 |
'syncer' so they are auto-populated on all machines'. |
| 55 |
|
| 56 |
The uids and gids don't matter so much (I can assign them myself, often I |
| 57 |
need to inter-operate with other systems where names are already in use, |
| 58 |
etc.) But just having a list of "these system accounts are important" is |
| 59 |
probably useful on its own. |
| 60 |
|
| 61 |
-A |
| 62 |
|
| 63 |
|
| 64 |
> |
| 65 |
> 1. http://marc.info/?l=gentoo-dev&w=2&r=1&s=Assigning+ |
| 66 |
> unique+system+uid%2Fgid |
| 67 |
> +for+new+&q=b |
| 68 |
> 2. http://marc.info/?t=117034194400005&r=1&w=2 |
| 69 |
> 3. https://wiki.archlinux.org/index.php?title=DeveloperWiki: |
| 70 |
> UID_/_GID_Database |
| 71 |
> 4. https://access.redhat.com/documentation/en-US/ |
| 72 |
> Red_Hat_Enterprise_Virtualization/3.5/html/Installation_Guide/sect- |
| 73 |
> System_Accounts.html |
| 74 |
> |
| 75 |
> -- |
| 76 |
> William L. Thomson Jr. |
| 77 |
> |
Archives