Gentoo Archives: gentoo-dev

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [PATCH 2/4] acct-user/jenkins: Add jenkins user, UID 473
Date: Thu, 26 Dec 2019 14:42:09
In Reply to: Re: [gentoo-dev] [PATCH 2/4] acct-user/jenkins: Add jenkins user, UID 473 by Michael Orlitzky
1 On 2019-12-26 14:42, Michael Orlitzky wrote:
2 > So before you push this, I would figure out what you want the Jenkins
3 > user to look like on your machine, and add an -r1 of acct-user/jenkins
4 > in a local overlay that configures it how you want. At that point, you
5 > can drop the usermod calls from your configuration management tools.
6 >
7 > For the benefit of those other users, it would be extra nice if you
8 > could document how to do all that. I recently had to do the same thing
9 > for OpenDKIM, because the old instructions that were gave were being
10 > wiped out on upgrades and reinstalls:
11 >
12 >
13 >
14 > Then if the home directory is only needed by people who are going to be
15 > overriding the acct-user ebuild anyway, you might as well leave
16 > ACCT_USER_HOME at the default and let people set it in their overlays.
18 Now, after reading the wiki for OpenDKIM I am more concerned than
19 before: We are also changing groups?!
21 Let me show you an example:
22 System has www-servers/nginx installed which created nginx user+group
23 via user eclass.
25 Now let's say I have a custom application for which I created user+group
26 "myapp".
28 I add nginx user to myapp group to allow nginx to access files from
29 myapp to serve application.
31 My current understanding is that during www-servers/nginx migration to
32 GLEP-81, i.e. when www-servers/nginx ebuild will pull in acct-user/nginx
33 and acct-group/nginx for the first time, the acct-* thing will do
35 local groups=${ACCT_USER_GROUPS[*]}
36 esetgroups "${ACCT_USER_NAME}" "${groups// /,}"
38 which would remove nginx from myapp group to match ACCT_USER_GROUPS set
39 in acct-*/nginx ebuild which would break my application server. Does
40 that really happen?
42 And would I really have to create my own acct-*/nginx user+group ebuild
43 to mirror my myapp use case? In other words: Thanks to GLEP 81, in
44 Gentoo, you can no longer use known default Linux utilities like usermod
45 to maintain your system and make changes to users/groups created by
46 packages, instead you will always have to 'fork' involved acct-*/<user>
47 package and adjust for your needs?
49 Things like
54 which are commonly used to apply configurations can't be used anymore?!
56 Which will become funny if you are maintaining multiple systems: On one
57 system you have said "myapp", but on another system you would have a
58 second application named "myapp2". So you cannot even share repositories
59 between your systems anymore or would have to ensure somehow that system
60 A which acts as application server for "myapp" will only get
61 acct-*/<user>-<numeric-identifier-for-myapp-cfg> and system B which will
62 act as application server for "myapp2" will get
63 acct-*/<user>-<numerc-identifier-for-another-myapp2-cfg> instead?! Not
64 to mention what will happen if you get a third system which will be able
65 to run multiple nginx instances, one for myapp and one for myapp2... ;]
68 --
69 Regards,
70 Thomas Deutschmann / Gentoo Linux Developer
71 C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5


File name MIME type
signature.asc application/pgp-signature