1 |
On 2019-12-26 14:42, Michael Orlitzky wrote: |
2 |
> So before you push this, I would figure out what you want the Jenkins |
3 |
> user to look like on your machine, and add an -r1 of acct-user/jenkins |
4 |
> in a local overlay that configures it how you want. At that point, you |
5 |
> can drop the usermod calls from your configuration management tools. |
6 |
> |
7 |
> For the benefit of those other users, it would be extra nice if you |
8 |
> could document how to do all that. I recently had to do the same thing |
9 |
> for OpenDKIM, because the old instructions that were gave were being |
10 |
> wiped out on upgrades and reinstalls: |
11 |
> |
12 |
> https://wiki.gentoo.org/wiki/OpenDKIM#The_new_way |
13 |
> |
14 |
> Then if the home directory is only needed by people who are going to be |
15 |
> overriding the acct-user ebuild anyway, you might as well leave |
16 |
> ACCT_USER_HOME at the default and let people set it in their overlays. |
17 |
|
18 |
Now, after reading the wiki for OpenDKIM I am more concerned than |
19 |
before: We are also changing groups?! |
20 |
|
21 |
Let me show you an example: |
22 |
System has www-servers/nginx installed which created nginx user+group |
23 |
via user eclass. |
24 |
|
25 |
Now let's say I have a custom application for which I created user+group |
26 |
"myapp". |
27 |
|
28 |
I add nginx user to myapp group to allow nginx to access files from |
29 |
myapp to serve application. |
30 |
|
31 |
My current understanding is that during www-servers/nginx migration to |
32 |
GLEP-81, i.e. when www-servers/nginx ebuild will pull in acct-user/nginx |
33 |
and acct-group/nginx for the first time, the acct-* thing will do |
34 |
|
35 |
local groups=${ACCT_USER_GROUPS[*]} |
36 |
esetgroups "${ACCT_USER_NAME}" "${groups// /,}" |
37 |
|
38 |
which would remove nginx from myapp group to match ACCT_USER_GROUPS set |
39 |
in acct-*/nginx ebuild which would break my application server. Does |
40 |
that really happen? |
41 |
|
42 |
And would I really have to create my own acct-*/nginx user+group ebuild |
43 |
to mirror my myapp use case? In other words: Thanks to GLEP 81, in |
44 |
Gentoo, you can no longer use known default Linux utilities like usermod |
45 |
to maintain your system and make changes to users/groups created by |
46 |
packages, instead you will always have to 'fork' involved acct-*/<user> |
47 |
package and adjust for your needs? |
48 |
|
49 |
Things like |
50 |
|
51 |
https://docs.saltstack.com/en/latest/ref/states/all/salt.states.user.html |
52 |
https://docs.ansible.com/ansible/latest/modules/user_module.html |
53 |
|
54 |
which are commonly used to apply configurations can't be used anymore?! |
55 |
|
56 |
Which will become funny if you are maintaining multiple systems: On one |
57 |
system you have said "myapp", but on another system you would have a |
58 |
second application named "myapp2". So you cannot even share repositories |
59 |
between your systems anymore or would have to ensure somehow that system |
60 |
A which acts as application server for "myapp" will only get |
61 |
acct-*/<user>-<numeric-identifier-for-myapp-cfg> and system B which will |
62 |
act as application server for "myapp2" will get |
63 |
acct-*/<user>-<numerc-identifier-for-another-myapp2-cfg> instead?! Not |
64 |
to mention what will happen if you get a third system which will be able |
65 |
to run multiple nginx instances, one for myapp and one for myapp2... ;] |
66 |
|
67 |
|
68 |
-- |
69 |
Regards, |
70 |
Thomas Deutschmann / Gentoo Linux Developer |
71 |
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |