| 1 |
On 2019-12-26 14:42, Michael Orlitzky wrote: |
| 2 |
> So before you push this, I would figure out what you want the Jenkins |
| 3 |
> user to look like on your machine, and add an -r1 of acct-user/jenkins |
| 4 |
> in a local overlay that configures it how you want. At that point, you |
| 5 |
> can drop the usermod calls from your configuration management tools. |
| 6 |
> |
| 7 |
> For the benefit of those other users, it would be extra nice if you |
| 8 |
> could document how to do all that. I recently had to do the same thing |
| 9 |
> for OpenDKIM, because the old instructions that were gave were being |
| 10 |
> wiped out on upgrades and reinstalls: |
| 11 |
> |
| 12 |
> https://wiki.gentoo.org/wiki/OpenDKIM#The_new_way |
| 13 |
> |
| 14 |
> Then if the home directory is only needed by people who are going to be |
| 15 |
> overriding the acct-user ebuild anyway, you might as well leave |
| 16 |
> ACCT_USER_HOME at the default and let people set it in their overlays. |
| 17 |
|
| 18 |
Now, after reading the wiki for OpenDKIM I am more concerned than |
| 19 |
before: We are also changing groups?! |
| 20 |
|
| 21 |
Let me show you an example: |
| 22 |
System has www-servers/nginx installed which created nginx user+group |
| 23 |
via user eclass. |
| 24 |
|
| 25 |
Now let's say I have a custom application for which I created user+group |
| 26 |
"myapp". |
| 27 |
|
| 28 |
I add nginx user to myapp group to allow nginx to access files from |
| 29 |
myapp to serve application. |
| 30 |
|
| 31 |
My current understanding is that during www-servers/nginx migration to |
| 32 |
GLEP-81, i.e. when www-servers/nginx ebuild will pull in acct-user/nginx |
| 33 |
and acct-group/nginx for the first time, the acct-* thing will do |
| 34 |
|
| 35 |
local groups=${ACCT_USER_GROUPS[*]} |
| 36 |
esetgroups "${ACCT_USER_NAME}" "${groups// /,}" |
| 37 |
|
| 38 |
which would remove nginx from myapp group to match ACCT_USER_GROUPS set |
| 39 |
in acct-*/nginx ebuild which would break my application server. Does |
| 40 |
that really happen? |
| 41 |
|
| 42 |
And would I really have to create my own acct-*/nginx user+group ebuild |
| 43 |
to mirror my myapp use case? In other words: Thanks to GLEP 81, in |
| 44 |
Gentoo, you can no longer use known default Linux utilities like usermod |
| 45 |
to maintain your system and make changes to users/groups created by |
| 46 |
packages, instead you will always have to 'fork' involved acct-*/<user> |
| 47 |
package and adjust for your needs? |
| 48 |
|
| 49 |
Things like |
| 50 |
|
| 51 |
https://docs.saltstack.com/en/latest/ref/states/all/salt.states.user.html |
| 52 |
https://docs.ansible.com/ansible/latest/modules/user_module.html |
| 53 |
|
| 54 |
which are commonly used to apply configurations can't be used anymore?! |
| 55 |
|
| 56 |
Which will become funny if you are maintaining multiple systems: On one |
| 57 |
system you have said "myapp", but on another system you would have a |
| 58 |
second application named "myapp2". So you cannot even share repositories |
| 59 |
between your systems anymore or would have to ensure somehow that system |
| 60 |
A which acts as application server for "myapp" will only get |
| 61 |
acct-*/<user>-<numeric-identifier-for-myapp-cfg> and system B which will |
| 62 |
act as application server for "myapp2" will get |
| 63 |
acct-*/<user>-<numerc-identifier-for-another-myapp2-cfg> instead?! Not |
| 64 |
to mention what will happen if you get a third system which will be able |
| 65 |
to run multiple nginx instances, one for myapp and one for myapp2... ;] |
| 66 |
|
| 67 |
|
| 68 |
-- |
| 69 |
Regards, |
| 70 |
Thomas Deutschmann / Gentoo Linux Developer |
| 71 |
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives