1 |
On Sat, 28 Jan 2017 11:28:45 +0000 |
2 |
James Le Cuirot <chewi@g.o> wrote: |
3 |
|
4 |
> On Fri, 27 Jan 2017 18:37:52 -0800 |
5 |
> Patrick McLean <chutzpah@g.o> wrote: |
6 |
> |
7 |
> > I don't think we need to have stable UIDs/GIDs in the "normal" case of |
8 |
> > standalone users with a single Gentoo system at home. The people who |
9 |
> > need predictable UIDs/GIDs are the "enterprise" users or the home users |
10 |
> > who use things such as NFS. I work for a company that uses Gentoo, we |
11 |
> > have a bunch of workarounds to make sure that UIDs and GIDs are |
12 |
> > stable. To make something to solve our problem (and I suspect everyone |
13 |
> > else who cares about this), it would be sufficient to have a mechanism |
14 |
> > to override the default random assignment with a fixed UID/GID. |
15 |
> > Possibly some file in /etc/portage or in the profile (or both) that |
16 |
> > allows one to configure what UID/GID a user will get when the user is |
17 |
> > being created. One advantage of this is that user.eclass could be |
18 |
> > modified to support it, so we don't have to wait for a new EAPI before |
19 |
> > taking advantage of it. |
20 |
> |
21 |
> Is this really a problem in enterprise? What are the workarounds you're |
22 |
> using? NFS has long had idmapd, which takes care of this problem. I |
23 |
> still find people shy away from NFSv4 but I've not had any trouble with |
24 |
> it. There's also LDAP, usually coupled with sssd these days, in which |
25 |
> case the users and groups are created just once on a central server. |
26 |
> Samba with Active Directory effectively gives you the same thing and |
27 |
> can also be coupled with sssd. I recently tried mixing Samba, sssd, and |
28 |
> NFS, which was quite fascinating and surprisingly easy thanks to |
29 |
> realmd. This allowed me to use NFS with Kerberos, which is something |
30 |
> you really need in an enterprise environment. |
31 |
> |
32 |
|
33 |
We are using both NFSv3 and NFSv4, the UID stability is also important |
34 |
when you are using full-image deployments, and have local storage on |
35 |
the system, you don't want the new OS to have different UIDs/GIDs than |
36 |
the previous installation. |
37 |
|
38 |
We are using file in /etc/portage/env that define a pre_pkg_setup that |
39 |
creates the users before the standard pkg_setup does, with our stable |
40 |
UID/GID for that system. We have to do this for each package that |
41 |
creates a user that may be used to store stable data. |