1 |
On 12/26/19 9:41 AM, Thomas Deutschmann wrote: |
2 |
> |
3 |
> which would remove nginx from myapp group to match ACCT_USER_GROUPS set |
4 |
> in acct-*/nginx ebuild which would break my application server. Does |
5 |
> that really happen? |
6 |
|
7 |
Yes; if we want to be able to add/remove groups in acct-user ebuilds, |
8 |
then that's the only possible thing it could do. |
9 |
|
10 |
|
11 |
> And would I really have to create my own acct-*/nginx user+group ebuild |
12 |
> to mirror my myapp use case? In other words: Thanks to GLEP 81, in |
13 |
> Gentoo, you can no longer use known default Linux utilities like usermod |
14 |
> to maintain your system and make changes to users/groups created by |
15 |
> packages, instead you will always have to 'fork' involved acct-*/<user> |
16 |
> package and adjust for your needs? |
17 |
|
18 |
That's right, but you're making it sound worse than it is. You also |
19 |
cannot use known default tools like rm, mv, cp, and your text editor to |
20 |
change things installed by system packages, because those changes will |
21 |
get overwritten the next time that the package is upgraded or |
22 |
reinstalled. Now user/group management works the same way. |
23 |
|
24 |
If you want to change something that belongs to the system, you override |
25 |
and tweak the package that installs it. It's consistent, and you don't |
26 |
have to tell people to install puppet/salt/etc. as a special case just |
27 |
to make users work like everything else. Those were always band-aids for |
28 |
the lack of a better way to do it. |
29 |
|
30 |
|
31 |
> |
32 |
> Things like |
33 |
> |
34 |
> https://docs.saltstack.com/en/latest/ref/states/all/salt.states.user.html |
35 |
> https://docs.ansible.com/ansible/latest/modules/user_module.html |
36 |
> |
37 |
> which are commonly used to apply configurations can't be used anymore?! |
38 |
|
39 |
You don't need them any more, there's a better way to do it. |
40 |
|
41 |
|
42 |
> Which will become funny if you are maintaining multiple systems: On one |
43 |
> system you have said "myapp", but on another system you would have a |
44 |
> second application named "myapp2". So you cannot even share repositories |
45 |
> between your systems anymore or would have to ensure somehow that system |
46 |
> A which acts as application server for "myapp" will only get |
47 |
> acct-*/<user>-<numeric-identifier-for-myapp-cfg> and system B which will |
48 |
> act as application server for "myapp2" will get |
49 |
> acct-*/<user>-<numerc-identifier-for-another-myapp2-cfg> instead?! Not |
50 |
> to mention what will happen if you get a third system which will be able |
51 |
> to run multiple nginx instances, one for myapp and one for myapp2... ;] |
52 |
|
53 |
I don't completely understand your example, but it doesn't sound like |
54 |
something that should be particularly hard. Can you elaborate before I |
55 |
stick my foot in my mouth? |