| 1 |
Hi, |
| 2 |
|
| 3 |
On 2021-01-04 04:18, Michael Orlitzky wrote: |
| 4 |
> It would be nice if this was well-supported by the official way of |
| 5 |
> modifying system users/groups; that is, by using an overlay with |
| 6 |
> modified user/group ebuilds. |
| 7 |
|
| 8 |
No, this doesn't work: |
| 9 |
|
| 10 |
1) It's conflicting with the goals other have. See Mike's first reply to |
| 11 |
my patch proposal: |
| 12 |
|
| 13 |
> So the main problem I see with doing this is that it becomes |
| 14 |
> impossible to reliably make changes to a user in later ebuild |
| 15 |
> revisions. |
| 16 |
|
| 17 |
He is obviously looking for a way to allow maintainers to change users |
| 18 |
afterwards. But if we tell people, "If you need customization, fork the |
| 19 |
user/group ebuild in your overlay" we will disconnect these users from |
| 20 |
future changes. |
| 21 |
|
| 22 |
|
| 23 |
2) Thank you for outlining the process how to make changes to users |
| 24 |
using the new acct-* way. It's a nice 'hack'. But it is an own, new way, |
| 25 |
which makes Gentoo special, unique. And this creates additional problems: |
| 26 |
|
| 27 |
This maybe work for your local system. In environments where everything |
| 28 |
is Gentoo and everyone knows Gentoo. But in today's world you are using |
| 29 |
configuration management tools like Ansible, Puppet, Saltstack, Chef... |
| 30 |
|
| 31 |
People who are not necessarily familiar with every implementation detail |
| 32 |
must be able to write configurations (recipes) and the used tool is |
| 33 |
supposed to take care of the differences. In the end, in the ideal |
| 34 |
world, you are just looking at your code describing a state the system |
| 35 |
should have. |
| 36 |
|
| 37 |
But this doesn't work if you make Gentoo so special that you will break |
| 38 |
most tools, will require adjustments or special Gentoo support just for |
| 39 |
stuff Gentoo is doing differently and like everyone else. |
| 40 |
|
| 41 |
Don't get me wrong here: Yes, these tools already have to implement USE |
| 42 |
flags for example which are unique for Gentoo. But stuff like user |
| 43 |
management isn't or should *not*. |
| 44 |
|
| 45 |
When you will get LPIC certification one can expect that you have some |
| 46 |
basic knowledge in Linux stuff allowing you to do common tasks on all |
| 47 |
different Linux systems. Now there comes Gentoo where you aren't allowed |
| 48 |
to use standard Linux tools like 'usermod' when deploying another |
| 49 |
service if you don't want to risk that your service will go down when |
| 50 |
following best practice and do regular world upgrades. Really? |
| 51 |
|
| 52 |
|
| 53 |
3) More important, the idea of forking acct-* packages whenever you need |
| 54 |
to make modifications don't scale. Like I already outlined in February |
| 55 |
2020, you cannot create overlays for each different user configuration: |
| 56 |
|
| 57 |
I.e. using memcached/redis: You grant permission to socket via group. So |
| 58 |
you put other services belonging to that application you are deploying |
| 59 |
into your user running the key value store. Do you really expect that |
| 60 |
one would create multiple overlays per application using one of these |
| 61 |
services? How would you maintain hundreds of overlays? How would you |
| 62 |
keep track that each box will use the correct overlay to get the |
| 63 |
specific customized acct-* package? How do you deal with scenarios where |
| 64 |
you don't just deploy single instances? |
| 65 |
|
| 66 |
Again, I understand the acct-* fork idea. But I think we have to admit |
| 67 |
that this will only work for the local system or small environments. |
| 68 |
|
| 69 |
For any professional environment this won't work nor scale. |
| 70 |
|
| 71 |
|
| 72 |
4) Yet we have to talk about the idea in general that it is really not a |
| 73 |
good idea to automatically make changes to the user if you run the risk |
| 74 |
of overwriting changes explicitly made by the system administrator. |
| 75 |
|
| 76 |
It's one thing that multiple local users will get removed from portage |
| 77 |
group when you remerge acct-user/portage, but if you kill services |
| 78 |
because package maintainers are pushing their vision of how to run the |
| 79 |
package, it's not. |
| 80 |
|
| 81 |
|
| 82 |
-- |
| 83 |
Regards, |
| 84 |
Thomas Deutschmann / Gentoo Linux Developer |
| 85 |
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives