1 |
Hi, |
2 |
|
3 |
On 2021-01-04 04:18, Michael Orlitzky wrote: |
4 |
> It would be nice if this was well-supported by the official way of |
5 |
> modifying system users/groups; that is, by using an overlay with |
6 |
> modified user/group ebuilds. |
7 |
|
8 |
No, this doesn't work: |
9 |
|
10 |
1) It's conflicting with the goals other have. See Mike's first reply to |
11 |
my patch proposal: |
12 |
|
13 |
> So the main problem I see with doing this is that it becomes |
14 |
> impossible to reliably make changes to a user in later ebuild |
15 |
> revisions. |
16 |
|
17 |
He is obviously looking for a way to allow maintainers to change users |
18 |
afterwards. But if we tell people, "If you need customization, fork the |
19 |
user/group ebuild in your overlay" we will disconnect these users from |
20 |
future changes. |
21 |
|
22 |
|
23 |
2) Thank you for outlining the process how to make changes to users |
24 |
using the new acct-* way. It's a nice 'hack'. But it is an own, new way, |
25 |
which makes Gentoo special, unique. And this creates additional problems: |
26 |
|
27 |
This maybe work for your local system. In environments where everything |
28 |
is Gentoo and everyone knows Gentoo. But in today's world you are using |
29 |
configuration management tools like Ansible, Puppet, Saltstack, Chef... |
30 |
|
31 |
People who are not necessarily familiar with every implementation detail |
32 |
must be able to write configurations (recipes) and the used tool is |
33 |
supposed to take care of the differences. In the end, in the ideal |
34 |
world, you are just looking at your code describing a state the system |
35 |
should have. |
36 |
|
37 |
But this doesn't work if you make Gentoo so special that you will break |
38 |
most tools, will require adjustments or special Gentoo support just for |
39 |
stuff Gentoo is doing differently and like everyone else. |
40 |
|
41 |
Don't get me wrong here: Yes, these tools already have to implement USE |
42 |
flags for example which are unique for Gentoo. But stuff like user |
43 |
management isn't or should *not*. |
44 |
|
45 |
When you will get LPIC certification one can expect that you have some |
46 |
basic knowledge in Linux stuff allowing you to do common tasks on all |
47 |
different Linux systems. Now there comes Gentoo where you aren't allowed |
48 |
to use standard Linux tools like 'usermod' when deploying another |
49 |
service if you don't want to risk that your service will go down when |
50 |
following best practice and do regular world upgrades. Really? |
51 |
|
52 |
|
53 |
3) More important, the idea of forking acct-* packages whenever you need |
54 |
to make modifications don't scale. Like I already outlined in February |
55 |
2020, you cannot create overlays for each different user configuration: |
56 |
|
57 |
I.e. using memcached/redis: You grant permission to socket via group. So |
58 |
you put other services belonging to that application you are deploying |
59 |
into your user running the key value store. Do you really expect that |
60 |
one would create multiple overlays per application using one of these |
61 |
services? How would you maintain hundreds of overlays? How would you |
62 |
keep track that each box will use the correct overlay to get the |
63 |
specific customized acct-* package? How do you deal with scenarios where |
64 |
you don't just deploy single instances? |
65 |
|
66 |
Again, I understand the acct-* fork idea. But I think we have to admit |
67 |
that this will only work for the local system or small environments. |
68 |
|
69 |
For any professional environment this won't work nor scale. |
70 |
|
71 |
|
72 |
4) Yet we have to talk about the idea in general that it is really not a |
73 |
good idea to automatically make changes to the user if you run the risk |
74 |
of overwriting changes explicitly made by the system administrator. |
75 |
|
76 |
It's one thing that multiple local users will get removed from portage |
77 |
group when you remerge acct-user/portage, but if you kill services |
78 |
because package maintainers are pushing their vision of how to run the |
79 |
package, it's not. |
80 |
|
81 |
|
82 |
-- |
83 |
Regards, |
84 |
Thomas Deutschmann / Gentoo Linux Developer |
85 |
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |