6:21 p.m.
This fixes another missing sysusers file and changes the
RPM spec to take account of new RPM processing of sysusers
files at install time.
Daniel P. Berrangé (2):
tools: add sysusers file to create 'virtlogin' group
rpm: disable account creation for Fedora >= 42
libvirt.spec.in | 19 +++++++++++++++++++
tools/libvirt-login-shell.sysusers.conf | 1 +
tools/meson.build | 7 +++++++
3 files changed, 27 insertions(+)
create mode 100644 tools/libvirt-login-shell.sysusers.conf
--
2.47.1
6:21 p.m.
New subject: [PATCH 1/2] tools: add sysusers file to create 'virtlogin' group
We previously added a sysusers file, but missed the 'virtlogin' group.
This group is used to make the virt-login-shell binary setgid, so we
shoudl be registering that too. It must be done in a separate sysusers
file, however, since it is packaged separately from the daemons.
Fixes: a2c3e390f7bedf36f4ddc544d09fe3b8772c5c6f
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
libvirt.spec.in | 3 +++
tools/libvirt-login-shell.sysusers.conf | 1 +
tools/meson.build | 7 +++++++
3 files changed, 11 insertions(+)
create mode 100644 tools/libvirt-login-shell.sysusers.conf
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 5c5d36966d..5825de7cf1 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1095,6 +1095,8 @@ Wireshark dissector plugin for better analysis of libvirt RPC
traffic.
%package login-shell
Summary: Login shell for connecting users to an LXC container
Requires: libvirt-libs = %{version}-%{release}
+# For uid creation during pre
+Requires(pre): shadow-utils
%description login-shell
Provides the set-uid virt-login-shell binary that is used to
@@ -2533,6 +2535,7 @@ exit 0
%attr(4750, root, virtlogin) %{_bindir}/virt-login-shell
%{_libexecdir}/virt-login-shell-helper
%config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
+%{_sysusersdir}/libvirt-login-shell.conf
%{_mandir}/man1/virt-login-shell.1*
%endif
diff --git a/tools/libvirt-login-shell.sysusers.conf
b/tools/libvirt-login-shell.sysusers.conf
new file mode 100644
index 0000000000..5459fd99ce
--- /dev/null
+++ b/tools/libvirt-login-shell.sysusers.conf
@@ -0,0 +1 @@
+g virtlogin -
diff --git a/tools/meson.build b/tools/meson.build
index 3f4e2a3c4b..4d5c9e4bba 100644
--- a/tools/meson.build
+++ b/tools/meson.build
@@ -123,6 +123,13 @@ if conf.has('WITH_LOGIN_SHELL')
)
install_data('virt-login-shell.conf', install_dir: sysconfdir /
'libvirt')
+
+ # Install the sysuser config for the setgid binary
+ install_data(
+ 'libvirt-login-shell.sysusers.conf',
+ install_dir: sysusersdir,
+ rename: [ 'libvirt-login-shell.conf' ],
+ )
endif
if host_machine.system() == 'windows'
--
2.47.1
6:56 p.m.
New subject: [PATCH 1/2] tools: add sysusers file to create 'virtlogin' group
On Thu, Jan 30, 2025 at 15:21:30 +0000, Daniel P. Berrangé wrote:
We previously added a sysusers file, but missed the
'virtlogin' group.
This group is used to make the virt-login-shell binary setgid, so we
shoudl be registering that too. It must be done in a separate sysusers
file, however, since it is packaged separately from the daemons.
Fixes: a2c3e390f7bedf36f4ddc544d09fe3b8772c5c6f
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
libvirt.spec.in | 3 +++
tools/libvirt-login-shell.sysusers.conf | 1 +
tools/meson.build | 7 +++++++
3 files changed, 11 insertions(+)
create mode 100644 tools/libvirt-login-shell.sysusers.conf
Reviewed-by: Jiri Denemark <jdenemar(a)redhat.com>
6:21 p.m.
New subject: [PATCH 2/2] rpm: disable account creation for Fedora >= 42
In Fedora >= 42, support for user/group account creation based on
sysusers files has been enabled in RPM. Manually running useradd/
groupadd is thus obsolete.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
libvirt.spec.in | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 5825de7cf1..be91fa6bb4 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -44,6 +44,12 @@
%define with_qemu_kvm 0
%endif
+%if 0%{?fedora} >= 42
+ %define with_account_add 0
+%else
+ %define with_account_add 1
+%endif
+
%define with_qemu_tcg %{with_qemu}
# RHEL disables TCG on all architectures
@@ -535,8 +541,10 @@ Requires(posttrans): /usr/bin/systemctl
Requires(preun): /usr/bin/systemctl
# libvirtd depends on 'messagebus' service
Requires: dbus
+%if %{with_account_add}
# For uid creation during pre
Requires(pre): shadow-utils
+%endif
# Needed by /usr/libexec/libvirt-guests.sh script.
%if 0%{?fedora}
Requires: gettext-runtime
@@ -1095,8 +1103,10 @@ Wireshark dissector plugin for better analysis of libvirt RPC
traffic.
%package login-shell
Summary: Login shell for connecting users to an LXC container
Requires: libvirt-libs = %{version}-%{release}
+%if %{with_account_add}
# For uid creation during pre
Requires(pre): shadow-utils
+%endif
%description login-shell
Provides the set-uid virt-login-shell binary that is used to
@@ -1796,10 +1806,12 @@ export VIR_TEST_DEBUG=1
%pre daemon-common
%libvirt_sysconfig_pre libvirt-guests
%libvirt_systemd_oneshot_pre libvirt-guests
+%if %{with_account_add}
# 'libvirt' group is just to allow password-less polkit access to libvirt
# daemons. The uid number is irrelevant, so we use dynamic allocation.
getent group libvirt >/dev/null || groupadd -r libvirt
exit 0
+%endif
%posttrans daemon-common
%libvirt_sysconfig_posttrans libvirt-guests
@@ -1922,6 +1934,7 @@ exit 0
%libvirt_sysconfig_pre virtqemud
%libvirt_systemd_unix_pre virtqemud
+%if %{with_account_add}
# We want soft static allocation of well-known ids, as disk images
# are commonly shared across NFS mounts by id rather than name.
# See https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/
@@ -1937,6 +1950,7 @@ if ! getent passwd 'qemu' >/dev/null; then
fi
fi
exit 0
+%endif
%posttrans daemon-driver-qemu
%libvirt_sysconfig_posttrans virtqemud
@@ -2063,8 +2077,10 @@ done
%if %{with_lxc}
%pre login-shell
+%if %{with_account_add}
getent group virtlogin >/dev/null || groupadd -r virtlogin
exit 0
+%endif
%endif
%endif
--
2.47.1
6:56 p.m.
New subject: [PATCH 2/2] rpm: disable account creation for Fedora >= 42
On Thu, Jan 30, 2025 at 15:21:31 +0000, Daniel P. Berrangé wrote:
In Fedora >= 42, support for user/group account creation based on
sysusers files has been enabled in RPM. Manually running useradd/
groupadd is thus obsolete.
Do you have any pointer to how this actually works? So far users/groups
defined in sysusers were created at the end of transaction, which was
pretty useless. Is the change in Fedora about creating the users/groups
after each package is installed or even before? In other words, will the
following still work or will installation complain that the user/groups
do not exist?
%attr(0755, %{qemu_user}, %{qemu_group})
%attr(4750, root, virtlogin)
Jirka
8:05 p.m.
New subject: [PATCH 2/2] rpm: disable account creation for Fedora >= 42
On Thu, Jan 30, 2025 at 04:56:07PM +0100, Jiri Denemark wrote:
On Thu, Jan 30, 2025 at 15:21:31 +0000, Daniel P. Berrangé wrote:
> In Fedora >= 42, support for user/group account creation based on
> sysusers files has been enabled in RPM. Manually running useradd/
> groupadd is thus obsolete.
Do you have any pointer to how this actually works? So far users/groups
defined in sysusers were created at the end of transaction, which was
pretty useless. Is the change in Fedora about creating the users/groups
after each package is installed or even before? In other words, will the
following still work or will installation complain that the user/groups
do not exist?
%attr(0755, %{qemu_user}, %{qemu_group})
%attr(4750, root, virtlogin)
That should do the right thing
https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers
IIUC, RPM should see the sysusers files in the package and take care
to create the user accounts before deploying the files.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
12:18 a.m.
New subject: [PATCH 2/2] rpm: disable account creation for Fedora >= 42
On Thu, Jan 30, 2025 at 17:05:05 +0000, Daniel P. Berrangé wrote:
On Thu, Jan 30, 2025 at 04:56:07PM +0100, Jiri Denemark wrote:
> On Thu, Jan 30, 2025 at 15:21:31 +0000, Daniel P. Berrangé wrote:
> > In Fedora >= 42, support for user/group account creation based on
> > sysusers files has been enabled in RPM. Manually running useradd/
> > groupadd is thus obsolete.
>
> Do you have any pointer to how this actually works? So far users/groups
> defined in sysusers were created at the end of transaction, which was
> pretty useless. Is the change in Fedora about creating the users/groups
> after each package is installed or even before? In other words, will the
> following still work or will installation complain that the user/groups
> do not exist?
>
> %attr(0755, %{qemu_user}, %{qemu_group})
> %attr(4750, root, virtlogin)
That should do the right thing
https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers
IIUC, RPM should see the sysusers files in the package and take care
to create the user accounts before deploying the files.
Great, sysusers is finally becoming a useful thing :-)
Reviewed-by: Jiri Denemark <jdenemar(a)redhat.com>
6
days inactive
6
days old
6 comments
2 participants
participants (2)
-
Daniel P. Berrangé -
Jiri Denemark