[PATCH 0/2] finish sysusers support

This fixes another missing sysusers file and changes the RPM spec to take account of new RPM processing of sysusers files at install time.

Daniel P. Berrangé (2):
  tools: add sysusers file to create 'virtlogin' group
  rpm: disable account creation for Fedora >= 42

 libvirt.spec.in                         | 19 +++++++++++++++++++
 tools/libvirt-login-shell.sysusers.conf |  1 +
 tools/meson.build                       |  7 +++++++
 3 files changed, 27 insertions(+)
 create mode 100644 tools/libvirt-login-shell.sysusers.conf

-- 
2.47.1

[PATCH 1/2] tools: add sysusers file to create 'virtlogin' group

We previously added a sysusers file, but missed the 'virtlogin' group. This group is used to make the virt-login-shell binary setgid, so we should be registering that too. It must be done in a separate sysusers file, however, since it is packaged separately from the daemons.

Fixes: a2c3e390f7bedf36f4ddc544d09fe3b8772c5c6f
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 libvirt.spec.in                         | 3 +++
 tools/libvirt-login-shell.sysusers.conf | 1 +
 tools/meson.build                       | 7 +++++++
 3 files changed, 11 insertions(+)
 create mode 100644 tools/libvirt-login-shell.sysusers.conf

diff --git a/libvirt.spec.in b/libvirt.spec.in index 5c5d36966d..5825de7cf1 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1095,6 +1095,8 @@ Wireshark dissector plugin for better analysis of libvirt RPC traffic. %package login-shell Summary: Login shell for connecting users to an LXC container Requires: libvirt-libs = %{version}-%{release} +# For uid creation during pre +Requires(pre): shadow-utils %description login-shell Provides the set-uid virt-login-shell binary that is used to @@ -2533,6 +2535,7 @@ exit 0 %attr(4750, root, virtlogin) %{_bindir}/virt-login-shell %{_libexecdir}/virt-login-shell-helper %config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf +%{_sysusersdir}/libvirt-login-shell.conf %{_mandir}/man1/virt-login-shell.1* %endif diff --git a/tools/libvirt-login-shell.sysusers.conf b/tools/libvirt-login-shell.sysusers.conf new file mode 100644 index 0000000000..5459fd99ce --- /dev/null +++ b/tools/libvirt-login-shell.sysusers.conf @@ -0,0 +1 @@ +g virtlogin - diff --git a/tools/meson.build b/tools/meson.build index 3f4e2a3c4b..4d5c9e4bba 100644 --- a/tools/meson.build +++ b/tools/meson.build 
@@ -123,6 +123,13 @@ if conf.has('WITH_LOGIN_SHELL') ) install_data('virt-login-shell.conf', install_dir: sysconfdir / 'libvirt') + + # Install the sysuser config for the setgid binary + install_data( + 'libvirt-login-shell.sysusers.conf', + install_dir: sysusersdir, + rename: [ 'libvirt-login-shell.conf' ], + ) endif if host_machine.system() == 'windows' -- 2.47.1
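Review bot: the comment added above `Requires(pre): shadow-utils` in the login-shell hunk of libvirt.spec.in reads "# For uid creation during pre", but `%pre login-shell` only runs `groupadd -r virtlogin`; say "group creation" so nobody goes looking for a useradd. The dependency is also only needed for as long as that groupadd still runs, which is exactly what the second patch in the series conditionalises.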
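Review bot: `g virtlogin -` in the new sysusers fragment requests a system group with a dynamically allocated GID, which matches the existing `groupadd -r virtlogin` in `%pre login-shell`, so hosts set up by either path get the same kind of group. A one-line comment in the fragment stating that the group exists only to carry the setgid bit on virt-login-shell (the `%attr(4750, root, virtlogin)` entry in %files) would help future readers, since sysusers.d files allow `#` comments.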
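Review bot: the tools/meson.build hunk references `sysusersdir` but nothing in this patch defines it, so it must already be exported by the top-level meson.build from the earlier sysusers commit named in Fixes:; otherwise configuring with WITH_LOGIN_SHELL fails. Worth a sentence in the commit message. The `rename: [ 'libvirt-login-shell.conf' ]` does match the `%{_sysusersdir}/libvirt-login-shell.conf` entry added to %files, which is the thing most likely to drift later.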

On Thu, Jan 30, 2025 at 15:21:30 +0000, Daniel P. Berrangé wrote:
We previously added a sysusers file, but missed the 'virtlogin' group. This group is used to make the virt-login-shell binary setgid, so we should be registering that too. It must be done in a separate sysusers file, however, since it is packaged separately from the daemons.
Fixes: a2c3e390f7bedf36f4ddc544d09fe3b8772c5c6f
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 libvirt.spec.in                         | 3 +++
 tools/libvirt-login-shell.sysusers.conf | 1 +
 tools/meson.build                       | 7 +++++++
 3 files changed, 11 insertions(+)
 create mode 100644 tools/libvirt-login-shell.sysusers.conf
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

[PATCH 2/2] rpm: disable account creation for Fedora >= 42

In Fedora >= 42, support for user/group account creation based on sysusers files has been enabled in RPM. Manually running useradd/groupadd is thus obsolete.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 libvirt.spec.in | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/libvirt.spec.in b/libvirt.spec.in index 5825de7cf1..be91fa6bb4 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -44,6 +44,12 @@ %define with_qemu_kvm 0 %endif +%if 0%{?fedora} >= 42 + %define with_account_add 0 +%else + %define with_account_add 1 +%endif + %define with_qemu_tcg %{with_qemu} # RHEL disables TCG on all architectures @@ -535,8 +541,10 @@ Requires(posttrans): /usr/bin/systemctl Requires(preun): /usr/bin/systemctl # libvirtd depends on 'messagebus' service Requires: dbus +%if %{with_account_add} # For uid creation during pre Requires(pre): shadow-utils +%endif # Needed by /usr/libexec/libvirt-guests.sh script. %if 0%{?fedora} Requires: gettext-runtime @@ -1095,8 +1103,10 @@ Wireshark dissector plugin for better analysis of libvirt RPC traffic. %package login-shell Summary: Login shell for connecting users to an LXC container Requires: libvirt-libs = %{version}-%{release} +%if %{with_account_add} # For uid creation during pre Requires(pre): shadow-utils +%endif %description login-shell Provides the set-uid virt-login-shell binary that is used to @@ -1796,10 +1806,12 @@ export VIR_TEST_DEBUG=1 %pre daemon-common %libvirt_sysconfig_pre libvirt-guests %libvirt_systemd_oneshot_pre libvirt-guests +%if %{with_account_add} # 'libvirt' group is just to allow password-less polkit access to libvirt # daemons. The uid number is irrelevant, so we use dynamic allocation. getent group libvirt >/dev/null || groupadd -r libvirt exit 0 +%endif %posttrans daemon-common %libvirt_sysconfig_posttrans libvirt-guests 
@@ -1922,6 +1934,7 @@ exit 0 %libvirt_sysconfig_pre virtqemud %libvirt_systemd_unix_pre virtqemud +%if %{with_account_add} # We want soft static allocation of well-known ids, as disk images # are commonly shared across NFS mounts by id rather than name. # See https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/ @@ -1937,6 +1950,7 @@ if ! getent passwd 'qemu' >/dev/null; then fi fi exit 0 +%endif %posttrans daemon-driver-qemu %libvirt_sysconfig_posttrans virtqemud @@ -2063,8 +2077,10 @@ done %if %{with_lxc} %pre login-shell +%if %{with_account_add} getent group virtlogin >/dev/null || groupadd -r virtlogin exit 0 +%endif %endif %endif -- 2.47.1
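Review bot: the new `with_account_add` switch keys only on `0%{?fedora} >= 42`, so RHEL-derived builds keep `with_account_add 1` and carry on running groupadd/useradd. That is the safe default until their RPM gains the same sysusers processing, but a short comment next to the `%if` stating that intent would stop the next reader from assuming RHEL was overlooked.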
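Review bot: in the `%pre daemon-common` hunk the `exit 0` moves inside `%if %{with_account_add}`, so in the Fedora >= 42 build the scriptlet now ends with `%libvirt_systemd_oneshot_pre libvirt-guests` and its exit status is whatever that macro's last command returns. Either confirm that macro cannot fail in practice or keep the `exit 0` outside the conditional, otherwise a previously swallowed failure starts aborting installs.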
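Review bot: the `%pre` qemu hunks conditionalise away the soft-static uid/gid allocation while keeping the comment that explains why the ids matter (disk images shared over NFS are matched by id, per the linked packaging guidelines). The sysusers fragment the daemon package ships therefore has to pin the same well-known ids rather than use `-`, or Fedora 42 hosts end up with a different qemu uid from hosts set up by the old scriptlet; the commit message should say that the fragment does so.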
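Review bot: in the last hunk `%if %{with_account_add}` is placed inside `%pre login-shell`, which leaves an empty `%pre login-shell` scriptlet when account creation is disabled. RPM tolerates an empty scriptlet, but moving the `%pre login-shell` line inside the conditional (between the existing `%if %{with_lxc}` and the new `%if`) avoids shipping a no-op scriptlet and the extra shadow-utils-free scriptlet dependency it implies.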

On Thu, Jan 30, 2025 at 15:21:31 +0000, Daniel P. Berrangé wrote:
In Fedora >= 42, support for user/group account creation based on sysusers files has been enabled in RPM. Manually running useradd/groupadd is thus obsolete.
Do you have any pointer to how this actually works? So far users/groups defined in sysusers were created at the end of transaction, which was pretty useless. Is the change in Fedora about creating the users/groups after each package is installed or even before? In other words, will the following still work or will installation complain that the user/groups do not exist?

%attr(0755, %{qemu_user}, %{qemu_group})
%attr(4750, root, virtlogin)

Jirka

On Thu, Jan 30, 2025 at 04:56:07PM +0100, Jiri Denemark wrote:
On Thu, Jan 30, 2025 at 15:21:31 +0000, Daniel P. Berrangé wrote:
In Fedora >= 42, support for user/group account creation based on sysusers files has been enabled in RPM. Manually running useradd/groupadd is thus obsolete.
Do you have any pointer to how this actually works? So far users/groups defined in sysusers were created at the end of transaction, which was pretty useless. Is the change in Fedora about creating the users/groups after each package is installed or even before? In other words, will the following still work or will installation complain that the user/groups do not exist?
%attr(0755, %{qemu_user}, %{qemu_group})
%attr(4750, root, virtlogin)
That should do the right thing

https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers

IIUC, RPM should see the sysusers files in the package and take care to create the user accounts before deploying the files.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

On Thu, Jan 30, 2025 at 17:05:05 +0000, Daniel P. Berrangé wrote:
On Thu, Jan 30, 2025 at 04:56:07PM +0100, Jiri Denemark wrote:
On Thu, Jan 30, 2025 at 15:21:31 +0000, Daniel P. Berrangé wrote:
In Fedora >= 42, support for user/group account creation based on sysusers files has been enabled in RPM. Manually running useradd/groupadd is thus obsolete.
Do you have any pointer to how this actually works? So far users/groups defined in sysusers were created at the end of transaction, which was pretty useless. Is the change in Fedora about creating the users/groups after each package is installed or even before? In other words, will the following still work or will installation complain that the user/groups do not exist?
%attr(0755, %{qemu_user}, %{qemu_group})
%attr(4750, root, virtlogin)
That should do the right thing
https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers
IIUC, RPM should see the sysusers files in the package and take care to create the user accounts before deploying the files.
Great, sysusers is finally becoming a useful thing :-) Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
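The question in this thread is whether every owner named in an %attr() entry still exists once the spec stops running groupadd/useradd itself and relies on RPM processing the shipped sysusers fragments first. The following pre-merge check (example code added here, not part of libvirt or of these patches) parses sysusers.d fragments and reports any %attr() user or group that no fragment declares; the spec excerpt and both fragments are constructed, and pinning qemu to uid 107 is an assumption standing in for whatever soft-static id the real daemon fragment reserves.

```python
import re

# Constructed sample (not the libvirt tree): the fragment patch 1 adds plus an
# assumed daemon fragment; pinning qemu to 107 is an assumption for illustration.
SYSUSERS = {
    "libvirt-login-shell.conf": "g virtlogin -\n",
    "libvirt.conf": "g libvirt -\nu qemu 107 'qemu user' /\n",
}
SPEC = """\
%define qemu_user qemu
%define qemu_group qemu
%attr(0755, %{qemu_user}, %{qemu_group}) %dir %{_localstatedir}/lib/libvirt/images
%attr(4750, root, virtlogin) %{_bindir}/virt-login-shell
"""  # constructed spec excerpt carrying the %attr lines quoted in the thread
ATTR_RE = re.compile(r"%attr\(\s*[0-7]+\s*,\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)")
DEFINE_RE = re.compile(r"^%define\s+(\w+)\s+(\S+)", re.M)

def parse_sysusers(text):
    """Return (users, groups) a sysusers.d fragment declares.  Simplified: a
    'u' line is taken to create a same-named group, its default behaviour."""
    users, groups = set(), set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        if fields[0] == "u":
            users.add(fields[1])
            groups.add(fields[1])
        elif fields[0] == "g":
            groups.add(fields[1])
    return users, groups

def missing_accounts(spec, fragments):
    """(kind, name) pairs that %attr() references but no fragment creates.
    root always exists; '-' means 'leave ownership unchanged' and is skipped."""
    defines = dict(DEFINE_RE.findall(spec))
    expand = lambda tok: re.sub(r"%\{(\w+)\}",
                                lambda m: defines.get(m.group(1), m.group(0)), tok)
    users, groups = {"root"}, {"root"}
    for frag in fragments.values():
        u, g = parse_sysusers(frag)
        users, groups = users | u, groups | g
    missing = set()
    for owner, group in ATTR_RE.findall(spec):
        owner, group = expand(owner), expand(group)
        if owner != "-" and owner not in users:
            missing.add(("user", owner))
        if group != "-" and group not in groups:
            missing.add(("group", group))
    return sorted(missing)
```

With both fragments present `missing_accounts(SPEC, SYSUSERS)` returns an empty list; dropping the login-shell fragment reports `("group", "virtlogin")`, which is the gap patch 1 closes.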