From: Tim Serong <tserong@suse.com>
To: Sage Weil <sweil@redhat.com>
Cc: Gaudenz Steinlin <gaudenz@debian.org>,
Ken Dreyer <kdreyer@redhat.com>,
ceph-devel@vger.kernel.org, cjwatson@debian.org,
ceph-maintainers@ceph.com, timm@fnal.gov,
Owen Synge <osynge@suse.com>
Subject: Re: [Ceph-maintainers] statically allocated uid/gid for ceph
Date: Thu, 14 May 2015 22:16:06 +1000
Message-ID: <55549206.3040008@suse.com>
In-Reply-To: <alpine.DEB.2.00.1504270901250.5458@cobra.newdream.net>

On 04/28/2015 02:02 AM, Sage Weil wrote:
>> much progress on the SUSE front. I did suggest everyone just do what
>> Debian does ;) but both Fedora and SUSE people pointed out that the 64K
>> range isn't safe to claim, what with not being specifically reserved.
>>
>> I did make one small bit of progress - I've added the ceph user and
>> group to rpmlint on openSUSE Factory
>> (https://build.opensuse.org/request/show/303537) so at least the SUSE
>> build won't bitch if files specified in any of the packages are owned by
>> ceph:ceph.

It is my sad duty to report that I've been unable to get a static
UID/GID allocated for SLES or openSUSE.

TL;DR:

* There's nothing free in the reserved static range 0-99.
* We can't take something from the unreserved ranges (500-999,
  60001-64K) and hope for the best due to potential conflicts with old
  systems, LDAP users on those ranges, customers, etc. etc.

Consequently I would like to propose the following as a least-worst
fallback/workaround:

1) Add functionality to ceph-deploy to create the user and group during
   `ceph-deploy install`. This would happen iff new (optional) --ceph-uid
   and --ceph-gid arguments[1] were passed to `ceph-deploy install`, and
   would happen before any ceph packages are installed. This would allow
   individual sites to choose the UID/GID so they know it doesn't conflict
   with anything already in use.

2) Add a guard to the %pre script in the RPM so it only invokes `useradd`
   and `groupadd` if the ceph user and group don't already exist.

If the UID and GID aren't specified during `ceph-deploy install`, then
it'll fall back to "next available" in the system range when
useradd/groupadd are invoked in the rpm %pre script.

The above should have no impact on other distros where a fixed UID/GID
is already set in the package.

Does this sound viable?

Regards,

Tim

[1] Or, possibly, it should force both UID and GID to the same number,
meaning we only need one argument, say --ceph-uidgid?

--
Tim Serong
Senior Clustering Engineer
SUSE
tserong@suse.com
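
An added example, not part of the message above or of the ceph packaging: the guard from item 2 combined with the site-chosen IDs from item 1, written as a shell function that a %pre scriptlet could call. The function names, the `CEPH_UID`/`CEPH_GID` variables and the nologin shell path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: guarded ceph account creation, as for an RPM %pre scriptlet.
# CEPH_UID / CEPH_GID are hypothetical environment overrides standing in for
# the proposed --ceph-uid / --ceph-gid arguments; unset means "next available".

# Print the name that currently owns numeric id $2 in database $1 (passwd or
# group), or nothing if the id is free. getent resolves through NSS, so
# directory-backed (e.g. LDAP) accounts visible to this host are checked too.
id_owner() {
    getent "$1" "$2" | cut -d: -f1
}

ensure_ceph_account() {
    have_group=no; have_user=no
    if getent group ceph >/dev/null; then have_group=yes; fi
    if getent passwd ceph >/dev/null; then have_user=yes; fi

    # Check the requested ids before changing anything, so a conflict
    # leaves the system untouched instead of half-configured.
    if [ "$have_group" = no ] && [ -n "${CEPH_GID:-}" ]; then
        owner=$(id_owner group "$CEPH_GID")
        [ -z "$owner" ] || { echo "gid $CEPH_GID belongs to $owner" >&2; return 1; }
    fi
    if [ "$have_user" = no ] && [ -n "${CEPH_UID:-}" ]; then
        owner=$(id_owner passwd "$CEPH_UID")
        [ -z "$owner" ] || { echo "uid $CEPH_UID belongs to $owner" >&2; return 1; }
    fi

    # The guard from item 2: only create what does not already exist.
    if [ "$have_group" = no ]; then
        if [ -n "${CEPH_GID:-}" ]; then
            groupadd -g "$CEPH_GID" ceph || return 1
        else
            groupadd -r ceph || return 1    # next free id in the system range
        fi
    fi
    if [ "$have_user" = no ]; then
        # The nologin shell path is an assumption; distros differ.
        if [ -n "${CEPH_UID:-}" ]; then
            useradd -u "$CEPH_UID" -g ceph -s /sbin/nologin ceph || return 1
        else
            useradd -r -g ceph -s /sbin/nologin ceph || return 1
        fi
    fi
    return 0
}
```

A pre-existing `ceph` account is left exactly as found, whatever its numeric ids, so ownership of files shared between hosts still depends on sites choosing the same values everywhere.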