Re: [PATCH 1/1] image.bbclass: add a method to add/delete/modify user/group settings

[Mark Hatle <mark.hatle@windriver.com>]

On 7/8/13 2:31 PM, Martin Jansa wrote:
> On Mon, Jul 08, 2013 at 01:01:48PM -0500, Mark Hatle wrote:
>> On 7/8/13 12:27 PM, Martin Jansa wrote:
>>> On Mon, Jul 08, 2013 at 12:15:40PM -0500, Mark Hatle wrote:
>>>> On 7/5/13 3:39 AM, Martin Jansa wrote:
>>>>> On Fri, Jul 05, 2013 at 02:07:28PM +0800, Qi.Chen@windriver.com wrote:
>>>>>> From: Chen Qi <Qi.Chen@windriver.com>
>>>>>>
>>>>>> We may want to add a user or group which does not logically belong to
>>>>>> any specific package. For example, we may want to add a user with the
>>>>>> name 'tester' to our image. Besides, we may want to delete or modify
>>>>>> user/group in our image.
>>>>>>
>>>>>> This patch adds a variable, USER_GROUP_SETTINGS, which is dedicated
>>>>>> to these tasks. The configuration format is detailed in the local.conf.
>>>>>> sample.extended file.
>>>>>>
>>>>>> This patch also adds a function, set_user_group, which happens at
>>>>>> the end of the ROOTFS_POSTPROCESS_COMMAND. It handles the settings
>>>>>> in the USER_GROUP_SETTINGS variable.
>>>>>
>>>>> Why not use extra package just with user?
>>>>>
>>>>> See "[PATCH v3 0/5] Allow xuser to shutdown (cover letter only)"
>>>>
>>>> The issue is that the users don't want extra (empty) packages to just add
>>>> standard users/groups.  What they want is a post image-generation
>>>> "configuration" mechanism.
>>>>
>>>> Adding users/groups is one of the basic items that they want/need.  This really
>>>> has to be considered to be an administrative activity vs a distribution
>>>> activity.  (I.e. difference between creating a package and performing some kind
>>>> of post-image action.)
>>>>
>>>> The other issue with a package based approach is it then mandates changes occur
>>>> by having to rebuild/reinstall packages.  This is onerous in my experience, for
>>>> something basic like this.  It's really outside of the package manager's control.
>>>
>>> We can have all users in one package
>>> base-users (like we have base-files)
>>>
>>> It can allow someone to just define DEFAULT_USERS = "a b c" in
>>> local.conf and let base-users recipe to create all 3 automatically.
>>>
>>> Post image-generation mechanism doesn't allow to add new required users
>>> in "upgrade" or installing packages from binary feed with all required
>>> users accounts.
>>>
>>
>> That is exactly it..  these are not users that will -ever- be upgraded or worked
>> on via packages.
>>
>> This is equivalent to saying "I'd like users bob, tracy and alice on this image
>> I'm generating."
>>
>> It's NOT saying, all systems generated with this package feed will include bob,
>> tracy and alice.
>
> IMAGE_INSTALL += "base-user-bob base-user-tracy base-user-alice"
>
>> If the user wants to add john, after the initial image is generated, they would
>> do so using the adduser functionality of the system (or modifying the
>> passwd/group files.)
>
> And what if john-the-ripper package in the feed needs john as system
> user and the same system user is also used by thc-hydra package?

These are not system users.. these are -actual- users, people who are going to 
log into this instance and do "something".

> Should both include addusers/addgroup postinsts (like connman,
> xserver-nodm-init do without latest patchset)?

Each package that requires a non-standard system user should add it themselves 
via the existing postinst scripts.

--Mark

>> The fundamental problem is that the package feeds and district from the image
>> itself.  The image is nothing more then an installer that happens to be running
>> on the build machine itself.  Things that are part of the distribution belong in
>> the feed, things that are instance/image specific belong as part of the
>> installation process.
>>
>> --Mark
>