On Mon, Nov 28, 2016 at 8:21 AM, William L. Thomson Jr. <wlt...@o-sinc.com> wrote:
> On Friday, November 25, 2016 11:39:15 PM EST Daniel Campbell wrote:
> >
> > I could see a use-case for someone wanting to install a given daemon or
> > server with a specific user and/or group. I'm not sure this is the right
> > approach (nor do I know what is), but I think we have room to think
> > about a solution; ideally one that is dead-simple to implement and
> > doesn't have a ton of edge-cases.
> >
> > What is QA's current policy on user/group creation, btw?
>
> Years ago there was talk/discussion of having some list/database of
> UID/GID[1][2], so that we have consistent assignment. Arch seems to be the
> only distro thus far who has produced such a list[1], but it seems to be
> outdated and not maintained. It also seems to deviate from some UID/GID
> numbers RedHat uses, for example[2]: Arch uses 78 for the KVM group, RedHat
> uses 36.
>
> While there are many reasons people do not care about UID/GID, and
> arguments could be made that it might be better to have them vary on
> systems and be unique, for some things there are already common UID/GID
> across distros.
>
> I think in the long run, surely for anyone managing lots of systems, it is
> far better to have a consistent standard list of UID/GID including names.
> Maybe other distros will adopt it and it will become more of a standard.

Generally speaking, as a fellow who maintained thousands of systems (many of
which ran various operating systems), you cannot rely on all OS vendors to
synchronize uid / gid. You cannot even rely on some single vendors to
synchronize uid / gids between releases of their own products. If you build
your fleet maintenance with this premise in mind, most folks I've seen come up
with a way to manage it. Often it means things like:

1) Adding shared accounts to a database and using nsswitch to forward lookups.
2) Adding configuration management rules to add named accounts to every machine.
3) Building your fleet such that local uid / gid doesn't matter so much (often
   this means the demise of shared filesystems or other bolt-on
   authentication / authorization mechanisms).

Typically, since most folks building a fleet have to synchronize uid / gid of
actual human users anyway (so people can login / access files / etc.), the
burden just becomes "give me a list of accounts I should add to my 'syncer' so
they are auto-populated on all machines". The uids and gids don't matter so
much (I can assign them myself; often I need to inter-operate with other
systems where names are already in use, etc.). But just having a list of
"these system accounts are important" is probably useful on its own.

-A

> 1. http://marc.info/?l=gentoo-dev&w=2&r=1&s=Assigning+unique+system+uid%2Fgid+for+new+&q=b
> 2. http://marc.info/?t=117034194400005&r=1&w=2
> 3. https://wiki.archlinux.org/index.php?title=DeveloperWiki:UID_/_GID_Database
> 4. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Installation_Guide/sect-System_Accounts.html
>
> --
> William L. Thomson Jr.
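As an added illustration of the "give me a list of accounts" approach discussed above (example code, not written by anyone in this thread): a check that compares one host's passwd/group data against a canonical list of important system accounts, reporting names the syncer still has to add, numeric ids that differ from the list (the KVM 78 vs 36 case), and names that share one numeric id. The passwd/group contents and the `CANONICAL` list are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of one host's passwd and group data (not real system files).
PASSWD = """postgres:x:70:70:PostgreSQL:/var/lib/postgresql:/bin/sh
kvm:x:36:36:KVM:/dev/null:/sbin/nologin
"""
GROUP = """postgres:x:70:
kvm:x:36:
libvirt:x:36:
"""
# Hypothetical canonical list: name -> (uid, gid). None means "any id, only the
# name must exist", which is the minimal promise the thread argues for.
CANONICAL = {"postgres": (70, 70), "kvm": (78, 78), "git": (None, None)}

def parse_ids(text):
    """Return {name: numeric id} from passwd- or group-format text."""
    ids = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            ids[fields[0]] = int(fields[2])
    return ids

def collisions(ids):
    """Names sharing one numeric id: where name-only syncing silently breaks."""
    by_id = defaultdict(list)
    for name, num in ids.items():
        by_id[num].append(name)
    return {num: names for num, names in by_id.items() if len(names) > 1}

def audit(canonical, passwd_text, group_text):
    """Compare the canonical list with one host; return what a syncer must fix."""
    users, groups = parse_ids(passwd_text), parse_ids(group_text)
    report = {"missing": [], "uid_mismatch": {}, "gid_mismatch": {}}
    for name, (uid, gid) in canonical.items():
        if name not in users or name not in groups:
            report["missing"].append(name)
            continue
        if uid is not None and users[name] != uid:
            report["uid_mismatch"][name] = (uid, users[name])
        if gid is not None and groups[name] != gid:
            report["gid_mismatch"][name] = (gid, groups[name])
    report["uid_collisions"] = collisions(users)
    report["gid_collisions"] = collisions(groups)
    return report

if __name__ == "__main__":
    for key, value in audit(CANONICAL, PASSWD, GROUP).items():
        print(f"{key}: {value}")
```

Pointing `PASSWD`/`GROUP` at the real files (or at the output of `getent`, so nsswitch-backed entries are included) turns this into a per-host drift report for the canonical list.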