migrations: Add support for adding subuids and subgids to users #7


EbonJaeger
Member

Adds a migration task to add subuids and subgids to users in a group, plus root. If the /etc/ files exist, the commands will not be executed.

Fixes #6

Tested in a fresh Solus VM that did not have the /etc/ subid files and noted that the files were created after migrations were run.

Signed-off-by: Evan Maddock [email protected]

@silkeh self-requested a review May 3, 2024 17:58
@livingsilver94
Member

Before reviewing the code, I don't think I like the logic suggested in #6. What's been proposed here is to add a certain range of subuids/gids (I don't know where the values come from, but that's not relevant now), ignoring the user's preferences in /etc/login.defs.

/etc/login.defs is under the total control of the user since it's /etc, and this file may specify (I'm copying what Fedora ships for reference):

SUB_GID_MIN                524288
SUB_GID_MAX             600100000
SUB_GID_COUNT               65536
SUB_UID_MIN                524288
SUB_UID_MAX             600100000
SUB_UID_COUNT               65536

Suppose COUNT is zero. Aren't we overriding what the user requested?

@ermo
Contributor

ermo commented May 7, 2024

/etc/login.defs is a low-level, system-managed file in Solus.

It has just not been made stateless yet.

The goal is to ship a sane set of defaults, such that subuids and subgids just work ootb.

@TraceyC77

FWIW Gentoo is doing similar to this

@@ -85,6 +85,47 @@ func (c *Context) FilterUsers(filters ...string) (filtered []User) {
return filtered
}

// GetRootUser gets the root user
func (c *Context) GetRootUser() User {
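
Review bot: GetRootUser is declared to return a bare User, so a caller cannot tell a missing root entry from a zero-value User, and the doc comment only restates the function name. Consider returning (User, bool) or (User, error), or state in the comment what is returned when no root user is present in the Context.
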
Member

FYI: I know it's not because of you, so just leaving a comment: a "context" is very C-like and not a great tool to make code readable, since organization-wise it's a stash you throw anything in. A "user" package would probably be better on topic.

@silkeh requested review from livingsilver94 and silkeh May 29, 2024 11:42
@EbonJaeger
Member Author

Since past me was a jerk and didn't post a migration file anywhere, here is what I just re-created to test this with:

description = """
	Adds subuids and subgids to root and all users, if necessary.

	We typically want this to enable support for rootless container like solutions e.g. podman OOTB. The subgid/subuid files will only be created, and the commands adding the ids only run, if they are not already present. After creation, these files should be maintained by shadow.
"""

[[add-subids]]
group = "users"
range-start = 1000000
range-end = 1065535

Test plan

  1. Build with make PREFIX=/usr
  2. (Optional) Create or boot up a VM
  3. Make sure the built qol-assist is executable (chmod +x qol-assist)
  4. Move the built qol-assist to /usr/sbin/qol-assist
  5. Save the above migration file to /usr/share/defaults/qol-assist.d/add-subids.toml
  6. Run sudo qol-assist trigger
  7. Reboot
  8. Inspect the new /etc/subuid and /etc/subgid files
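
A check for step 8 of the test plan, as an added example that is not part of the original comment or of qol-assist's code: it parses subid file content (one `owner:start:count` entry per line) and reports owners whose ranges overlap, since overlapping ranges let two accounts' user namespaces map to the same host IDs. The sample entries and the users alice and bob are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SubID is one "owner:start:count" entry of /etc/subuid or /etc/subgid.
type SubID struct {
	Owner        string
	Start, Count uint64
}

// ParseSubIDs parses file content; malformed entries are errors, not skipped.
func ParseSubIDs(content string) ([]SubID, error) {
	var ids []SubID
	for n, entry := range strings.Fields(content) { // one entry per line, no spaces
		f := strings.Split(entry, ":")
		if len(f) != 3 || f[0] == "" {
			return nil, fmt.Errorf("entry %d: want owner:start:count", n+1)
		}
		start, e1 := strconv.ParseUint(f[1], 10, 32)
		count, e2 := strconv.ParseUint(f[2], 10, 32)
		if e1 != nil || e2 != nil || count == 0 {
			return nil, fmt.Errorf("entry %d: bad start or count", n+1)
		}
		ids = append(ids, SubID{f[0], start, count})
	}
	return ids, nil
}

// Overlaps returns pairs of different owners whose ranges share at least one ID.
func Overlaps(ids []SubID) (pairs [][2]string) {
	for i, a := range ids {
		for _, b := range ids[i+1:] {
			if a.Owner != b.Owner && a.Start < b.Start+b.Count && b.Start < a.Start+a.Count {
				pairs = append(pairs, [2]string{a.Owner, b.Owner})
			}
		}
	}
	return pairs
}

func main() {
	// Constructed sample, not taken from the page; alice and bob are hypothetical.
	ids, err := ParseSubIDs("root:1000000:65536\nalice:1000000:65536\nbob:1065536:65536\n")
	fmt.Println(Overlaps(ids), err)
}
```

To run it against a real system, pass the contents of /etc/subuid or /etc/subgid to `ParseSubIDs` instead of the constructed string.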

@ermo added the enhancement (New feature or request) label Jun 27, 2024
ermo

This comment was marked as resolved.

@ermo dismissed their stale review June 30, 2024 15:11

PEBKAC on my end

@ermo
Contributor

ermo commented Jun 30, 2024

Now that I am copying in the new qol-assist binary to /usr/sbin (and not /usr/bin like before -- derp), things appear to work:

ermo@solus-xfce ~ $ ls -l /usr/{s,}bin/qol*
-rwxr-xr-x 1 root root 3201440 30 jun 14:37 /usr/bin/qol-assist
-rwxr-xr-x 1 root root 2152504  3 apr 16:55 /usr/sbin/qol-assist
ermo@solus-xfce ~ $ cd /usr/sbin
ermo@solus-xfce /usr/sbin $ sudo mv qol-assist qol-assist.org
[sudo] password for ermo:
ermo@solus-xfce /usr/sbin $ sudo mv ../bin/qol-assist .
ermo@solus-xfce /usr/sbin $ cd
ermo@solus-xfce ~ $ sudo qol-assist trigger -d
 ✚  Created trigger file at /var/lib/qol-assist/trigger
Migration will run on next boot.
ermo@solus-xfce ~ $ sudo qol-assist migrate -d
 ✚  Gathering system info...
 ✚  	Gathered active shells from /etc/shells
 ✚  	Gathered groups from /etc/groups
 ✚  	Gathered users from /etc/passwd
 🗲  System directory for migrations at /etc/qol-assist.d is unreadable, skipping
 ✚  Loading migrations from user directory /usr/share/defaults/qol-assist.d...
 ✚  	Loaded migration add-subids.toml
 ✚  	Loaded migration audio_group.toml
 ✚  	Loaded migration fuse_group.toml
 ✚  	Loaded migration plugdev_group.toml
 ✚  	Loaded migration sambashares_group_update.toml
 ✚  	Loaded migration scanner_group.toml
 ✚  	Loaded migration users_group_gid.toml
 ✚  	Loaded migration users_group_update.toml
 ✚  Running migration ...
 ✚  	Successfully added subuids to user ermo
 ✚  	Successfully added subuids to user root
 ✚  	Successfully added subgids to user ermo
 ✚  	Successfully added subgids to user root
 ✚  Running migration audio_group.toml...
 ✚  	User ermo already has group audio, skipping
 ✚  Running migration fuse_group.toml...
 ✚  	User ermo already has group fuse, skipping
 ✚  Running migration plugdev_group.toml...
 ✚  	User ermo already has group plugdev, skipping
 ✚  Running migration sambashares_group_update.toml...
 ✚  	User ermo already has group sambashares, skipping
 ✚  Running migration scanner_group.toml...
 ✚  	User ermo already has group scanner, skipping
 ✚  Running migration users_group_gid.toml...
 ✚  	Successfully updated group with name users to new GID 100
 ✚  Running migration users_group_update.toml...
 ✚  	User ermo already has group users, skipping
Migrations complete.
ermo@solus-xfce ~ $ ls -l /etc/sub*
-rw-r--r-- 1 root root 38 30 jun 17:12 /etc/subgid
-rw-r--r-- 1 root root 19 30 jun 17:12 /etc/subgid-
-rw-r--r-- 1 root root 38 30 jun 17:12 /etc/subuid
-rw-r--r-- 1 root root 19 30 jun 17:12 /etc/subuid-
ermo@solus-xfce ~ $ 

Member

@silkeh left a comment

LGTM, thanks! Maybe squash the commits though? (can also be done on merge if preferred)

Ensure that we use atomic file operations for subgid and subuid files.

Signed-off-by: Evan Maddock <[email protected]>
@ermo force-pushed the 6-enable-support-to-retroactively-add-users-to-etcsubuid-and-etcsubgid-files branch from edf6acd to 27e7f19 July 2, 2024 13:24
@ermo merged commit a99a922 into master Jul 2, 2024
@ermo deleted the 6-enable-support-to-retroactively-add-users-to-etcsubuid-and-etcsubgid-files branch July 2, 2024 13:24
Successfully merging this pull request may close these issues.

Enable support to retroactively add users to /etc/subuid and /etc/subgid files