migrations: Add support for adding subuids and subgids to users

[EbonJaeger]

Adds a migration task to add subuids and subgids to users in a group, plus root. If the /etc/ files exist, the commands will not be executed.

Fixes #6

Tested in a fresh Solus VM that did not have the /etc/ subid files and noted that the files were created after migrations were run.

Signed-off-by: Evan Maddock [email protected]

[livingsilver94]

Before reviewing the code, I don't think I like the logic suggested in #6. What's been proposed here is to add a certain range of subuids/gids (I don't know where the value come from, but that's not relevant now), ignoring user's preferences in /etc/login.defs.

/etc/login.defs is under the total control of the user since it's /etc, and this file may specify (I'm copying what Fedora ships for reference):

SUB_GID_MIN                524288
SUB_GID_MAX             600100000
SUB_GID_COUNT               65536
SUB_UID_MIN                524288
SUB_UID_MAX             600100000
SUB_UID_COUNT               65536

Suppose COUNT is zero. Aren't we overriding what the user requested?

[ermo]

/etc/login.defs is a low-level, system-managed file in Solus.

It has just not been made stateless yet.

The goal is to ship a sane set of defaults, such that subuids and subgids just work ootb.

[TraceyC77]

FWIW Gentoo is doing similar to this

[livingsilver94]

FYI: I know it's not because of you, so just leaving a comment: a "context" is very C-like and not a great tool to make code readable, since organization-wise it's a stash you throw anything in. A "user" package would probably be better on topic.

[EbonJaeger]

Since past me was a jerk and didn't post a migration file anywhere, here is what I just re-created to test this with:

description = """
	Adds subuids and subgids to root and all users, if necessary.

	We typically want this to enable support for rootless container like solutions e.g. podman OOTB. The subgid/subuid files will only be created, and the commands adding the ids only run, if they are not already present. After creation, these files should be maintained by shadow.
"""

[[add-subids]]
group = "users"
range-start = 1000000
range-end = 1065535

Test plan

1. Build with make PREFIX=/usr
2. (Optional) Create or boot up a VM
3. Make sure the built qol-assist is executable (chmod +x qol-assist)
4. Move the built qol-assist to /usr/sbin/qol-assist
5. Save the above migration file to /usr/share/defaults/qol-assist.d/add-subids.toml
6. Run sudo qol-assist trigger
7. Reboot
8. Inspect the new /etc/subuid and /etc/subgid files

PEBKAC on my end

[ermo]

Now that I am copying in the new qol-assist binary to /usr/sbin (and not /usr/bin like before -- derp), things appear to work:

ermo@solus-xfce ~ $ ls -l /usr/{s,}bin/qol*
-rwxr-xr-x 1 root root 3201440 30 jun 14:37 /usr/bin/qol-assist
-rwxr-xr-x 1 root root 2152504  3 apr 16:55 /usr/sbin/qol-assist
ermo@solus-xfce ~ $ cd /usr/sbin
ermo@solus-xfce /usr/sbin $ sudo mv qol-assist qol-assist.org
[sudo] password for ermo:
ermo@solus-xfce /usr/sbin $ sudo mv ../bin/qol-assist .
ermo@solus-xfce /usr/sbin $ cd
ermo@solus-xfce ~ $ sudo qol-assist trigger -d
 ✚  Created trigger file at /var/lib/qol-assist/trigger
Migration will run on next boot.
ermo@solus-xfce ~ $ sudo qol-assist migrate -d
 ✚  Gathering system info...
 ✚  	Gathered active shells from /etc/shells
 ✚  	Gathered groups from /etc/groups
 ✚  	Gathered users from /etc/passwd
 🗲  System directory for migrations at /etc/qol-assist.d is unreadable, skipping
 ✚  Loading migrations from user directory /usr/share/defaults/qol-assist.d...
 ✚  	Loaded migration add-subids.toml
 ✚  	Loaded migration audio_group.toml
 ✚  	Loaded migration fuse_group.toml
 ✚  	Loaded migration plugdev_group.toml
 ✚  	Loaded migration sambashares_group_update.toml
 ✚  	Loaded migration scanner_group.toml
 ✚  	Loaded migration users_group_gid.toml
 ✚  	Loaded migration users_group_update.toml
 ✚  Running migration ...
 ✚  	Successfully added subuids to user ermo
 ✚  	Successfully added subuids to user root
 ✚  	Successfully added subgids to user ermo
 ✚  	Successfully added subgids to user root
 ✚  Running migration audio_group.toml...
 ✚  	User ermo already has group audio, skipping
 ✚  Running migration fuse_group.toml...
 ✚  	User ermo already has group fuse, skipping
 ✚  Running migration plugdev_group.toml...
 ✚  	User ermo already has group plugdev, skipping
 ✚  Running migration sambashares_group_update.toml...
 ✚  	User ermo already has group sambashares, skipping
 ✚  Running migration scanner_group.toml...
 ✚  	User ermo already has group scanner, skipping
 ✚  Running migration users_group_gid.toml...
 ✚  	Successfully updated group with name users to new GID 100
 ✚  Running migration users_group_update.toml...
 ✚  	User ermo already has group users, skipping
Migrations complete.
ermo@solus-xfce ~ $ ls -l /etc/sub*
-rw-r--r-- 1 root root 38 30 jun 17:12 /etc/subgid
-rw-r--r-- 1 root root 19 30 jun 17:12 /etc/subgid-
-rw-r--r-- 1 root root 38 30 jun 17:12 /etc/subuid
-rw-r--r-- 1 root root 19 30 jun 17:12 /etc/subuid-
ermo@solus-xfce ~ $ 

[silkeh]

LGTM, thanks! Maybe squash the commits though? (can also be done on merge if preferred)