[PATCH] systemd: create wheel sysuser group offline

[PATCH] systemd: create wheel sysuser group offline

[Andre McCurdy]

The default systemd-tmpfiles config file expects to be able to create
files etc belonging to the wheel system group. Currently the wheel
group is created at run time by systemd-sysusers, but that doesn't
happen if systemd-sysusers is disabled (as it currently is by default
when building with musl libc).

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
---
 meta/recipes-core/systemd/systemd_234.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/systemd/systemd_234.bb b/meta/recipes-core/systemd/systemd_234.bb
index 81a9509..7fdb65f 100644
--- a/meta/recipes-core/systemd/systemd_234.bb
+++ b/meta/recipes-core/systemd/systemd_234.bb
@@ -333,7 +333,7 @@ USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--sys
 USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /bin/nologin systemd-coredump;', '', d)}"
 USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'resolved', '--system -d / -M --shell /bin/nologin systemd-resolve;', '', d)}"
 USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', '--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;', '', d)}"
-GROUPADD_PARAM_${PN} = "-r lock; -r systemd-journal"
+GROUPADD_PARAM_${PN} = "-r lock; -r systemd-journal; -r wheel"
 USERADD_PARAM_${PN}-extra-utils += "--system -d / -M --shell /bin/nologin systemd-bus-proxy;"
 
 FILES_${PN}-analyze = "${bindir}/systemd-analyze"
-- 
1.9.1

Re: [PATCH] systemd: create wheel sysuser group offline

[Patrick Ohly]

On Thu, 2017-11-09 at 21:54 -0800, Andre McCurdy wrote:
> The default systemd-tmpfiles config file expects to be able to create
> files etc belonging to the wheel system group. Currently the wheel
> group is created at run time by systemd-sysusers, but that doesn't
> happen if systemd-sysusers is disabled (as it currently is by default
> when building with musl libc).

Isn't this something that the systemd_create_users rootfs postprocess
command in rootfs-postcommands.bbclass already takes care of?

I know that it is has issues (https://bugzilla.yoctoproject.org/show_bu
g.cgi?id=9789), but it should at least create the wheel group.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [PATCH] systemd: create wheel sysuser group offline

[Andre McCurdy]

On Mon, Nov 13, 2017 at 6:48 AM, Patrick Ohly <patrick.ohly@intel.com> wrote:
> On Thu, 2017-11-09 at 21:54 -0800, Andre McCurdy wrote:
>> The default systemd-tmpfiles config file expects to be able to create
>> files etc belonging to the wheel system group. Currently the wheel
>> group is created at run time by systemd-sysusers, but that doesn't
>> happen if systemd-sysusers is disabled (as it currently is by default
>> when building with musl libc).
>
> Isn't this something that the systemd_create_users rootfs postprocess
> command in rootfs-postcommands.bbclass already takes care of?

systemd_create_users() does a build time pass over the
systemd-sysusers config files, but those files are not installed if
systemd is configured without sysusers support.

> I know that it is has issues (https://bugzilla.yoctoproject.org/show_bu
> g.cgi?id=9789), but it should at least create the wheel group.
>
> --
> Best Regards, Patrick Ohly

Re: [PATCH] systemd: create wheel sysuser group offline

[Patrick Ohly]

On Mon, 2017-11-13 at 12:18 -0800, Andre McCurdy wrote:
> On Mon, Nov 13, 2017 at 6:48 AM, Patrick Ohly <patrick.ohly@intel.com
> > wrote:
> > On Thu, 2017-11-09 at 21:54 -0800, Andre McCurdy wrote:
> > > The default systemd-tmpfiles config file expects to be able to
> > > create
> > > files etc belonging to the wheel system group. Currently the
> > > wheel
> > > group is created at run time by systemd-sysusers, but that
> > > doesn't
> > > happen if systemd-sysusers is disabled (as it currently is by
> > > default
> > > when building with musl libc).
> > 
> > Isn't this something that the systemd_create_users rootfs
> > postprocess
> > command in rootfs-postcommands.bbclass already takes care of?
> 
> systemd_create_users() does a build time pass over the
> systemd-sysusers config files, but those files are not installed if
> systemd is configured without sysusers support.

I didn't know that this is optional. To me it sounds like an invalid
(or let's say, unexpected) configuration to install tmpfiles config
files but not the sysusers files, because as you said, the tmpfiles may
depend on the sysusers.

Anyway, I just wanted to know because I was wondering whether it is
really necessary to duplicate the user creation information in the
systemd recipe.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [PATCH] systemd: create wheel sysuser group offline

[Andre McCurdy]

On Mon, Nov 13, 2017 at 12:26 PM, Patrick Ohly <patrick.ohly@intel.com> wrote:
> On Mon, 2017-11-13 at 12:18 -0800, Andre McCurdy wrote:
>> On Mon, Nov 13, 2017 at 6:48 AM, Patrick Ohly <patrick.ohly@intel.com
>> > wrote:
>> > On Thu, 2017-11-09 at 21:54 -0800, Andre McCurdy wrote:
>> > > The default systemd-tmpfiles config file expects to be able to
>> > > create
>> > > files etc belonging to the wheel system group. Currently the
>> > > wheel
>> > > group is created at run time by systemd-sysusers, but that
>> > > doesn't
>> > > happen if systemd-sysusers is disabled (as it currently is by
>> > > default
>> > > when building with musl libc).
>> >
>> > Isn't this something that the systemd_create_users rootfs
>> > postprocess
>> > command in rootfs-postcommands.bbclass already takes care of?
>>
>> systemd_create_users() does a build time pass over the
>> systemd-sysusers config files, but those files are not installed if
>> systemd is configured without sysusers support.
>
> I didn't know that this is optional. To me it sounds like an invalid
> (or let's say, unexpected) configuration to install tmpfiles config
> files but not the sysusers files, because as you said, the tmpfiles may
> depend on the sysusers.

In the current recipe, there's no control of tmpfiles (so it will
always be enabled) and sysusers is controlled by PACKAGECONFIG
(enabled by default - but only when building with glibc), so the
recipe does allow that combination.

> Anyway, I just wanted to know because I was wondering whether it is
> really necessary to duplicate the user creation information in the
> systemd recipe.
>

Re: [PATCH] systemd: create wheel sysuser group offline

[Andre McCurdy]

On Mon, Nov 13, 2017 at 12:59 PM, Andre McCurdy <armccurdy@gmail.com> wrote:
> On Mon, Nov 13, 2017 at 12:26 PM, Patrick Ohly <patrick.ohly@intel.com> wrote:
>> On Mon, 2017-11-13 at 12:18 -0800, Andre McCurdy wrote:
>>> On Mon, Nov 13, 2017 at 6:48 AM, Patrick Ohly <patrick.ohly@intel.com
>>> > wrote:
>>> > On Thu, 2017-11-09 at 21:54 -0800, Andre McCurdy wrote:
>>> > > The default systemd-tmpfiles config file expects to be able to
>>> > > create
>>> > > files etc belonging to the wheel system group. Currently the
>>> > > wheel
>>> > > group is created at run time by systemd-sysusers, but that
>>> > > doesn't
>>> > > happen if systemd-sysusers is disabled (as it currently is by
>>> > > default
>>> > > when building with musl libc).
>>> >
>>> > Isn't this something that the systemd_create_users rootfs
>>> > postprocess
>>> > command in rootfs-postcommands.bbclass already takes care of?
>>>
>>> systemd_create_users() does a build time pass over the
>>> systemd-sysusers config files, but those files are not installed if
>>> systemd is configured without sysusers support.
>>
>> I didn't know that this is optional. To me it sounds like an invalid
>> (or let's say, unexpected) configuration to install tmpfiles config
>> files but not the sysusers files, because as you said, the tmpfiles may
>> depend on the sysusers.
>
> In the current recipe, there's no control of tmpfiles (so it will
> always be enabled) and sysusers is controlled by PACKAGECONFIG
> (enabled by default - but only when building with glibc), so the
> recipe does allow that combination.
>
>> Anyway, I just wanted to know because I was wondering whether it is
>> really necessary to duplicate the user creation information in the
>> systemd recipe.
>>

Ping.

Ross, it looks like you've started to stage the later systemd + musl
cleanups in mut. This fix is needed too.

Re: [PATCH] systemd: create wheel sysuser group offline

[Yi Zhao]

在 2017年11月10日 13:54, Andre McCurdy 写道:
> The default systemd-tmpfiles config file expects to be able to create
> files etc belonging to the wheel system group. Currently the wheel
> group is created at run time by systemd-sysusers, but that doesn't
> happen if systemd-sysusers is disabled (as it currently is by default
> when building with musl libc).

For sysvinit, we follow the Debian rule which doesn't have wheel group 
in the system. Should we have to break this rule for systemd? Is this 
necessary to use this group in systemd?

//Yi

>
> Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
> ---
>   meta/recipes-core/systemd/systemd_234.bb | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-core/systemd/systemd_234.bb b/meta/recipes-core/systemd/systemd_234.bb
> index 81a9509..7fdb65f 100644
> --- a/meta/recipes-core/systemd/systemd_234.bb
> +++ b/meta/recipes-core/systemd/systemd_234.bb
> @@ -333,7 +333,7 @@ USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--sys
>   USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /bin/nologin systemd-coredump;', '', d)}"
>   USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'resolved', '--system -d / -M --shell /bin/nologin systemd-resolve;', '', d)}"
>   USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', '--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;', '', d)}"
> -GROUPADD_PARAM_${PN} = "-r lock; -r systemd-journal"
> +GROUPADD_PARAM_${PN} = "-r lock; -r systemd-journal; -r wheel"
>   USERADD_PARAM_${PN}-extra-utils += "--system -d / -M --shell /bin/nologin systemd-bus-proxy;"
>   
>   FILES_${PN}-analyze = "${bindir}/systemd-analyze"

Re: [PATCH] systemd: create wheel sysuser group offline

[Andre McCurdy]

On Thu, Dec 7, 2017 at 10:44 PM, Yi Zhao <yi.zhao@windriver.com> wrote:
> 在 2017年11月10日 13:54, Andre McCurdy 写道:
>>
>> The default systemd-tmpfiles config file expects to be able to create
>> files etc belonging to the wheel system group. Currently the wheel
>> group is created at run time by systemd-sysusers, but that doesn't
>> happen if systemd-sysusers is disabled (as it currently is by default
>> when building with musl libc).
>
> For sysvinit, we follow the Debian rule which doesn't have wheel group in
> the system. Should we have to break this rule for systemd? Is this necessary
> to use this group in systemd?

The default systemd-tmpfiles config file expects to be able to create
files etc belonging to the wheel system group. Unless we patch or
over-ride the default systemd-tmpfiles config file to change that then
yes, the wheel group appears to be necessary for systemd.

Re: [PATCH] systemd: create wheel sysuser group offline

[Andre McCurdy]

On Fri, Dec 8, 2017 at 11:36 AM, Andre McCurdy <armccurdy@gmail.com> wrote:
> On Thu, Dec 7, 2017 at 10:44 PM, Yi Zhao <yi.zhao@windriver.com> wrote:
>> 在 2017年11月10日 13:54, Andre McCurdy 写道:
>>>
>>> The default systemd-tmpfiles config file expects to be able to create
>>> files etc belonging to the wheel system group. Currently the wheel
>>> group is created at run time by systemd-sysusers, but that doesn't
>>> happen if systemd-sysusers is disabled (as it currently is by default
>>> when building with musl libc).
>>
>> For sysvinit, we follow the Debian rule which doesn't have wheel group in
>> the system. Should we have to break this rule for systemd? Is this necessary
>> to use this group in systemd?
>
> The default systemd-tmpfiles config file expects to be able to create
> files etc belonging to the wheel system group. Unless we patch or
> over-ride the default systemd-tmpfiles config file to change that then
> yes, the wheel group appears to be necessary for systemd.

Ping.

This is needed for rocko (assuming systemd with musl is expected to
work with rocko?) so unless there are still strong objections I
recommend merging as-is.

More significant re-work (e.g. preventing systemd-tmpfiles from being
enabled without systemd-sysusers or patching systemd to remove any
dependency on the wheel group) would not be suitable for rocko, so
should be considered separately.

Re: [PATCH] systemd: create wheel sysuser group offline

[Andre McCurdy]

On Mon, Dec 11, 2017 at 6:09 PM, Andre McCurdy <armccurdy@gmail.com> wrote:
> On Fri, Dec 8, 2017 at 11:36 AM, Andre McCurdy <armccurdy@gmail.com> wrote:
>> On Thu, Dec 7, 2017 at 10:44 PM, Yi Zhao <yi.zhao@windriver.com> wrote:
>>> 在 2017年11月10日 13:54, Andre McCurdy 写道:
>>>>
>>>> The default systemd-tmpfiles config file expects to be able to create
>>>> files etc belonging to the wheel system group. Currently the wheel
>>>> group is created at run time by systemd-sysusers, but that doesn't
>>>> happen if systemd-sysusers is disabled (as it currently is by default
>>>> when building with musl libc).
>>>
>>> For sysvinit, we follow the Debian rule which doesn't have wheel group in
>>> the system. Should we have to break this rule for systemd? Is this necessary
>>> to use this group in systemd?
>>
>> The default systemd-tmpfiles config file expects to be able to create
>> files etc belonging to the wheel system group. Unless we patch or
>> over-ride the default systemd-tmpfiles config file to change that then
>> yes, the wheel group appears to be necessary for systemd.
>
> Ping.
>
> This is needed for rocko (assuming systemd with musl is expected to
> work with rocko?) so unless there are still strong objections I
> recommend merging as-is.
>
> More significant re-work (e.g. preventing systemd-tmpfiles from being
> enabled without systemd-sysusers or patching systemd to remove any
> dependency on the wheel group) would not be suitable for rocko, so
> should be considered separately.

Ping again.