Update UID/GID

New groups and users: -g - kvm: added by libvirt [2] -g - render: added by systemd, after boot-up introduced in [1] Removed groups and users: -g and u - systemd-resolve and systemd-network: both were only kept for backward compatibility, not needed anymore -g - lock: systemd_246.9.bb no longer adds it in GROUPADD_PARAM, unlike systemd version on 2.4.0-2 -g and u - polkitd: systemd_246.9.bb no longer adds polkit in PACKAGECONFIG -g and u - ntp: meta-enea-virtualization/recipes-enea/ntp-user-stub/\ ntp-user-stub_1.0.bb removed -g - netdev: dbus_1.12.20.bb no longer adds netdev in GROUPADD_PARAM Added systemd_246.9.bbappend to overwrite basic.conf.in and add 'render' using GROUPADD_PARAM at build-time instead on boot-time Add new groups/users in basic.conf.in using fixed ids, in sync with <layer>/files/{group,passwd} [1] https://github.com/systemd/systemd/commit/4e15a7343cb [2] https://git.yoctoproject.org/cgit/cgit.cgi/meta-virtualization/\ commit/recipes-extended/libvirt?h=gatesgarth&id=b5b5defc78ea03c8 Change-Id: If1768a544c53552bf2eff1d8051830975ae0ed2f Signed-off-by: Matei Valeanu <Matei.Valeanu@enea.com>
author: Matei Valeanu <Matei.Valeanu@enea.com> 2021-06-24 17:29:04 +0200
committer: Alexandru Avadanii <Alexandru.Avadanii@enea.com> 2021-06-30 06:35:36 +0200
commit: eea99925d3bef32434653aa6c2fabe6de24be950 (patch)
tree: 758367825ddfa8eeb214d1531ad796e6d199081a
parent: 7ede3bf0c747d741994e85230e8d9e529b33c9ab (diff)
download: meta-el-nfv-access-eea99925d3bef32434653aa6c2fabe6de24be950.tar.gz
4 files changed, 71 insertions, 12 deletions
diff --git a/files/group b/files/group
index cc37138..ffb9c82 100644
--- a/files/group
+++ b/files/group
@@ -34,24 +34,19 @@ utmp:x:43:
 video:x:44:
 sasl:x:45:
 plugdev:x:46:
+kvm:x:47:qemu
 staff:x:50:
 games:x:60:
 shutdown:x:70:
 users:x:100:
-dhcpcd:x:984:
+render:x:983:
 systemd-bus-proxy:x:985:
-systemd-resolve:x:986:
-systemd-network:x:987:
 systemd-timesync:x:988:
 systemd-journal:x:989:
-lock:x:990:
 sshd:x:991:
 qemu:x:992:
-polkitd:x:993:
-ntp:x:994:
 docker:x:995:
 messagebus:x:996:
-netdev:x:997:
 bind:x:998:
 _apt:x:999:
 nogroup:x:65534:
diff --git a/files/passwd b/files/passwd
index 5a26de4..2b3f831 100644
--- a/files/passwd
+++ b/files/passwd
@@ -15,15 +15,10 @@ backup:x:34:34:backup:/var/backups:/bin/sh
 list:x:38:38:Mailing List Manager:/var/list:/bin/sh
 irc:x:39:39:ircd:/var/run/ircd:/bin/sh
 gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
-dhcpcd:x:988:984::/var/lib/dhcpcd:/bin/false
 systemd-bus-proxy:x:989:985::/:/bin/nologin
-systemd-resolve:x:990:986::/:/bin/nologin
-systemd-network:x:991:987::/:/bin/nologin
 systemd-timesync:x:992:988::/:/bin/nologin
 sshd:x:993:991::/var/run/sshd:/bin/false
 qemu:x:994:992::/home/qemu:/bin/sh
-polkitd:x:995:993::/etc/polkit-1:/bin/sh
-ntp:x:996:994::/var/lib/ntp:/bin/false
 messagebus:x:997:996::/var/lib/dbus:/bin/false
 bind:x:998:998::/var/cache/bind:/bin/sh
 _apt:x:999:999::/nonexistent:/bin/false
diff --git a/recipes-core/systemd/files/basic.conf.in b/recipes-core/systemd/files/basic.conf.in
new file mode 100644
index 0000000..6532f64
--- /dev/null
+++ b/recipes-core/systemd/files/basic.conf.in
@@ -0,0 +1,50 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+# The superuser
+u root    0     "Super User" /root
+# Administrator group: can *see* more than normal users
+g adm     -     -            -
+# Access to certain kernel and userspace facilities
+g kmem    -     -            -
+g tty     @TTY_GID@     -            -
+g utmp    -     -            -
+# Hardware access groups
+g audio   -     -            -
+g cdrom   -     -            -
+g dialout -     -            -
+g disk    -     -            -
+g input   -     -            -
+g lp      -     -            -
+g tape    -     -            -
+g video   -     -            -
+# Default group for normal users
+g users   @USERS_GID@     -            -
+## ENEA_start ##
+# Handle systemd-sysusers hardcoded users/groups interfering with OSTree upgrades:
+# - nothing in NFVA uses the wheel group, do not create it;
+# - the 'nobody' group was automatically created for the existing 'nobody' user,
+#   which is not necessary, NFVA already has 'nogroup' (GID 65534);
+#
+# Administrator group: can *do* more than normal users
+# g wheel   -     -            -
+# The nobody user for NFS file systems
+# u @NOBODY_USER_NAME@  65534 "Nobody"     -
+#
+# Keep the next users/groups in sync with those in <layer>/files/{passwd,group}
+# If an upgrade updates /etc/{passwd,group} then the next users and groups already exist
+# and the next lines will do nothing. If the upgrade did not update /etc/{passwd,group}
+# we must dynamically add them, with fixed ids. Ids are the same as in
+# <layer>/files/{passwd,group}
+g kvm     47       -      -
+m qemu    kvm
+g render  983      -      -
+## ENEA_end ##
diff --git a/recipes-core/systemd/systemd_247.6.bbappend b/recipes-core/systemd/systemd_247.6.bbappend
new file mode 100644
index 0000000..871da64
--- /dev/null
+++ b/recipes-core/systemd/systemd_247.6.bbappend
@@ -0,0 +1,19 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+SRC_URI_append_sota = " file://basic.conf.in"
+GROUPADD_PARAM_${PN}_append_sota = "; -r render"
+# systemd uses certain groups unless configured not to (e.g. journal logs are more
+# broadly available to the 'wheel' group unless told otherwise), while some resources
+# are using to the 'nobody' group. Configure systemd to:
+# - not use the 'wheel' group (journal access will be restriced to root user);
+# - use the proper group for 'nobody', which should have GID 65534 (for NFVA 'nogroup');
+EXTRA_OEMESON += " \
+    -Dwheel-group=false \
+    -Dnobody-group=nogroup \
+"
+do_configure_prepend_sota() {
+    cp ${WORKDIR}/basic.conf.in ${S}/sysusers.d/basic.conf.in
+}
author	Matei Valeanu <Matei.Valeanu@enea.com>	2021-06-24 17:29:04 +0200
committer	Alexandru Avadanii <Alexandru.Avadanii@enea.com>	2021-06-30 06:35:36 +0200
commit	eea99925d3bef32434653aa6c2fabe6de24be950 (patch)
tree	758367825ddfa8eeb214d1531ad796e6d199081a
parent	7ede3bf0c747d741994e85230e8d9e529b33c9ab (diff)
download	meta-el-nfv-access-eea99925d3bef32434653aa6c2fabe6de24be950.tar.gz

diff --git a/files/group b/files/group index cc37138..ffb9c82 100644 --- a/files/group +++ b/files/group
@@ -34,24 +34,19 @@ utmp:x:43:
34	video:x:44:	34	video:x:44:
35	sasl:x:45:	35	sasl:x:45:
36	plugdev:x:46:	36	plugdev:x:46:
		37	kvm:x:47:qemu
37	staff:x:50:	38	staff:x:50:
38	games:x:60:	39	games:x:60:
39	shutdown:x:70:	40	shutdown:x:70:
40	users:x:100:	41	users:x:100:
41	dhcpcd:x:984:	42	render:x:983:
42	systemd-bus-proxy:x:985:	43	systemd-bus-proxy:x:985:
43	systemd-resolve:x:986:
44	systemd-network:x:987:
45	systemd-timesync:x:988:	44	systemd-timesync:x:988:
46	systemd-journal:x:989:	45	systemd-journal:x:989:
47	lock:x:990:
48	sshd:x:991:	46	sshd:x:991:
49	qemu:x:992:	47	qemu:x:992:
50	polkitd:x:993:
51	ntp:x:994:
52	docker:x:995:	48	docker:x:995:
53	messagebus:x:996:	49	messagebus:x:996:
54	netdev:x:997:
55	bind:x:998:	50	bind:x:998:
56	_apt:x:999:	51	_apt:x:999:
57	nogroup:x:65534:	52	nogroup:x:65534:


diff --git a/files/passwd b/files/passwd index 5a26de4..2b3f831 100644 --- a/files/passwd +++ b/files/passwd
@@ -15,15 +15,10 @@ backup:x:34:34:backup:/var/backups:/bin/sh
15	list:x:38:38:Mailing List Manager:/var/list:/bin/sh	15	list:x:38:38:Mailing List Manager:/var/list:/bin/sh
16	irc:x:39:39:ircd:/var/run/ircd:/bin/sh	16	irc:x:39:39:ircd:/var/run/ircd:/bin/sh
17	gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh	17	gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
18	dhcpcd:x:988:984::/var/lib/dhcpcd:/bin/false
19	systemd-bus-proxy:x:989:985::/:/bin/nologin	18	systemd-bus-proxy:x:989:985::/:/bin/nologin
20	systemd-resolve:x:990:986::/:/bin/nologin
21	systemd-network:x:991:987::/:/bin/nologin
22	systemd-timesync:x:992:988::/:/bin/nologin	19	systemd-timesync:x:992:988::/:/bin/nologin
23	sshd:x:993:991::/var/run/sshd:/bin/false	20	sshd:x:993:991::/var/run/sshd:/bin/false
24	qemu:x:994:992::/home/qemu:/bin/sh	21	qemu:x:994:992::/home/qemu:/bin/sh
25	polkitd:x:995:993::/etc/polkit-1:/bin/sh
26	ntp:x:996:994::/var/lib/ntp:/bin/false
27	messagebus:x:997:996::/var/lib/dbus:/bin/false	22	messagebus:x:997:996::/var/lib/dbus:/bin/false
28	bind:x:998:998::/var/cache/bind:/bin/sh	23	bind:x:998:998::/var/cache/bind:/bin/sh
29	_apt:x:999:999::/nonexistent:/bin/false	24	_apt:x:999:999::/nonexistent:/bin/false


diff --git a/recipes-core/systemd/files/basic.conf.in b/recipes-core/systemd/files/basic.conf.in new file mode 100644 index 0000000..6532f64 --- /dev/null +++ b/recipes-core/systemd/files/basic.conf.in
@@ -0,0 +1,50 @@
		1	# This file is part of systemd.
		2	#
		3	# systemd is free software; you can redistribute it and/or modify it
		4	# under the terms of the GNU Lesser General Public License as published by
		5	# the Free Software Foundation; either version 2.1 of the License, or
		6	# (at your option) any later version.
		7
		8	# The superuser
		9	u root 0 "Super User" /root
		10
		11	# Administrator group: can see more than normal users
		12	g adm - - -
		13
		14	# Access to certain kernel and userspace facilities
		15	g kmem - - -
		16	g tty @TTY_GID@ - -
		17	g utmp - - -
		18
		19	# Hardware access groups
		20	g audio - - -
		21	g cdrom - - -
		22	g dialout - - -
		23	g disk - - -
		24	g input - - -
		25	g lp - - -
		26	g tape - - -
		27	g video - - -
		28
		29	# Default group for normal users
		30	g users @USERS_GID@ - -
		31	## ENEA_start ##
		32	# Handle systemd-sysusers hardcoded users/groups interfering with OSTree upgrades:
		33	# - nothing in NFVA uses the wheel group, do not create it;
		34	# - the 'nobody' group was automatically created for the existing 'nobody' user,
		35	# which is not necessary, NFVA already has 'nogroup' (GID 65534);
		36	#
		37	# Administrator group: can do more than normal users
		38	# g wheel - - -
		39	# The nobody user for NFS file systems
		40	# u @NOBODY_USER_NAME@ 65534 "Nobody" -
		41	#
		42	# Keep the next users/groups in sync with those in <layer>/files/{passwd,group}
		43	# If an upgrade updates /etc/{passwd,group} then the next users and groups already exist
		44	# and the next lines will do nothing. If the upgrade did not update /etc/{passwd,group}
		45	# we must dynamically add them, with fixed ids. Ids are the same as in
		46	# <layer>/files/{passwd,group}
		47	g kvm 47 - -
		48	m qemu kvm
		49	g render 983 - -
		50	## ENEA_end ##


diff --git a/recipes-core/systemd/systemd_247.6.bbappend b/recipes-core/systemd/systemd_247.6.bbappend new file mode 100644 index 0000000..871da64 --- /dev/null +++ b/recipes-core/systemd/systemd_247.6.bbappend
@@ -0,0 +1,19 @@
		1	FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
		2
		3	SRC_URI_append_sota = " file://basic.conf.in"
		4
		5	GROUPADD_PARAM_${PN}_append_sota = "; -r render"
		6
		7	# systemd uses certain groups unless configured not to (e.g. journal logs are more
		8	# broadly available to the 'wheel' group unless told otherwise), while some resources
		9	# are using to the 'nobody' group. Configure systemd to:
		10	# - not use the 'wheel' group (journal access will be restriced to root user);
		11	# - use the proper group for 'nobody', which should have GID 65534 (for NFVA 'nogroup');
		12	EXTRA_OEMESON += " \
		13	-Dwheel-group=false \
		14	-Dnobody-group=nogroup \
		15	"
		16
		17	do_configure_prepend_sota() {
		18	cp ${WORKDIR}/basic.conf.in ${S}/sysusers.d/basic.conf.in
		19	}