Update UID/GID

New groups and users: -g - kvm: added by libvirt [2] -g - render: added by systemd, after boot-up introduced in [1] Removed groups and users: -g and u - systemd-resolve and systemd-network: both were only kept for backward compatibility, not needed anymore -g - lock: systemd_246.9.bb no longer adds it in GROUPADD_PARAM, unlike systemd version on 2.4.0-2 -g and u - polkitd: systemd_246.9.bb no longer adds polkit in PACKAGECONFIG -g and u - ntp: meta-enea-virtualization/recipes-enea/ntp-user-stub/\ ntp-user-stub_1.0.bb removed -g - netdev: dbus_1.12.20.bb no longer adds netdev in GROUPADD_PARAM Added systemd_246.9.bbappend to overwrite basic.conf.in and add 'render' using GROUPADD_PARAM at build-time instead on boot-time Add new groups/users in basic.conf.in using fixed ids, in sync with <layer>/files/{group,passwd} [1] https://github.com/systemd/systemd/commit/4e15a7343cb [2] https://git.yoctoproject.org/cgit/cgit.cgi/meta-virtualization/\ commit/recipes-extended/libvirt?h=gatesgarth&id=b5b5defc78ea03c8 Change-Id: If1768a544c53552bf2eff1d8051830975ae0ed2f Signed-off-by: Matei Valeanu <Matei.Valeanu@enea.com>
author: Matei Valeanu <Matei.Valeanu@enea.com> 2021-06-24 17:29:04 +0200
committer: Alexandru Avadanii <Alexandru.Avadanii@enea.com> 2021-06-30 06:35:36 +0200
commit: eea99925d3bef32434653aa6c2fabe6de24be950 (patch)
tree: 758367825ddfa8eeb214d1531ad796e6d199081a /recipes-core
parent: 7ede3bf0c747d741994e85230e8d9e529b33c9ab (diff)
download: meta-el-nfv-access-eea99925d3bef32434653aa6c2fabe6de24be950.tar.gz
2 files changed, 69 insertions, 0 deletions
diff --git a/recipes-core/systemd/files/basic.conf.in b/recipes-core/systemd/files/basic.conf.in
new file mode 100644
index 0000000..6532f64
--- /dev/null
+++ b/recipes-core/systemd/files/basic.conf.in
@@ -0,0 +1,50 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+# The superuser
+u root    0     "Super User" /root
+# Administrator group: can *see* more than normal users
+g adm     -     -            -
+# Access to certain kernel and userspace facilities
+g kmem    -     -            -
+g tty     @TTY_GID@     -            -
+g utmp    -     -            -
+# Hardware access groups
+g audio   -     -            -
+g cdrom   -     -            -
+g dialout -     -            -
+g disk    -     -            -
+g input   -     -            -
+g lp      -     -            -
+g tape    -     -            -
+g video   -     -            -
+# Default group for normal users
+g users   @USERS_GID@     -            -
+## ENEA_start ##
+# Handle systemd-sysusers hardcoded users/groups interfering with OSTree upgrades:
+# - nothing in NFVA uses the wheel group, do not create it;
+# - the 'nobody' group was automatically created for the existing 'nobody' user,
+#   which is not necessary, NFVA already has 'nogroup' (GID 65534);
+#
+# Administrator group: can *do* more than normal users
+# g wheel   -     -            -
+# The nobody user for NFS file systems
+# u @NOBODY_USER_NAME@  65534 "Nobody"     -
+#
+# Keep the next users/groups in sync with those in <layer>/files/{passwd,group}
+# If an upgrade updates /etc/{passwd,group} then the next users and groups already exist
+# and the next lines will do nothing. If the upgrade did not update /etc/{passwd,group}
+# we must dynamically add them, with fixed ids. Ids are the same as in
+# <layer>/files/{passwd,group}
+g kvm     47       -      -
+m qemu    kvm
+g render  983      -      -
+## ENEA_end ##
diff --git a/recipes-core/systemd/systemd_247.6.bbappend b/recipes-core/systemd/systemd_247.6.bbappend
new file mode 100644
index 0000000..871da64
--- /dev/null
+++ b/recipes-core/systemd/systemd_247.6.bbappend
@@ -0,0 +1,19 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+SRC_URI_append_sota = " file://basic.conf.in"
+GROUPADD_PARAM_${PN}_append_sota = "; -r render"
+# systemd uses certain groups unless configured not to (e.g. journal logs are more
+# broadly available to the 'wheel' group unless told otherwise), while some resources
+# are using to the 'nobody' group. Configure systemd to:
+# - not use the 'wheel' group (journal access will be restriced to root user);
+# - use the proper group for 'nobody', which should have GID 65534 (for NFVA 'nogroup');
+EXTRA_OEMESON += " \
+    -Dwheel-group=false \
+    -Dnobody-group=nogroup \
+"
+do_configure_prepend_sota() {
+    cp ${WORKDIR}/basic.conf.in ${S}/sysusers.d/basic.conf.in
+}
author	Matei Valeanu <Matei.Valeanu@enea.com>	2021-06-24 17:29:04 +0200
committer	Alexandru Avadanii <Alexandru.Avadanii@enea.com>	2021-06-30 06:35:36 +0200
commit	eea99925d3bef32434653aa6c2fabe6de24be950 (patch)
tree	758367825ddfa8eeb214d1531ad796e6d199081a /recipes-core
parent	7ede3bf0c747d741994e85230e8d9e529b33c9ab (diff)
download	meta-el-nfv-access-eea99925d3bef32434653aa6c2fabe6de24be950.tar.gz

diff --git a/recipes-core/systemd/files/basic.conf.in b/recipes-core/systemd/files/basic.conf.in new file mode 100644 index 0000000..6532f64 --- /dev/null +++ b/recipes-core/systemd/files/basic.conf.in
@@ -0,0 +1,50 @@
	1	# This file is part of systemd.
	2	#
	3	# systemd is free software; you can redistribute it and/or modify it
	4	# under the terms of the GNU Lesser General Public License as published by
	5	# the Free Software Foundation; either version 2.1 of the License, or
	6	# (at your option) any later version.
	7
	8	# The superuser
	9	u root 0 "Super User" /root
	10
	11	# Administrator group: can see more than normal users
	12	g adm - - -
	13
	14	# Access to certain kernel and userspace facilities
	15	g kmem - - -
	16	g tty @TTY_GID@ - -
	17	g utmp - - -
	18
	19	# Hardware access groups
	20	g audio - - -
	21	g cdrom - - -
	22	g dialout - - -
	23	g disk - - -
	24	g input - - -
	25	g lp - - -
	26	g tape - - -
	27	g video - - -
	28
	29	# Default group for normal users
	30	g users @USERS_GID@ - -
	31	## ENEA_start ##
	32	# Handle systemd-sysusers hardcoded users/groups interfering with OSTree upgrades:
	33	# - nothing in NFVA uses the wheel group, do not create it;
	34	# - the 'nobody' group was automatically created for the existing 'nobody' user,
	35	# which is not necessary, NFVA already has 'nogroup' (GID 65534);
	36	#
	37	# Administrator group: can do more than normal users
	38	# g wheel - - -
	39	# The nobody user for NFS file systems
	40	# u @NOBODY_USER_NAME@ 65534 "Nobody" -
	41	#
	42	# Keep the next users/groups in sync with those in <layer>/files/{passwd,group}
	43	# If an upgrade updates /etc/{passwd,group} then the next users and groups already exist
	44	# and the next lines will do nothing. If the upgrade did not update /etc/{passwd,group}
	45	# we must dynamically add them, with fixed ids. Ids are the same as in
	46	# <layer>/files/{passwd,group}
	47	g kvm 47 - -
	48	m qemu kvm
	49	g render 983 - -
	50	## ENEA_end ##


diff --git a/recipes-core/systemd/systemd_247.6.bbappend b/recipes-core/systemd/systemd_247.6.bbappend new file mode 100644 index 0000000..871da64 --- /dev/null +++ b/recipes-core/systemd/systemd_247.6.bbappend
@@ -0,0 +1,19 @@
	1	FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
	2
	3	SRC_URI_append_sota = " file://basic.conf.in"
	4
	5	GROUPADD_PARAM_${PN}_append_sota = "; -r render"
	6
	7	# systemd uses certain groups unless configured not to (e.g. journal logs are more
	8	# broadly available to the 'wheel' group unless told otherwise), while some resources
	9	# are using to the 'nobody' group. Configure systemd to:
	10	# - not use the 'wheel' group (journal access will be restriced to root user);
	11	# - use the proper group for 'nobody', which should have GID 65534 (for NFVA 'nogroup');
	12	EXTRA_OEMESON += " \
	13	-Dwheel-group=false \
	14	-Dnobody-group=nogroup \
	15	"
	16
	17	do_configure_prepend_sota() {
	18	cp ${WORKDIR}/basic.conf.in ${S}/sysusers.d/basic.conf.in
	19	}