systemd: Use systemd-sysusers to create cockpit-wsinstance user

Add a sysusers config file for our remaining system user. Arch was already using sysusers, replace the packaging specific one with the upstream one. For Debian, run dh_installsysusers (compat level 14 will do that automatically in the future). RPM 4.19 has native support for sysusers in principle [1], but it's not currently enabled/working [2]. Fedora rather wants packages to do an overcomplicated process which keeps a downstream copy of the sysusers file in the packaging dist-git [3], which is error prone and ugly to automate. So keep the tried-and-tested current approach of creating the user directly in the spec's `%pre` script for the time being (which is necessary anyway for CentOS/RHEL 9). [1] https://rpm-software-management.github.io/rpm/manual/users_and_groups.html [2] rpm-software-management/rpm#3073 [3] https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
cockpit-project · May 8, 2024 · 46fe9f5 · 46fe9f5
1 parent 4747086
commit 46fe9f5
Show file tree

Hide file tree

Showing 8 changed files with 15 additions and 9 deletions.
diff --git a/src/systemd/Makefile.am b/src/systemd/Makefile.am
@@ -34,6 +34,9 @@ install-exec-hook::
 tmpfilesconfdir = $(prefix)/lib/tmpfiles.d
 nodist_tmpfilesconf_DATA = src/systemd/tmpfiles.d/cockpit-ws.conf
 
+sysusersconfdir = $(prefix)/lib/sysusers.d
+dist_sysusersconf_DATA = src/systemd/sysusers.d/cockpit-wsinstance.conf
+
 # we can't generate these with config.status because,
 # eg. it does "@libexecdir@" -> "${exec_prefix}/libexec"
 src/systemd/%: src/systemd/%.in

diff --git a/src/systemd/sysusers.d/cockpit-wsinstance.conf b/src/systemd/sysusers.d/cockpit-wsinstance.conf
@@ -0,0 +1 @@
+u cockpit-wsinstance - "User for cockpit-ws instances" -
diff --git a/tools/arch/PKGBUILD b/tools/arch/PKGBUILD
@@ -15,11 +15,9 @@ makedepends=(krb5 libssh accountsservice json-glib glib-networking
              git intltool gtk-doc gobject-introspection networkmanager xmlto npm pcp
              python-build python-installer python-wheel)
 source=("cockpit-${pkgver}.tar.xz"
-        "cockpit.pam"
-        "cockpit-wsinstance.sysuser.conf")
+        "cockpit.pam")
 sha256sums=('SKIP'
-            '079bb6751214e642673f9e1212df2a17fed1a3cc6cfdd6375af2b68ed6ddd340'
-            '46ee8ecad7bc97ba588ab9471dde76e41c00daf40658902425626c3a1938b438')
+            '079bb6751214e642673f9e1212df2a17fed1a3cc6cfdd6375af2b68ed6ddd340')
 
 prepare() {
   cd cockpit-$pkgver
@@ -59,7 +57,6 @@ package_cockpit() {
   make DESTDIR="$pkgdir" install
   rm -rf "$pkgdir"/usr/{src,lib/firewalld}
   install -Dm644 "$srcdir"/cockpit.pam "$pkgdir"/etc/pam.d/cockpit
-  install -Dm644 "$srcdir"/cockpit-wsinstance.sysuser.conf "$pkgdir"/usr/lib/sysusers.d/cockpit-wsinstance.conf
 
   echo "z /usr/lib/cockpit/cockpit-session - - cockpit-wsinstance -" >> "$pkgdir"/usr/lib/tmpfiles.d/cockpit-ws.conf
 

diff --git a/tools/arch/cockpit-wsinstance.sysuser.conf b/tools/arch/cockpit-wsinstance.sysuser.conf
diff --git a/tools/cockpit.spec b/tools/cockpit.spec
@@ -402,6 +402,7 @@ authentication via sssd/FreeIPA.
 %{_unitdir}/[email protected]
 %{_unitdir}/system-cockpithttps.slice
 %{_prefix}/%{__lib}/tmpfiles.d/cockpit-ws.conf
+%{_sysusersdir}/cockpit-wsinstance.conf
 %{pamdir}/pam_ssh_add.so
 %{pamdir}/pam_cockpit_cert.so
 %{_libexecdir}/cockpit-ws
@@ -420,6 +421,8 @@ authentication via sssd/FreeIPA.
 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
 
 %pre ws
+# HACK: old RPM and even Fedora's current RPM don't properly support sysusers
+# https://github.com/rpm-software-management/rpm/issues/3073
 getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance
 getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance
 

diff --git a/tools/debian/cockpit-ws.install b/tools/debian/cockpit-ws.install
@@ -15,6 +15,7 @@ ${env:deb_systemdsystemunitdir}/system-cockpithttps.slice
 ${env:deb_pamlibdir}/security/pam_ssh_add.so
 ${env:deb_pamlibdir}/security/pam_cockpit_cert.so
 usr/lib/tmpfiles.d/cockpit-ws.conf
+usr/lib/sysusers.d/cockpit-wsinstance.conf
 usr/lib/cockpit/cockpit-session
 usr/lib/cockpit/cockpit-ws
 usr/lib/cockpit/cockpit-wsinstance-factory

diff --git a/tools/debian/cockpit-ws.postinst b/tools/debian/cockpit-ws.postinst
@@ -1,14 +1,12 @@
 #!/bin/sh
 set -e
 
-adduser --system --group --home /nonexistent --no-create-home --quiet cockpit-wsinstance
+#DEBHELPER#
 
 if ! dpkg-statoverride --list /usr/lib/cockpit/cockpit-session >/dev/null; then
     dpkg-statoverride --update --add root cockpit-wsinstance 4750 /usr/lib/cockpit/cockpit-session
 fi
 
-#DEBHELPER#
-
 # restart cockpit.service on package upgrades, if it's already running
 if [ -d /run/systemd/system ] && [ -n "$2" ]; then
     deb-systemd-invoke try-restart cockpit.service >/dev/null || true

diff --git a/tools/debian/rules b/tools/debian/rules
@@ -67,3 +67,7 @@ else
 	pytest -vv -k 'not linter and not test_descriptions' -opythonpath=$$(ls -d debian/cockpit-bridge/usr/lib/python3*/dist-packages)
 endif
 endif
+
+# dh compat 14 does that automatically, remove when upgrading
+execute_before_dh_installtmpfiles:
+	dh_installsysusers
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		u cockpit-wsinstance - "User for cockpit-ws instances" -