In Fedora >= 42, support for user/group account creation based on
sysusers files has been enabled in RPM. Manually running useradd/
groupadd is thus obsolete.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
libvirt.spec.in | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 5825de7cf1..be91fa6bb4 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -44,6 +44,12 @@
%define with_qemu_kvm 0
%endif
+%if 0%{?fedora} >= 42
+ %define with_account_add 0
+%else
+ %define with_account_add 1
+%endif
+
%define with_qemu_tcg %{with_qemu}
# RHEL disables TCG on all architectures
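Review bot: The new with_account_add macro at the top of this hunk has no comment saying what it controls, unlike the neighbouring "# RHEL disables TCG on all architectures" line. A one-line comment above the %if would help: it should say that Fedora >= 42 creates accounts from sysusers files and that the %else branch keeps every other build on the useradd/groupadd scriptlets. That makes the intent clear to whoever later extends the condition to another distro.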
@@ -535,8 +541,10 @@ Requires(posttrans): /usr/bin/systemctl
Requires(preun): /usr/bin/systemctl
# libvirtd depends on 'messagebus' service
Requires: dbus
+%if %{with_account_add}
# For uid creation during pre
Requires(pre): shadow-utils
+%endif
# Needed by /usr/libexec/libvirt-guests.sh script.
%if 0%{?fedora}
Requires: gettext-runtime
@@ -1095,8 +1103,10 @@ Wireshark dissector plugin for better analysis of libvirt RPC traffic.
%package login-shell
Summary: Login shell for connecting users to an LXC container
Requires: libvirt-libs = %{version}-%{release}
+%if %{with_account_add}
# For uid creation during pre
Requires(pre): shadow-utils
+%endif
%description login-shell
Provides the set-uid virt-login-shell binary that is used to
@@ -1796,10 +1806,12 @@ export VIR_TEST_DEBUG=1
%pre daemon-common
%libvirt_sysconfig_pre libvirt-guests
%libvirt_systemd_oneshot_pre libvirt-guests
+%if %{with_account_add}
# 'libvirt' group is just to allow password-less polkit access to libvirt
# daemons. The uid number is irrelevant, so we use dynamic allocation.
getent group libvirt >/dev/null || groupadd -r libvirt
exit 0
+%endif
%posttrans daemon-common
%libvirt_sysconfig_posttrans libvirt-guests
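Review bot: In %pre daemon-common the closing %endif is placed after "exit 0", so with with_account_add set to 0 the scriptlet no longer ends with an explicit exit 0. Its status then becomes whatever the last command expanded from %libvirt_systemd_oneshot_pre returns. Moving the %endif above "exit 0" keeps the scriptlet's exit status the same in both branches. The same placement recurs in the daemon-driver-qemu and login-shell %pre scriptlets later in the patch.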
@@ -1922,6 +1934,7 @@ exit 0
%libvirt_sysconfig_pre virtqemud
%libvirt_systemd_unix_pre virtqemud
+%if %{with_account_add}
# We want soft static allocation of well-known ids, as disk images
# are commonly shared across NFS mounts by id rather than name.
# See https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/
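Review bot: The comment directly under the new %if says the qemu ids are soft static because disk images are shared across NFS by id rather than name, and with with_account_add set to 0 nothing in this spec file enforces that any more. The patch only adds conditionals to libvirt.spec.in, so the commit message should state which sysusers file provides the qemu user and group and confirm that it requests the same fixed ids this scriptlet allocates. Otherwise a fresh Fedora >= 42 install could end up with ids that do not match the ownership on shared images.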
@@ -1937,6 +1950,7 @@ if ! getent passwd 'qemu' >/dev/null; then
fi
fi
exit 0
+%endif
%posttrans daemon-driver-qemu
%libvirt_sysconfig_posttrans virtqemud
@@ -2063,8 +2077,10 @@ done
%if %{with_lxc}
%pre login-shell
+%if %{with_account_add}
getent group virtlogin >/dev/null || groupadd -r virtlogin
exit 0
+%endif
%endif
%endif
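Review bot: With with_account_add set to 0 the "%pre login-shell" section is left with an empty body, because the new %if opens after the section header rather than around it. Wrapping the "%pre login-shell" line itself in the conditional avoids emitting an empty scriptlet. Since this patch adds no sysusers file, it is also worth confirming that the login-shell sub-package already ships one declaring the virtlogin group.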
--
2.47.1
On Thu, Jan 30, 2025 at 15:21:31 +0000, Daniel P. Berrangé wrote:
> In Fedora >= 42, support for user/group account creation based on
> sysusers files has been enabled in RPM. Manually running useradd/
> groupadd is thus obsolete.

Do you have any pointer to how this actually works? So far users/groups
defined in sysusers were created at the end of transaction, which was
pretty useless. Is the change in Fedora about creating the users/groups
after each package is installed or even before? In other words, will the
following still work or will installation complain that the user/groups
do not exist?

%attr(0755, %{qemu_user}, %{qemu_group})
%attr(4750, root, virtlogin)

Jirka
On Thu, Jan 30, 2025 at 04:56:07PM +0100, Jiri Denemark wrote:
> On Thu, Jan 30, 2025 at 15:21:31 +0000, Daniel P. Berrangé wrote:
> > In Fedora >= 42, support for user/group account creation based on
> > sysusers files has been enabled in RPM. Manually running useradd/
> > groupadd is thus obsolete.
>
> Do you have any pointer to how this actually works? So far users/groups
> defined in sysusers were created at the end of transaction, which was
> pretty useless. Is the change in Fedora about creating the users/groups
> after each package is installed or even before? In other words, will the
> following still work or will installation complain that the user/groups
> do not exist?
>
> %attr(0755, %{qemu_user}, %{qemu_group})
> %attr(4750, root, virtlogin)

That should do the right thing

https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers

IIUC, RPM should see the sysusers files in the package and take care
to create the user accounts before deploying the files.

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
On Thu, Jan 30, 2025 at 17:05:05 +0000, Daniel P. Berrangé wrote:
> On Thu, Jan 30, 2025 at 04:56:07PM +0100, Jiri Denemark wrote:
> > On Thu, Jan 30, 2025 at 15:21:31 +0000, Daniel P. Berrangé wrote:
> > > In Fedora >= 42, support for user/group account creation based on
> > > sysusers files has been enabled in RPM. Manually running useradd/
> > > groupadd is thus obsolete.
> >
> > Do you have any pointer to how this actually works? So far users/groups
> > defined in sysusers were created at the end of transaction, which was
> > pretty useless. Is the change in Fedora about creating the users/groups
> > after each package is installed or even before? In other words, will the
> > following still work or will installation complain that the user/groups
> > do not exist?
> >
> > %attr(0755, %{qemu_user}, %{qemu_group})
> > %attr(4750, root, virtlogin)
>
> That should do the right thing
>
> https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers
>
> IIUC, RPM should see the sysusers files in the package and take care
> to create the user accounts before deploying the files.

Great, sysusers is finally becoming a useful thing :-)

Reviewed-by: Jiri Denemark <jdenemar@redhat.com>