Added fleet user and group and polkit rule #1579
Conversation
|
Needs to bump the revision of the fleet ebuild. once the baselayout change is merged also add the bump of the baselayout ebuild to this PR. |
kayrus
force-pushed
the
kayrus/fleet_group
branch
from
06732ab
to
d992053
Compare
|
@marineam Bumped revision to r2 and added policy rule mentioned in coreos/baselayout#38 |
kayrus
changed the title
| @@ -0,0 +1,6 @@ | |||
| polkit.addRule(function(action, subject) { | |||
There was a problem hiding this comment.
I think this makes more sense to install with fleet.
There was a problem hiding this comment.
For clarity, from a distro packager's point of view the ideal package just ships upstream code and doesn't need distro specific hacks/patches. So given that fleet depends on systemd but not the other way around fleet related policy would be weird for systemd itself to ship.
There was a problem hiding this comment.
Moved into fleet ebuild directory
kayrus
force-pushed
the
kayrus/fleet_group
branch
from
d992053
to
3fcc734
Compare
|
Added tmpfiles fleet.conf and moved polkit rule into fleet ebuild directory. |
|
@kayrus if fleet does not run as root, how can it write into /run? |
|
@mischief because I've added tmpfiles.d: |
This wiki page is outdated http://www.freedesktop.org/wiki/Software/systemd/dbus/ Polkit rule was already implemented in this PR: coreos/coreos-overlay#1579
kayrus
force-pushed
the
kayrus/fleet_group
branch
from
3fcc734
to
22cc847
Compare
|
Can one of the admins verify this patch? |
kayrus
force-pushed
the
kayrus/fleet_group
branch
2 times, most recently
from
63cd3c4
to
5b42aee
Compare
This wiki page is outdated http://www.freedesktop.org/wiki/Software/systemd/dbus/ Polkit rule was already implemented in this PR: coreos/coreos-overlay#1579
This wiki page is outdated http://www.freedesktop.org/wiki/Software/systemd/dbus/ Polkit rule was already implemented in this PR: coreos/coreos-overlay#1579
This wiki page is outdated http://www.freedesktop.org/wiki/Software/systemd/dbus/ Polkit rule was already implemented in this PR: coreos/coreos-overlay#1579
This wiki page is outdated http://www.freedesktop.org/wiki/Software/systemd/dbus/ Polkit rule was already implemented in this PR: coreos/coreos-overlay#1579
This wiki page is outdated http://www.freedesktop.org/wiki/Software/systemd/dbus/ Polkit rule was already implemented in this PR: coreos/coreos-overlay#1579
|
LGTM |
| @@ -0,0 +1,4 @@ | |||
| # create fleet group | |||
| g fleet 253 - - | |||
There was a problem hiding this comment.
@marineam are we intentionally allocating 253 to the fleet group in coreos?
There was a problem hiding this comment.
253 is available, although since the ebuild doesn't set the ownership of anything or run tmpfiles in advance I think we can set it to - and let systemd allocate the id on first boot. Static ids should only be needed when maintaining compatibility with the old scheme in baselayout or the pre-built filesystems have ownership set for some reason.
There was a problem hiding this comment.
s/^g/u/ as well, you need both a user and a group, not just a group.
|
Just one question about the magic number used for the fleet group, generally looks good to me, not that I'm familiar with polkit rules. |
| @@ -4,4 +4,6 @@ PartOf=fleet.service | |||
|
|
|||
| [Socket] | |||
| ListenStream=/var/run/fleet.sock | |||
|
|
|||
| SocketMode=0660 | |||
| SocketUser=fleet | |||
There was a problem hiding this comment.
sysusers isn't creating a fleet user, should it?
kayrus
force-pushed
the
kayrus/fleet_group
branch
from
5b42aee
to
5c67fcd
Compare
|
@marineam fixed |
|
@marineam ping |
| @@ -0,0 +1,4 @@ | |||
| # create fleet user and group | |||
There was a problem hiding this comment.
Can you move this into files/sysusers.d/fleet.conf?
| @@ -0,0 +1 @@ | |||
| d /var/run/fleet 0750 fleet fleet - - | |||
There was a problem hiding this comment.
Can you move this into files/tmpfiles.d/fleet.conf?
|
Two more suggestions, otherwise LGTM. |
|
LGTM |
kayrus
force-pushed
the
kayrus/fleet_group
branch
from
5c67fcd
to
b711494
Compare
app-admin/fleet: add fleet user, group, and polkit rules
This wiki page is outdated http://www.freedesktop.org/wiki/Software/systemd/dbus/ Polkit rule was already implemented in this PR: coreos/coreos-overlay#1579
This wiki page is outdated http://www.freedesktop.org/wiki/Software/systemd/dbus/ Polkit rule was already implemented in this PR: coreos/coreos-overlay#1579
This wiki page is outdated http://www.freedesktop.org/wiki/Software/systemd/dbus/ Polkit rule was already implemented in this PR: coreos/coreos-overlay#1579
/cc @philips @marineam
relates to coreos/baselayout#38