Issue https://github.com/xcat2/xcat-core/issues/6774
On 7/15/20 12:05 PM, Jean-Baptiste Denis wrote:
I've removed chrony and others from the pkglist used during the genimage stage. One problem remains on my CentOS 8
stateless image with the "unbound" user:
$ grep unbound /etc/passwd
unbound:x:997:995:Unbound DNS resolver:/etc/unbound:/sbin/nologin
$ ROOTIMG=/install/image/netboot/cpu/netboot-cpu-centos8.1/img/rootimg
$ grep unbound $ROOTIMG/etc/passwd
unbound:x:998:996:Unbound DNS resolver:/etc/unbound:/sbin/nologin
$ ls -dn $ROOTIMG/var/lib/unbound/
drwxr-xr-x 2 997 995 22 Jul 15 11:28 /install/image/netboot/cpu/netboot-cpu-centos8.1/img/rootimg/var/lib/unbound/
$ ls -dn $ROOTIMG/var/lib/unbound/root.key
-rw-r--r-- 1 997 995 832 May 14 2019 /install/image/netboot/cpu/netboot-cpu-centos8.1/img/rootimg/var/lib/unbound/root.key
Inside the rootimg, unbound files have bad ownership (uid/gid from /etc/passwd).
The unbound user and associated files are coming from the unbound-libs package
installation, which is a dependency of dnf.
I can work around this in a postinstall script of course. But the general problem of using yum --installroot at the
genimage stage looks like a real problem that should be addressed at the xcat level.
Jean-Baptiste
On 7/15/20 7:14 AM, Jean-Baptiste Denis wrote:
Hi,
thank you for the suggestion and the postinstall template.
We are doing similar things with slurm/munge and others to ensure that we've
got the same uid/gid on every node, using ansible in a chroot context.
I don't want to freeze every system uid/gid. I think I'll shrink my pkglist to
the absolutely strict necessary and do most of my package installation in the
chroot context, without using --installroot.
Jean-Baptiste
On 7/15/20 5:55 AM, Carl wrote:
Hi,
Chrony seems to pick up the correct file ownership for our environment,
so I can't really comment on where it might be going wrong for you.
However, I can provide a workaround. The code below is based on the
compute.postinstall template and what we use to set up SLURM. So it
would be trivial to adapt to your situation.
Cheers,
Carl.
----
#!/bin/sh
# Arguments passed to the postinstall script by genimage
installroot=$1
osver=$2
arch=$3
profile=$4
workdir=$5
# Create the munge and slurm users and groups with fixed ids inside the image
cat << EOF | chroot "$installroot"
/usr/sbin/groupadd -r -g 900 munge
/usr/sbin/useradd -r -u 900 -g munge -d /var/run/munge -s /sbin/nologin -c "Runs Uid 'N' Gid Emporium" munge
/usr/sbin/groupadd -r -g 901 slurm
/usr/sbin/useradd -r -u 901 -g slurm -d /var/run/slurm -s /sbin/nologin -c "SLURM resource manager" slurm
EOF
# Install munge
/usr/bin/yum --installroot="$installroot" -y localinstall /install/post/otherpkgs/centos7/x86_64/munge*
/usr/bin/rsync -a /etc/munge "$installroot/etc/"
# Setup slurmd
cp -f /usr/local/src/SLURM/current/etc/slurmd.service "$installroot/usr/lib/systemd/system/"
# Enable munge and slurm services to start on boot
cat << EOF | chroot "$installroot"
/usr/bin/systemctl enable munge
/usr/bin/systemctl enable slurmd
EOF
----
On Wed, 15 Jul 2020 at 01:06, Jean-Baptiste Denis <jbde...@pasteur.fr> wrote:
Tedious indeed. Here is the list of users with different uid/gid between xcat
server and my stateless image:
# join -j 1 <(awk -F: '{print $1" "$3":"$4}' /install/image/netboot/cpu/netboot-cpu-centos8.1/img/rootimg/etc/passwd | sort) <(awk -F: '{print $1" "$3":"$4}' /etc/passwd | sort) | column -t | awk '{ if ($2!=$3) { print $0} }'
chrony 994:990 995:992
pcp 997:994 400:399
polkitd 998:995 998:996
sssd 995:991 996:993
unbound 996:993 997:995
I need to think about the best way to handle this. I can't say if there is a
solution on the xcat side though, aside from not using yum --installroot and
running yum in the chroot context?
Jean-Baptiste
On 7/14/20 1:15 PM, Jean-Baptiste Denis wrote:
Details here:
https://bugzilla.redhat.com/show_bug.cgi?id=1718146
https://github.com/rpm-software-management/rpm/issues/882
I was not aware of this behavior, but it makes sense.
The only viable solution seems to be to remove all the xcat pkglist packages that are
creating users and directories during installation. That's doable, but it's quite tedious.
Jean-Baptiste
On 7/14/20 1:01 PM, Jean-Baptiste Denis wrote:
In fact, I can reproduce the problem only using yum:
$ yum --installroot /tmp/chronytest install chrony
The resulting /tmp/chronytest/var/lib/chrony has the uid/gid of the chrony user
of /etc/passwd, not /tmp/chronytest/etc/passwd.
Jean-Baptiste
On 7/14/20 12:41 PM, Jean-Baptiste Denis wrote:
Hello,
I've got a problem regarding some uid inside a stateless image.
I've got my xcat server with chrony installed:
$ grep chrony /etc/passwd
chrony:x:995:992::/var/lib/chrony:/sbin/nologin
The chrony user has uid 995 and gid 992 on the xcat server.
Inside the stateless image, just after the genimage (chrony is installed using a pkglist), the chrony user has
uid 994 and gid 990:
$ grep chrony /install/image/netboot/cpu/netboot-cpu-centos8.1/img/rootimg/etc/passwd
chrony:x:994:990::/var/lib/chrony:/sbin/nologin
The problem is that the chrony package installation is creating a
/var/lib/chrony directory in the rootimg directory
using the chrony user from the xcat host and not the one from the image:
$ ls -nd /install/image/netboot/cpu/netboot-cpu-centos8.1/img/rootimg/var/lib/chrony/
drwxr-xr-x 2 995 992 6 Nov 19 2019 /install/image/netboot/cpu/netboot-cpu-centos8.1/img/rootimg/var/lib/chrony/
It should be 994:990.
This is problematic, because when I boot on the image, the /var/lib/chrony
directory owner is 'sssd' and group is 'systemd-coredump'. I've only spotted
this specific problem, but it could potentially concern other users/groups. I'd
rather not just 'fix' the owner/group of this directory. One solution could
be to remove all packages that create users from the pkglist and install them
afterwards directly in the chroot.
It seems to me quite difficult to synchronize *system* user/group on the xcat server and within the images. It
basically depends on the package installation order.
So I was wondering if I was doing something wrong here? Maybe I missed
something.
Thank you,
Jean-Baptiste
_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
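Added example, not part of the thread and not xCAT code: a POSIX shell check that extends the join comparison and the "owner is 'sssd'" observation above by reporting, for each account whose uid differs between host and image, which image account ends up owning files written with the host uid. The function names (uid_drift, misowned_paths, demo_drift) and the sample passwd lines are constructed here; only uids are compared, and gids would need the same comparison against /etc/group.

```shell
#!/bin/sh
# Added example (not from the thread): report uid drift between the host
# passwd and a rootimg passwd, and who appears to own the files in the image.

# uid_drift HOST_PASSWD IMAGE_PASSWD
# One line per drifted account: name host_uid image_uid holder
# "holder" is the image account whose uid equals the host uid, or "-".
uid_drift() {
    awk -F: '
        NR == FNR { host[$1] = $3; next }   # 1st file: host name -> uid
        { img[$1] = $3; holder[$3] = $1 }   # 2nd file: image name -> uid, uid -> name
        END {
            for (n in img)
                if (n in host && host[n] != img[n]) {
                    h = host[n]
                    print n, h, img[n], ((h in holder) ? holder[h] : "-")
                }
        }' "$1" "$2" | sort
}

# misowned_paths ROOTIMG HOST_PASSWD
# Tab-separated: path, intended account, uid it should have, apparent owner.
# Candidates for review only: files created inside the chroot may
# legitimately carry the same number.
misowned_paths() {
    rootimg=$1
    uid_drift "$2" "$rootimg/etc/passwd" |
    while read -r name host_uid img_uid holder; do
        # A numeric -user argument is matched as a uid when no such name exists.
        find "$rootimg" -xdev -user "$host_uid" -print |
        while IFS= read -r path; do
            printf '%s\t%s\t%s\t%s\n' "$path" "$name" "$img_uid" "$holder"
        done
    done
}

# Constructed sample: passwd entries built from the uid values in the thread.
demo_drift() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'chrony:x:995:992::/var/lib/chrony:/sbin/nologin' \
        'sssd:x:996:993::/:/sbin/nologin' 'unbound:x:997:995::/etc/unbound:/sbin/nologin' \
        'polkitd:x:998:996::/:/sbin/nologin' > "$d/host.passwd"
    printf '%s\n' 'chrony:x:994:990::/var/lib/chrony:/sbin/nologin' \
        'sssd:x:995:991::/:/sbin/nologin' 'unbound:x:996:993::/etc/unbound:/sbin/nologin' \
        'polkitd:x:998:995::/:/sbin/nologin' > "$d/image.passwd"
    uid_drift "$d/host.passwd" "$d/image.passwd"
    rm -rf "$d"
}
demo_drift
```

Run misowned_paths with the rootimg path and the host's /etc/passwd after genimage; an empty result means no path carries a drifted host uid.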