Users and Groups
Rpm >= 4.19 has native support for declarative user and group creation
through integration with systemd’s
sysusers.d.
Packagers will only need to package a sysusers.d file for their custom users
and groups in /usr/lib/sysusers.d
and rpm will take care of the rest.
It’s also possible to declare sysusers.d entries manually with
%add_sysuser
macro in the context of the (sub-)package. The macro
simply takes a sysusers.d line as arguments, such as
%add_sysuser g mygroup 515
. Using this method is not recommended on
native systemd distributions.
Note that for certain types of systemd services (eg. transient and socket activated services) it may be possible to avoid package level user/group allocation altogether by using dynamic users.
Dependencies
Any non-root ownership in %files
section (through %attr()
or %defattr()
)
generates an automatic dependency on the named user and/or group. Similarly,
packaged sysusers.d files create provides for the users and/or groups they
create. This ensures correct installation when a package relies
on user/group from another package.
By default the dependencies are hard requirements, but as this can be
problematic when upgrading an existing distribution to rpm 4.19, it’s possible
to weaken these into recommends-dependencies by setting
%_use_weak_usergroup_deps
macro to 1
during package builds.
Limitations
At this time, rpm only supports the u
and g
directives of sysusers.d
format and ignores others. If other directives are needed, the package
will need to call systemd-sysusers with the correct arguments manually.
Technical details
As the sysusers.d data is needed before it’s unpacked from the payload
during installation, rpm encodes the relevant parts into the EVR string
of generated user() and group() provides: the sysusers.d line is base64
encoded, with the input \0-padded as needed to avoid base64 ‘=’ padding
in the output, which would be illegal in the EVR string. These are
decoded and fed into systemd-sysusers during installation, passing
--replace <path>
and --root <path>
as appropriate.
For example, the following sysusers.d line:
u dnsmasq - "Dnsmasq DHCP and DNS server" /var/lib/dnsmasq
…emits the following provides attached to the originating file:
user(dnsmasq) = dSBkbnNtYXNxIC0gIkRuc21hc3EgREhDUCBhbmQgRE5TIHNlcnZlciIgL3Zhci9saWIvZG5zbWFzcQAA
group(dnsmasq)
As systemd-sysusers implicitly creates a matching group for any created users, the group provide does not have an EVR here, only explicitly created groups will have the encoded sysusers.d line as EVR.
Non-systemd operating systems
On non-systemd platforms, it’s possible to use either
systemd-standalone-sysusers as a drop-in solution, or rpm can be configured
to use a custom script instead of systemd-sysusers for user and group
creation by overriding %__systemd_sysusers
macro in the main rpm
configuration.
Such a script needs to read sysusers.d lines from the standard input
and interpret these into calls native user and group creation tools as
appropriate. The script needs to handle --root <path>
argument for
chroot installations - the script runs from outside of any possible chroot,
and care must be taken to avoid changing the host in such a case.