[systemd-devel] new user/group population on bootup
Lennart Poettering
lennart at poettering.net
Fri Jun 13 09:51:52 PDT 2014
On Fri, 13.06.14 06:37, Colin Walters (walters at verbum.org) wrote:
>
> On Fri, Jun 13, 2014, at 05:36 AM, Colin Walters wrote:
>
> > My high level takeaway right now is that this looks OK for nspawn
> > containers, but it's not clear to me it's viable or right for the host
> > OS, at least for general purpose systems.
>
> That was wrongly stated - basically I'm just skeptical of seeing an
> empty /etc on general purpose systems in the next few years, at least
> without lots of non-upstream patches and hacks. A good example is this:
>
>https://github.com/coreos/baselayout/commit/98c6211c45c8c53d84df1657776314cc5f5f9ec1
For cases like this I would simply ask:
a) the upstream developers to always check some file in /usr/ somewhere
as fallback, if the file they are looking for in /etc doesn't exist. For
sudo this means: check /etc/sudoers first, and use that if it exists as
only source. If it doesn't, fallback to /usr/lib/sudo/sudoers or so,
which is some vendor supplied default. Alternatively, in many cases
instead of such a fallback it might also be a good choice to just build
some defaults into the code itself (for example, that's what logind does
if /etc/systemd/logind.conf is missing, it will not consult
anything else).
b) for packagers that need a quick solution, or where upstream cannot or
will not make such a change I'd recommend to simply drop in some
tmpfiles snippet that copies the absolute minimum over from
/usr/share/etc to /etc, but only the absolute minimum necessary. To
make this easy, I will add a new tmpfiles directive for easy copying
of files /usr/share/etc → /etc. Note however, that not even this
sounds necessary for things like apache for example. After all apache
is something that inherently needs configuration. It is kinda useless
without. If apache fails to start after a factory reset, then that
appears quite OK, until you actually dropped in configuration
again...
> The other stuff like update-done.service looks useful, though lately
> I've been thinking that we should try to do as much as possible before
> reboot as well - stuff like journalctl --update-catalog already supports
> --root, which will work for OSTree because it has a separate root.
Well, in our model, where we want one golden master /usr of which we
want to boot one 100 containers, we need the ability to apply changes to
/etc and /var "offline", and hence after rebooting. If you just change
the golden master tree, and that fixes the master's /etc and /var, then
that's not too useful because those directories will not be replicated
to the instances...
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list