For Fedora Kinoite, the sddm UID/GID is allocated during the ostree image build and depending on the order the packages are installed, the chosen UID/GID might change.
This is an issue for Kinoite as sddm persists state in /var/lib/sddm and rightfully expects that the UID/GID will not change. We currently have a workaround in place to fix the ownership on boot but this is of course not a long term solution.
For Silverblue, GDM has a fixed UID/GID: https://src.fedoraproject.org/rpms/gdm/blob/rawhide/f/gdm.spec#_166
I wonder: The linked snippet from gdm.spec refers to code that is 1) neither specific to Silverblue, and 2) has not been changed in 13 years, so it can't possibly have been introduced for OSTree based systems. What's going on? Did GDM ever request a static UID 42 or are they "just using it without asking"?
As far as I can tell, it's the latter.
We discussed this at todays meeting (https://meetbot.fedoraproject.org/fedora-meeting-1/2021-06-17/fpc.2021-06-17-16.01.txt) and approved the allocation.
Metadata Update from @james: - Issue close_status updated to: accepted - Issue status updated to: Closed (was: Open)
One thing I want to emphasize is that the uid/gid issue isn't specific to ostree (or rpm-ostree) really, it's a generic issue with anyone who wants to do "image based updates" of which ostree is just one approach. On the rpm-ostree side our long term goal is to move to sysusers https://github.com/coreos/rpm-ostree/issues/49 and basically revert to allocating uid/gid on the client side, but it's tricky.
The other, even better approach is to push as many things as possible to use systemd DynamicUser=yes.
DynamicUser=yes
Should I had the user/group to https://pagure.io/setup/blob/master/f/passwd or directly in the SDDM package?
Should I move the GDM user allocation to setup sources too and remove them from the GDM package?
setup
Thanks!
Should I had the user/group to https://pagure.io/setup/blob/master/f/passwd or directly in the SDDM package? Should I move the GDM user allocation to setup sources too and remove them from the GDM package? Thanks!
It's probably better to do static allocations via sysusers in the SDDM and GDM packages.
You can see an example of how to use sysusers in the frr package sources.
frr
OK. Any preference for the UID/GID? Should we re-use the one from GDM as essentially they share the same purpose and are not likely (also it is possible) to be installed at the same time? I'll have to check how well this is supported in systemd-sysusers.
s/also/although/
We should not reuse GDM's because they can be parallel installed.
Is there any existing place where these would be tracked? If not, we should make a page since we are the arbiters of this kind of thing. I know the setup package is canonical but it doesn't cover users created in individual packages.
We should probably have a page for this. Long-term, the transition to systemd-sysusers means that we're going to need a global reference somewhere documented.
I can add a table at the end of https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/ and populate it with the values that we currently have for common packages.
That'd be great! :tada:
Offhand, I know that we have a static allocation for Mock that's not noted anywhere I can find either...
https://src.fedoraproject.org/rpms/gdm/pull-request/9
I've been chasing this recently and it looks like the list of all static UIDs and GIDs is at https://pagure.io/setup/blob/master/f/uidgid.
Login to comment on this ticket.