Hello, i'm packaging cassandra and I'd like to have reserved UID/GID for user and group the package requires. It is a database package and as the others it stores some files. Users might want to access files from remote storage where cassandra is running and therefore the the files need to be owned by the same UID. I hope the explanation is comprehensive. Thank you!
By "access files from remote storage" I assume you mean some sort of network filesystem. I can't imagine that you'd be restricted to (un-kerberized) NFSv3 between these modern Fedora machines, so I'm not understanding why a fixed UID is necessary. What modern network filesystem without UID mapping support did you have in mind for this use case? Why can't the admin in this rather special case just fix a UID for this purpose?
Replying to [comment:1 tibbs]:
So what is the purpose of [https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups UserAndGroups] guidelines? Why other databases MySQL, PostgreSQL and MongoDB have preallocated UID and GID?
From guideline:
"Any package can use dynamic allocation; it is especially appropriate for packages that use separate identities only for privilege separation and don't create any files owned by that group/user account."
"Soft static allocation is only appropriate for packages where the UID or GID values are shared between computers. For instance, if the package creates files with the assigned UID or GID that are likely to be shared over NFS."
To move some of the stuff we discussed in the meeting over to this ticket:
I was wrong, NFS still doesn't do UID mapping by default, even though it pretty much requires that you have nfsidmapd running. I've no idea why.
We weren't at all sure what "cassandra" even is. Eventually someone mentioned it's a database. I added language to https://fedoraproject.org/wiki/Packaging_Committee to at least try to make it more obvious that you're going to have a better response to your ticket if you give us complete information.
I did a quick search for "cassandra database NFS" and found an article on cassandra anti-patterns which basically says "do not try to do cassandra on NFS". So... we're still confused.
I'm going to tighten up the language on the "requesting exceptions page" a bit to mention that "users might do something" isn't really sufficient justification.
Even after all of this, some of us are still either to the +1 stage or could be there if a slightly expanded justification were made.
But there hasn't been any response from the submitter to this ticket, so I may be talking into the æther at this point.
I'll move to needinfo now and hope I don't manage to forget about stuff I'm supposed to do here.
We discussed this at this weeks meeting (http://meetbot.fedoraproject.org/fedora-meeting-1/2016-06-23/fpc.2016-06-23-16.00.txt):
...or what tibbs said, sorry being late with the minutes.
Well thanks for discussing the topic.
From what I understand using NFS is not recommended only from performance point of view. When it comes to backup/restore scenario NFS is used as in [1]. Another use case requiring constant UID/GID is in containers (Docker). If one would like to connect an existing database into a container, the owner should be the same. Constant UID is also handy when transferring between containers or updating versions.
[1] http://techblog.constantcontact.com/devops/cassandra-and-backups/
We discussed this at this weeks meeting (http://meetbot.fedoraproject.org/fedora-meeting-1/2016-06-30/fpc.2016-06-30-16.00.txt):
According to [1] you should have allocated a number for cassandra and also should have added is to the list [2]. Can you please do that? Thanks.
[1] https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation [2] https://git.fedorahosted.org/cgit/setup.git/tree/uidgid
Hmm, that's odd. In the past that's been left up to the setup maintainer, and FPC hasn't done anything besides approve the request. I don't know why that text is in the guidelines; I don't think we even have this is something the setup maintainer should do. FPC has never actually assigned the UID numbers, nor does any committee number actually have access to the setup repository on Fedorahosted.
I'll fix up the guideline to not say any of that. I'm not sure what the proper procedure should be. I suppose that filing a ticket against the setup repository (while trac still exists) would be the right thing to do, and I guess it would make sense for someone on FPC to do it.
https://fedorahosted.org/setup/ticket/8
We discussed this at this weeks meeting (http://meetbot.fedoraproject.org/fedora-meeting-1/2016-09-15/fpc.2016-09-15-16.01.txt):
...mostly just let tibbs do it.
I had made the discussed changes to the guideline page ages ago; it no longer says that we'll assign numbers and such.
We'll just need to file bugzilla tickets against the setup package when we approve something, and make sure to provide sufficient information.
Metadata Update from @trepik: - Issue assigned to tibbs
Login to comment on this ticket.