[03/10] package/systemd: remove unused user accounts

Message ID	20200206093633.251413-4-nolange79@gmail.com
State	Superseded
Headers	show Return-Path: <buildroot-bounces@busybox.net> From: Norbert Lange <nolange79@gmail.com> To: buildroot@buildroot.org Date: Thu, 6 Feb 2020 10:36:26 +0100 Message-Id: <20200206093633.251413-4-nolange79@gmail.com> In-Reply-To: <20200206093633.251413-1-nolange79@gmail.com> References: <20200206093633.251413-1-nolange79@gmail.com> MIME-Version: 1.0 Subject: [Buildroot] [PATCH 03/10] package/systemd: remove unused user accounts Precedence: list Cc: Norbert Lange <nolange79@gmail.com>, "Yann E. MORIN" <yann.morin.1998@free.fr>, Adam Duskett <aduskett@gmail.com>, Maxime Hadjinlian <maxime.hadjinlian@gmail.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: buildroot-bounces@busybox.net Sender: "buildroot" <buildroot-bounces@busybox.net>
Series	Improvements to systemd \| expand [00/10] Improvements to systemd [01/10] package/systemd: move preset-all HOOK to fakeroot stage [02/10] package/systemd: add libnss-systemd to name resolution [03/10] package/systemd: remove unused user accounts [04/10] package/systemd: create "remote" user if the feature is enabled [05/10] package/systemd: cosmetic rearrange list of users [06/10] package/systemd: sync user comments to upstream [07/10] Makefile: Handle systemd catalogs in PURGE_LOCALES [08/10] package/systemd: add hook to update journalctl catalogs [09/10] package/systemd: option to delete all catalog files [10/10] package/systemd: invoke systemd-tmpfilesd on final image

Norbert Lange Feb. 6, 2020, 9:36 a.m. UTC

Since V235 the "gateway" and "upload" services use DynamicUsers,
requiring no entries in /etc/passwd.
This functionality requires option nss-systemd, which is always
enabled in buildroot.

The "bus-proxy" user was removed in V230

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 package/systemd/systemd.mk | 3 ---
 1 file changed, 3 deletions(-)

Jérémy ROSEN Feb. 7, 2020, 9:11 a.m. UTC | #1

Yes...
Long term we should use systems-sysuser for that, so upstream trickles down
automatically

in the mean time,

Reviewed-by: Jérémy Rosen <jeremy.rosen@smile.fr>


Le jeu. 6 févr. 2020 à 10:37, Norbert Lange <nolange79@gmail.com> a écrit :

> Since V235 the "gateway" and "upload" services use DynamicUsers,
> requiring no entries in /etc/passwd.
> This functionality requires option nss-systemd, which is always
> enabled in buildroot.
>
> The "bus-proxy" user was removed in V230
>
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
>  package/systemd/systemd.mk | 3 ---
>  1 file changed, 3 deletions(-)
>
> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> index a390cdd1a9..b46c4fd540 100644
> --- a/package/systemd/systemd.mk
> +++ b/package/systemd/systemd.mk
> @@ -431,10 +431,7 @@ define SYSTEMD_USERS
>         - - systemd-journal -1 * - - - Journal
>         - - render -1 * - - - DRI rendering nodes
>         - - kvm -1 * - - - kvm nodes
> -       systemd-bus-proxy -1 systemd-bus-proxy -1 * - - - Proxy D-Bus
> messages to/from a bus
> -       systemd-journal-gateway -1 systemd-journal-gateway -1 *
> /var/log/journal - - Journal Gateway
>         systemd-journal-remote -1 systemd-journal-remote -1 *
> /var/log/journal/remote - - Journal Remote
> -       systemd-journal-upload -1 systemd-journal-upload -1 * - - -
> Journal Upload
>         $(SYSTEMD_COREDUMP_USER)
>         $(SYSTEMD_NETWORKD_USER)
>         $(SYSTEMD_RESOLVED_USER)
> --
> 2.24.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
>

Norbert Lange Feb. 7, 2020, 12:41 p.m. UTC | #2

Sure, but that could get tricky is you dont enable sysuser.d on the target,
then you would need to grab the files from the host installation and use
similar build-options as the target.

Some smart infrastructure work would be needed to not complicate things
between non-system, systemd with option x disabled,
and full systemd.

Am Fr., 7. Feb. 2020 um 10:11 Uhr schrieb Jérémy ROSEN <
jeremy.rosen@smile.fr>:

> Yes...
> Long term we should use systems-sysuser for that, so upstream trickles
> down automatically
>
> in the mean time,
>
> Reviewed-by: Jérémy Rosen <jeremy.rosen@smile.fr>
>
>
> Le jeu. 6 févr. 2020 à 10:37, Norbert Lange <nolange79@gmail.com> a
> écrit :
>
>> Since V235 the "gateway" and "upload" services use DynamicUsers,
>> requiring no entries in /etc/passwd.
>> This functionality requires option nss-systemd, which is always
>> enabled in buildroot.
>>
>> The "bus-proxy" user was removed in V230
>>
>> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>> ---
>>  package/systemd/systemd.mk | 3 ---
>>  1 file changed, 3 deletions(-)
>>
>> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
>> index a390cdd1a9..b46c4fd540 100644
>> --- a/package/systemd/systemd.mk
>> +++ b/package/systemd/systemd.mk
>> @@ -431,10 +431,7 @@ define SYSTEMD_USERS
>>         - - systemd-journal -1 * - - - Journal
>>         - - render -1 * - - - DRI rendering nodes
>>         - - kvm -1 * - - - kvm nodes
>> -       systemd-bus-proxy -1 systemd-bus-proxy -1 * - - - Proxy D-Bus
>> messages to/from a bus
>> -       systemd-journal-gateway -1 systemd-journal-gateway -1 *
>> /var/log/journal - - Journal Gateway
>>         systemd-journal-remote -1 systemd-journal-remote -1 *
>> /var/log/journal/remote - - Journal Remote
>> -       systemd-journal-upload -1 systemd-journal-upload -1 * - - -
>> Journal Upload
>>         $(SYSTEMD_COREDUMP_USER)
>>         $(SYSTEMD_NETWORKD_USER)
>>         $(SYSTEMD_RESOLVED_USER)
>> --
>> 2.24.1
>>
>> _______________________________________________
>> buildroot mailing list
>> buildroot@busybox.net
>> http://lists.busybox.net/mailman/listinfo/buildroot
>>
>
>
> --
> [image: SMILE]  <http://www.smile.eu/>
>
> 20 rue des Jardins
> 92600 Asnières-sur-Seine
> *Jérémy ROSEN*
> Architecte technique
>
> [image: email] jeremy.rosen@smile.fr
> [image: phone]  +33 6 88 25 87 42
> [image: url] http://www.smile.eu
>
> [image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
> <https://www.facebook.com/smileopensource> [image: LinkedIn]
> <https://www.linkedin.com/company/smile> [image: Github]
> <https://github.com/Smile-SA>
>
> [image: Découvrez l’univers Smile, rendez-vous sur smile.eu]
> <https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
>

Jérémy ROSEN Feb. 7, 2020, 12:43 p.m. UTC | #3

That's already in place. We already build host-systemd whenever we build
systemd (host-sysuser is currently disabled but that's trivial to enable)

It's just a question of doing it, really... and teaching mkusers a few
trick to go with it

Le ven. 7 févr. 2020 à 13:41, Norbert Lange <nolange79@gmail.com> a écrit :

> Sure, but that could get tricky is you dont enable sysuser.d on the target,
> then you would need to grab the files from the host installation and use
> similar build-options as the target.
>
> Some smart infrastructure work would be needed to not complicate things
> between non-system, systemd with option x disabled,
> and full systemd.
>
> Am Fr., 7. Feb. 2020 um 10:11 Uhr schrieb Jérémy ROSEN <
> jeremy.rosen@smile.fr>:
>
>> Yes...
>> Long term we should use systems-sysuser for that, so upstream trickles
>> down automatically
>>
>> in the mean time,
>>
>> Reviewed-by: Jérémy Rosen <jeremy.rosen@smile.fr>
>>
>>
>> Le jeu. 6 févr. 2020 à 10:37, Norbert Lange <nolange79@gmail.com> a
>> écrit :
>>
>>> Since V235 the "gateway" and "upload" services use DynamicUsers,
>>> requiring no entries in /etc/passwd.
>>> This functionality requires option nss-systemd, which is always
>>> enabled in buildroot.
>>>
>>> The "bus-proxy" user was removed in V230
>>>
>>> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>>> ---
>>>  package/systemd/systemd.mk | 3 ---
>>>  1 file changed, 3 deletions(-)
>>>
>>> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
>>> index a390cdd1a9..b46c4fd540 100644
>>> --- a/package/systemd/systemd.mk
>>> +++ b/package/systemd/systemd.mk
>>> @@ -431,10 +431,7 @@ define SYSTEMD_USERS
>>>         - - systemd-journal -1 * - - - Journal
>>>         - - render -1 * - - - DRI rendering nodes
>>>         - - kvm -1 * - - - kvm nodes
>>> -       systemd-bus-proxy -1 systemd-bus-proxy -1 * - - - Proxy D-Bus
>>> messages to/from a bus
>>> -       systemd-journal-gateway -1 systemd-journal-gateway -1 *
>>> /var/log/journal - - Journal Gateway
>>>         systemd-journal-remote -1 systemd-journal-remote -1 *
>>> /var/log/journal/remote - - Journal Remote
>>> -       systemd-journal-upload -1 systemd-journal-upload -1 * - - -
>>> Journal Upload
>>>         $(SYSTEMD_COREDUMP_USER)
>>>         $(SYSTEMD_NETWORKD_USER)
>>>         $(SYSTEMD_RESOLVED_USER)
>>> --
>>> 2.24.1
>>>
>>> _______________________________________________
>>> buildroot mailing list
>>> buildroot@busybox.net
>>> http://lists.busybox.net/mailman/listinfo/buildroot
>>>
>>
>>
>> --
>> [image: SMILE]  <http://www.smile.eu/>
>>
>> 20 rue des Jardins
>> 92600 Asnières-sur-Seine
>> *Jérémy ROSEN*
>> Architecte technique
>>
>> [image: email] jeremy.rosen@smile.fr
>> [image: phone]  +33 6 88 25 87 42
>> [image: url] http://www.smile.eu
>>
>> [image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
>> <https://www.facebook.com/smileopensource> [image: LinkedIn]
>> <https://www.linkedin.com/company/smile> [image: Github]
>> <https://github.com/Smile-SA>
>>
>> [image: Découvrez l’univers Smile, rendez-vous sur smile.eu]
>> <https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
>>
>

Norbert Lange Feb. 7, 2020, 12:52 p.m. UTC | #4

I mean if you dont enable host target sysuser, systemd and other packages
might not install the config files (these are after all just used for
preparing a system).
if you for example enable journal-remote and not sysuser on the target, you
would need to enable  journal-remote and sysuser on the host, then grab the
config files from the host.

Sure, everything can be solved somehow, but it would be easier to figure
out the correct way *before* someone begins hacking ( see
https://github.com/systemd/systemd/issues/14806 ).

For ex. you could always enable sysuser on the target and just offer an
option to remove those files in the rootfs image afterwards.

Norbert

Am Fr., 7. Feb. 2020 um 13:44 Uhr schrieb Jérémy ROSEN <
jeremy.rosen@smile.fr>:

> That's already in place. We already build host-systemd whenever we build
> systemd (host-sysuser is currently disabled but that's trivial to enable)
>
> It's just a question of doing it, really... and teaching mkusers a few
> trick to go with it
>
> Le ven. 7 févr. 2020 à 13:41, Norbert Lange <nolange79@gmail.com> a
> écrit :
>
>> Sure, but that could get tricky is you dont enable sysuser.d on the
>> target,
>> then you would need to grab the files from the host installation and use
>> similar build-options as the target.
>>
>> Some smart infrastructure work would be needed to not complicate things
>> between non-system, systemd with option x disabled,
>> and full systemd.
>>
>> Am Fr., 7. Feb. 2020 um 10:11 Uhr schrieb Jérémy ROSEN <
>> jeremy.rosen@smile.fr>:
>>
>>> Yes...
>>> Long term we should use systems-sysuser for that, so upstream trickles
>>> down automatically
>>>
>>> in the mean time,
>>>
>>> Reviewed-by: Jérémy Rosen <jeremy.rosen@smile.fr>
>>>
>>>
>>> Le jeu. 6 févr. 2020 à 10:37, Norbert Lange <nolange79@gmail.com> a
>>> écrit :
>>>
>>>> Since V235 the "gateway" and "upload" services use DynamicUsers,
>>>> requiring no entries in /etc/passwd.
>>>> This functionality requires option nss-systemd, which is always
>>>> enabled in buildroot.
>>>>
>>>> The "bus-proxy" user was removed in V230
>>>>
>>>> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>>>> ---
>>>>  package/systemd/systemd.mk | 3 ---
>>>>  1 file changed, 3 deletions(-)
>>>>
>>>> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
>>>> index a390cdd1a9..b46c4fd540 100644
>>>> --- a/package/systemd/systemd.mk
>>>> +++ b/package/systemd/systemd.mk
>>>> @@ -431,10 +431,7 @@ define SYSTEMD_USERS
>>>>         - - systemd-journal -1 * - - - Journal
>>>>         - - render -1 * - - - DRI rendering nodes
>>>>         - - kvm -1 * - - - kvm nodes
>>>> -       systemd-bus-proxy -1 systemd-bus-proxy -1 * - - - Proxy D-Bus
>>>> messages to/from a bus
>>>> -       systemd-journal-gateway -1 systemd-journal-gateway -1 *
>>>> /var/log/journal - - Journal Gateway
>>>>         systemd-journal-remote -1 systemd-journal-remote -1 *
>>>> /var/log/journal/remote - - Journal Remote
>>>> -       systemd-journal-upload -1 systemd-journal-upload -1 * - - -
>>>> Journal Upload
>>>>         $(SYSTEMD_COREDUMP_USER)
>>>>         $(SYSTEMD_NETWORKD_USER)
>>>>         $(SYSTEMD_RESOLVED_USER)
>>>> --
>>>> 2.24.1
>>>>
>>>> _______________________________________________
>>>> buildroot mailing list
>>>> buildroot@busybox.net
>>>> http://lists.busybox.net/mailman/listinfo/buildroot
>>>>
>>>
>>>
>>> --
>>> [image: SMILE]  <http://www.smile.eu/>
>>>
>>> 20 rue des Jardins
>>> 92600 Asnières-sur-Seine
>>> *Jérémy ROSEN*
>>> Architecte technique
>>>
>>> [image: email] jeremy.rosen@smile.fr
>>> [image: phone]  +33 6 88 25 87 42
>>> [image: url] http://www.smile.eu
>>>
>>> [image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
>>> <https://www.facebook.com/smileopensource> [image: LinkedIn]
>>> <https://www.linkedin.com/company/smile> [image: Github]
>>> <https://github.com/Smile-SA>
>>>
>>> [image: Découvrez l’univers Smile, rendez-vous sur smile.eu]
>>> <https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
>>>
>>
>
> --
> [image: SMILE]  <http://www.smile.eu/>
>
> 20 rue des Jardins
> 92600 Asnières-sur-Seine
> *Jérémy ROSEN*
> Architecte technique
>
> [image: email] jeremy.rosen@smile.fr
> [image: phone]  +33 6 88 25 87 42
> [image: url] http://www.smile.eu
>
> [image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
> <https://www.facebook.com/smileopensource> [image: LinkedIn]
> <https://www.linkedin.com/company/smile> [image: Github]
> <https://github.com/Smile-SA>
>
> [image: Découvrez l’univers Smile, rendez-vous sur smile.eu]
> <https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
>

Jérémy ROSEN Feb. 7, 2020, 12:57 p.m. UTC | #5

Le ven. 7 févr. 2020 à 13:52, Norbert Lange <nolange79@gmail.com> a écrit :

>
> I mean if you dont enable host target sysuser, systemd and other packages
> might not install the config files (these are after all just used for
> preparing a system).
>

hmm... interesting point.
How can a package detect if sysuser is enabled ? is there a pkg-config
option for that ?



> if you for example enable journal-remote and not sysuser on the target,
> you would need to enable  journal-remote and sysuser on the host, then grab
> the config files from the host.
>
> yes, I see your point
maybe it would be simpler to configure with sysuser both for target and
host and remove the binary from the target ?

Thinking out-lout at this point. I'm not sure if that's a good idea.



> Sure, everything can be solved somehow, but it would be easier to figure
> out the correct way *before* someone begins hacking ( see
> https://github.com/systemd/systemd/issues/14806 ).
>
> For ex. you could always enable sysuser on the target and just offer an
> option to remove those files in the rootfs image afterwards.
>
>
Right.... Those files never make sense on the target anyway.
Buildroot philosophy is that you can't install software after the fact on
the target and it's ok to remove tools that are only used to install stuff
after the fact
(that's why the rules files for hwdb are never on the target)

so in a way... we always need sysuser on the host and we never use it on
the target.
This all needs more thinking. but there is no emergency. that's for a
future patch.


Norbert
>
> Am Fr., 7. Feb. 2020 um 13:44 Uhr schrieb Jérémy ROSEN <
> jeremy.rosen@smile.fr>:
>
>> That's already in place. We already build host-systemd whenever we build
>> systemd (host-sysuser is currently disabled but that's trivial to enable)
>>
>> It's just a question of doing it, really... and teaching mkusers a few
>> trick to go with it
>>
>> Le ven. 7 févr. 2020 à 13:41, Norbert Lange <nolange79@gmail.com> a
>> écrit :
>>
>>> Sure, but that could get tricky is you dont enable sysuser.d on the
>>> target,
>>> then you would need to grab the files from the host installation and use
>>> similar build-options as the target.
>>>
>>> Some smart infrastructure work would be needed to not complicate things
>>> between non-system, systemd with option x disabled,
>>> and full systemd.
>>>
>>> Am Fr., 7. Feb. 2020 um 10:11 Uhr schrieb Jérémy ROSEN <
>>> jeremy.rosen@smile.fr>:
>>>
>>>> Yes...
>>>> Long term we should use systems-sysuser for that, so upstream trickles
>>>> down automatically
>>>>
>>>> in the mean time,
>>>>
>>>> Reviewed-by: Jérémy Rosen <jeremy.rosen@smile.fr>
>>>>
>>>>
>>>> Le jeu. 6 févr. 2020 à 10:37, Norbert Lange <nolange79@gmail.com> a
>>>> écrit :
>>>>
>>>>> Since V235 the "gateway" and "upload" services use DynamicUsers,
>>>>> requiring no entries in /etc/passwd.
>>>>> This functionality requires option nss-systemd, which is always
>>>>> enabled in buildroot.
>>>>>
>>>>> The "bus-proxy" user was removed in V230
>>>>>
>>>>> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>>>>> ---
>>>>>  package/systemd/systemd.mk | 3 ---
>>>>>  1 file changed, 3 deletions(-)
>>>>>
>>>>> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
>>>>> index a390cdd1a9..b46c4fd540 100644
>>>>> --- a/package/systemd/systemd.mk
>>>>> +++ b/package/systemd/systemd.mk
>>>>> @@ -431,10 +431,7 @@ define SYSTEMD_USERS
>>>>>         - - systemd-journal -1 * - - - Journal
>>>>>         - - render -1 * - - - DRI rendering nodes
>>>>>         - - kvm -1 * - - - kvm nodes
>>>>> -       systemd-bus-proxy -1 systemd-bus-proxy -1 * - - - Proxy D-Bus
>>>>> messages to/from a bus
>>>>> -       systemd-journal-gateway -1 systemd-journal-gateway -1 *
>>>>> /var/log/journal - - Journal Gateway
>>>>>         systemd-journal-remote -1 systemd-journal-remote -1 *
>>>>> /var/log/journal/remote - - Journal Remote
>>>>> -       systemd-journal-upload -1 systemd-journal-upload -1 * - - -
>>>>> Journal Upload
>>>>>         $(SYSTEMD_COREDUMP_USER)
>>>>>         $(SYSTEMD_NETWORKD_USER)
>>>>>         $(SYSTEMD_RESOLVED_USER)
>>>>> --
>>>>> 2.24.1
>>>>>
>>>>> _______________________________________________
>>>>> buildroot mailing list
>>>>> buildroot@busybox.net
>>>>> http://lists.busybox.net/mailman/listinfo/buildroot
>>>>>
>>>>
>>>>
>>>> --
>>>> [image: SMILE]  <http://www.smile.eu/>
>>>>
>>>> 20 rue des Jardins
>>>> 92600 Asnières-sur-Seine
>>>> *Jérémy ROSEN*
>>>> Architecte technique
>>>>
>>>> [image: email] jeremy.rosen@smile.fr
>>>> [image: phone]  +33 6 88 25 87 42
>>>> [image: url] http://www.smile.eu
>>>>
>>>> [image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
>>>> <https://www.facebook.com/smileopensource> [image: LinkedIn]
>>>> <https://www.linkedin.com/company/smile> [image: Github]
>>>> <https://github.com/Smile-SA>
>>>>
>>>> [image: Découvrez l’univers Smile, rendez-vous sur smile.eu]
>>>> <https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
>>>>
>>>
>>
>> --
>> [image: SMILE]  <http://www.smile.eu/>
>>
>> 20 rue des Jardins
>> 92600 Asnières-sur-Seine
>> *Jérémy ROSEN*
>> Architecte technique
>>
>> [image: email] jeremy.rosen@smile.fr
>> [image: phone]  +33 6 88 25 87 42
>> [image: url] http://www.smile.eu
>>
>> [image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
>> <https://www.facebook.com/smileopensource> [image: LinkedIn]
>> <https://www.linkedin.com/company/smile> [image: Github]
>> <https://github.com/Smile-SA>
>>
>> [image: Découvrez l’univers Smile, rendez-vous sur smile.eu]
>> <https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
>>
>

Norbert Lange Feb. 7, 2020, 1:07 p.m. UTC | #6

Am Fr., 7. Feb. 2020 um 13:58 Uhr schrieb Jérémy ROSEN <
jeremy.rosen@smile.fr>:

>
>
> Le ven. 7 févr. 2020 à 13:52, Norbert Lange <nolange79@gmail.com> a
> écrit :
>
>>
>> I mean if you dont enable host target sysuser, systemd and other packages
>> might not install the config files (these are after all just used for
>> preparing a system).
>>
>
> hmm... interesting point.
> How can a package detect if sysuser is enabled ? is there a pkg-config
> option for that ?
>

No idea, its a recent addition so that's a hypothetical, its however
already true for systemd.
You could for ex. write checks for folders or the sysuser utility.


>
>
>
>> if you for example enable journal-remote and not sysuser on the target,
>> you would need to enable  journal-remote and sysuser on the host, then grab
>> the config files from the host.
>>
>> yes, I see your point
> maybe it would be simpler to configure with sysuser both for target and
> host and remove the binary from the target ?
>
> Thinking out-lout at this point. I'm not sure if that's a good idea.
>

I think that's actually the best way. run the tool, then remove the folders
and the tool from the target.
Think of an overlayfs that defines users with sysuser configs and the
folders/files/permissions with tmpfiles configs.


>
>
>
>> Sure, everything can be solved somehow, but it would be easier to figure
>> out the correct way *before* someone begins hacking ( see
>> https://github.com/systemd/systemd/issues/14806 ).
>>
>> For ex. you could always enable sysuser on the target and just offer an
>> option to remove those files in the rootfs image afterwards.
>>
>>
> Right.... Those files never make sense on the target anyway.
> Buildroot philosophy is that you can't install software after the fact on
> the target and it's ok to remove tools that are only used to install stuff
> after the fact
> (that's why the rules files for hwdb are never on the target)
>
> so in a way... we always need sysuser on the host and we never use it on
> the target.
> This all needs more thinking. but there is no emergency. that's for a
> future patch.
>

The guy in the bug report supposedly (plans to) work on it. From
experience, iterations on this list can take a long time.

>
>
> Norbert
>>
>> Am Fr., 7. Feb. 2020 um 13:44 Uhr schrieb Jérémy ROSEN <
>> jeremy.rosen@smile.fr>:
>>
>>> That's already in place. We already build host-systemd whenever we build
>>> systemd (host-sysuser is currently disabled but that's trivial to enable)
>>>
>>> It's just a question of doing it, really... and teaching mkusers a few
>>> trick to go with it
>>>
>>> Le ven. 7 févr. 2020 à 13:41, Norbert Lange <nolange79@gmail.com> a
>>> écrit :
>>>
>>>> Sure, but that could get tricky is you dont enable sysuser.d on the
>>>> target,
>>>> then you would need to grab the files from the host installation and
>>>> use similar build-options as the target.
>>>>
>>>> Some smart infrastructure work would be needed to not complicate things
>>>> between non-system, systemd with option x disabled,
>>>> and full systemd.
>>>>
>>>> Am Fr., 7. Feb. 2020 um 10:11 Uhr schrieb Jérémy ROSEN <
>>>> jeremy.rosen@smile.fr>:
>>>>
>>>>> Yes...
>>>>> Long term we should use systems-sysuser for that, so upstream trickles
>>>>> down automatically
>>>>>
>>>>> in the mean time,
>>>>>
>>>>> Reviewed-by: Jérémy Rosen <jeremy.rosen@smile.fr>
>>>>>
>>>>>
>>>>> Le jeu. 6 févr. 2020 à 10:37, Norbert Lange <nolange79@gmail.com> a
>>>>> écrit :
>>>>>
>>>>>> Since V235 the "gateway" and "upload" services use DynamicUsers,
>>>>>> requiring no entries in /etc/passwd.
>>>>>> This functionality requires option nss-systemd, which is always
>>>>>> enabled in buildroot.
>>>>>>
>>>>>> The "bus-proxy" user was removed in V230
>>>>>>
>>>>>> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>>>>>> ---
>>>>>>  package/systemd/systemd.mk | 3 ---
>>>>>>  1 file changed, 3 deletions(-)
>>>>>>
>>>>>> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
>>>>>> index a390cdd1a9..b46c4fd540 100644
>>>>>> --- a/package/systemd/systemd.mk
>>>>>> +++ b/package/systemd/systemd.mk
>>>>>> @@ -431,10 +431,7 @@ define SYSTEMD_USERS
>>>>>>         - - systemd-journal -1 * - - - Journal
>>>>>>         - - render -1 * - - - DRI rendering nodes
>>>>>>         - - kvm -1 * - - - kvm nodes
>>>>>> -       systemd-bus-proxy -1 systemd-bus-proxy -1 * - - - Proxy D-Bus
>>>>>> messages to/from a bus
>>>>>> -       systemd-journal-gateway -1 systemd-journal-gateway -1 *
>>>>>> /var/log/journal - - Journal Gateway
>>>>>>         systemd-journal-remote -1 systemd-journal-remote -1 *
>>>>>> /var/log/journal/remote - - Journal Remote
>>>>>> -       systemd-journal-upload -1 systemd-journal-upload -1 * - - -
>>>>>> Journal Upload
>>>>>>         $(SYSTEMD_COREDUMP_USER)
>>>>>>         $(SYSTEMD_NETWORKD_USER)
>>>>>>         $(SYSTEMD_RESOLVED_USER)
>>>>>> --
>>>>>> 2.24.1
>>>>>>
>>>>>> _______________________________________________
>>>>>> buildroot mailing list
>>>>>> buildroot@busybox.net
>>>>>> http://lists.busybox.net/mailman/listinfo/buildroot
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> [image: SMILE]  <http://www.smile.eu/>
>>>>>
>>>>> 20 rue des Jardins
>>>>> 92600 Asnières-sur-Seine
>>>>> *Jérémy ROSEN*
>>>>> Architecte technique
>>>>>
>>>>> [image: email] jeremy.rosen@smile.fr
>>>>> [image: phone]  +33 6 88 25 87 42
>>>>> [image: url] http://www.smile.eu
>>>>>
>>>>> [image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
>>>>> <https://www.facebook.com/smileopensource> [image: LinkedIn]
>>>>> <https://www.linkedin.com/company/smile> [image: Github]
>>>>> <https://github.com/Smile-SA>
>>>>>
>>>>> [image: Découvrez l’univers Smile, rendez-vous sur smile.eu]
>>>>> <https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
>>>>>
>>>>
>>>
>>> --
>>> [image: SMILE]  <http://www.smile.eu/>
>>>
>>> 20 rue des Jardins
>>> 92600 Asnières-sur-Seine
>>> *Jérémy ROSEN*
>>> Architecte technique
>>>
>>> [image: email] jeremy.rosen@smile.fr
>>> [image: phone]  +33 6 88 25 87 42
>>> [image: url] http://www.smile.eu
>>>
>>> [image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
>>> <https://www.facebook.com/smileopensource> [image: LinkedIn]
>>> <https://www.linkedin.com/company/smile> [image: Github]
>>> <https://github.com/Smile-SA>
>>>
>>> [image: Découvrez l’univers Smile, rendez-vous sur smile.eu]
>>> <https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
>>>
>>
>
> --
> [image: SMILE]  <http://www.smile.eu/>
>
> 20 rue des Jardins
> 92600 Asnières-sur-Seine
> *Jérémy ROSEN*
> Architecte technique
>
> [image: email] jeremy.rosen@smile.fr
> [image: phone]  +33 6 88 25 87 42
> [image: url] http://www.smile.eu
>
> [image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
> <https://www.facebook.com/smileopensource> [image: LinkedIn]
> <https://www.linkedin.com/company/smile> [image: Github]
> <https://github.com/Smile-SA>
>
> [image: Découvrez l’univers Smile, rendez-vous sur smile.eu]
> <https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
>

[03/10] package/systemd: remove unused user accounts

Commit Message

Comments

Patch