ryantimwilson / rpms / systemd

Forked from rpms/systemd 2 months ago
Clone
f2f90a
From 07fd822c59e29b4f5e7dab029ea1186c1b862e3e Mon Sep 17 00:00:00 2001
f2f90a
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
f2f90a
Date: Tue, 9 Jan 2024 11:28:04 +0100
f2f90a
Subject: [PATCH] journal: again create user journals for users with high uids
f2f90a
f2f90a
This effectively reverts a change in 115d5145a257c1a27330acf9f063b5f4d910ca4d
f2f90a
'journald: move uid_for_system_journal() to uid-alloc-range.h', which slipped
f2f90a
in an additional check of uid_is_container(uid). The problem is that that change
f2f90a
is not backwards-compatible at all and very hard for users to handle.
f2f90a
There is no common agreement on mappings of high-range uids. Systemd declares
f2f90a
ownership of a large range for container uids in https://systemd.io/UIDS-GIDS/,
f2f90a
but this is only a recent change and various sites allocated those ranges
f2f90a
in a different way, in particular FreeIPA uses (used?) uids from this range
f2f90a
for human users. On big sites with lots of users changing uids is obviously a
f2f90a
hard problem. We generally assume that uids cannot be "freed" and/or changed
f2f90a
and/or reused safely, so we shouldn't demand the same from others.
f2f90a
f2f90a
This is somewhat similar to the situation with SYSTEM_ALLOC_UID_MIN /
f2f90a
SYSTEM_UID_MAX, which we tried to define to a fixed value in our code, causing
f2f90a
huge problems for existing systems with were created with a different
f2f90a
definition and couldn't be easily updated. For that case, we added a
f2f90a
configuration time switch and we now parse /etc/login.defs to actually use the
f2f90a
value that is appropriate for the local system.
f2f90a
f2f90a
Unfortunately, login.defs doesn't have a concept of container allocation ranges
f2f90a
(and we don't have code to parse and use those nonexistent names either), so we
f2f90a
can't tell users to adjust logind.defs to work around the changed definition.
f2f90a
f2f90a
login.defs has SUB_UID_{MIN,MAX}, but those aren't really the same thing,
f2f90a
because they are used to define where the add allocations for subuids, which is
f2f90a
generally a much smaller range. Maybe we should talk with other folks about
f2f90a
the appropriate allocation ranges and define some new settings in login.defs.
f2f90a
But this would require discussion and coordination with other projects first.
f2f90a
f2f90a
Actualy, it seems that this change was needed at all. The code in the container
f2f90a
does not log to the outside journal. It talks to its own journald, which does
f2f90a
journal splitting using its internal logic based on shifted uids. So let's
f2f90a
revert the change to fix user systems.
f2f90a
f2f90a
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843.
f2f90a
---
f2f90a
 src/basic/uid-alloc-range.c | 2 +-
f2f90a
 1 file changed, 1 insertion(+), 1 deletion(-)
f2f90a
f2f90a
diff --git a/src/basic/uid-alloc-range.c b/src/basic/uid-alloc-range.c
f2f90a
index 669cb6d56f7be..7b724b7959f60 100644
f2f90a
--- a/src/basic/uid-alloc-range.c
f2f90a
+++ b/src/basic/uid-alloc-range.c
f2f90a
@@ -127,5 +127,5 @@ bool uid_for_system_journal(uid_t uid) {
f2f90a
 
f2f90a
         /* Returns true if the specified UID shall get its data stored in the system journal. */
f2f90a
 
f2f90a
-        return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY || uid_is_container(uid);
f2f90a
+        return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY;
f2f90a
 }