[SOLVED] bitten by dynamic UID/GID allocation change

[deej]

Hi all,
I could use a bit of help if someone has a moment.

Prior to release 6, dynamic allocation of UID/GID numbers were from the bottom of the range going up, for example service accounts created by RPM packages. With release 6, the dynamic allocation starts from the top of the range going down, meaning that UIDs are now starting at 499. Well, of course, my site already has some accounts at the upper end of the 400 range which is causing a conflict.

We are unable to change the site accounts at this time, so I'm trying to figure out how to change the behaviour of the dynamic allocation. Once a release 6 system is up and running, we can edit /etc/login.defs and add:
SYS_UID_MAX 399
SYS_GID_MAX 399
which will cause new accounts and groups to be created at 399 and down from there.

The problem is that several accounts are created during the initial OS installation.

I've rebuilt the shadow-utils RPM package to include my modified login.defs file, and now I need to replace the package in the installation media. Since I'm installing from a web server, it is easy to replace the package itself, but the problem is that the installer complains that the package is corrupt, which I believe is related to the new rpm package not being signed properly.

My question is basically, how do I properly replace a package in the install media such that the installer will use it for the initial OS installation?

Alternatively, if there are suggestions for another method to solve our UID/GID collisions, we are open to those as well, bearing in mind that we are not able to change the existing site accounts at this time.

Thanks,

-Dj

[TrevorH]

Did you rebuild the repo after replacing the package? The repodata directory has several files in it that contain checksums of the RPMs

[pschaff]

[quote]
deej wrote:
...
My question is basically, how do I properly replace a package in the install media such that the installer will use it for the initial OS installation?
...
[/quote]
I'd try an approach like this. Create your new package with a higher EVR than the CentOS package. Put it in a local repo and add the repo to your kickstart. Your package should then replace the CentOS package. Untested theory.

[deej]

[quote]
TrevorH wrote:
Did you rebuild the repo after replacing the package? The repodata directory has several files in it that contain checksums of the RPMs[/quote]

Hi Trevor,
I forgot to mention it in my original post, but yes I did try that. I obviously did not do it correctly, though, since my efforts resulted in the installer just hanging with a message similar to "Retrying Download" and didn't progress beyond that.

The web reference I found said to run "createrepo --update -g repodata/repomd.xml ." from the top level of the install directory. This command did complete successfully, but apparently did not produce the desired results.

Is there a tutorial somewhere online that describes how I might do this properly?

Thanks,

-Dj

[TrevorH]

I am pretty sure that your groups file is repodata/comps.xml but I've never rebuilt the DVD repo so am not sure if anything else is required.

[deej]

[quote]
TrevorH wrote:
I am pretty sure that your groups file is repodata/comps.xml but I've never rebuilt the DVD repo so am not sure if anything else is required.[/quote]

There isn't a comps.xml file by itself, but there is a
2a7e0c1da38a40e2961c0cec6acca8b8446d974b1fc055216ebde88bb4a19eb9-c6-x86_64-comps.xml file.

I'll try that.

Thanks,

-Dj

-rw-r--r-- 1 deej root 1210055 Jul 9 12:53 2a7e0c1da38a40e2961c0cec6acca8b8446d974b1fc055216ebde88bb4a19eb9-c6-x86_64-comps.xml
-rw-r--r-- 1 deej root 2470810 Jul 9 12:53 419f44d9f4e345e677c6ab519b62e2228cbcdf9c523d01d6a029fa4f02f66406-primary.xml.gz
-rw-r--r-- 1 deej root 2409110 Jul 9 12:53 5abe055f4bf7a1670d7b48a8172bec678861f2bcb8bc001ec3afa934638edc91-other.sqlite.bz2
-rw-r--r-- 1 deej root 5201743 Jul 9 12:53 c3797545a90f38e0738506e2b19c9a61e465f777156e0e1418a094d9ee08f23a-filelists.xml.gz
-rw-r--r-- 1 deej root 212410 Jul 9 12:53 c89fe3615797af0f5fcf9f53ebb36a605e713680139da34f71c4fe198ba9699e-c6-x86_64-comps.xml.gz
-rw-r--r-- 1 deej root 5772387 Jul 9 12:53 d30e7a407b0f019826c949cbc814944e6d178242abcadb5e79a891002cfb0107-filelists.sqlite.bz2
-rw-r--r-- 1 deej root 2634277 Jul 9 12:53 d4b0b37148f088ff02731d7c5d12af279fc6bfa1bde26aa2c4ccf18f2ac0d493-other.xml.gz
-rw-r--r-- 1 deej root 212402 Jul 9 12:19 e601759c6eed524aa4d8c5267f087f6c72491e3d811b3c937438e7a9b0747130-c6-x86_64-comps.xml.gz
-rw-r--r-- 1 deej root 4375882 Jul 9 12:53 ffb0e227e2cdd8a2b3609b65d7f38f6c1e756b437405b2918d6d36ebe59a0cb4-primary.sqlite.bz2
-rw-r--r-- 1 deej root 4137 Jul 9 12:53 repomd.xml
-r--r--r-- 1 deej root 2874 Jul 9 12:53 TRANS.TBL

[deej]

createrepo --update -g repodata/2a7e0c1da38a40e2961c0cec6acca8b8446d974b1fc055216ebde88bb4a19eb9-c6-x86_64-comps.xml .

worked like a dream.

In a nutshell, I installed a generic release 6 machine, downloaded the source code for shadow-utils, edited the SRPM login.defs file to contain:
SYS_UID_MAX 399
SYS_GID_MAX 399

Recompiled the rpm, copied the new rpm over the one in the install tree in the Packages directory, and rebuilt the repo using the above command.

My test machine installed fine, and all the new service accounts were created starting at UID 399 and decrementing from there, as well as group GIDs.

Thanks for the assist!

Long term solution will be to move the local created service accounts to another UID/GID range, but this will at least get us going in the meantime.

-Dj

[AlanBartlett]

Thank you for reporting back.

For posterity, this thread is marked [SOLVED].