
Define fleetwide uid and gid mappings for the Netmon instances containing LibreNMS and Rancid.
Closed, Resolved, Public

Description

As of now, we don't have standardized fleetwide uid and gid mappings for the Netmon instances. This can cause issues like T314972, where one instance's uid is different from the other instance's uid, causing commands like rsync to write files with a different USER:GROUP mapping.

Ex. On the netmon1002 instance the uid 496 is mapped to the `librenms` user, and on the netmon1003 instance the uid 496 is mapped to `deploy-librenms`.


  • Ensure that the UID/GID for the 'librenms' user are consistent across the 'netmon' instances.
    • Update the UID/GID of the 'librenms' user in the 'netmon1003' instance.
    • Update the UID/GID of the 'librenms' user in the 'netmon1002' instance.
    • Update the UID/GID of the 'librenms' user in the 'netmon2001' instance.
  • Ensure that the UID/GID of the files belonging to the 'librenms' user are consistent across the 'netmon' instances.
    • Update UID/GID of the files in the 'netmon1003' instance.
    • Update UID/GID of the files in the 'netmon1002' instance.
    • Update UID/GID of the files in the 'netmon2001' instance.
  • netmon: Reserve UID/GID for the LibreNMS system user.
  • netmon: Use systemd::sysuser and reserve id for the LibreNMS user.
  • Add the LibreNMS UID/GID to the Reserved UIDs & GIDs documentation.

Event Timeline

@andrea.denisse I ran into this a bunch of times before. If you want to "reserve" a UID but also fix the existing servers without reimaging.. I have done something like this before, and it turned out to be easier than even getting into the rsync options and chroot and bug discussion that normally follows:

  • was lucky that the "target UID" it _should_ have was not already taken by another user
  • directly edited /etc/passwd to adjust UID
  • `find / -uid .. -exec chown .. {} \;` to find all files owned by old UID and give them to new UID
  • the end (because it only mattered once after setting up a new machine which happens probably in 2 years or more)

my 2 cents because we have been there..just sharing

Change 826427 had a related patch set uploaded (by Andrea Denisse; author: Andrea Denisse):

[operations/puppet@production] librenms: Reserve UID/GID for the LibreNMS system user.

https://gerrit.wikimedia.org/r/826427

Change 826429 had a related patch set uploaded (by Andrea Denisse; author: Andrea Denisse):

[operations/puppet@production] librenms: Reserve id for the LibreNMS user; Use systemd::sysuser instead of user.

https://gerrit.wikimedia.org/r/826429

Change 826431 had a related patch set uploaded (by Andrea Denisse; author: Andrea Denisse):

[operations/puppet@production] netmon: Use systemd::sysuser and reserve id for the LibreNMS user.

https://gerrit.wikimedia.org/r/826431

Change 826429 abandoned by Andrea Denisse:

[operations/puppet@production] netmon: Use systemd::sysuser and reserve id for the LibreNMS user.

Reason:

https://gerrit.wikimedia.org/r/826429

andrea.denisse changed the task status from Open to In Progress. Aug 25 2022, 6:42 AM
andrea.denisse updated the task description.

This is the process I followed to update the UID/GID:

  1. Back up /etc/passwd in case something breaks, ex. `sudo cp /etc/passwd /etc/passwd.bak`.
  2. Ensure the desired UID/GID are not taken by any user or groups, ex. `sudo grep "921" /etc/passwd` should print an empty line.
  3. See which processes are run by the user that will have its ID modified, ex. `ps aux | grep librenms`.
  4. Stop daemons run by that user, ex. `sudo systemctl stop librenms-syslog`.
  5. Change UID and GID respectively: `sudo usermod -u 921 librenms` and `sudo groupmod -g 921 librenms`.
  6. Ensure the user has the desired UID and GID, ex. `sudo grep "921" /etc/passwd` should print: `librenms:x:921:921::/nonexistent:/bin/false`.
  7. List a directory/file that belongs to the user; it belongs to a dangling UID/GID that doesn't map to any user, ex. `ls -l /var/log/librenms/librenms.log` prints `-rw-rw---- 1 496 1001 0 Aug 24 04:17 /var/log/librenms/librenms.log`.
  8. Run the puppet agent to update the UID and GID of the files belonging to the user: `sudo run-puppet-agent`.
  9. List a folder/file that belongs to the user; it should show a matching UID/GID, ex. `ls -l /var/log/librenms/librenms.log` should print `-rw-rw---- 1 librenms librenms 0 Aug 26 09:38 librenms.log`.
  10. There may be some files that were not managed by Puppet and don't get their UID/GID updated; to solve this, retrieve the previous UID/GID, ex. `sudo grep "librenms" /etc/passwd.bak` prints `librenms:x:496:1001::/nonexistent:/bin/false`.
  11. Change the GID of the files, ex. `sudo find / -group 1001 -exec chgrp --no-dereference librenms {} \;`.
  12. Change the UID of the dangling files, ex. `sudo find / -user 496 -exec chown --no-dereference librenms {} \;`.
  13. Ensure that daemons stopped in step #4 are started again, ex. `sudo systemctl start librenms-syslog`.
  14. Ensure all services are operational, ex. `sudo systemctl list-units --type=service`.
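
A read-only pre-flight for steps 2, 10, 11 and 12 above, as an added example that is not part of the original comment or of the Wikimedia Puppet code: it matches the ID field exactly (so 921 does not match 1921), checks the group file as well as the passwd file, and lists files still owned by the old IDs without changing them. The function names, the constructed `example` account and the assumption that the user's primary group has the same name as the user are this example's own.

```shell
#!/bin/sh
# Added example: read-only pre-flight for a UID/GID change. File paths are
# arguments so it can be tried on copies of /etc/passwd and /etc/group.

# make_sample DIR -> writes constructed passwd/group files (not real host data).
make_sample() {
    printf '%s\n' 'librenms:x:496:1001::/nonexistent:/bin/false' \
        'example:x:1921:1921::/nonexistent:/bin/false' > "$1/passwd"
    printf '%s\n' 'librenms:x:1001:' 'example:x:1921:' > "$1/group"
}

# owner_of_id FILE ID -> prints the name whose 3rd field equals ID exactly.
# Field 3 is the UID in passwd and the GID in group.
owner_of_id() {
    awk -F: -v id="$2" '$3 == id { print $1; exit }' "$1"
}

# preflight PASSWD GROUP USER NEW_UID NEW_GID
# Prints "OLD_UID:OLD_GID" on success. Returns 1 if USER is missing, 2 if the
# target UID or GID already belongs to a different account or group.
# Assumption: the user's primary group is named after the user.
preflight() {
    passwd=$1 group=$2 user=$3 new_uid=$4 new_gid=$5
    old=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $4; exit }' "$passwd")
    [ -n "$old" ] || { echo "no such user: $user" >&2; return 1; }
    uid_owner=$(owner_of_id "$passwd" "$new_uid")
    gid_owner=$(owner_of_id "$group" "$new_gid")
    if [ -n "$uid_owner" ] && [ "$uid_owner" != "$user" ]; then
        echo "UID $new_uid already used by $uid_owner" >&2; return 2
    fi
    if [ -n "$gid_owner" ] && [ "$gid_owner" != "$user" ]; then
        echo "GID $new_gid already used by group $gid_owner" >&2; return 2
    fi
    echo "$old"
}

# list_stale ROOT OLD_UID OLD_GID -> dry run: paths still owned by the old IDs.
# -xdev keeps find on one filesystem, so /proc and network mounts are skipped.
list_stale() {
    find "$1" -xdev \( -uid "$2" -o -gid "$3" \) -print 2>/dev/null
}
```

On a host this would be called as `preflight /etc/passwd /etc/group librenms 921 921` before step 5, and `list_stale / 496 1001` after step 8 to see what Puppet did not re-own.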

Change 826431 merged by Andrea Denisse:

[operations/puppet@production] netmon: Use systemd::sysuser and reserve id for the LibreNMS user.

https://gerrit.wikimedia.org/r/826431

andrea.denisse updated the task description.
andrea.denisse updated the task description.

Change 826427 merged by Dzahn:

[operations/puppet@production] netmon: Reserve UID/GID for the LibreNMS system user.

https://gerrit.wikimedia.org/r/826427