rpm-software-management / rpmlint

Tool for checking common errors in rpm packages

sysusers.d support applies %attr() ownership before creating sysusers

martinpitt opened this issue

We are currently trying to move our project to systemd-sysusers, away from manual useradd calls in the package's %pre script. The rpm manual claims

Rpm >= 4.19 has native support for declarative user and group creation through integration with systemd’s sysusers.d format. Packagers will only need to package a sysusers.d file for their custom users and groups in /usr/lib/sysusers.d and rpm will take care of the rest.

I tried that, and an initial version with a clean approach just adds a %{_sysusersdir}/cockpit-ws.conf file to the rpm. The diff doesn't show the existing

%attr(4750, root, cockpit-wsinstance) %{_libexecdir}/cockpit-session

in the spec which makes use of the dynamic group.

The rpm build does create the "magic" provides:

# rpm -q --provides cockpit-ws
cockpit-ws = 316.dev27+g1dc9d3b8f-1.fc40
cockpit-ws(x86-64) = 316.dev27+g1dc9d3b8f-1.fc40
config(cockpit-ws) = 316.dev27+g1dc9d3b8f-1.fc40
group(cockpit-ws)
group(cockpit-wsinstance)
user(cockpit-ws) = dSBjb2NrcGl0LXdzIC0gIlVzZXIgZm9yIGNvY2twaXQgd2ViIHNlcnZpY2UiIC0A
user(cockpit-wsinstance) = dSBjb2NrcGl0LXdzaW5zdGFuY2UgLSAiVXNlciBmb3IgY29ja3BpdC13cyBpbnN0YW5jZXMiIC0A

# echo dSBjb2NrcGl0LXdzIC0gIlVzZXIgZm9yIGNvY2twaXQgd2ViIHNlcnZpY2UiIC0A | base64 -d
u cockpit-ws - "User for cockpit web service" -

On install it does create the sysusers, but it tries to apply the %attr before creating the users:

# rpm -i --verbose /var/tmp/build/cockpit-ws-316.dev27+g1dc9d3b8f-1.fc40.x86_64.rpm 
Verifying packages...
Preparing packages...
cockpit-ws-316.dev27+g1dc9d3b8f-1.fc40.x86_64
warning: group cockpit-wsinstance does not exist - using root
Creating group 'cockpit-ws' with GID 979.
Creating user 'cockpit-ws' (User for cockpit web service) with UID 979 and GID 979.
Creating group 'cockpit-wsinstance' with GID 978.
Creating user 'cockpit-wsinstance' (User for cockpit-ws instances) with UID 978 and GID 978.

and after installation, /usr/libexec/cockpit-session has the wrong ownership (group root).

So for the docs to actually work, it needs to create the sysusers before unpacking (i.e. what a %pre script would do) from its "magic" provides or other internal .rpm metadata, or defer the %attr() application until after the initial unpacking of the files and sysusers creation.

I suppose that is the reason why the Fedora packaging guidelines have a completely different, and very hackish approach -- one that suggests duplicating the sysusers file downstream in the packaging dist-git, and using %sysusers_create_compat to basically create some useradd shell script out of the sysusers.d file. But this is awkward, error-prone, and a bit hard to automate for releases. It also feels backwards -- the whole point is to move and standardize all of this upstream.

I didn't find any existing upstream or Fedora downstream (bugzilla) bug report, so filing this one.

Thanks!

CC: @travier
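
As an added example (not part of the original issue and not rpm's own code), this Python script decodes the user()/group() provides shown above and classifies each "does not exist - using root" warning in an install log by whether the package itself declares that account, which is the ordering problem the issue describes. The function names are hypothetical, the sample input is copied from the output quoted in the issue, and the `user ...` form of the warning is assumed to mirror the `group ...` form.

```python
import base64
import re

# Sample input copied from the output quoted in the issue (trimmed).
PROVIDES = """\
cockpit-ws = 316.dev27+g1dc9d3b8f-1.fc40
group(cockpit-ws)
group(cockpit-wsinstance)
user(cockpit-ws) = dSBjb2NrcGl0LXdzIC0gIlVzZXIgZm9yIGNvY2twaXQgd2ViIHNlcnZpY2UiIC0A
user(cockpit-wsinstance) = dSBjb2NrcGl0LXdzaW5zdGFuY2UgLSAiVXNlciBmb3IgY29ja3BpdC13cyBpbnN0YW5jZXMiIC0A
"""
INSTALL_LOG = """\
warning: group cockpit-wsinstance does not exist - using root
Creating group 'cockpit-wsinstance' with GID 978.
"""

PROVIDE_RE = re.compile(r"^(user|group)\(([^)]+)\)(?:\s*=\s*(\S+))?$")
# The "user ..." variant is an assumption mirroring the "group ..." line above.
WARN_RE = re.compile(r"^warning: (user|group) (\S+) does not exist - using root$")


def declared_accounts(provides_text):
    """Map (kind, name) -> decoded sysusers.d line, or None if no payload."""
    accounts = {}
    for line in provides_text.splitlines():
        m = PROVIDE_RE.match(line.strip())
        if not m:
            continue
        kind, name, payload = m.groups()
        # In this sample the payload is base64 of the sysusers.d line plus a NUL.
        decoded = base64.b64decode(payload).rstrip(b"\0").decode() if payload else None
        accounts[(kind, name)] = decoded
    return accounts


def ownership_fallbacks(install_log, provides_text):
    """List (kind, name, declared_by_package) for every root fallback warning."""
    declared = declared_accounts(provides_text)
    hits = []
    for line in install_log.splitlines():
        m = WARN_RE.match(line.strip())
        if m:
            hits.append((m.group(1), m.group(2), (m.group(1), m.group(2)) in declared))
    return hits


if __name__ == "__main__":
    for kind, name, own in ownership_fallbacks(INSTALL_LOG, PROVIDES):
        cause = "declared by this package (ordering)" if own else "not declared here"
        print(f"{kind} {name}: fell back to root; {cause}")
```

A fallback flagged as declared by the package means the %attr() owner was resolved before the package's own sysusers entries were created, so the installed file's ownership should be re-checked after install.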

Why is this an rpmlint issue? This sounds like it belongs to RPM...

@pmatilai @dmnks @ffesti Can one of you transfer the issue to rpm? As I am not a member of the rpm-team, I cannot do it myself.

Erk sorry, stupid me. I'll just re-file it under rpm.