[INSTRM-592] Pin down pfs and pfs-data uid/gids before shipping to Subaru. Created: 11/Jan/19  Updated: 15/Jan/19

Status: Open
Project: Instrument control development
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Normal
Reporter: cloomis Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to INSTRM-321 Define BEE system image ansible role Open
relates to INSTRM-22 [ICD] Standard configuration (uid/gid... Done

 Description   

INSTRM-22 lists some OS conventions for ICS machines and software, and was written before PFS computers started being integrated at Subaru. LAM and JHU had settled on the pfs and pfs-data accounts having uid/gids of 1000 and 1001, respectively. But at Subaru user accounts are managed through a central LDAP server, and the two accounts were assigned 2085 and 2087. The ids will conflict when we deliver the SM1 BEEs.

I can think of four solutions:

  • renumber existing accounts at JHU and LAM. Ugh, especially at LAM.
  • use NFSv4 id mapping. NFSv4 uses user@domain names, and has mechanisms for mapping those to ids. We can try/test how well this works.
  • do not treat the pfs and pfs-data accounts as LDAP-managed accounts at Subaru, and leave them at 1000/1001.
  • reconfigure the ids just on the BEEs on arrival at Subaru, or re-image them. We might be able to convince ourselves this is safe, testing-wise.

I think that re-imaging is the right choice. If not that, renumbering. We still need to build a decent way to re-image the BEEs in any case, and being able to set the user ids dynamically would be a modest requirement.

fmadec? Kiaina Schubert?



 Comments   
Comment by fmadec [ 15/Jan/19 ]

I do not have a strong opinion.

Renumbering is a bit painful but acceptable. As you said, only the BEE is concerned because we do not deliver computers to SUBARU (of course ids have to match on each site).

Why do you need to re-image the BEEs in any case?

Comment by cloomis [ 15/Jan/19 ]

We do not need to re-image before delivery, but we do need to have/provide a good scheme to create/install an image in the first place. Currently we PXE boot to a rescue disk and tftp/dd a premade image right onto the disk device. Crude, and, if I were at Subaru, barely or not acceptable.

If that were to be redone properly, allowing for specifying uid/gids would not be much extra work.

If LAM and JHU were to renumber, we might have to renumber more than just the BEE ids, unless we used NFSv4 id mapping. Stuff in /software and /data, programs which are reading from /data, etc. Yes, we probably only need to renumber pfs-data everywhere, and to be careful on other machines, but it might leak: we would be writing into /data with pfs gid=2085.
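
An added example, not part of the ticket or the project's own tooling: a read-only Python scan that lists what a renumbering would have to re-own under a tree such as /data or /software, and flags entries already owned by a target id. It assumes pfs maps 1000 to 2085 and pfs-data maps 1001 to 2087; `plan_renumber` and `apply_plan` are hypothetical names.

```python
import os
import sys

# Numbering from the ticket: LAM/JHU ids -> Subaru LDAP ids.
# Assumption: pfs is 1000 -> 2085 and pfs-data is 1001 -> 2087.
ID_MAP = {1000: 2085, 1001: 2087}


def plan_renumber(root, uid_map=ID_MAP, gid_map=ID_MAP):
    """Read-only scan of root.

    Returns (changes, collisions):
      changes    - (path, old_uid, old_gid, new_uid, new_gid) per entry to re-own
      collisions - paths already owned by a target id before any change, which
                   would silently merge with pfs/pfs-data afterwards
    """
    changes, collisions = [], []
    target_uids, target_gids = set(uid_map.values()), set(gid_map.values())
    for dirpath, dirnames, filenames in os.walk(root):
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames + links]:
            st = os.lstat(path)  # lstat: inspect a symlink itself, not its target
            new_uid = uid_map.get(st.st_uid, st.st_uid)
            new_gid = gid_map.get(st.st_gid, st.st_gid)
            if (new_uid, new_gid) != (st.st_uid, st.st_gid):
                changes.append((path, st.st_uid, st.st_gid, new_uid, new_gid))
            if st.st_uid in target_uids or st.st_gid in target_gids:
                collisions.append(path)
    return changes, collisions


def apply_plan(changes, dry_run=True):
    """Re-own each entry from its original ids in one pass (needs root)."""
    for path, _, _, new_uid, new_gid in changes:
        if not dry_run:
            os.lchown(path, new_uid, new_gid)
    return len(changes)


if __name__ == "__main__":
    changes, collisions = plan_renumber(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, ou, og, nu, ng in changes:
        print(f"{path}: {ou}:{og} -> {nu}:{ng}")
    for path in collisions:
        print(f"COLLISION (already owned by a target id): {path}", file=sys.stderr)
```

A non-empty collision list means some other account already uses 2085 or 2087 on that filesystem, so the renumbering would hand its files to pfs or pfs-data.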

Generated at Sat Feb 10 16:26:37 JST 2024 using Jira 8.3.4#803005-sha1:1f96e09b3c60279a408a2ae47be3c745f571388b.