Bug 1219765

Summary: Cannot set user uid gid with autoyast
Product: [openSUSE] openSUSE Distribution
Reporter: Benoit Leveugle <benoit.leveugle>
Component: AutoYaST
Assignee: E-mail List <yast2-maintainers>
Status: RESOLVED INVALID
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: benoit.leveugle
Version: Leap 15.5   
Target Milestone: ---   
Hardware: x86-64   
OS: openSUSE Leap 15.5   

Description Benoit Leveugle 2024-02-09 10:55:54 UTC
Dear openSUSE team,

I am facing a bug with autoyast.

When I set my user this way:

  <!-- disable root password and add ssh keys to sudo user -->
  <users config:type="list">
    <user>
      <username>root</username>
      <user_password>!</user_password>
      <encrypted config:type="boolean">true</encrypted>
    </user>
    <user>
      <username>bluebanquise</username>
      <home>/var/lib/bluebanquise</home>
      <user_password>!</user_password>
      <encrypted config:type="boolean">true</encrypted>
      <authorized_keys config:type="list">
        <listentry>ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALEdouDSUanbrm7Q7/hPaUKpYeEAyBRuMQYU828qzVk bluebanquise@localhost</listentry>
      </authorized_keys>
    </user>
  </users>

It works:

bluebanquise@mgt7:~> pwd
/var/lib/bluebanquise
bluebanquise@mgt7:~> id
uid=1000(bluebanquise) gid=100(users) groups=100(users)
bluebanquise@mgt7:~> 

But if I ask for uid/gid, even non-system ones (I tried 377 and 3377):

  <!-- disable root password and add ssh keys to sudo user -->
  <users config:type="list">
    <user>
      <username>root</username>
      <user_password>!</user_password>
      <encrypted config:type="boolean">true</encrypted>
    </user>
    <user>
      <username>bluebanquise</username>
      <home>/var/lib/bluebanquise</home>
      <uid>377</uid>
      <gid>377</gid>
      <user_password>!</user_password>
      <encrypted config:type="boolean">true</encrypted>
      <authorized_keys config:type="list">
        <listentry>ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALEdouDSUanbrm7Q7/hPaUKpYeEAyBRuMQYU828qzVk bluebanquise@localhost</listentry>
      </authorized_keys>
    </user>
  </users>

Then the user is not created at all during installation.
I found these settings at https://doc.opensuse.org/projects/autoyast/#id-1.9.5.2.34.3.5

I cannot find anything in the installer logs, once the system is rebooted, about what is happening.

My Ansible template that generates my autoyast files is the following: https://github.com/bluebanquise/bluebanquise/blob/master/collections/infrastructure/roles/pxe_stack/templates/Suse/autoyast.xml.j2

This could be a bug, but I am not sure, maybe I am missing something :)

With my best regards

Benoît
Comment 1 Stefan Hundhammer 2024-02-09 18:24:28 UTC
Just a shot into the dark: Did you check /etc/login.defs for the minimum and maximum values for normal vs. system users and groups?

On my Leap 15.5, I have:

UID_MIN	1000
UID_MAX	60000
SYS_UID_MIN	100
SYS_UID_MAX	499
SUB_UID_MIN	100000
SUB_UID_MAX	600100000
GID_MIN	1000
GID_MAX	60000
SYS_GID_MIN	100
SYS_GID_MAX	499
SUB_GID_MIN	100000
SUB_GID_MAX	600100000
Comment 2 Stefan Hundhammer 2024-02-12 09:56:38 UTC
The code for actually creating the user is very straightforward:

https://github.com/yast/yast-users/blob/master/src/lib/y2users/linux/create_user_action.rb#L72-L148

> USERADD = "/usr/sbin/useradd".freeze
...
...
>  # Executes the command for creating the user, retrying in case of a recoverable error
>  def create_user
>    Yast::Execute.on_target!(USERADD, *useradd_options)
>  rescue Cheetah::ExecutionFailed => e
>    raise(e) unless e.status.exitstatus == USERADD_E_HOMEDIR
>
>    Yast::Execute.on_target!(USERADD, *useradd_options(skip_home: true))
>    issues << Y2Issues::Issue.new(
>      format(_("Failed to create home directory for user '%s'"), user.name)
>    )
>    log.warn("User '#{user.name}' created without home '#{user.home}'")
>  end
>
>  # Generates options for `useradd` according to the user
>  #
>  # @param skip_home [Boolean] whether the home creation should be explicitly skip
>  # @return [Array<String>]
>  def useradd_options(skip_home: false)
>    root_path_options + user_options + home_options(skip_home: skip_home) + [user.name]
>  end
>  
>  # Options from user attributes
>  #
>  # @return [Array<String>]
>  def user_options
>    opts = {
>      "--uid"     => user.uid,
>      "--gid"     => user.gid,
>      "--shell"   => user.shell,
>      "--comment" => user.gecos.join(","),
>      "--groups"  => user.secondary_groups_name.join(",")
>    }
>  
>    opts = opts.reject { |_, v| v.to_s.empty? }.flatten
>  
>    # user is already warned in advance
>    opts << "--non-unique" if user.uid
>  
>    opts << "--system" if user.system?
>  
>    opts
>  end


It uses the external 'useradd' command. It builds that command with its options in this code, and the executed command should be logged to /var/log/YaST2/y2log together with the exit code and any messages to stdout and stderr.

One caveat is that 'useradd' will use the settings from /etc/login.defs and /usr/default/useradd. If any of the command line arguments contradicts the settings there, the command will very likely fail with an error message.



man useradd:

>  -u, --uid UID
>     The numerical value of the user's ID. This value must be unique, unless the -o option
>     is used. The value must be non-negative. The default is to use the smallest ID value
>     greater than or equal to UID_MIN and greater than every other user.
>
>     See also the -r option and the UID_MAX description.

>  -r, --system
>     Create a system account.
>
>     System users will be created with no aging information in /etc/shadow, and their
>     numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in
>     /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the
>     creation of groups).
>
>     Note that useradd will not create a home directory for such a user, regardless of the
>     default setting in /etc/login.defs (CREATE_HOME). You have to specify the -m options
>     if you want a home directory for a system account to be created.


>  UID_MAX (number), UID_MIN (number)
>    Range of user IDs used for the creation of regular users by useradd or newusers.
>
>    The default value for UID_MIN (resp. UID_MAX) is 1000 (resp. 60000).


Notice that your chosen UID 377 is below UID_MIN in the standard /etc/login.defs (see comment #1). This might be the problem.
Comment 3 Stefan Hundhammer 2024-02-12 10:03:06 UTC
So, please check your /var/log/YaST2/y2log for messages from 'useradd' in the error case. They might have log-rotated away in the meantime, so please use

  zgrep -B 0 -A 10 "useradd" /var/log/YaST2/y2log*

If there is nothing anymore at all there, you can unpack the y2logs tarball just after the installation at /var/log/YaST2/yast-installation-logs.tar.xz and check there.


Please let us know what became of this; if my suspicion about UID < UID_MIN was correct, or if there were any other errors.

If this does not clarify the problem, please attach y2logs generated with the supplied 'save_y2logs' script and the complete AutoYaST profile (sanitized from any passwords; please replace them with something harmless like 'xxx').
Comment 4 Benoit Leveugle 2024-02-12 11:24:18 UTC
Dear @Stefan Hundhammer

Many thanks for this help, and apologies for the lateness of my answer.

So indeed, the code is straightforward, and I was not looking in the right log file.
To be honest, I am still not an expert on SUSE, still learning it :)

The error is the following:

/var/log/YaST2/y2log-1.gz:2024-02-12 11:57:36 <1> mgt7(3938) [Ruby] lib/cheetah.rb(record_commands):160 Executing "/usr/sbin/useradd --uid 377 --gid 377 --non-unique --system --create-home --home-dir /var/lib/bluebanquise bluebanquise".
/var/log/YaST2/y2log-1.gz:2024-02-12 11:57:36 <3> mgt7(3938) [Ruby] lib/cheetah.rb(log_stream_line):208 Error output: useradd: group '377' does not exist
/var/log/YaST2/y2log-1.gz-2024-02-12 11:57:36 <3> mgt7(3938) [Ruby] lib/cheetah.rb(record_status):180 Status: 6
/var/log/YaST2/y2log-1.gz:2024-02-12 11:57:36 <3> mgt7(3938) [Ruby] linux/create_user_action.rb(rescue in run_action):65 Error creating user 'bluebanquise' - Execution of "/usr/sbin/useradd --uid 377 --gid 377 --non-unique --system --create-home --home-dir /var/lib/bluebanquise bluebanquise" failed with status 6: useradd: group '377' does not exist.

And this is my fault, as it is clearly written in the documentation:

'''
gid

    Number

    <gid>100</gid>

    Optional. Initial group ID. It must be a unique and non-negative number. Moreover it must refer to an existing group. 
'''

So I first have to create the group.

I will test it and come back with result.
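
Added example, not part of the original thread: a small triage script that pairs each Cheetah "Executing" entry in y2log with its exit status and stderr, so failed `useradd` calls like the one above stand out. The function name and the exit-code table (taken from useradd(8)) are this example's own; the last two sample lines are constructed.

```python
import re

# The first three lines are the zgrep output quoted in the comment above;
# the last two are a constructed successful command, assumed to use the same format.
SAMPLE = '''\
/var/log/YaST2/y2log-1.gz:2024-02-12 11:57:36 <1> mgt7(3938) [Ruby] lib/cheetah.rb(record_commands):160 Executing "/usr/sbin/useradd --uid 377 --gid 377 --non-unique --system --create-home --home-dir /var/lib/bluebanquise bluebanquise".
/var/log/YaST2/y2log-1.gz:2024-02-12 11:57:36 <3> mgt7(3938) [Ruby] lib/cheetah.rb(log_stream_line):208 Error output: useradd: group '377' does not exist
/var/log/YaST2/y2log-1.gz-2024-02-12 11:57:36 <3> mgt7(3938) [Ruby] lib/cheetah.rb(record_status):180 Status: 6
/var/log/YaST2/y2log-1.gz:2024-02-12 11:57:37 <1> mgt7(3938) [Ruby] lib/cheetah.rb(record_commands):160 Executing "/usr/sbin/groupadd demo".
/var/log/YaST2/y2log-1.gz-2024-02-12 11:57:37 <1> mgt7(3938) [Ruby] lib/cheetah.rb(record_status):180 Status: 0
'''

# Selected useradd exit values, from the EXIT VALUES section of useradd(8).
USERADD_EXIT = {4: "UID already in use", 6: "specified group doesn't exist",
                9: "username already in use", 12: "can't create home directory"}

ENTRY = re.compile(r'(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) <\d> \S+\((?P<pid>\d+)\) '
                   r'\[\w+\] \S+ (?P<msg>.*)$')


def failed_commands(lines):
    """Pair each 'Executing' entry with its 'Status' entry; keep non-zero exits."""
    pending, failures = {}, []
    for line in lines:
        m = ENTRY.search(line)  # search() skips the 'file:' / 'file-' prefix from zgrep
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith('Executing "'):
            cmd = msg.removeprefix('Executing "').removesuffix('".')
            pending[pid] = {"time": m["ts"], "cmd": cmd, "stderr": []}
        elif pid in pending and msg.startswith("Error output: "):
            pending[pid]["stderr"].append(msg.removeprefix("Error output: "))
        elif pid in pending and msg.startswith("Status: "):
            rec = pending.pop(pid)
            rec["status"] = int(msg.split()[1])
            if rec["status"] != 0:
                if "/useradd " in rec["cmd"]:
                    rec["reason"] = USERADD_EXIT.get(rec["status"], "see useradd(8)")
                failures.append(rec)
    return failures


if __name__ == "__main__":
    for rec in failed_commands(SAMPLE.splitlines()):
        print(rec["time"], rec["status"], rec.get("reason"), rec["cmd"], sep=" | ")
```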
Comment 5 Stefan Hundhammer 2024-02-12 12:20:26 UTC
OK, that's good to hear; so we don't have a hidden landmine in that area. ;-)

I am confident that it's going to work when the group is explicitly added.
Comment 6 Benoit Leveugle 2024-02-12 15:28:56 UTC
It worked :)

I simply added:

<groups config:type="list">
  <group>
    <gid>377</gid>
    <groupname>bluebanquise</groupname>
  </group>
</groups>

And when I ssh on the server:

$ ssh mgt7
Have a lot of fun...
bluebanquise@mgt7:~> pwd
/var/lib/bluebanquise
bluebanquise@mgt7:~> id
uid=377(bluebanquise) gid=377(bluebanquise) groups=377(bluebanquise)
bluebanquise@mgt7:~>

So it's a simple fix for my code, and your autoyast code is clean.

I like the SUSE distribution, it's a good balance between RHEL and Ubuntu/Debian, so I try to always keep it in my opensource tool. I just need to level up more on it.

Many thanks for your help, and apologies for the false bug! ;)
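
Added example, not part of the original thread: a pre-flight check that parses a rendered AutoYaST profile and reports any user whose `<gid>` is not declared in `<groups>`, the condition that left the only key-bearing account uncreated here while root's password was disabled. The function names, the `target_gids` default (100 is the `users` group seen in the report) and the trimmed sample profiles are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"y": "http://www.suse.com/1.0/yast2ns"}  # AutoYaST profile namespace

# Constructed sample: the failing <users> section from the report, trimmed.
FAILING = """<profile xmlns="http://www.suse.com/1.0/yast2ns"
         xmlns:config="http://www.suse.com/1.0/configns">
  <users config:type="list">
    <user><username>root</username></user>
    <user><username>bluebanquise</username><uid>377</uid><gid>377</gid></user>
  </users>
</profile>"""

# The same profile with the <groups> section from comment 6 added.
FIXED = FAILING.replace("</profile>", """  <groups config:type="list">
    <group><gid>377</gid><groupname>bluebanquise</groupname></group>
  </groups>
</profile>""")


def _text(elem, tag):
    node = elem.find(f"y:{tag}", NS)
    return node.text.strip() if node is not None and node.text else None


def check_profile(xml_text, target_gids=(100,), uid_min=1000):
    # target_gids: GIDs assumed to exist on the installed system already.
    # uid_min: UID_MIN from the login.defs values quoted in comment 1.
    root = ET.fromstring(xml_text)
    known = {str(g) for g in target_gids}
    known |= {_text(g, "gid") for g in root.iterfind("y:groups/y:group", NS)}
    findings = []
    for user in root.iterfind("y:users/y:user", NS):
        name, uid, gid = (_text(user, t) for t in ("username", "uid", "gid"))
        if gid is not None and gid not in known:
            findings.append(("error", name, f"gid {gid} is not defined in <groups>"))
        if uid is not None and uid.isdigit() and int(uid) < uid_min:
            findings.append(("note", name, f"uid {uid} is below UID_MIN {uid_min}"))
    return findings


if __name__ == "__main__":
    for label, profile in (("failing", FAILING), ("fixed", FIXED)):
        print(label, check_profile(profile))
```

Run against the output of the Jinja template rather than the template itself, so the check sees the values that will actually reach the installer.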
Comment 7 Benoit Leveugle 2024-02-12 15:29:36 UTC
Closing as invalid.
Comment 8 Stefan Hundhammer 2024-02-12 16:54:12 UTC
OK, glad to hear that it worked.

And never mind the bug report; I very much prefer one that is easy to resolve to an unsolvable mystery that drags on forever without any result. ;-)