Hi,

I'm maintaining some packages in the server:monitoring repository and want to make my life a bit easier in the future (and I hope that our users will also benefit from it)...

At the moment, we follow upstream very closely regarding the names of the users and groups used for monitoring related packages (and especially daemons):

Package | User(s)         | Group(s)
------------------------------------------------
icinga  | icinga          | icinga, icingacmd
naemon  | naemon          | naemon
nagios  | nagios          | nagios, nagcmd
shinken | shinken         | shinken
zabbix  | zabbix, zabbixs | zabbix, zabbixs

Please note that at least icinga, naemon, nagios and shinken are very similar and even their configuration is more or less compatible. So you can easily migrate between the different daemons without too much administration overhead.

While - from a security standpoint - the current approach to use the upstream users/groups is very smart, as it allows you to run multiple daemons on a single host that cannot influence each other, it becomes more and more a nightmare from a packaging (and customer) view:

A lot of 3rd party applications want to get access to sockets, directories or other parts that belong to the corresponding daemon (check_mk*, pnp4nagios, BPView, {nagios-,icinga-www} - as both can also run on the other core, nagiosgrapher, nagiosgraph, nagserv, nsca, ... just to name a few).

As a result, there have to be either "permission" files to change the ownerships after installation of such a 3rd party application - or even separate $pkg-$daemon sub-packages that come with the correct owner:group setup for the $daemon part.

The problem with "permissions":
* there is a small, but important time frame between installing a package update and executing "chkstat --system --set" on the host to correct the ownerships again
* it needs additional openSUSE specific READMEs and support for users that are not aware of the fact that they might need to edit a file, that is not mentioned upstream, before the application works
* our security team does not seem to like the approach ;-)

The problem with a separate sub-package:
* Some (older?) openSUSE distribution checks had problems with files and directories that were packaged in multiple sub-packages (even if the sub-packages conflicted with each other), which made it impossible to get the package into Factory at all.
* Even with "supplements" and "suggests", people might have to choose their sub-package manually, if there is just a small mistake.
* it becomes a packager's nightmare to adapt all the available plugins and 3rd party apps for all the possible monitoring daemons...

So instead of maintaining a growing list of packages that require more and more time for packaging and maintenance (to support users by providing help to install 3rd party app X together with daemon Y), I would like to get your feedback about the following approach:
* use only the following users - at least for the packages icinga, nagios, naemon and shinken: monitoring
* use only the following main group: monitoring
* use only the following sub-group: monitorcmd

That would allow the 3rd party applications/packages to use the same user/group without any modifications.

From a security standpoint, this might be a nightmare, correct. But please think how often a user is running more than one monitoring solution in parallel on the same machine? Instead: how often might it be that a user wants to migrate from one monitoring solution to another and has to go through a lot of config files and filesystem permissions before he can start with the real migration?

We need to document the new "generic/default monitoring user/group on openSUSE", of course. But we would also need more and more documentation if we follow the current approach - so I do not see this as a negative impact.

An alternative might be to reduce the available monitoring packages for openSUSE to get more time for packaging and documentation if we stay on the current system. But I like freedom, so I do not like this point ;-)

As far as I found out (but I did only a little research), other distributions like Debian are also using just one set of monitoring users/groups for the compatible monitoring applications. If someone knows more, I would be very happy to hear.

So my question is: what is your opinion?

CU,
Lars