Update our user/group account handling to use sysusers.d when possible. #21162

Ferroin · 2025-10-16T15:50:45Z

Summary

Systemd provides a mechanism called sysusers to define system users/groups (and group membership, though we are not utilizing that for a couple of reasons) in a declarative manner and then bring the system into a state consistent with those declarations. This is more portable on systemd-based systems than adduser/useradd and similar tools, and it also provides some assurance that the Netdata accounts will exist when we try to run the agent.

This PR updates our native packages, static builds, and local builds to utilize this for user/group account creation when the system supports it.

In addition, this PR includes the following further changes to our user/group account handling:

For all native packages, we now use a separate package called netdata-user for user/group account creation which all of our other packages pre-depend on. This significantly simplifies most of our packages as it completely eliminates most of our pre-install hook scripts (almost all of them just create the user/group if they don’t exist), as well as making the account handling a tiny bit easier to integrate with the package managers and providing an easy way to see if a system using native packages has updated to a version that uses the new account handling. This package will directly install the sysusers config where systemd expects to find it.
For RPM 4.19 and newer, we now properly leverage the user/group dependency tracking provided by RPM itself to handle the creation of our user/group instead of relying on a custom postinstall script.
For static builds and local builds, the user/group creation code has been unified. Previously, it was duplicated in the regular netdata-installer and the static install code, and the behavior had diverged in problematic ways between the two. Now, the actual handling is done in packaging/installer/functions.sh.
For static builds and local builds, if the system appears to support systemd-sysusers, the config file will be copied into the correct location and then systemd-sysusers will be invoked to create the users. Otherwise, the existing behavior will be used as a fallback.
The list of supplementary groups we add the netdata user to has been significantly reduced for new installs. Almost all of the groups were used only by the old log-based collectors written in Python. New installs don’t use those because the Go plugin uses file capabilities for accessing logs, so there’s no reason to add the netdata user to these groups.

Test Plan

Requires manual testing of installation/updates to confirm that everything behaves correctly.

This allows for better integration with modern systemd systems, as well as enabling more consistent user creation behavior on systems that support it. All systemd-based platforms we currently support support sysusers based configuration of user accounts.

This also splits the user account handling to a dedicated package, which both simplifies the dependency tree, and also eliminates most of our preinstall hooks (almost all of them were just creating the accounts if they didn’t exist). On RPM 4.19 and newer, simply packaging the sysusers file results in the resultant RPM auto-generating the user information without any need for us to supply an install script to generate the accounts. On older RPM versions, we still ship and install the file, but we also include a postinstall script that then uses it to create the users (or falls back to useradd/groupadd). Use of the RPM integration is keyed off of the presence of the `add_sysuser` macro that RPM versions with this support provide, instead of keying off of specific distros and releases, which should avoid the need for us to update this as new releases of distros we support come out that use a new enough RPM version.

Like with the RPMs, this splits the user account handling to it’s own package, which simplifies both our set of maintainer scripts and our overall dependency tree. Unlike RPM, dpkg does not currently have support for automatic user account handling (though there is a draft proposal in the works to add this), so we need to always have appropriate maintainer scripts to create the users.

Also, centralize the user account handling code between the local and static builds. The updated code will directly install the sysusers.d file if the system appears to support sysusers.d user generation, and will then use systemd-sysusers for account creation. In the event that this is not supported, it falls back to the old behavior.

Almost all of the supplementary groups we currently add the Netdata user to were used by the older log-based collectors written in Python. On modern installs where data collection is done by the Go plugin out of the box, we don’t need these group memberships due to the use of file capabilities, so we shouldn’t be adding the Netdata user to them.

Copilot

Pull Request Overview

This PR modernizes Netdata's user/group account handling by leveraging systemd's sysusers mechanism when available, while maintaining backward compatibility. The implementation introduces a separate netdata-user package for native package installations and unifies account creation logic across static builds and local installations.

Introduces systemd sysusers support with fallback to traditional tools for user/group creation
Creates dedicated netdata-user package to handle account creation for all native packages
Reduces supplementary groups for new installations to only essential groups (docker, ceph, I2C)

Reviewed Changes

Copilot reviewed 29 out of 30 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
system/systemd/sysusers.conf.in	New systemd sysusers configuration template for declarative user/group creation
packaging/installer/functions.sh	Unified account creation logic with sysusers support and fallback
packaging/makeself/install-or-update.sh	Simplified to use new unified account creation function
packaging/cmake/pkg-files/deb/user/postinst	New postinstall script for netdata-user package
packaging/cmake/pkg-files/deb/*/preinst	Removed redundant user creation scripts from plugin packages
packaging/cmake/Modules/Packaging.cmake	Updated package dependencies to use netdata-user package
netdata.spec.in	Added RPM sysusers support and netdata-user subpackage
netdata-installer.sh	Simplified to use unified account creation function
CMakeLists.txt	Added build configuration for sysusers file installation

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

packaging/installer/functions.sh

netdata.spec.in

packaging/installer/functions.sh

packaging/cmake/Modules/Packaging.cmake

They haven’t actually been included in the package since we switched to using a separate package, and nothing broke, so we obviously don’t actually need them. What they were doing was questionable anyway (dpkg-statoverride is supposed to be for the administrator to adjust things, not for individual packages to fix their supposedly broken permissions).

thiagoftsm · 2025-10-20T12:31:55Z

@Ferroin ,

After the recent commits, we are seeing a CI failure. Could you please take a look?

Best regards.

thiagoftsm · 2025-10-20T20:20:27Z

@Ferroin ,

The functionality was verified on a local machine without systemd, where it performed as expected.

In contrast, during testing on CentOS 9 using the generated RPM packages, I observed that the groups were not correctly applied:

[root@192 artifacts]# ls -l /usr/libexec/netdata/plugins.d/*.plugin
-rwxr-x---. 1 root root   8919848 Oct 20 17:56 /usr/libexec/netdata/plugins.d/apps.plugin
-rwxr-x---. 1 root root     21787 Oct 20 17:46 /usr/libexec/netdata/plugins.d/charts.d.plugin
-rwxr-x---. 1 root root   3304112 Oct 20 17:49 /usr/libexec/netdata/plugins.d/cups.plugin
-rwxr-x---. 1 root root   3741952 Oct 20 17:53 /usr/libexec/netdata/plugins.d/debugfs.plugin
-rwsr-x---. 1 root root  10298008 Oct 20 17:51 /usr/libexec/netdata/plugins.d/ebpf.plugin
-rwsr-x---. 1 root root   4278768 Oct 20 17:49 /usr/libexec/netdata/plugins.d/freeipmi.plugin
-rwxr-x---. 1 root root 125509816 Oct 20 18:03 /usr/libexec/netdata/plugins.d/go.d.plugin
-rwxr-x---. 1 root root  75815160 Oct 20 18:02 /usr/libexec/netdata/plugins.d/ibm.d.plugin
-rwxr-x---. 1 root root      6521 Oct 20 17:46 /usr/libexec/netdata/plugins.d/ioping.plugin
-rwxr-x---. 1 root root   5242864 Oct 20 17:55 /usr/libexec/netdata/plugins.d/network-viewer.plugin
-rwxr-x---. 1 root root   3079544 Oct 20 17:49 /usr/libexec/netdata/plugins.d/perf.plugin
-rwxr-x---. 1 root root     25678 Oct 20 17:46 /usr/libexec/netdata/plugins.d/python.d.plugin
-rwxr-x---. 1 root root   3037136 Oct 20 17:49 /usr/libexec/netdata/plugins.d/slabinfo.plugin
-rwxr-x---. 1 root root   7843112 Oct 20 17:52 /usr/libexec/netdata/plugins.d/systemd-journal.plugin
-rwxr-x---. 1 root root   6971320 Oct 20 17:52 /usr/libexec/netdata/plugins.d/systemd-units.plugin

thiagoftsm · 2025-10-20T22:04:44Z

Debian packages have the expected user and group.

thiagoftsm · 2025-10-20T23:43:01Z

@Ferroin , the static binary is also working.

After this series of tests, I only identified issues with RPMs.

Ferroin · 2025-10-21T10:47:49Z

@thiagoftsm Just to confirm, this was a stock install of CentOS 9 Stream that you were testing on?

thiagoftsm · 2025-10-21T12:46:41Z

@thiagoftsm Just to confirm, this was a stock install of CentOS 9 Stream that you were testing on?

Yes. I generated the RPMs with command:

docker run -it --rm -e VERSION=0.1 -v $PWD:/netdata netdata/package-builders:centos-stream9-v1

And I created a libvirt image with file:

Vagrant.configure("2") do |config|
    config.vm.define "centoslinux9" do |centos9| 
        centos9.vm.provider "libvirt" do |v|
            v.cpus = 3
            v.memory = 2048
        end
        config.vm.box = "eurolinux-vagrant/centos-stream-9"
    end
end

Ferroin · 2025-10-22T11:12:03Z

@thiagoftsm Latest commits should fix the issues you were seeing.

thiagoftsm · 2025-10-22T14:24:32Z

@thiagoftsm Latest commits should fix the issues you were seeing.

I can confirm RPMs issue were addressed.
I am going to run another test with DEB packages to confirm I did not miss nothing there.
@ilyam8 , if you had any other test in mind, please, go ahead because previous issues were already fixed.

thiagoftsm

This PR was tested on the following scenarios:

Slackware current: Compiling source code;
CentOS 7: Static building;
Ubuntu 20.04: DEB;
CentOS 9: RPM.

In all scenarios user and groups were correctly associated. LGTM!

Copilot

Pull Request Overview

Copilot reviewed 31 out of 32 changed files in this pull request and generated 2 comments.

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

netdata.spec.in

packaging/cmake/Modules/Packaging.cmake

ilyam8 · 2025-10-23T13:41:24Z

@Ferroin, check the latest Copilot comments + I think you need to update netdata-uninstaller.

Co-authored-by: Copilot <[email protected]>

thiagoftsm

Last changes did not affect overall permissions in different scenarios. LGTM!

Ferroin added 5 commits October 16, 2025 11:31

Add systemd-sysusers config.

5066d1f

This allows for better integration with modern systemd systems, as well as enabling more consistent user creation behavior on systems that support it. All systemd-based platforms we currently support support sysusers based configuration of user accounts.

github-actions bot added area/packaging Packaging and operating systems support area/build Build system (autotools and cmake). labels Oct 16, 2025

Ferroin added 3 commits October 16, 2025 12:32

Fix left-over conditionals in RPM spec file.

44259b4

Fix RPM user account handling, again.

eee6581

Also handle OL8.

25361da

Ferroin marked this pull request as ready for review October 20, 2025 11:07

Ferroin requested review from a team and vkalintiris as code owners October 20, 2025 11:07

Ferroin requested a review from a team October 20, 2025 11:07

ilyam8 requested a review from Copilot October 20, 2025 11:11

Copilot AI reviewed Oct 20, 2025

View reviewed changes

packaging/installer/functions.sh Show resolved Hide resolved

netdata.spec.in Outdated Show resolved Hide resolved

packaging/installer/functions.sh Outdated Show resolved Hide resolved

packaging/cmake/Modules/Packaging.cmake Outdated Show resolved Hide resolved

Ferroin added 3 commits October 20, 2025 07:28

Drop duplicate conditional in RPM spec file.

7450e30

Explicitly handle NETDATA_ADDED_TO_GROUPS being unset.

25bfd1e

Drop nobody group from sysusers config.

4dbb9c4

Further fixes for RPMs.

5f63ce9

Fix deps for legacy RPM distros.

97600e4

thiagoftsm previously approved these changes Oct 22, 2025

View reviewed changes

ilyam8 requested a review from Copilot October 23, 2025 13:17

Copilot AI reviewed Oct 23, 2025

View reviewed changes

netdata.spec.in Outdated Show resolved Hide resolved

packaging/cmake/Modules/Packaging.cmake Outdated Show resolved Hide resolved

Clean up conditional in RPM spec file.

c43e3d3

Co-authored-by: Copilot <[email protected]>

Ferroin dismissed thiagoftsm’s stale review via c43e3d3 October 27, 2025 12:36

Revert unintentionally included change.

58efc69

Co-authored-by: Copilot <[email protected]>

thiagoftsm self-requested a review October 27, 2025 18:11

thiagoftsm approved these changes Oct 28, 2025

View reviewed changes

Update our user/group account handling to use sysusers.d when possible. #21162

Are you sure you want to change the base?

Update our user/group account handling to use sysusers.d when possible. #21162

Uh oh!

Conversation

Ferroin commented Oct 16, 2025

Summary

Test Plan

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

thiagoftsm commented Oct 20, 2025

Uh oh!

thiagoftsm commented Oct 20, 2025

Uh oh!

thiagoftsm commented Oct 20, 2025

Uh oh!

thiagoftsm commented Oct 20, 2025

Uh oh!

Ferroin commented Oct 21, 2025

Uh oh!

thiagoftsm commented Oct 21, 2025

Uh oh!

Ferroin commented Oct 22, 2025

Uh oh!

thiagoftsm commented Oct 22, 2025

Uh oh!

thiagoftsm left a comment

Choose a reason for hiding this comment

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Uh oh!

Uh oh!

Uh oh!

ilyam8 commented Oct 23, 2025

Uh oh!

thiagoftsm left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants