From b70886d3df3a93daa7aab2285ecc1a80867690f5 Mon Sep 17 00:00:00 2001
From: Manuel Bentele
Date: Fri, 25 Jun 2021 12:36:25 +0200
Subject: [libvirt] Enforce libvirt UIDs/GIDs to not collide with LDAP UIDs/GIDs

---
 core/modules/libvirt-users/module.build | 43 ++++++++++++++++++
 core/modules/libvirt-users/module.conf | 5 +++
 core/modules/libvirt/data/addon-init | 77 ---------------------------------
 core/modules/libvirt/module.conf | 4 ++
 core/targets/qemu/libvirt-users | 1 +
 5 files changed, 53 insertions(+), 77 deletions(-)
 create mode 100644 core/modules/libvirt-users/module.build
 create mode 100644 core/modules/libvirt-users/module.conf
 create mode 120000 core/targets/qemu/libvirt-users

diff --git a/core/modules/libvirt-users/module.build b/core/modules/libvirt-users/module.build
new file mode 100644
index 00000000..cab41b98
--- /dev/null
+++ b/core/modules/libvirt-users/module.build
@@ -0,0 +1,43 @@
+#!/bin/bash
+fetch_source() {
+ :
+}
+
+build() {
+ :
+}
+
+post_copy() {
+ # Create libvirt users before installing libvirt packages since the
+ # libvirt DEB package hook script will create system users with an
+ # UID/GID greater or equal than 1000. Those default libvirt UIDs/GIDs
+ # are not allowed since they will collide with LDAP UIDs/GIDs.
+
+ # add system groups to run libvirt
+ if ! getent group libvirt-qemu >/dev/null; then
+ addgroup --quiet --system libvirt-qemu
+ fi
+
+ if ! getent group kvm >/dev/null; then
+ addgroup --quiet --system kvm
+ fi
+
+ # add system user libvirt runs qemu/kvm instances with
+ if ! getent passwd libvirt-qemu >/dev/null; then
+ adduser --quiet \
+ --system \
+ --ingroup kvm \
+ --quiet \
+ --disabled-login \
+ --disabled-password \
+ --home /var/lib/libvirt \
+ --no-create-home \
+ --gecos "Libvirt Qemu" \
+ libvirt-qemu
+ fi
+
+ # add libvirt system user to the libvirt system group
+ if ! getent group libvirt-qemu >/dev/null; then
+ adduser --quiet libvirt-qemu libvirt-qemu
+ fi
+}
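Review bot: The last step of post_copy is dead code: its guard `if ! getent group libvirt-qemu >/dev/null; then` is evaluated after the same function has already created that group a few lines earlier, so it is always false and `adduser --quiet libvirt-qemu libvirt-qemu` never runs, leaving libvirt-qemu without its supplementary group (the removed addon-init ran that adduser inside the group-creation branch, where it fired on first run). The guard should test membership rather than group existence, e.g. `if ! id -nG libvirt-qemu | tr ' ' '\n' | grep -qx libvirt-qemu; then`. Separately, the commit's stated purpose — keeping these IDs out of the LDAP range — rests entirely on `--system`, whose range is whatever the build host's adduser.conf sets (FIRST_SYSTEM_UID/LAST_SYSTEM_UID, typically 100–999) and is never verified; a guard after creation such as `(( $(id -u libvirt-qemu) < 1000 && $(getent group libvirt-qemu | cut -d: -f3) < 1000 )) || return 1` would turn a silent ID collision into a build failure, assuming the module framework treats a non-zero post_copy as fatal (confirm). The `libvirt` group, the sudo-users-to-libvirt membership loop and the libvirt-dnsmasq account that addon-init also handled have no replacement here; if the DEB hooks are expected to provide them, a comment saying so would stop the next reader from re-adding them. The duplicated `--quiet` on the adduser call can be dropped.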
diff --git a/core/modules/libvirt-users/module.conf b/core/modules/libvirt-users/module.conf
new file mode 100644
index 00000000..668ddf88
--- /dev/null
+++ b/core/modules/libvirt-users/module.conf
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+REQUIRED_BINARIES=""
+REQUIRED_LIBRARIES=""
+REQUIRED_DIRECTORIES=""
diff --git a/core/modules/libvirt/data/addon-init b/core/modules/libvirt/data/addon-init
index 49c9b7b0..131a03f7 100755
--- a/core/modules/libvirt/data/addon-init
+++ b/core/modules/libvirt/data/addon-init
@@ -1,83 +1,6 @@
 #!/bin/ash
-#
-# allocated UID and GID for libvirt-qemu
-#
-LIBVIRT_QEMU_UID=64055
-LIBVIRT_QEMU_GID=64055
-
-#
-# add groups to run libvirt
-#
-if ! getent group libvirt >/dev/null; then
- addgroup --quiet --system libvirt
-fi
-
-if ! getent group kvm >/dev/null; then
- addgroup --quiet --system kvm
-fi
-
-#
-# add user and group libvirt runs qemu/kvm instances with
-#
-if ! getent passwd libvirt-qemu >/dev/null; then
-
- # set uid if available (expected); don't fail otherwise.
- PARAMETER_UID=''
- if ! getent passwd $LIBVIRT_QEMU_UID >/dev/null; then
- PARAMETER_UID="--uid $LIBVIRT_QEMU_UID"
- fi
-
- adduser --quiet \
- --system \
- --ingroup kvm \
- --quiet \
- --disabled-login \
- --disabled-password \
- --home /var/lib/libvirt \
- --no-create-home \
- --gecos "Libvirt Qemu" \
- $PARAMETER_UID \
- libvirt-qemu
-fi
-
-if ! getent group libvirt-qemu >/dev/null; then
-
- # set gid if available (expected); don't fail otherwise.
- PARAMETER_GID=''
- if ! getent group $LIBVIRT_QEMU_GID >/dev/null; then
- PARAMETER_GID="--gid $LIBVIRT_QEMU_GID"
- fi
-
- addgroup --quiet --system $PARAMETER_GID libvirt-qemu
- adduser --quiet libvirt-qemu libvirt-qemu
-fi
-
-#
-# add each sudo user to the libvirt group
-#
-for u in $(getent group sudo | sed -e "s/^.*://" -e "s/,/ /g"); do
- adduser "$u" libvirt >/dev/null || true
-done
-
-if ! getent group libvirt-dnsmasq >/dev/null; then
- addgroup --quiet --system libvirt-dnsmasq
-fi
-if ! getent passwd libvirt-dnsmasq >/dev/null; then
- adduser --quiet \
- --system \
- --ingroup libvirt-dnsmasq \
- --disabled-login \
- --disabled-password \
- --home /var/lib/libvirt/dnsmasq \
- --no-create-home \
- --gecos "Libvirt Dnsmasq" \
- libvirt-dnsmasq
-fi
-
-#
 # register and start libvirt services
-#
 systemctl daemon-reload
 systemctl start libvirtd.service
 systemctl start libvirt-guests.service
diff --git a/core/modules/libvirt/module.conf b/core/modules/libvirt/module.conf
index 668ddf88..d67344f7 100644
--- a/core/modules/libvirt/module.conf
+++ b/core/modules/libvirt/module.conf
@@ -1,5 +1,9 @@
 #!/bin/bash
+REQUIRED_MODULES="
+ libvirt-users
+"
+
 REQUIRED_BINARIES=""
 REQUIRED_LIBRARIES=""
 REQUIRED_DIRECTORIES=""
diff --git a/core/targets/qemu/libvirt-users b/core/targets/qemu/libvirt-users
new file mode 120000
index 00000000..6f799d72
--- /dev/null
+++ b/core/targets/qemu/libvirt-users
@@ -0,0 +1 @@
+../../modules/libvirt-users
\ No newline at end of file
-- 
cgit v1.2.3-55-g7522
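Review bot: The REQUIRED_MODULES entry records only that libvirt-users must be built, while the correctness of the whole change depends on an ordering this file does not state: the new module's post_copy has to create the libvirt-qemu and kvm accounts before the libvirt package hooks get a chance to create them with IDs from the wrong range. If the build framework guarantees that a required module's post_copy completes before the dependent module's packages are installed, a comment above the entry such as `# libvirt-users must run first: its post_copy creates the libvirt-qemu/kvm accounts in the system ID range before the libvirt DEB hooks can` would make that reason visible to the next person editing this list; if it does not, the dependency declaration alone does not enforce the ordering and it has to be guaranteed elsewhere (confirm against the framework).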