systemd, tools: stop creating static cockpit-wsinstance user

Clean it up on package upgrades. Unlike the old `cockpit-ws` user, this
user never owned any files on disk (other than cockpit-system), so this
is safe.

Co-Authored-By: Martin Pitt <mpitt@redhat.com>

Author: allisonkarlitskaya

src/systemd/Makefile.am

@@ -59,11 +59,6 @@ tmpfilesconfdir = $(prefix)/lib/tmpfiles.d
 systemdgenerated += $(nodist_tmpfilesconf_DATA)
 nodist_tmpfilesconf_DATA = src/systemd/tmpfiles.d/cockpit-ws.conf
 
-# -----------------
-# sysusers
-sysusersconfdir = $(prefix)/lib/sysusers.d
-dist_sysusersconf_DATA = src/systemd/sysusers.d/cockpit-wsinstance.conf
-
 # -----------------
 # Policykit
 polkitdir = $(datadir)/polkit-1/actions

src/systemd/sysusers.d/cockpit-wsinstance.conf

@@ -390,7 +390,6 @@ authentication via sssd/FreeIPA.
 %{_unitdir}/cockpit-wsinstance-socket-user.service
 %{_unitdir}/system-cockpithttps.slice
 %{_prefix}/%{__lib}/tmpfiles.d/cockpit-ws.conf
-%{_sysusersdir}/cockpit-wsinstance.conf
 %{pamdir}/pam_ssh_add.so
 %{pamdir}/pam_cockpit_cert.so
 %{_libexecdir}/cockpit-ws
@@ -409,11 +408,6 @@ authentication via sssd/FreeIPA.
 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
 
 %pre ws
-# HACK: old RPM and even Fedora's current RPM don't properly support sysusers
-# https://github.com/rpm-software-management/rpm/issues/3073
-getent group cockpit-wsinstance >/dev/null || groupadd -r cockpit-wsinstance
-getent passwd cockpit-wsinstance >/dev/null || useradd -r -g cockpit-wsinstance -d /nonexisting -s /sbin/nologin -c "User for cockpit-ws instances" cockpit-wsinstance
-
 if %{_sbindir}/selinuxenabled 2>/dev/null; then
     %selinux_relabel_pre -s %{selinuxtype}
 fi
@@ -448,6 +442,11 @@ if test -f %{_sysconfdir}/pam.d/cockpit &&  grep -q pam_cockpit_cert %{_sysconfd
     echo '**** WARNING:'
 fi
 
+# remove obsolete system user on upgrade (replaced with DynamicUser in version 330)
+if getent passwd cockpit-wsinstance >/dev/null; then
+    userdel cockpit-wsinstance
+fi
+
 %preun ws
 %systemd_preun cockpit.socket cockpit.service
 

tools/cockpit.spec

@@ -18,7 +18,6 @@ ${env:deb_systemdsystemunitdir}/system-cockpithttps.slice
 ${env:deb_pamlibdir}/security/pam_ssh_add.so
 ${env:deb_pamlibdir}/security/pam_cockpit_cert.so
 usr/lib/tmpfiles.d/cockpit-ws.conf
-usr/lib/sysusers.d/cockpit-wsinstance.conf
 usr/lib/cockpit/cockpit-session
 usr/lib/cockpit/cockpit-ws
 usr/lib/cockpit/cockpit-wsinstance-factory

tools/debian/cockpit-ws.install

@@ -10,6 +10,12 @@ if [ "$1" = "configure" ] && dpkg-statoverride --list /usr/lib/cockpit/cockpit-s
     chgrp root /usr/lib/cockpit/cockpit-session
 fi
 
+# remove obsolete system user on upgrade (replaced with DynamicUser in version 330)
+if [ "$1" = "configure" ] && getent passwd cockpit-wsinstance >/dev/null; then
+    echo "Cleaning up obsolete static cockpit-wsinstance user"
+    deluser --system cockpit-wsinstance
+fi
+
 # restart cockpit.service on package upgrades, if it's already running
 if [ -d /run/systemd/system ] && [ -n "$2" ]; then
     deb-systemd-invoke try-restart cockpit.service >/dev/null || true

tools/debian/cockpit-ws.postinst

@@ -87,7 +87,3 @@ else
 	NO_QUNIT=1 pytest -vv -k 'not linter and not test_descriptions' -opythonpath=$$(ls -d debian/cockpit-bridge/usr/lib/python3*/dist-packages)
 endif
 endif
-
-# dh compat 14 does that automatically, remove when upgrading
-execute_before_dh_installtmpfiles:
-	dh_installsysusers