Yocto integration, user and group IDs, and persistent data partition

Hello,

This is more a question about Yocto than Mender specifically, but maybe someone had the same problem here.

We are using Mender with a persistent /data partition. Files on that partition are owned by several users and groups with specific permissions to secure the access to our device. Unfortunately, when updating Yocto to newer versions, or sometimes just by adding or removing software in our image, we find that user and group IDs can change. Yocto/OpenEmbedded do not set fixed user IDs for most system users and groups (NTP, systemd, and other system recipes).

As a result, when installing an update, the user and group numbers on our /data partition do not match the new numbers assigned by Yocto during the build of the updated image.

We are trying to force Yocto to use fixed IDs, but it requires changes to all recipes that create users, to manually assign a user and group ID as needed.

Do you know of better solutions to this problem? Is there a way to make sure user and group IDs remain deterministic even when changing the Yocto source?

Hi @pulkomandy,

The canonical Yocto way to handle this is using the useradd-staticids bbclass. It might however be slightly problematic if you already have deployed devices and require carefully constructing the UIDs/GIDs for new builds to match the existing ones.

Greetz,
Josef

Thanks, this worked for us 🙂

We could extract the existing passwd and groups files from our existing rootfs and re-inject it this way in the build for future versions.
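
A check that fits the approach in this thread, as an added example that is not part of the original posts: it compares the passwd (or group) file extracted from the deployed rootfs with the one from a new build and reports IDs that changed or were reassigned to a different account, which is the case where files on /data silently change owner. The sample tables and the function names are constructed for illustration.

```python
"""Compare passwd/group tables from a deployed rootfs and from a new build."""

# Constructed sample data (not from the thread), in passwd(5) format.
OLD_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
systemd-timesync:x:998:998::/:/sbin/nologin
appdata:x:997:997::/data/app:/sbin/nologin
"""
NEW_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
ntp:x:998:998::/var/lib/ntp:/sbin/nologin
systemd-timesync:x:997:997::/:/sbin/nologin
appdata:x:996:996::/data/app:/sbin/nologin
"""


def parse_ids(text):
    """Return {name: id}; in passwd and group files field 0 is the name, field 2 the ID."""
    ids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            raise ValueError(f"malformed entry: {line!r}")
        ids[fields[0]] = int(fields[2])
    return ids


def id_drift(old_text, new_text):
    """Report how IDs moved between the deployed table and the new one.

    changed: names whose ID differs, {name: (old_id, new_id)}
    reused:  old IDs now held by another name, {id: (old_name, new_name)};
             files on /data owned by that ID change owner after the update
    removed: names missing from the new table (their files become orphaned)
    """
    old, new = parse_ids(old_text), parse_ids(new_text)
    changed = {n: (i, new[n]) for n, i in old.items() if n in new and new[n] != i}
    removed = sorted(n for n in old if n not in new)
    new_by_id = {i: n for n, i in new.items()}
    reused = {i: (n, new_by_id[i]) for n, i in old.items()
              if i in new_by_id and new_by_id[i] != n}
    return {"changed": changed, "reused": reused, "removed": removed}


if __name__ == "__main__":
    for kind, entries in id_drift(OLD_PASSWD, NEW_PASSWD).items():
        print(kind, entries)
```

Run against the real files, an empty result for all three keys means the new image keeps every existing owner on /data intact.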