fix(rpm): drop %attr(,,user) on config files to avoid dnf silent filter
All checks were successful
CI / Format, lint, build, test (push) Successful in 1m11s
CI / Publish cortex to COPR (push) Successful in 11m3s
CI / Build cortex SRPM (push) Successful in 43s
CI / Build neuron SRPM (push) Successful in 43s
CI / Publish neuron to COPR (push) Successful in 8m56s
CI / Bump version in source (push) Successful in 30s
All checks were successful
CI / Format, lint, build, test (push) Successful in 1m11s
CI / Publish cortex to COPR (push) Successful in 11m3s
CI / Build cortex SRPM (push) Successful in 43s
CI / Build neuron SRPM (push) Successful in 43s
CI / Publish neuron to COPR (push) Successful in 8m56s
CI / Bump version in source (push) Successful in 30s
Using %attr(,,cortex) / %attr(,,neuron) on config files caused rpm's auto-dep-generator to emit Requires: user(name) and group(name) on each package. When those Requires couldn't be resolved — whether due to sysusers Provides mismatches, missing GPG keys, or dnf5 cache state — dnf5 silently filtered the package out of the candidate set and reported "Nothing to do" rather than an unsatisfied-dep error. Adopt the pattern that already works reliably across our infra (grenade/monsoon): ship config files as default root:root with 0644 perms, don't declare user/group ownership in the rpm file list. systemd-sysusers still creates the service user via the shipped sysusers.d file; the service drops to that user at runtime via the User= directive in the unit. This removes the user(cortex)/user(neuron) Requires entirely, which is the root cause of the dnf5 filtering. File permission tightening can be reintroduced later — either via a separate secrets file with different mode bits, or by moving secret material to /var/lib/<svc>/ where the service drop-privileges account already has write access. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
18
cortex.spec
18
cortex.spec
@@ -22,12 +22,6 @@ BuildRequires: systemd-rpm-macros
|
|||||||
Requires(pre): shadow-utils
|
Requires(pre): shadow-utils
|
||||||
Requires: systemd
|
Requires: systemd
|
||||||
|
|
||||||
# rpm's sysusers provides-generator only emits versioned user(cortex) when
|
|
||||||
# the u-line has GECOS/home/shell fields. %attr(,,cortex) in %files emits
|
|
||||||
# an unversioned Requires: user(cortex), so we provide it explicitly.
|
|
||||||
Provides: user(cortex)
|
|
||||||
Provides: group(cortex)
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Cortex is a Rust reverse-proxy that sits in front of multiple inference
|
Cortex is a Rust reverse-proxy that sits in front of multiple inference
|
||||||
nodes (via neuron daemons) and presents a unified OpenAI and Anthropic
|
nodes (via neuron daemons) and presents a unified OpenAI and Anthropic
|
||||||
@@ -53,9 +47,9 @@ cargo build --release -p cortex-cli
|
|||||||
install -Dm755 target/release/cortex %{buildroot}%{_bindir}/cortex
|
install -Dm755 target/release/cortex %{buildroot}%{_bindir}/cortex
|
||||||
install -Dm644 data/cortex.service %{buildroot}%{_unitdir}/cortex.service
|
install -Dm644 data/cortex.service %{buildroot}%{_unitdir}/cortex.service
|
||||||
install -Dm644 data/cortex-sysusers.conf %{buildroot}%{_sysusersdir}/cortex.conf
|
install -Dm644 data/cortex-sysusers.conf %{buildroot}%{_sysusersdir}/cortex.conf
|
||||||
install -dm750 %{buildroot}%{_sysconfdir}/cortex
|
install -dm755 %{buildroot}%{_sysconfdir}/cortex
|
||||||
install -Dm640 cortex.example.toml %{buildroot}%{_sysconfdir}/cortex/cortex.toml
|
install -Dm644 cortex.example.toml %{buildroot}%{_sysconfdir}/cortex/cortex.toml
|
||||||
install -Dm640 models.example.toml %{buildroot}%{_sysconfdir}/cortex/models.toml
|
install -Dm644 models.example.toml %{buildroot}%{_sysconfdir}/cortex/models.toml
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
%sysusers_create_compat %{_builddir}/%{name}-%{version}/data/cortex-sysusers.conf
|
%sysusers_create_compat %{_builddir}/%{name}-%{version}/data/cortex-sysusers.conf
|
||||||
@@ -75,9 +69,9 @@ install -Dm640 models.example.toml %{buildroot}%{_sysconfdir}/cortex/models.toml
|
|||||||
%{_bindir}/cortex
|
%{_bindir}/cortex
|
||||||
%{_unitdir}/cortex.service
|
%{_unitdir}/cortex.service
|
||||||
%{_sysusersdir}/cortex.conf
|
%{_sysusersdir}/cortex.conf
|
||||||
%dir %attr(750,root,cortex) %{_sysconfdir}/cortex
|
%dir %{_sysconfdir}/cortex
|
||||||
%config(noreplace) %attr(640,root,cortex) %{_sysconfdir}/cortex/cortex.toml
|
%config(noreplace) %{_sysconfdir}/cortex/cortex.toml
|
||||||
%config(noreplace) %attr(640,root,cortex) %{_sysconfdir}/cortex/models.toml
|
%config(noreplace) %{_sysconfdir}/cortex/models.toml
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
|
* Tue Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
|
||||||
|
|||||||
14
neuron.spec
14
neuron.spec
@@ -22,12 +22,6 @@ BuildRequires: systemd-rpm-macros
|
|||||||
Requires(pre): shadow-utils
|
Requires(pre): shadow-utils
|
||||||
Requires: systemd
|
Requires: systemd
|
||||||
|
|
||||||
# rpm's sysusers provides-generator only emits versioned user(neuron) when
|
|
||||||
# the u-line has GECOS/home/shell fields. %attr(,,neuron) in %files emits
|
|
||||||
# an unversioned Requires: user(neuron), so we provide it explicitly.
|
|
||||||
Provides: user(neuron)
|
|
||||||
Provides: group(neuron)
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Neuron is a per-node daemon for cortex inference clusters. It discovers
|
Neuron is a per-node daemon for cortex inference clusters. It discovers
|
||||||
local GPU hardware via nvidia-smi, manages inference harnesses (mistral.rs,
|
local GPU hardware via nvidia-smi, manages inference harnesses (mistral.rs,
|
||||||
@@ -52,8 +46,8 @@ cargo build --release -p neuron
|
|||||||
install -Dm755 target/release/neuron %{buildroot}%{_bindir}/neuron
|
install -Dm755 target/release/neuron %{buildroot}%{_bindir}/neuron
|
||||||
install -Dm644 data/neuron.service %{buildroot}%{_unitdir}/neuron.service
|
install -Dm644 data/neuron.service %{buildroot}%{_unitdir}/neuron.service
|
||||||
install -Dm644 data/neuron-sysusers.conf %{buildroot}%{_sysusersdir}/neuron.conf
|
install -Dm644 data/neuron-sysusers.conf %{buildroot}%{_sysusersdir}/neuron.conf
|
||||||
install -dm750 %{buildroot}%{_sysconfdir}/neuron
|
install -dm755 %{buildroot}%{_sysconfdir}/neuron
|
||||||
install -Dm640 neuron.example.toml %{buildroot}%{_sysconfdir}/neuron/neuron.toml
|
install -Dm644 neuron.example.toml %{buildroot}%{_sysconfdir}/neuron/neuron.toml
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
%sysusers_create_compat %{_builddir}/%{name}-%{version}/data/neuron-sysusers.conf
|
%sysusers_create_compat %{_builddir}/%{name}-%{version}/data/neuron-sysusers.conf
|
||||||
@@ -73,8 +67,8 @@ install -Dm640 neuron.example.toml %{buildroot}%{_sysconfdir}/neuron/neuron.toml
|
|||||||
%{_bindir}/neuron
|
%{_bindir}/neuron
|
||||||
%{_unitdir}/neuron.service
|
%{_unitdir}/neuron.service
|
||||||
%{_sysusersdir}/neuron.conf
|
%{_sysusersdir}/neuron.conf
|
||||||
%dir %attr(750,root,neuron) %{_sysconfdir}/neuron
|
%dir %{_sysconfdir}/neuron
|
||||||
%config(noreplace) %attr(640,root,neuron) %{_sysconfdir}/neuron/neuron.toml
|
%config(noreplace) %{_sysconfdir}/neuron/neuron.toml
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
|
* Tue Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
|
||||||
|
|||||||
Reference in New Issue
Block a user