fix(rpm): drop %attr(,,user) on config files to avoid dnf silent filter

Using %attr(,,cortex) / %attr(,,neuron) on config files caused rpm's auto-dep-generator to emit Requires: user(name) and group(name) on each package. When those Requires couldn't be resolved — whether due to sysusers Provides mismatches, missing GPG keys, or dnf5 cache state — dnf5 silently filtered the package out of the candidate set and reported "Nothing to do" rather than an unsatisfied-dep error. Adopt the pattern that already works reliably across our infra (grenade/monsoon): ship config files as default root:root with 0644 perms, don't declare user/group ownership in the rpm file list. systemd-sysusers still creates the service user via the shipped sysusers.d file; the service drops to that user at runtime via the User= directive in the unit. This removes the user(cortex)/user(neuron) Requires entirely, which is the root cause of the dnf5 filtering. File permission tightening can be reintroduced later — either via a separate secrets file with different mode bits, or by moving secret material to /var/lib/<svc>/ where the service drop-privileges account already has write access. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 14:33:08 +03:00
6 changed files with 31 additions and 98 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -66,8 +66,6 @@ jobs:
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Determine version
        id: version
@@ -81,12 +79,6 @@ jobs:
          sed -i '/\[workspace\.package\]/,/\[/{ s/^version = ".*"/version = "'"${VERSION}"'"/ }' Cargo.toml
          sed -i "s/^Version:.*/Version:        ${VERSION}/" cortex.spec
      - name: Generate changelog entry
        uses: https://git.lair.cafe/actions/rpm-changelog@v1
        with:
          spec: cortex.spec
          version: ${{ steps.version.outputs.VERSION }}
      - name: Generate source tarball
        run: |
          set -ex
@@ -126,8 +118,6 @@ jobs:
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Determine version
        id: version
@@ -139,37 +129,31 @@ jobs:
        run: |
          VERSION="${{ steps.version.outputs.VERSION }}"
          sed -i '/\[workspace\.package\]/,/\[/{ s/^version = ".*"/version = "'"${VERSION}"'"/ }' Cargo.toml
-          sed -i "s/^Version:.*/Version:        ${VERSION}/" helexa-neuron.spec
+          sed -i "s/^Version:.*/Version:        ${VERSION}/" neuron.spec
      - name: Generate changelog entry
        uses: https://git.lair.cafe/actions/rpm-changelog@v1
        with:
          spec: helexa-neuron.spec
          version: ${{ steps.version.outputs.VERSION }}
      - name: Generate source tarball
        run: |
          set -ex
          VERSION="${{ steps.version.outputs.VERSION }}"
-          tar czf /tmp/helexa-neuron-${VERSION}.tar.gz \
+          tar czf /tmp/neuron-${VERSION}.tar.gz \
-            --transform "s,^\.,helexa-neuron-${VERSION}," \
+            --transform "s,^\.,neuron-${VERSION}," \
            --exclude='./target' \
            --exclude='./.git' \
            --exclude='*.tar.gz' \
            --exclude='*.src.rpm' \
            .
-          mv /tmp/helexa-neuron-${VERSION}.tar.gz .
+          mv /tmp/neuron-${VERSION}.tar.gz .
      - name: Vendor Rust dependencies
        run: |
          VERSION="${{ steps.version.outputs.VERSION }}"
          cargo vendor vendor/
-          tar czf helexa-neuron-${VERSION}-vendor.tar.gz vendor/
+          tar czf neuron-${VERSION}-vendor.tar.gz vendor/
          rm -rf vendor/
      - name: Build SRPM
        run: |
-          rpmbuild -bs helexa-neuron.spec \
+          rpmbuild -bs neuron.spec \
            --define "_sourcedir $(pwd)" \
            --define "_srcrpmdir $(pwd)"
@@ -192,7 +176,7 @@ jobs:
      - name: Publish to COPR
        uses: https://git.lair.cafe/actions/copr-publish@v1
        with:
-          project: helexa/helexa
+          project: helexa/cortex
          srpm: "*.src.rpm"
          copr-config: ${{ secrets.COPR_CONFIG }}
@@ -209,7 +193,7 @@ jobs:
      - name: Publish to COPR
        uses: https://git.lair.cafe/actions/copr-publish@v1
        with:
-          project: helexa/helexa
+          project: helexa/neuron
          srpm: "*.src.rpm"
          copr-config: ${{ secrets.COPR_CONFIG }}
@@ -219,43 +203,21 @@ jobs:
    needs: [copr-cortex, copr-neuron]
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
-      - name: Determine version
+      - name: Stamp version and push
        id: version
        run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
      - name: Stamp version
        run: |
          VERSION="${{ steps.version.outputs.VERSION }}"
          sed -i '/\[workspace\.package\]/,/\[/{ s/^version = ".*"/version = "'"${VERSION}"'"/ }' Cargo.toml
          sed -i "s/^Version:.*/Version:        ${VERSION}/" cortex.spec
          sed -i "s/^Version:.*/Version:        ${VERSION}/" helexa-neuron.spec
          cargo check --workspace 2>/dev/null || true
      - name: Generate cortex changelog entry
        uses: https://git.lair.cafe/actions/rpm-changelog@v1
        with:
          spec: cortex.spec
          version: ${{ steps.version.outputs.VERSION }}
      - name: Generate helexa-neuron changelog entry
        uses: https://git.lair.cafe/actions/rpm-changelog@v1
        with:
          spec: helexa-neuron.spec
          version: ${{ steps.version.outputs.VERSION }}
      - name: Commit and push
        env:
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
        run: |
-          VERSION="${{ steps.version.outputs.VERSION }}"
+          VERSION="${GITHUB_REF#refs/tags/v}"
          sed -i '/\[workspace\.package\]/,/\[/{ s/^version = ".*"/version = "'"${VERSION}"'"/ }' Cargo.toml
          sed -i "s/^Version:.*/Version:        ${VERSION}/" cortex.spec
          sed -i "s/^Version:.*/Version:        ${VERSION}/" neuron.spec
          cargo check --workspace 2>/dev/null || true
          git config user.name "Gitea Actions"
          git config user.email "actions@git.lair.cafe"
-          git add Cargo.toml Cargo.lock cortex.spec helexa-neuron.spec
+          git add Cargo.toml Cargo.lock cortex.spec neuron.spec
          if git diff --cached --quiet; then
-            echo "Nothing to commit for ${VERSION}"
+            echo "Version already at ${VERSION}"
          else
            git commit -m "chore: bump version to ${VERSION}"
            git remote set-url origin "https://gitea-actions:${GITEA_TOKEN}@git.lair.cafe/helexa/cortex.git"
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -595,24 +595,16 @@ placement matching can be added incrementally.
 Completed. Both packages have RPM specs, systemd units, and example configs.
 CI builds parallel SRPMs on tag push and publishes to separate COPR repos.
- `cortex.spec` — installs the `cortex` binary. Package name keeps the
+- `cortex.spec` → `helexa/cortex` COPR: binary, systemd unit, config files
-  short `cortex` because no Fedora package collides with it.
+- `neuron.spec` → `helexa/neuron` COPR: binary, systemd unit, config
 - `helexa-neuron.spec` — installs the `neuron` binary under package name
  `helexa-neuron`. Renamed from bare `neuron` to avoid collision with
  Fedora's NEURON neural-simulation package
  (https://src.fedoraproject.org/rpms/neuron); binary, systemd unit,
  system user, and config dir all stay named `neuron` since those are
  project-local contexts.
 - `data/cortex.service`, `data/neuron.service` — systemd units
 - `cortex.example.toml`, `neuron.example.toml`, `models.example.toml`
- CI: parallel `srpm-cortex` + `srpm-neuron` jobs, then parallel COPR
+- CI: parallel `srpm-cortex` + `srpm-neuron` jobs, then parallel COPR publish
  publish to a single project `helexa/helexa` hosting both packages.
 Install:
 ```sh
-dnf copr enable helexa/helexa
+dnf copr enable helexa/cortex && dnf install cortex    # gateway host
-dnf install cortex                # gateway host
+dnf copr enable helexa/neuron && dnf install neuron    # GPU nodes
 dnf install helexa-neuron         # GPU nodes
 ```
 ### Phase 11: llama.cpp harness stub
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -351,7 +351,7 @@ checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
 [[package]]
 name = "cortex-cli"
-version = "0.1.12"
+version = "0.1.7"
 dependencies = [
 "anyhow",
 "clap",
@@ -366,7 +366,7 @@ dependencies = [
 [[package]]
 name = "cortex-core"
-version = "0.1.12"
+version = "0.1.7"
 dependencies = [
 "anyhow",
 "async-trait",
@@ -381,7 +381,7 @@ dependencies = [
 [[package]]
 name = "cortex-gateway"
-version = "0.1.12"
+version = "0.1.7"
 dependencies = [
 "anyhow",
 "axum",
@@ -1184,7 +1184,7 @@ dependencies = [
 [[package]]
 name = "neuron"
-version = "0.1.12"
+version = "0.1.7"
 dependencies = [
 "anyhow",
 "async-trait",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -8,7 +8,7 @@ members = [
 ]
 [workspace.package]
-version = "0.1.12"
+version = "0.1.7"
 edition = "2024"
 license = "GPL-3.0-or-later"
 repository = "https://git.lair.cafe/helexa/cortex"
--- a/cortex.spec
+++ b/cortex.spec
@@ -1,5 +1,5 @@
 Name:           cortex
-Version:        0.1.12
+Version:        0.1.7
 Release:        1%{?dist}
 Summary:        Inference gateway for multi-node GPU clusters
@@ -22,15 +22,6 @@ BuildRequires:  systemd-rpm-macros
 Requires(pre):  shadow-utils
 Requires:       systemd
 # systemd-rpm-macros ships a unit dep generator that parses User=/Group=
 # from our .service file and emits Requires: user(cortex)/group(cortex).
 # rpm's sysusers provides-generator emits the unversioned form for groups
 # but only a versioned user(cortex) = <base64> for users with GECOS/home/
 # shell. Provide the unversioned user(cortex) explicitly so dnf can resolve
 # the auto-generated Requires. Without this, dnf5 silently filters the
 # package and reports "Nothing to do".
 Provides:       user(cortex)
 %description
 Cortex is a Rust reverse-proxy that sits in front of multiple inference
 nodes (via neuron daemons) and presents a unified OpenAI and Anthropic
@@ -83,5 +74,5 @@ install -Dm644 models.example.toml %{buildroot}%{_sysconfdir}/cortex/models.toml
 %config(noreplace) %{_sysconfdir}/cortex/models.toml
 %changelog
-* Wed Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
+* Tue Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
 - Initial package
--- a/helexa-neuron.spec
+++ b/helexa-neuron.spec
@@ -1,10 +1,7 @@
-Name:           helexa-neuron
+Name:           neuron
-Version:        0.1.12
+Version:        0.1.7
 Release:        1%{?dist}
 Summary:        Per-node GPU discovery and harness management daemon for cortex
 # Package name disambiguates from Fedora's existing "neuron" package
 # (NEURON neural simulation environment from Yale). Binary, systemd
 # unit, and system user are still called "neuron" for brevity.
 License:        GPL-3.0-or-later
 URL:            https://git.lair.cafe/helexa/cortex
@@ -25,15 +22,6 @@ BuildRequires:  systemd-rpm-macros
 Requires(pre):  shadow-utils
 Requires:       systemd
 # systemd-rpm-macros ships a unit dep generator that parses User=/Group=
 # from our .service file and emits Requires: user(neuron)/group(neuron).
 # rpm's sysusers provides-generator emits the unversioned form for groups
 # but only a versioned user(neuron) = <base64> for users with GECOS/home/
 # shell. Provide the unversioned user(neuron) explicitly so dnf can resolve
 # the auto-generated Requires. Without this, dnf5 silently filters the
 # package and reports "Nothing to do".
 Provides:       user(neuron)
 %description
 Neuron is a per-node daemon for cortex inference clusters. It discovers
 local GPU hardware via nvidia-smi, manages inference harnesses (mistral.rs,
@@ -83,5 +71,5 @@ install -Dm644 neuron.example.toml %{buildroot}%{_sysconfdir}/neuron/neuron.toml
 %config(noreplace) %{_sysconfdir}/neuron/neuron.toml
 %changelog
-* Wed Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
+* Tue Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
 - Initial package