fix(rpm): drop %attr(,,user) on config files to avoid dnf silent filter

Using %attr(,,cortex) / %attr(,,neuron) on config files caused rpm's auto-dep-generator to emit Requires: user(name) and group(name) on each package. When those Requires couldn't be resolved — whether due to sysusers Provides mismatches, missing GPG keys, or dnf5 cache state — dnf5 silently filtered the package out of the candidate set and reported "Nothing to do" rather than an unsatisfied-dep error. Adopt the pattern that already works reliably across our infra (grenade/monsoon): ship config files as default root:root with 0644 perms, don't declare user/group ownership in the rpm file list. systemd-sysusers still creates the service user via the shipped sysusers.d file; the service drops to that user at runtime via the User= directive in the unit. This removes the user(cortex)/user(neuron) Requires entirely, which is the root cause of the dnf5 filtering. File permission tightening can be reintroduced later — either via a separate secrets file with different mode bits, or by moving secret material to /var/lib/<svc>/ where the service drop-privileges account already has write access. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fix(neuron): run service as neuron user, not cortex
2026-04-16 14:33:08 +03:00 · 2026-04-16 13:32:36 +03:00 · 2026-04-16 13:25:34 +03:00 · 2026-04-16 13:07:06 +03:00 · 2026-04-16 13:01:42 +03:00 · 2026-04-16 12:34:39 +03:00
9 changed files with 47 additions and 39 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -173,13 +173,12 @@ jobs:
        with:
          name: srpm-cortex
-      - name: Configure copr-cli
+      - name: Publish to COPR
-        run: |
+        uses: https://git.lair.cafe/actions/copr-publish@v1
-          mkdir -p ~/.config
+        with:
-          echo "${{ secrets.COPR_CONFIG }}" > ~/.config/copr
+          project: helexa/cortex
-
+          srpm: "*.src.rpm"
-      - name: Submit build to COPR
+          copr-config: ${{ secrets.COPR_CONFIG }}
        run: copr-cli build helexa/cortex *.src.rpm
  copr-neuron:
    name: Publish neuron to COPR
@@ -191,13 +190,12 @@ jobs:
        with:
          name: srpm-neuron
-      - name: Configure copr-cli
+      - name: Publish to COPR
-        run: |
+        uses: https://git.lair.cafe/actions/copr-publish@v1
-          mkdir -p ~/.config
+        with:
-          echo "${{ secrets.COPR_CONFIG }}" > ~/.config/copr
+          project: helexa/neuron
-
+          srpm: "*.src.rpm"
-      - name: Submit build to COPR
+          copr-config: ${{ secrets.COPR_CONFIG }}
        run: copr-cli build helexa/neuron *.src.rpm
  bump-version:
    name: Bump version in source
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -351,7 +351,7 @@ checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
 [[package]]
 name = "cortex-cli"
-version = "0.1.0"
+version = "0.1.7"
 dependencies = [
 "anyhow",
 "clap",
@@ -366,7 +366,7 @@ dependencies = [
 [[package]]
 name = "cortex-core"
-version = "0.1.0"
+version = "0.1.7"
 dependencies = [
 "anyhow",
 "async-trait",
@@ -381,7 +381,7 @@ dependencies = [
 [[package]]
 name = "cortex-gateway"
-version = "0.1.0"
+version = "0.1.7"
 dependencies = [
 "anyhow",
 "axum",
@@ -1184,7 +1184,7 @@ dependencies = [
 [[package]]
 name = "neuron"
-version = "0.1.0"
+version = "0.1.7"
 dependencies = [
 "anyhow",
 "async-trait",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -8,7 +8,7 @@ members = [
 ]
 [workspace.package]
-version = "0.1.0"
+version = "0.1.7"
 edition = "2024"
 license = "GPL-3.0-or-later"
 repository = "https://git.lair.cafe/helexa/cortex"
--- a/cortex.spec
+++ b/cortex.spec
@@ -1,5 +1,5 @@
 Name:           cortex
-Version:        0.1.0
+Version:        0.1.7
 Release:        1%{?dist}
 Summary:        Inference gateway for multi-node GPU clusters
@@ -20,6 +20,7 @@ BuildRequires:  pkgconfig(openssl)
 BuildRequires:  systemd-rpm-macros
 Requires(pre):  shadow-utils
 Requires:       systemd
 %description
 Cortex is a Rust reverse-proxy that sits in front of multiple inference
@@ -45,13 +46,13 @@ cargo build --release -p cortex-cli
 %install
 install -Dm755 target/release/cortex %{buildroot}%{_bindir}/cortex
 install -Dm644 data/cortex.service %{buildroot}%{_unitdir}/cortex.service
-install -dm750 %{buildroot}%{_sysconfdir}/cortex
+install -Dm644 data/cortex-sysusers.conf %{buildroot}%{_sysusersdir}/cortex.conf
-install -Dm640 cortex.example.toml %{buildroot}%{_sysconfdir}/cortex/cortex.toml
+install -dm755 %{buildroot}%{_sysconfdir}/cortex
-install -Dm640 models.example.toml %{buildroot}%{_sysconfdir}/cortex/models.toml
+install -Dm644 cortex.example.toml %{buildroot}%{_sysconfdir}/cortex/cortex.toml
 install -Dm644 models.example.toml %{buildroot}%{_sysconfdir}/cortex/models.toml
 %pre
-getent group cortex >/dev/null || groupadd -r cortex
+%sysusers_create_compat %{_builddir}/%{name}-%{version}/data/cortex-sysusers.conf
 getent passwd cortex >/dev/null || useradd -r -g cortex -d /var/lib/cortex -s /sbin/nologin cortex
 %post
 %systemd_post cortex.service
@@ -67,9 +68,10 @@ getent passwd cortex >/dev/null || useradd -r -g cortex -d /var/lib/cortex -s /s
 %doc README.md
 %{_bindir}/cortex
 %{_unitdir}/cortex.service
-%dir %attr(750,root,cortex) %{_sysconfdir}/cortex
+%{_sysusersdir}/cortex.conf
-%config(noreplace) %attr(640,root,cortex) %{_sysconfdir}/cortex/cortex.toml
+%dir %{_sysconfdir}/cortex
-%config(noreplace) %attr(640,root,cortex) %{_sysconfdir}/cortex/models.toml
+%config(noreplace) %{_sysconfdir}/cortex/cortex.toml
 %config(noreplace) %{_sysconfdir}/cortex/models.toml
 %changelog
 * Tue Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
--- a/data/cortex-sysusers.conf
+++ b/data/cortex-sysusers.conf
@@ -0,0 +1,3 @@
 g cortex - -
 u cortex - "Cortex inference cluster" /var/lib/cortex /sbin/nologin
 m cortex cortex
--- a/data/neuron-sysusers.conf
+++ b/data/neuron-sysusers.conf
@@ -0,0 +1,3 @@
 g neuron - -
 u neuron - "Neuron GPU node daemon" /var/lib/neuron /sbin/nologin
 m neuron neuron
--- a/data/neuron.service
+++ b/data/neuron.service
@@ -5,11 +5,11 @@ Wants=network-online.target
 [Service]
 Type=simple
-ExecStart=/usr/bin/neuron --config /etc/cortex/neuron.toml
+ExecStart=/usr/bin/neuron --config /etc/neuron/neuron.toml
 Restart=on-failure
 RestartSec=5
-User=cortex
+User=neuron
-Group=cortex
+Group=neuron
 [Install]
 WantedBy=multi-user.target
--- a/neuron.example.toml
+++ b/neuron.example.toml
@@ -1,6 +1,6 @@
 # neuron.example.toml — example configuration
 #
-# Copy to /etc/cortex/neuron.toml and adjust for your environment.
+# Copy to /etc/neuron/neuron.toml and adjust for your environment.
 #
 # Environment variable overrides use NEURON_ prefix with __ separators:
 #   NEURON_PORT=9090
--- a/neuron.spec
+++ b/neuron.spec
@@ -1,5 +1,5 @@
 Name:           neuron
-Version:        0.1.0
+Version:        0.1.7
 Release:        1%{?dist}
 Summary:        Per-node GPU discovery and harness management daemon for cortex
@@ -20,6 +20,7 @@ BuildRequires:  pkgconfig(openssl)
 BuildRequires:  systemd-rpm-macros
 Requires(pre):  shadow-utils
 Requires:       systemd
 %description
 Neuron is a per-node daemon for cortex inference clusters. It discovers
@@ -44,12 +45,12 @@ cargo build --release -p neuron
 %install
 install -Dm755 target/release/neuron %{buildroot}%{_bindir}/neuron
 install -Dm644 data/neuron.service %{buildroot}%{_unitdir}/neuron.service
-install -dm750 %{buildroot}%{_sysconfdir}/cortex
+install -Dm644 data/neuron-sysusers.conf %{buildroot}%{_sysusersdir}/neuron.conf
-install -Dm640 neuron.example.toml %{buildroot}%{_sysconfdir}/cortex/neuron.toml
+install -dm755 %{buildroot}%{_sysconfdir}/neuron
 install -Dm644 neuron.example.toml %{buildroot}%{_sysconfdir}/neuron/neuron.toml
 %pre
-getent group cortex >/dev/null || groupadd -r cortex
+%sysusers_create_compat %{_builddir}/%{name}-%{version}/data/neuron-sysusers.conf
 getent passwd cortex >/dev/null || useradd -r -g cortex -d /var/lib/cortex -s /sbin/nologin cortex
 %post
 %systemd_post neuron.service
@@ -65,8 +66,9 @@ getent passwd cortex >/dev/null || useradd -r -g cortex -d /var/lib/cortex -s /s
 %doc README.md
 %{_bindir}/neuron
 %{_unitdir}/neuron.service
-%dir %attr(750,root,cortex) %{_sysconfdir}/cortex
+%{_sysusersdir}/neuron.conf
-%config(noreplace) %attr(640,root,cortex) %{_sysconfdir}/cortex/neuron.toml
+%dir %{_sysconfdir}/neuron
 %config(noreplace) %{_sysconfdir}/neuron/neuron.toml
 %changelog
 * Tue Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
Author	SHA1	Message	Date
rob thijssen	123f692203	fix(rpm): drop %attr(,,user) on config files to avoid dnf silent filter Some checks failed CI / Build cortex SRPM (push) Has been cancelled Details CI / Build neuron SRPM (push) Has been cancelled Details CI / Publish cortex to COPR (push) Has been cancelled Details CI / Publish neuron to COPR (push) Has been cancelled Details CI / Bump version in source (push) Has been cancelled Details CI / Format, lint, build, test (push) Has been cancelled Details Using %attr(,,cortex) / %attr(,,neuron) on config files caused rpm's auto-dep-generator to emit Requires: user(name) and group(name) on each package. When those Requires couldn't be resolved — whether due to sysusers Provides mismatches, missing GPG keys, or dnf5 cache state — dnf5 silently filtered the package out of the candidate set and reported "Nothing to do" rather than an unsatisfied-dep error. Adopt the pattern that already works reliably across our infra (grenade/monsoon): ship config files as default root:root with 0644 perms, don't declare user/group ownership in the rpm file list. systemd-sysusers still creates the service user via the shipped sysusers.d file; the service drops to that user at runtime via the User= directive in the unit. This removes the user(cortex)/user(neuron) Requires entirely, which is the root cause of the dnf5 filtering. File permission tightening can be reintroduced later — either via a separate secrets file with different mode bits, or by moving secret material to /var/lib/<svc>/ where the service drop-privileges account already has write access. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 14:33:08 +03:00
rob thijssen	9697fbae73	fix(neuron): run service as neuron user, not cortex All checks were successful CI / Format, lint, build, test (push) Successful in 2m22s Details CI / Build cortex SRPM (push) Successful in 43s Details CI / Build neuron SRPM (push) Successful in 43s Details CI / Publish neuron to COPR (push) Successful in 8m49s Details CI / Publish cortex to COPR (push) Successful in 11m22s Details CI / Bump version in source (push) Successful in 31s Details neuron and cortex are independent packages installable on different hosts. Having neuron run under a 'cortex' system user implied a shared identity that doesn't exist. Give neuron its own user/group. - New data/neuron-sysusers.conf declares the neuron user/group with home /var/lib/neuron. - systemd unit User/Group changed to neuron. - Spec file attrs, explicit Provides, and %sysusers_create_compat updated to reference the neuron user. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 13:32:36 +03:00
Gitea Actions	2ce1060cb8	chore: bump version to 0.1.7	2026-04-16 13:25:34 +03:00
rob thijssen	142e91c3f7	fix(neuron): install config at /etc/neuron/, not /etc/cortex/ All checks were successful CI / Format, lint, build, test (push) Successful in 4m45s Details CI / Build neuron SRPM (push) Successful in 44s Details CI / Build cortex SRPM (push) Successful in 45s Details CI / Publish neuron to COPR (push) Successful in 8m52s Details CI / Publish cortex to COPR (push) Successful in 11m17s Details CI / Bump version in source (push) Successful in 30s Details The neuron package was shipping its config at /etc/cortex/neuron.toml, which implied a shared config directory between two independent packages. Move to /etc/neuron/neuron.toml — neuron owns its own etc dir, consistent with its own /usr/lib/sysusers.d/neuron.conf and /usr/lib/systemd/system/neuron.service. Updated the systemd unit's ExecStart path and the example toml header to match. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 13:07:06 +03:00
Gitea Actions	52c8b4c983	chore: bump version to 0.1.5	2026-04-16 13:01:42 +03:00
rob thijssen	4a9a4fc775	ci: migrate copr publish to reusable action All checks were successful CI / Format, lint, build, test (push) Successful in 1m26s Details CI / Build neuron SRPM (push) Successful in 45s Details CI / Build cortex SRPM (push) Successful in 44s Details CI / Publish neuron to COPR (push) Successful in 8m22s Details CI / Publish cortex to COPR (push) Successful in 11m0s Details CI / Bump version in source (push) Successful in 30s Details Replace the in-repo .gitea/scripts/copr-build.sh and per-job copr-cli configuration with the shared composite action at https://git.lair.cafe/actions/copr-publish@v1. Behaviour is identical — submit, watch, dump per-chroot logs — but the logic now lives in a single place that other projects can consume. Removes the actions/checkout step from both COPR jobs since the build script is no longer local to this repo. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 12:34:39 +03:00
rob thijssen	53a3c1e157	fix(rpm): explicitly Provides user(cortex)/group(cortex) All checks were successful CI / Format, lint, build, test (push) Successful in 57s Details CI / Build cortex SRPM (push) Has been skipped Details CI / Publish cortex to COPR (push) Has been skipped Details CI / Build neuron SRPM (push) Has been skipped Details CI / Publish neuron to COPR (push) Has been skipped Details CI / Bump version in source (push) Has been skipped Details dnf5 was silently rejecting neuron-0.1.3 with "Nothing to do" because it had an unresolvable Requires. Inspection showed: Requires: user(cortex) ← unversioned Provides: user(cortex) = <base64> ← versioned only, no unversioned rpm's sysusers provides-generator only emits the unversioned user() provide when the u-line is minimal. Our sysusers.conf specifies GECOS, home dir, and shell, which pushes the generator to versioned-only. The matching Requires (auto-generated from %attr(,,cortex) on config files) is unversioned, so resolution failed silently. Explicitly declare Provides: user(cortex) and Provides: group(cortex) to guarantee the unversioned forms exist. group(cortex) was already emitted unversioned but adding it for symmetry and to protect against future generator changes. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 12:06:05 +03:00
rob thijssen	5c7d63c658	ci: dump COPR per-chroot build logs to CI output Previously the COPR publish steps only surfaced copr-cli's status updates (pending/importing/running). When a build failed, diagnosing required clicking through to the COPR web UI. Now we submit with --nowait, watch the build, then use copr-cli download-build to fetch each chroot's builder-live.log and cat them as collapsible ::group:: blocks in the CI output. Logic is factored into .gitea/scripts/copr-build.sh so cortex and neuron jobs share it. Both COPR jobs now check out the repo to access the script. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 12:06:05 +03:00
Gitea Actions	f161412f91	chore: bump version to 0.1.3	2026-04-16 11:41:11 +03:00
rob thijssen	ba5020138f	fix(rpm): rename sysusers files to match package names All checks were successful CI / Format, lint, build, test (push) Successful in 3m35s Details CI / Build cortex SRPM (push) Successful in 1m46s Details CI / Build neuron SRPM (push) Successful in 1m41s Details CI / Publish cortex to COPR (push) Successful in 7m14s Details CI / Publish neuron to COPR (push) Successful in 5m44s Details CI / Bump version in source (push) Successful in 30s Details cortex-gateway.conf/cortex-neuron.conf implied a hierarchy or coupling that doesn't exist — cortex and neuron are independent packages. Each package's sysusers.d file now matches the package name: cortex ships cortex.conf, neuron ships neuron.conf. Content is still identical (both create the cortex system user/group), and filenames remain distinct so the packages can coinstall. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 11:20:08 +03:00
rob thijssen	209150771e	fix(rpm): use sysusers.d for cortex user/group creation Both packages set %attr(...,cortex) on their config files, which caused RPM's auto-dep-generator to emit Requires: group(cortex) / user(cortex). The %pre scriptlets that actually created the group ran too late — dnf rejected neuron installation on hosts without cortex because nothing Provided group(cortex). Switch to systemd-sysusers declarative user creation: each package ships its own named sysusers.d file (cortex-gateway.conf and cortex-neuron.conf — different names so both packages can coinstall) with identical content defining the cortex user/group. RPM's user/group dep generator now emits Provides: user(cortex) and Provides: group(cortex) automatically from the sysusers.d files, satisfying the auto-generated Requires. Either package installs standalone; both can coinstall on the gateway host if desired. Also added Requires: systemd since %sysusers_create_compat depends on systemd-sysusers being present on the target. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 11:18:37 +03:00
Gitea Actions	7c60af3464	chore: bump version to 0.1.2	2026-04-16 11:03:29 +03:00