fix(rpm): explicitly Provides user(name) to satisfy systemd unit Requires

Diagnosing the persistent "Nothing to do" on v0.1.10 surfaced that removing %attr(,,name) from %files wasn't enough. systemd-rpm-macros ships its own rpm dep generator (/usr/lib/rpm/systemd.req) that parses User=/Group= directives from every .service file the package ships and emits Requires: user(NAME)/group(NAME) accordingly. Rpmbuild log from v0.1.10 shows these Requires are still emitted even after the %attr removal. Meanwhile the sysusers provides-generator emits group(NAME) in both unversioned and versioned forms, but only a versioned user(NAME) = <base64> when the u-line has GECOS/home/shell fields. The asymmetry leaves Requires: user(NAME) unresolvable. Add explicit Provides: user(NAME) back to both specs, with a comment documenting the actual cause (systemd unit parsing, not file attrs) so the next person touching these specs doesn't repeat the mistake. Why monsoon didn't hit this: it creates its user in %pre via groupadd/useradd (not sysusers.d), so no Provides are generated at all — matching the Requires: user(monsoon) by luck of the rpm solver treating unknown symbols as soft-fails for that path. Ours went through the sysusers Provides code path and hit the asymmetry instead. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
ci: migrate rpm changelog generation to reusable action
2026-04-16 15:32:51 +03:00 · 2026-04-16 15:32:51 +03:00 · 2026-04-16 15:32:51 +03:00 · 2026-04-16 15:32:51 +03:00 · 2026-04-16 15:06:18 +03:00 · 2026-04-16 14:50:17 +03:00
7 changed files with 57 additions and 32 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -66,6 +66,8 @@ jobs:
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Determine version
        id: version
@@ -79,6 +81,12 @@ jobs:
          sed -i '/\[workspace\.package\]/,/\[/{ s/^version = ".*"/version = "'"${VERSION}"'"/ }' Cargo.toml
          sed -i "s/^Version:.*/Version:        ${VERSION}/" cortex.spec
      - name: Generate changelog entry
        uses: https://git.lair.cafe/actions/rpm-changelog@v1
        with:
          spec: cortex.spec
          version: ${{ steps.version.outputs.VERSION }}
      - name: Generate source tarball
        run: |
          set -ex
@@ -118,6 +126,8 @@ jobs:
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Determine version
        id: version
@@ -131,6 +141,12 @@ jobs:
          sed -i '/\[workspace\.package\]/,/\[/{ s/^version = ".*"/version = "'"${VERSION}"'"/ }' Cargo.toml
          sed -i "s/^Version:.*/Version:        ${VERSION}/" neuron.spec
      - name: Generate changelog entry
        uses: https://git.lair.cafe/actions/rpm-changelog@v1
        with:
          spec: neuron.spec
          version: ${{ steps.version.outputs.VERSION }}
      - name: Generate source tarball
        run: |
          set -ex
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -351,7 +351,7 @@ checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
 [[package]]
 name = "cortex-cli"
-version = "0.1.5"
+version = "0.1.10"
 dependencies = [
 "anyhow",
 "clap",
@@ -366,7 +366,7 @@ dependencies = [
 [[package]]
 name = "cortex-core"
-version = "0.1.5"
+version = "0.1.10"
 dependencies = [
 "anyhow",
 "async-trait",
@@ -381,7 +381,7 @@ dependencies = [
 [[package]]
 name = "cortex-gateway"
-version = "0.1.5"
+version = "0.1.10"
 dependencies = [
 "anyhow",
 "axum",
@@ -1184,7 +1184,7 @@ dependencies = [
 [[package]]
 name = "neuron"
-version = "0.1.5"
+version = "0.1.10"
 dependencies = [
 "anyhow",
 "async-trait",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -8,7 +8,7 @@ members = [
 ]
 [workspace.package]
-version = "0.1.5"
+version = "0.1.10"
 edition = "2024"
 license = "GPL-3.0-or-later"
 repository = "https://git.lair.cafe/helexa/cortex"
--- a/cortex.spec
+++ b/cortex.spec
@@ -1,5 +1,5 @@
 Name:           cortex
-Version:        0.1.5
+Version:        0.1.10
 Release:        1%{?dist}
 Summary:        Inference gateway for multi-node GPU clusters
@@ -22,11 +22,14 @@ BuildRequires:  systemd-rpm-macros
 Requires(pre):  shadow-utils
 Requires:       systemd
-# rpm's sysusers provides-generator only emits versioned user(cortex) when
+# systemd-rpm-macros ships a unit dep generator that parses User=/Group=
-# the u-line has GECOS/home/shell fields. %attr(,,cortex) in %files emits
+# from our .service file and emits Requires: user(cortex)/group(cortex).
-# an unversioned Requires: user(cortex), so we provide it explicitly.
+# rpm's sysusers provides-generator emits the unversioned form for groups
 # but only a versioned user(cortex) = <base64> for users with GECOS/home/
 # shell. Provide the unversioned user(cortex) explicitly so dnf can resolve
 # the auto-generated Requires. Without this, dnf5 silently filters the
 # package and reports "Nothing to do".
 Provides:       user(cortex)
 Provides:       group(cortex)
 %description
 Cortex is a Rust reverse-proxy that sits in front of multiple inference
@@ -53,9 +56,9 @@ cargo build --release -p cortex-cli
 install -Dm755 target/release/cortex %{buildroot}%{_bindir}/cortex
 install -Dm644 data/cortex.service %{buildroot}%{_unitdir}/cortex.service
 install -Dm644 data/cortex-sysusers.conf %{buildroot}%{_sysusersdir}/cortex.conf
-install -dm750 %{buildroot}%{_sysconfdir}/cortex
+install -dm755 %{buildroot}%{_sysconfdir}/cortex
-install -Dm640 cortex.example.toml %{buildroot}%{_sysconfdir}/cortex/cortex.toml
+install -Dm644 cortex.example.toml %{buildroot}%{_sysconfdir}/cortex/cortex.toml
-install -Dm640 models.example.toml %{buildroot}%{_sysconfdir}/cortex/models.toml
+install -Dm644 models.example.toml %{buildroot}%{_sysconfdir}/cortex/models.toml
 %pre
 %sysusers_create_compat %{_builddir}/%{name}-%{version}/data/cortex-sysusers.conf
@@ -75,10 +78,10 @@ install -Dm640 models.example.toml %{buildroot}%{_sysconfdir}/cortex/models.toml
 %{_bindir}/cortex
 %{_unitdir}/cortex.service
 %{_sysusersdir}/cortex.conf
-%dir %attr(750,root,cortex) %{_sysconfdir}/cortex
+%dir %{_sysconfdir}/cortex
-%config(noreplace) %attr(640,root,cortex) %{_sysconfdir}/cortex/cortex.toml
+%config(noreplace) %{_sysconfdir}/cortex/cortex.toml
-%config(noreplace) %attr(640,root,cortex) %{_sysconfdir}/cortex/models.toml
+%config(noreplace) %{_sysconfdir}/cortex/models.toml
 %changelog
-* Tue Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
+* Wed Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
 - Initial package
--- a/data/neuron-sysusers.conf
+++ b/data/neuron-sysusers.conf
@@ -0,0 +1,3 @@
 g neuron - -
 u neuron - "Neuron GPU node daemon" /var/lib/neuron /sbin/nologin
 m neuron neuron
--- a/data/neuron.service
+++ b/data/neuron.service
@@ -8,8 +8,8 @@ Type=simple
 ExecStart=/usr/bin/neuron --config /etc/neuron/neuron.toml
 Restart=on-failure
 RestartSec=5
-User=cortex
+User=neuron
-Group=cortex
+Group=neuron
 [Install]
 WantedBy=multi-user.target
--- a/neuron.spec
+++ b/neuron.spec
@@ -1,5 +1,5 @@
 Name:           neuron
-Version:        0.1.5
+Version:        0.1.10
 Release:        1%{?dist}
 Summary:        Per-node GPU discovery and harness management daemon for cortex
@@ -22,11 +22,14 @@ BuildRequires:  systemd-rpm-macros
 Requires(pre):  shadow-utils
 Requires:       systemd
-# rpm's sysusers provides-generator only emits versioned user(cortex) when
+# systemd-rpm-macros ships a unit dep generator that parses User=/Group=
-# the u-line has GECOS/home/shell fields. %attr(,,cortex) in %files emits
+# from our .service file and emits Requires: user(neuron)/group(neuron).
-# an unversioned Requires: user(cortex), so we provide it explicitly.
+# rpm's sysusers provides-generator emits the unversioned form for groups
-Provides:       user(cortex)
+# but only a versioned user(neuron) = <base64> for users with GECOS/home/
-Provides:       group(cortex)
+# shell. Provide the unversioned user(neuron) explicitly so dnf can resolve
 # the auto-generated Requires. Without this, dnf5 silently filters the
 # package and reports "Nothing to do".
 Provides:       user(neuron)
 %description
 Neuron is a per-node daemon for cortex inference clusters. It discovers
@@ -51,12 +54,12 @@ cargo build --release -p neuron
 %install
 install -Dm755 target/release/neuron %{buildroot}%{_bindir}/neuron
 install -Dm644 data/neuron.service %{buildroot}%{_unitdir}/neuron.service
-install -Dm644 data/cortex-sysusers.conf %{buildroot}%{_sysusersdir}/neuron.conf
+install -Dm644 data/neuron-sysusers.conf %{buildroot}%{_sysusersdir}/neuron.conf
-install -dm750 %{buildroot}%{_sysconfdir}/neuron
+install -dm755 %{buildroot}%{_sysconfdir}/neuron
-install -Dm640 neuron.example.toml %{buildroot}%{_sysconfdir}/neuron/neuron.toml
+install -Dm644 neuron.example.toml %{buildroot}%{_sysconfdir}/neuron/neuron.toml
 %pre
-%sysusers_create_compat %{_builddir}/%{name}-%{version}/data/cortex-sysusers.conf
+%sysusers_create_compat %{_builddir}/%{name}-%{version}/data/neuron-sysusers.conf
 %post
 %systemd_post neuron.service
@@ -73,9 +76,9 @@ install -Dm640 neuron.example.toml %{buildroot}%{_sysconfdir}/neuron/neuron.toml
 %{_bindir}/neuron
 %{_unitdir}/neuron.service
 %{_sysusersdir}/neuron.conf
-%dir %attr(750,root,cortex) %{_sysconfdir}/neuron
+%dir %{_sysconfdir}/neuron
-%config(noreplace) %attr(640,root,cortex) %{_sysconfdir}/neuron/neuron.toml
+%config(noreplace) %{_sysconfdir}/neuron/neuron.toml
 %changelog
-* Tue Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
+* Wed Apr 15 2026 Rob Thijssen <grenade@rob.tn> - 0.1.0-1
 - Initial package
Author	SHA1	Message	Date
rob thijssen	556e5293dc	fix(rpm): explicitly Provides user(name) to satisfy systemd unit Requires All checks were successful CI / Format, lint, build, test (push) Successful in 2m59s Details CI / Build cortex SRPM (push) Successful in 44s Details CI / Build neuron SRPM (push) Successful in 49s Details CI / Publish neuron to COPR (push) Successful in 8m17s Details CI / Publish cortex to COPR (push) Successful in 9m56s Details CI / Bump version in source (push) Successful in 30s Details Diagnosing the persistent "Nothing to do" on v0.1.10 surfaced that removing %attr(,,name) from %files wasn't enough. systemd-rpm-macros ships its own rpm dep generator (/usr/lib/rpm/systemd.req) that parses User=/Group= directives from every .service file the package ships and emits Requires: user(NAME)/group(NAME) accordingly. Rpmbuild log from v0.1.10 shows these Requires are still emitted even after the %attr removal. Meanwhile the sysusers provides-generator emits group(NAME) in both unversioned and versioned forms, but only a versioned user(NAME) = <base64> when the u-line has GECOS/home/shell fields. The asymmetry leaves Requires: user(NAME) unresolvable. Add explicit Provides: user(NAME) back to both specs, with a comment documenting the actual cause (systemd unit parsing, not file attrs) so the next person touching these specs doesn't repeat the mistake. Why monsoon didn't hit this: it creates its user in %pre via groupadd/useradd (not sysusers.d), so no Provides are generated at all — matching the Requires: user(monsoon) by luck of the rpm solver treating unknown symbols as soft-fails for that path. Ours went through the sysusers Provides code path and hit the asymmetry instead. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 15:32:51 +03:00
rob thijssen	1d90238b01	ci: migrate rpm changelog generation to reusable action Replace the local .gitea/scripts/generate-rpm-changelog.sh with the shared composite action at https://git.lair.cafe/actions/rpm-changelog@v1. Behaviour is identical — collect commits since the previous v* tag, filter bump-version and merge noise, prepend a dated entry to the spec — but the logic now lives in one place that other projects can consume. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 15:32:51 +03:00
rob thijssen	d99b25fb8a	ci: auto-generate rpm changelog entry per release On every tag push, build a %changelog entry from the git log since the previous v* tag and prepend it to each spec. Stops the initial entry from drifting further and catches bogus-date / stale-version warnings automatically since the generated date always matches the day the CI runs. The generator drops "chore: bump version" commits (bot-authored, noisy in user-facing changelogs) and merge commits. Author defaults to the gitea-actions identity but can be overridden via CHANGELOG_AUTHOR env var if a human release is desired. Requires fetch-depth: 0 on checkout so git describe can see prior tags and git log can reach them. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 15:32:51 +03:00
rob thijssen	034da319f1	fix(rpm): correct weekday in changelog entry April 15 2026 was a Wednesday, not Tuesday. rpmbuild validates the day-of-week against the date and warns on mismatch. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 15:32:51 +03:00
Gitea Actions	7ece281617	chore: bump version to 0.1.10	2026-04-16 15:06:18 +03:00
rob thijssen	3bb5b3c425	fix(rpm): drop %attr(,,user) on config files to avoid dnf silent filter All checks were successful CI / Format, lint, build, test (push) Successful in 1m11s Details CI / Publish cortex to COPR (push) Successful in 11m3s Details CI / Build cortex SRPM (push) Successful in 43s Details CI / Build neuron SRPM (push) Successful in 43s Details CI / Publish neuron to COPR (push) Successful in 8m56s Details CI / Bump version in source (push) Successful in 30s Details Using %attr(,,cortex) / %attr(,,neuron) on config files caused rpm's auto-dep-generator to emit Requires: user(name) and group(name) on each package. When those Requires couldn't be resolved — whether due to sysusers Provides mismatches, missing GPG keys, or dnf5 cache state — dnf5 silently filtered the package out of the candidate set and reported "Nothing to do" rather than an unsatisfied-dep error. Adopt the pattern that already works reliably across our infra (grenade/monsoon): ship config files as default root:root with 0644 perms, don't declare user/group ownership in the rpm file list. systemd-sysusers still creates the service user via the shipped sysusers.d file; the service drops to that user at runtime via the User= directive in the unit. This removes the user(cortex)/user(neuron) Requires entirely, which is the root cause of the dnf5 filtering. File permission tightening can be reintroduced later — either via a separate secrets file with different mode bits, or by moving secret material to /var/lib/<svc>/ where the service drop-privileges account already has write access. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 14:50:17 +03:00
Gitea Actions	9fa51ad874	chore: bump version to 0.1.8	2026-04-16 10:56:07 +00:00
rob thijssen	9697fbae73	fix(neuron): run service as neuron user, not cortex All checks were successful CI / Format, lint, build, test (push) Successful in 2m22s Details CI / Build cortex SRPM (push) Successful in 43s Details CI / Build neuron SRPM (push) Successful in 43s Details CI / Publish neuron to COPR (push) Successful in 8m49s Details CI / Publish cortex to COPR (push) Successful in 11m22s Details CI / Bump version in source (push) Successful in 31s Details neuron and cortex are independent packages installable on different hosts. Having neuron run under a 'cortex' system user implied a shared identity that doesn't exist. Give neuron its own user/group. - New data/neuron-sysusers.conf declares the neuron user/group with home /var/lib/neuron. - systemd unit User/Group changed to neuron. - Spec file attrs, explicit Provides, and %sysusers_create_compat updated to reference the neuron user. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 13:32:36 +03:00
Gitea Actions	2ce1060cb8	chore: bump version to 0.1.7	2026-04-16 13:25:34 +03:00