Fixes#2601Fixes#393 - gid numbers can be part of the systemd nspawn range.
Previously we allocated gid numbers based on the fact that uid_t is a u32, so we allowed 65536 through u32::max. However, there are two major issues with this that I didn't realise. The first is that anything greater than i32::max (2147483648) can confuse the linux kernel.
The second is that systemd allocates 524288 through 1879048191 to itself for nspawn.
This leaves with with only a few usable ranges.
1000 through 60000
60578 through 61183
65520 through 65533
65536 through 524287
1879048192 through 2147483647
The last range being the largest is the natural and obvious area we should allocate from. This happens to nicely fall in the pattern of 0x7000_0000 through 0x7fff_ffff which allows us to take the last 24 bits of the uuid then applying a bit mask we can ensure that we end up in this range.
There are now two major issues.
We have now changed our validation code to enforce a tighter range, but we may have already allocated users into these ranges.
External systems like FreeIPA allocated uid/gid numbers with reckless abandon directly into these ranges.
As a result we need to make two concessions.
We *secretly* still allow manual allocation of id's from 65536 through to 1879048191 which is the nspawn container range. This happens to be the range that freeipa allocates into. We will never generate an ID in this range, but we will allow it to ease imports since the users of these ranges already have shown they 'don't care' about that range. This also affects SCIM imports for longer term migrations.
Second is id's that fall outside the valid ranges. In the extremely unlikely event this has occurred, a startup migration has been added to regenerate these id values for affected entries to prevent upgrade issues.
An accidental effect of this is freeing up the range 524288 to 1879048191 for other subuid uses.
* fixing up error handling for prctl calls
* minor clippy lintypoos
* making clippy happier
* clippizing a test
* more clippy-calming
* adding tpm-udev to ubuntu flows for testing
* rebuilt wasm
* moving from rg to grep because someone doesn't like nice things
* such clippy like wow
* clippy config to the rescue
* otel can eprintln kthx
* started python integration tests, features
* more tests more things
* adding heaps more things
* updating docs
* fixing python test
* fixing errors, updating integration test
* Add models for OAuth2, Person, ServiceAccount and add missing endpoints
* Alias Group to GroupInfo to keep it retrocompatible
* Fixed issues from review
* adding oauth2rs_get_basic_secret
* adding oauth2rs_get_basic_secret
* Fixed mypy issues
* adding more error logs
* updating test scripts and configs
* fixing tests and validating things
* more errors
---------
Co-authored-by: Dogeek <simon.bordeyne@gmail.com>
* doing some work for enumerating how the accounts work together
* fixing up build scripts and removing extra things
* making JavaScript as_tag use the struct field names
* making shared.js a module, removing wasmloader.js
* don't compress compressed things
* adding some test coverage because there was some rando panic-inducing thing
* ldap constants
* documenting a macro
* helpful weird errors
* the war on strings continues
* less json more better
* testing things fixing bugs
* idm_domain_reset_token_key wasn't working, added a test and fixed it (we weren't testing it)
* idm_domain_set_ldap_basedn - adding tests
* adding testing for idm_account_credential_update_cancel_mfareg
* warning of deprecation
* pulling out exitcode, adding hyper dep to handle errors (was already transitively there due to reqwest)
* adding better error handling, more options for client things
* adding extra_attributes field to BuiltinGroup, migrating more things.
* checkpoint 3 - ACP, easy as 1,2,3
* codespell
* now throwing error on dyngroup with defined members
* auth: Add a privileged flag to AuthStep::Init2 step to request a rw session
The privileged flag is defined as Option<bool> for compatibility with
existing clients.
