[V3,1/2] base-passwd: add clock group

From: Chen Qi <Qi.Chen@windriver.com>

New systemd version (v258) introduces a new group, clock, to
"enable applications like linuxptp to open clocks without root
privileges".[1]

This results in warning at do_rootfs time:
WARNING: Group clock has never been defined

Add group clock with gid 81 to fix this issue. The wheel group's
gid is 80, so 81 is chosen. And as the patch to add wheel group
was not accepted by upstream, directly mark this one's upstream
status to be 'Inappropriate'.

[1] https://github.com/systemd/systemd/commit/af96ccfc24bc4803078a46b4ef2cdeb5decdfbcd

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 .../base-passwd/0001-Add-clock-group.patch    | 34 +++++++++++++++++++
 .../base-passwd/base-passwd_3.6.7.bb          |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-Add-clock-group.patch

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Chen Qi via lists.openembedded.org
> Sent: den 16 oktober 2025 10:47
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core][PATCH V3 1/2] base-passwd: add clock group
> 
> From: Chen Qi <Qi.Chen@windriver.com>
> 
> New systemd version (v258) introduces a new group, clock, to
> "enable applications like linuxptp to open clocks without root
> privileges".[1]
> 
> This results in warning at do_rootfs time:
> WARNING: Group clock has never been defined
> 
> Add group clock with gid 81 to fix this issue. The wheel group's
> gid is 80, so 81 is chosen. And as the patch to add wheel group
> was not accepted by upstream, directly mark this one's upstream
> status to be 'Inappropriate'.
> 
> [1] https://github.com/systemd/systemd/commit/af96ccfc24bc4803078a46b4ef2cdeb5decdfbcd
> 
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
>  .../base-passwd/0001-Add-clock-group.patch    | 34 +++++++++++++++++++
>  .../base-passwd/base-passwd_3.6.7.bb          |  1 +
>  2 files changed, 35 insertions(+)
>  create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-Add-clock-group.patch
> 
> diff --git a/meta/recipes-core/base-passwd/base-passwd/0001-Add-clock-group.patch b/meta/recipes-core/base-passwd/base-passwd/0001-Add-clock-group.patch
> new file mode 100644
> index 0000000000..1cb22a05f7
> --- /dev/null
> +++ b/meta/recipes-core/base-passwd/base-passwd/0001-Add-clock-group.patch
> @@ -0,0 +1,34 @@
> +From 4b3a8f347179d7e2a1062eeed13a6474deb28728 Mon Sep 17 00:00:00 2001
> +From: Chen Qi <Qi.Chen@windriver.com>
> +Date: Thu, 16 Oct 2025 08:48:49 +0800
> +Subject: [PATCH] Add clock group
> +
> +The clock group is needed to "to enable applications like linuxptp
> +to open clocks without root privileges". See the link below:
> +https://github.com/systemd/systemd/commit/af96ccfc24bc4803078a46b4ef2cdeb
> 5decdfbcd
> +
> +Note that this group is needed as long as people use udev from
> +systemd because 50-udev-default.rules needs it. See the above
> +commit.
> +
> +Upstream-Status: Inappropriate [enable feature]
> +
> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> +---
> + group.master | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/group.master b/group.master
> +index e54fd1d..6f84539 100644
> +--- a/group.master
> ++++ b/group.master
> +@@ -39,5 +39,6 @@ staff:*:50:
> + games:*:60:
> + shutdown:*:70:
> + wheel:*:80:
> ++clock:*:81:

Why does this have to go here. Why can't you just update the 
GROUPADD_PARAM:${PN} in the systemd recipe to create the clock group:

GROUPADD_PARAM:${PN} = "-r systemd-journal; -r clock;"

That way it is only created if systemd is actually used.

> + users:*:100:
> + nogroup:*:65534:
> +--
> +2.34.1
> +
> diff --git a/meta/recipes-core/base-passwd/base-passwd_3.6.7.bb b/meta/recipes-core/base-passwd/base-passwd_3.6.7.bb
> index 177927d674..e4e0890293 100644
> --- a/meta/recipes-core/base-passwd/base-passwd_3.6.7.bb
> +++ b/meta/recipes-core/base-passwd/base-passwd_3.6.7.bb
> @@ -13,6 +13,7 @@ SRC_URI =
> "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar
>             file://0005-Add-kvm-group.patch \
>             file://0007-Add-wheel-group.patch \
>             file://0001-base-passwd-Add-the-sgx-group.patch \
> +           file://0001-Add-clock-group.patch \
>             "
> 
>  SRC_URI[sha256sum] = "cf869870fed7862b57bfa9e99cd5cd6f365e2349705a1b65af7fc182629bd1ab"
> --
> 2.34.1

//Peter

On 10/16/25 17:49, Peter Kjellerstedt wrote:
>> -----Original Message-----
>> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Chen Qi via lists.openembedded.org
>> Sent: den 16 oktober 2025 10:47
>> To: openembedded-core@lists.openembedded.org
>> Subject: [OE-core][PATCH V3 1/2] base-passwd: add clock group
>>
>> From: Chen Qi <Qi.Chen@windriver.com>
>>
>> New systemd version (v258) introduces a new group, clock, to
>> "enable applications like linuxptp to open clocks without root
>> privileges".[1]
>>
>> This results in warning at do_rootfs time:
>> WARNING: Group clock has never been defined
>>
>> Add group clock with gid 81 to fix this issue. The wheel group's
>> gid is 80, so 81 is chosen. And as the patch to add wheel group
>> was not accepted by upstream, directly mark this one's upstream
>> status to be 'Inappropriate'.
>>
>> [1] https://github.com/systemd/systemd/commit/af96ccfc24bc4803078a46b4ef2cdeb5decdfbcd
>>
>> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
>> ---
>>   .../base-passwd/0001-Add-clock-group.patch    | 34 +++++++++++++++++++
>>   .../base-passwd/base-passwd_3.6.7.bb          |  1 +
>>   2 files changed, 35 insertions(+)
>>   create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-Add-clock-group.patch
>>
>> diff --git a/meta/recipes-core/base-passwd/base-passwd/0001-Add-clock-group.patch b/meta/recipes-core/base-passwd/base-passwd/0001-Add-clock-group.patch
>> new file mode 100644
>> index 0000000000..1cb22a05f7
>> --- /dev/null
>> +++ b/meta/recipes-core/base-passwd/base-passwd/0001-Add-clock-group.patch
>> @@ -0,0 +1,34 @@
>> +From 4b3a8f347179d7e2a1062eeed13a6474deb28728 Mon Sep 17 00:00:00 2001
>> +From: Chen Qi <Qi.Chen@windriver.com>
>> +Date: Thu, 16 Oct 2025 08:48:49 +0800
>> +Subject: [PATCH] Add clock group
>> +
>> +The clock group is needed to "to enable applications like linuxptp
>> +to open clocks without root privileges". See the link below:
>> +https://github.com/systemd/systemd/commit/af96ccfc24bc4803078a46b4ef2cdeb
>> 5decdfbcd
>> +
>> +Note that this group is needed as long as people use udev from
>> +systemd because 50-udev-default.rules needs it. See the above
>> +commit.
>> +
>> +Upstream-Status: Inappropriate [enable feature]
>> +
>> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
>> +---
>> + group.master | 1 +
>> + 1 file changed, 1 insertion(+)
>> +
>> +diff --git a/group.master b/group.master
>> +index e54fd1d..6f84539 100644
>> +--- a/group.master
>> ++++ b/group.master
>> +@@ -39,5 +39,6 @@ staff:*:50:
>> + games:*:60:
>> + shutdown:*:70:
>> + wheel:*:80:
>> ++clock:*:81:
> Why does this have to go here. Why can't you just update the
> GROUPADD_PARAM:${PN} in the systemd recipe to create the clock group:
>
> GROUPADD_PARAM:${PN} = "-r systemd-journal; -r clock;"
>
> That way it is only created if systemd is actually used.

I consider this clock similar to the 'wheel' and 'kvm' groups. 'wheel' 
and 'kvm' groups are added here, so I put 'clock' group here.

 From my understanding, such groups are likely to be used by other 
applications (recipes). You can see this from the original commit: 
https://github.com/systemd/systemd/commit/af96ccfc24bc4803078a46b4ef2cdeb

It's possible that applications such as linuxptp will use this clock 
group. What systemd (udev) does is to change the device's group to 
'clock'. This means applications using those devices could be put in 
'clock' group to be granted access.

Regards,
Qi

>
>> + users:*:100:
>> + nogroup:*:65534:
>> +--
>> +2.34.1
>> +
>> diff --git a/meta/recipes-core/base-passwd/base-passwd_3.6.7.bb b/meta/recipes-core/base-passwd/base-passwd_3.6.7.bb
>> index 177927d674..e4e0890293 100644
>> --- a/meta/recipes-core/base-passwd/base-passwd_3.6.7.bb
>> +++ b/meta/recipes-core/base-passwd/base-passwd_3.6.7.bb
>> @@ -13,6 +13,7 @@ SRC_URI =
>> "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar
>>              file://0005-Add-kvm-group.patch \
>>              file://0007-Add-wheel-group.patch \
>>              file://0001-base-passwd-Add-the-sgx-group.patch \
>> +           file://0001-Add-clock-group.patch \
>>              "
>>
>>   SRC_URI[sha256sum] = "cf869870fed7862b57bfa9e99cd5cd6f365e2349705a1b65af7fc182629bd1ab"
>> --
>> 2.34.1
> //Peter
>

On Fri, 17 Oct 2025 at 04:56, Chen Qi via lists.openembedded.org
<Qi.Chen=windriver.com@lists.openembedded.org> wrote:
> > Why does this have to go here. Why can't you just update the
> > GROUPADD_PARAM:${PN} in the systemd recipe to create the clock group:
> >
> > GROUPADD_PARAM:${PN} = "-r systemd-journal; -r clock;"
> >
> > That way it is only created if systemd is actually used.
>
> I consider this clock similar to the 'wheel' and 'kvm' groups. 'wheel'
> and 'kvm' groups are added here, so I put 'clock' group here.
>
>  From my understanding, such groups are likely to be used by other
> applications (recipes). You can see this from the original commit:
> https://github.com/systemd/systemd/commit/af96ccfc24bc4803078a46b4ef2cdeb
>
> It's possible that applications such as linuxptp will use this clock
> group. What systemd (udev) does is to change the device's group to
> 'clock'. This means applications using those devices could be put in
> 'clock' group to be granted access.

But how do classic binary distributions handle this? Can you research
where e.g. Fedora or Debian create this group? We could probably
follow that, and avoid having to carry an Inappropriate patch. Maybe
base-passwd upstream already has a fix?

Alex

On 10/18/25 02:22, Alexander Kanavin wrote:
> On Fri, 17 Oct 2025 at 04:56, Chen Qi via lists.openembedded.org
> <Qi.Chen=windriver.com@lists.openembedded.org> wrote:
>>> Why does this have to go here. Why can't you just update the
>>> GROUPADD_PARAM:${PN} in the systemd recipe to create the clock group:
>>>
>>> GROUPADD_PARAM:${PN} = "-r systemd-journal; -r clock;"
>>>
>>> That way it is only created if systemd is actually used.
>> I consider this clock similar to the 'wheel' and 'kvm' groups. 'wheel'
>> and 'kvm' groups are added here, so I put 'clock' group here.
>>
>>   From my understanding, such groups are likely to be used by other
>> applications (recipes). You can see this from the original commit:
>> https://github.com/systemd/systemd/commit/af96ccfc24bc4803078a46b4ef2cdeb
>>
>> It's possible that applications such as linuxptp will use this clock
>> group. What systemd (udev) does is to change the device's group to
>> 'clock'. This means applications using those devices could be put in
>> 'clock' group to be granted access.
> But how do classic binary distributions handle this? Can you research
> where e.g. Fedora or Debian create this group? We could probably
> follow that, and avoid having to carry an Inappropriate patch. Maybe
> base-passwd upstream already has a fix?
>
> Alex

Hi Alex,

I just checked the fedora:latest container. It also puts 'clock' group 
in a basic setup package, which, according to its description, is 
basically 'base-passwd + base-files' in Yocto.

See commands and results below:
"""
[root@607fbfbf12bb /]# grep clock /etc/group
clock:x:103:
[root@607fbfbf12bb /]# rpm -qf /etc/group
setup-2.15.0-13.fc42.noarch
[root@607fbfbf12bb /]# rpm -qi setup | grep -A 4 Summary
Summary     : A set of system configuration and setup files
Description :
The setup package contains a set of important system configuration and
setup files, such as passwd, group, and profile.
"""

I also checked base-passwd upstream and debian:latest container. 
base-passwd upstream does not have clock group: 
https://salsa.debian.org/debian/base-passwd/-/blob/master/group.master?ref_type=heads. 
And debian:latest is using systemd 257.8 so it does not have this 
'clock' group issue now.

I'll use gid 103 in patch V4 to sync with fedora (though not necessary).

Regards,
Qi

On Mon, 20 Oct 2025 at 07:14, Chen Qi via lists.openembedded.org
<Qi.Chen=windriver.com@lists.openembedded.org> wrote:
> I also checked base-passwd upstream and debian:latest container.
> base-passwd upstream does not have clock group:
> https://salsa.debian.org/debian/base-passwd/-/blob/master/group.master?ref_type=heads.
> And debian:latest is using systemd 257.8 so it does not have this
> 'clock' group issue now.
>
> I'll use gid 103 in patch V4 to sync with fedora (though not necessary).

Thanks for the research. I think you can simply send the patch
upstream to Debian via a pull request?
https://salsa.debian.org/debian/base-passwd/-/merge_requests

Alex

> -----Original Message-----
> From: Alexander Kanavin <alex.kanavin@gmail.com>
> Sent: den 20 oktober 2025 13:59
> To: Qi.Chen@windriver.com
> Cc: Peter Kjellerstedt <peter.kjellerstedt@axis.com>; openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH V3 1/2] base-passwd: add clock group
> 
> On Mon, 20 Oct 2025 at 07:14, Chen Qi via lists.openembedded.org <Qi.Chen=windriver.com@lists.openembedded.org> wrote:
> > I also checked base-passwd upstream and debian:latest container.
> > base-passwd upstream does not have clock group:
> > https://salsa.debian.org/debian/base-passwd/-/blob/master/group.master?ref_type=heads.
> > And debian:latest is using systemd 257.8 so it does not have this
> > 'clock' group issue now.
> >
> > I'll use gid 103 in patch V4 to sync with fedora (though not necessary).

Since most of the other groups provided by base-passwd aren't synced 
with Fedora, can we stick with using IDs <= 100 for base-passwd?
It would at least make my life easier since we have already used a 
huge number of static IDs > 100.

> 
> Thanks for the research. I think you can simply send the patch
> upstream to Debian via a pull request?
> https://salsa.debian.org/debian/base-passwd/-/merge_requests
> 
> Alex

//Peter