fedora-coreos-config

tests/ignition: check file ownership for system users

Open HuijingHei opened this issue 1 year ago • 7 comments

Based on https://github.com/coreos/fedora-coreos-config/pull/774

HuijingHei avatar Oct 12 '23 14:10 HuijingHei

Checked that the test passes without ignition-ostree-sysusers.service in https://github.com/coreos/fedora-coreos-config/pull/774; still not quite sure where the fix is.

$ kola run -E fedora-coreos-config --qemu-image rhcos-414.92.202310100209-0-qemu.x86_64.qcow2 ext.fedora-coreos-config.ignition.sysusers
=== RUN   ext.fedora-coreos-config.ignition.sysusers
--- PASS: ext.fedora-coreos-config.ignition.sysusers (41.09s)
PASS, output in _kola_temp/qemu-2023-10-12-1412-79

$ kola run -E fedora-coreos-config --qemu-image fedora-coreos-38.20231009.20.0-qemu.x86_64.qcow2 ext.fedora-coreos-config.ignition.sysusers
=== RUN   ext.fedora-coreos-config.ignition.sysusers
--- PASS: ext.fedora-coreos-config.ignition.sysusers (40.49s)
PASS, output in _kola_temp/qemu-2023-10-12-1420-138

HuijingHei avatar Oct 12 '23 14:10 HuijingHei

Some context for https://github.com/coreos/fedora-coreos-config/pull/774:

The use case where we need to run sysusers in the initramfs (https://github.com/coreos/fedora-coreos-config/pull/774) is when you want to declare a system user in a sysusers config file (written by Ignition to the real root) and also include a file in the Ignition config that is owned by that new system user. As the users will not be created in the real root when ignition-files runs, it would fail.

So we need something like https://github.com/coreos/fedora-coreos-config/pull/774 to pre-create the users so that Ignition can set the ownership of the files it writes to the real root.


This test looks fine to me, but I'm not sure how much testing of that we already have in kola.

travier avatar Oct 13 '23 12:10 travier

Thanks @jmarrero @travier for the review. I updated the test script; it might need re-review, thanks!

HuijingHei avatar Oct 17 '23 08:10 HuijingHei

Here is an example config that should fail:

variant: fcos
version: 1.5.0
storage:
  files:
    - path: /etc/foo
      user:
        name: "foo"
      contents:
        inline: |
          # Dummy placeholder
    - path: /etc/sysusers.d/foo.conf
      contents:
        inline: |
          u foo - "Foo user" - -

See: https://www.freedesktop.org/software/systemd/man/sysusers.d.html

travier avatar Oct 17 '23 09:10 travier

> Here is an example config that should fail:
>
> variant: fcos
> version: 1.5.0
> storage:
>   files:
>     - path: /etc/foo
>       user:
>         name: "foo"
>       contents:
>         inline: |
>           # Dummy placeholder
>     - path: /etc/sysusers.d/foo.conf
>       contents:
>         inline: |
>           u foo - "Foo user" - -
>
> See: https://www.freedesktop.org/software/systemd/man/sysusers.d.html

This should fail with ignition-ostree-sysusers.service; refer to https://github.com/coreos/fedora-coreos-config/pull/774#issuecomment-745427947

HuijingHei avatar Oct 17 '23 14:10 HuijingHei

So the issue here is that the sysusers.d dropin gets written by the files stage, so it's not yet present when the new ignition-ostree-sysusers.service unit in #2679 runs.

I commented in https://github.com/coreos/fedora-coreos-tracker/issues/155#issuecomment-1775749284 to try to keep design discussions there.

jlebon avatar Oct 23 '23 18:10 jlebon
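The ordering problem described above can be caught before boot by linting the rendered Ignition JSON. The following is an added example, not code from this thread or from the fedora-coreos-config repository: it flags files whose owner is declared only by a sysusers.d drop-in that the same config writes. The function names and the sample JSON (a constructed equivalent of the Butane config above) are assumptions, and it only reads uncompressed `data:` URLs.

```python
import base64
import json
from urllib.parse import unquote

# Constructed sample: Ignition JSON equivalent of the Butane config
# quoted in the thread (hand-written here, not produced by butane).
SAMPLE_IGNITION = json.dumps({
    "ignition": {"version": "3.4.0"},
    "storage": {"files": [
        {"path": "/etc/foo", "user": {"name": "foo"},
         "contents": {"source": "data:,%23%20Dummy%20placeholder%0A"}},
        {"path": "/etc/sysusers.d/foo.conf",
         "contents": {"source": "data:,u%20foo%20-%20%22Foo%20user%22%20-%20-%0A"}},
    ]},
})

def decode_data_url(source):
    """Decode an RFC 2397 data: URL (plain or ;base64); other schemes give ''."""
    if not source.startswith("data:"):
        return ""
    header, _, payload = source[len("data:"):].partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload).decode("utf-8", "replace")
    return unquote(payload)

def sysusers_names(text):
    """Return the user names declared by 'u' lines in sysusers.d content."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "u":
            names.add(fields[1])
    return names

def late_owner_references(ignition_json):
    """Return (path, user) pairs whose owner is declared only by a
    sysusers.d drop-in written by this same config's files stage."""
    cfg = json.loads(ignition_json)
    files = cfg.get("storage", {}).get("files", [])
    # Assumption: users listed under passwd.users exist before files are written.
    passwd = {u["name"] for u in cfg.get("passwd", {}).get("users", [])}
    dropin_users = set()
    for f in files:
        if f["path"].startswith("/etc/sysusers.d/"):
            source = f.get("contents", {}).get("source", "")
            dropin_users |= sysusers_names(decode_data_url(source))
    unresolved = dropin_users - passwd
    return [(f["path"], f["user"]["name"]) for f in files
            if f.get("user", {}).get("name") in unresolved]
```
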

Thanks @jlebon @travier for the reply.

Does this script make sense? Can I understand that we support entries in the Ignition configuration referencing existing system users (see doc)?

HuijingHei avatar Oct 24 '23 06:10 HuijingHei