
core: intercept groupadd/useradd/usermod calls in scriptlets

Open lucab opened this issue 2 years ago • 1 comments

Background discussion behind this happened in https://github.com/coreos/rpm-ostree/pull/3712#issuecomment-1144931758.

In the context of making incremental progress on the sysusers.d front, we'd like to start auto-generating fragments for system users and groups. Attempting to do this after the fact by parsing /etc content hits a minor problem related to distinguishing dynamic and static IDs. Moving a bit earlier in scriptlet processing, though, we can intercept calls to useradd and groupadd in order to learn whether they were given static IDs.

An example of dynamic IDs (from chrony RPM) looks like this:

%pre
getent group chrony > /dev/null || /usr/sbin/groupadd -r chrony
getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \
       -d %{_localstatedir}/lib/chrony -s /sbin/nologin chrony
:

Instead, an example of static IDs (from squid RPM) looks like this:

%pre
if ! getent group squid >/dev/null 2>&1; then
  /usr/sbin/groupadd -g 23 squid
fi

if ! getent passwd squid >/dev/null 2>&1 ; then
  /usr/sbin/useradd -g 23 -u 23 -d /var/spool/squid -r -s /sbin/nologin squid >/dev/null 2>&1 || exit 1 
fi

Let's start adding groupadd and useradd wrappers to the scriptlet environment that will:

  • parse the CLI args to gain knowledge about static IDs
  • generate the relevant sysusers.d fragment
  • forward to the real groupadd/useradd binary

lucab avatar Jun 13 '22 13:06 lucab

I realized there are some packages (e.g. clevis) which are calling usermod, so we should also intercept that and translate it to an m entry. Overall progress:

  • [x] intercept useradd - https://github.com/coreos/rpm-ostree/pull/3897
  • [x] intercept groupadd - https://github.com/coreos/rpm-ostree/pull/3778
  • [x] intercept usermod - https://github.com/coreos/rpm-ostree/pull/3942

lucab avatar Aug 05 '22 12:08 lucab
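The three-step wrapper sketched in the opening post, together with the usermod case from the follow-up, as an added example in POSIX sh. This is not rpm-ostree's own usermod-wrapper.sh; the option subset modelled, the fragment path /usr/lib/sysusers.d/30-rpm-scriptlets.conf, the SYSUSERS_FRAGMENT override and the function names are assumptions. Each translator parses the shadow-utils command line, emits the matching sysusers.d(5) line (g for groupadd, u for useradd using the UID:GROUP form of the id field to carry the primary group, m for supplementary groups), and refuses to guess on options it does not model; the entry point appends the lines and then always execs the real binary, so a call that cannot be translated never breaks the package install.

```shell
#!/bin/sh
# Added example (not rpm-ostree's wrapper): turn a scriptlet's useradd/groupadd/
# usermod call into sysusers.d(5) lines, then forward to the real binary.
# Option coverage, the fragment path and the real-binary location are assumptions.

# Normalise "--opt=value" into "--opt" "value" so one case branch handles both.
split_long_opt() {
    opt=${1%%=*}
    val=${1#*=}
}

# One "m USER GROUP" line per comma-separated group (empty list emits nothing).
emit_memberships() {
    [ -n "$2" ] || return 0
    old_ifs=$IFS; IFS=,
    for g in $2; do printf 'm %s %s\n' "$1" "$g"; done
    IFS=$old_ifs
}

# groupadd [-r] [-g GID] NAME  ->  "g NAME GID" or "g NAME -" for a dynamic ID.
groupadd_to_sysusers() {
    name= gid=-
    while [ $# -gt 0 ]; do
        case "$1" in
            --*=*) split_long_opt "$1"; shift; set -- "$opt" "$val" "$@"; continue ;;
            -g|--gid) [ $# -ge 2 ] || return 1; gid=$2; shift 2 ;;
            -r|--system|-f|--force|-o|--non-unique) shift ;;
            -*) return 1 ;;          # option this example does not model: do not guess
            *) name=$1; shift ;;
        esac
    done
    [ -n "$name" ] || return 1
    printf 'g %s %s\n' "$name" "$gid"
}

# useradd [-r] [-u UID] [-g GROUP] [-G G1,G2] [-c GECOS] [-d HOME] [-s SHELL] NAME
#   ->  "u NAME ID GECOS HOME SHELL" plus one "m NAME Gn" per supplementary group.
# ID is "-" (dynamic), "UID", or "UID:GROUP" (sysusers.d primary-group syntax).
useradd_to_sysusers() {
    name= uid=- gid=- gecos=- home=- shell=- groups=
    while [ $# -gt 0 ]; do
        case "$1" in
            --*=*) split_long_opt "$1"; shift; set -- "$opt" "$val" "$@"; continue ;;
            -u|--uid)      [ $# -ge 2 ] || return 1; uid=$2;       shift 2 ;;
            -g|--gid)      [ $# -ge 2 ] || return 1; gid=$2;       shift 2 ;;
            -G|--groups)   [ $# -ge 2 ] || return 1; groups=$2;    shift 2 ;;
            -c|--comment)  [ $# -ge 2 ] || return 1; gecos=\"$2\"; shift 2 ;;
            -d|--home-dir) [ $# -ge 2 ] || return 1; home=$2;      shift 2 ;;
            -s|--shell)    [ $# -ge 2 ] || return 1; shell=$2;     shift 2 ;;
            -r|--system|-m|--create-home|-M|--no-create-home|-N|--no-user-group|-U|--user-group|-o|--non-unique) shift ;;
            -*) return 1 ;;
            *) name=$1; shift ;;
        esac
    done
    [ -n "$name" ] || return 1
    case "$uid:$gid" in
        -:-) id=- ;;
        *:-) id=$uid ;;
        *)   id="$uid:$gid" ;;
    esac
    printf 'u %s %s %s %s %s\n' "$name" "$id" "$gecos" "$home" "$shell"
    emit_memberships "$name" "$groups"
}

# usermod -a -G G1,G2 NAME  ->  "m NAME Gn" lines. Anything else (changing uid,
# primary group, home, ...) has no sysusers.d equivalent, so fail rather than guess.
usermod_to_sysusers() {
    name= groups= append=
    while [ $# -gt 0 ]; do
        case "$1" in
            --*=*) split_long_opt "$1"; shift; set -- "$opt" "$val" "$@"; continue ;;
            -a|--append) append=1; shift ;;
            -G|--groups) [ $# -ge 2 ] || return 1; groups=$2; shift 2 ;;
            -*) return 1 ;;
            *) name=$1; shift ;;
        esac
    done
    [ -n "$name" ] && [ -n "$append" ] && [ -n "$groups" ] || return 1
    emit_memberships "$name" "$groups"
}

# Entry point for a wrapper placed ahead of /usr/sbin in the scriptlet PATH, e.g. a
# script named useradd that runs: intercept "$(basename "$0")" "$@"
# The fragment path is an assumption. The real tool is always run afterwards.
FRAGMENT=${SYSUSERS_FRAGMENT:-/usr/lib/sysusers.d/30-rpm-scriptlets.conf}
intercept() {
    tool=$1; shift
    case "$tool" in
        groupadd) lines=$(groupadd_to_sysusers "$@") ;;
        useradd)  lines=$(useradd_to_sysusers "$@") ;;
        usermod)  lines=$(usermod_to_sysusers "$@") ;;
        *) echo "intercept: unsupported tool $tool" >&2; return 2 ;;
    esac
    if [ -n "$lines" ]; then
        printf '%s\n' "$lines" >> "$FRAGMENT"
    else
        echo "intercept: could not translate: $tool $*" >&2
    fi
    exec "/usr/sbin/$tool" "$@"
}
```

Fed the two scriptlets quoted above, the translators yield `u chrony -:chrony - /var/lib/chrony /sbin/nologin` (dynamic UID, named primary group) and `u squid 23:23 - /var/spool/squid /sbin/nologin` (static IDs), which is exactly the dynamic-versus-static distinction that is lost once only /etc/passwd is left to parse. Combined short options such as `-rg chrony` and options the parser does not list make the translator return non-zero, so the wrapper logs and forwards rather than writing a wrong fragment.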

I filed https://github.com/ostreedev/ostree-rs-ext/issues/383 but probably it's a duplicate of this (though we should debate it living in ostree).

What do you see as the status on this? It seems like we landed code, but it's disabled by default?

Do we need an opt-in sysusers: true?

cgwalters avatar Oct 03 '22 21:10 cgwalters

We did land all the wrappers but they are currently gated by an RPMOSTREE_EXP_BRIDGE_SYSUSERS env flag: https://github.com/coreos/rpm-ostree/blob/ea5e9b65c720c8ff5e600d345495e1f07d7b018e/src/libpriv/usermod-wrapper.sh#L7-L9

Do we need an opt-in sysusers: true?

At some point yes, but this is entangled in 1) cleanups on Fedora side (most things should be ok in F38), and 2) figuring out the interactions with all the other users/groups configuration fields in the treefile.

If you mostly care about the in-container flow at this point, I think it makes sense to turn it always-on there.

lucab avatar Oct 04 '22 14:10 lucab

Ah but it doesn't work in the native-container flow because we're only using the libdnf path there. Filed https://github.com/coreos/rpm-ostree/issues/4075

cgwalters avatar Oct 04 '22 14:10 cgwalters