rpm-ostree
sysusers: add a treefile option in rpm-ostree
Add sysusers option in treefile, if true,
- turns off nss-altfiles support
- disables the passwd / group files migration to /usr/lib
Xref to https://github.com/coreos/fedora-coreos-tracker/issues/155#issuecomment-1781289749
Built fcos with https://github.com/coreos/fedora-coreos-config/pull/2698, ran fcos_groups and fcos_users, both passed.
[coreos-assembler]$ kola run -E src/config/tests/ ext.config.files.fcos_groups
=== RUN ext.config.files.fcos_groups
--- PASS: ext.config.files.fcos_groups (42.60s)
PASS, output in tmp/kola/qemu-2023-10-30-0933-16127
[coreos-assembler]$ kola run -E src/config/tests/ ext.config.files.fcos_users
=== RUN ext.config.files.fcos_users
--- PASS: ext.config.files.fcos_users (42.68s)
PASS, output in tmp/kola/qemu-2023-10-30-0934-16164
Tried to remove altfiles in composepost_nsswitch_altfiles by passing the arg sysusers, but this does not work. I found that if the check finds usr/etc/nsswitch.conf is a symlink, it will not update the configuration file (refer to https://github.com/coreos/rpm-ostree/blob/main/rust/src/composepost.rs#L689). Maybe transfer to authselect to create the configuration (see https://src.fedoraproject.org/rpms/authselect/blob/rawhide/f/authselect.spec#_315)?
Does this mean we should remove altfiles in postprocess?
I'm pretty sure we need to also figure out how to disable https://src.fedoraproject.org/rpms/systemd/blob/rawhide/f/systemd.spec#_940
Add an environment variable e.g.?
Also per discussion I'd say this treefile option should also enable RPMOSTREE_EXP_BRIDGE_SYSUSERS
Edit: And if we have this enabled we also ignore (or error out) if the static check-passwd is specified.
I'm pretty sure we need to also figure out how to disable https://src.fedoraproject.org/rpms/systemd/blob/rawhide/f/systemd.spec#_940
Add an environment variable e.g.?
Another problem is that installing a package which requires a systemd user will also create the user during the pre-script. Should we also disable it? For example, tcpdump:
$ sudo rpm -q --scripts tcpdump
preinstall scriptlet (using /bin/sh):
# generated from tcpdump-sysusers.conf
getent group 'tcpdump' >/dev/null || groupadd -f -g '72' -r 'tcpdump' || :
if ! getent passwd 'tcpdump' >/dev/null; then
  if ! getent passwd '72' >/dev/null; then
    useradd -r -u '72' -g 'tcpdump' -d '/' -s '/usr/sbin/nologin' -c 'tcpdump' 'tcpdump' || :
  else
    useradd -r -g 'tcpdump' -d '/' -s '/usr/sbin/nologin' -c 'tcpdump' 'tcpdump' || :
  fi
fi
exit 0
Tried to remove altfiles in composepost_nsswitch_altfiles by passing the arg sysusers, but this does not work. I found that if the check finds usr/etc/nsswitch.conf is a symlink, it will not update the configuration file (refer to https://github.com/coreos/rpm-ostree/blob/main/rust/src/composepost.rs#L689). Maybe transfer to authselect to create the configuration (see https://src.fedoraproject.org/rpms/authselect/blob/rawhide/f/authselect.spec#_315)?
Ah wow yes...messy. We have "dueling" sources of truth here. I guess for now we could copy the file to /etc and edit it there?
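The approach suggested in the last comment (turn a symlinked nsswitch.conf into a regular file under /etc, then edit it there), sketched as an added example; this is not rpm-ostree code. The function names, the `etc` parameter (the directory that serves as /etc in the tree, e.g. `usr/etc` during compose) and the sample lines are assumptions made for illustration, and the `passwd:`/`group:` lines are assumed to carry no trailing `#` comment.

```rust
use std::{fs, io, path::Path};

/// Drop `altfiles` from one source list, keeping every other source in order.
fn strip_sources(sources: &str) -> String {
    let mut kept = Vec::new();
    let mut toks = sources.split_whitespace().peekable();
    while let Some(t) = toks.next() {
        if t != "altfiles" {
            kept.push(t);
        } else if toks.peek().map_or(false, |n| n.starts_with('[')) {
            // Consume the action list bound to altfiles, e.g. `[SUCCESS=merge]`.
            while toks.next().map_or(false, |a| !a.ends_with(']')) {}
        }
    }
    kept.join(" ")
}

/// Rewrite only the `passwd:` and `group:` databases; other lines pass through.
fn strip_altfiles(conf: &str) -> String {
    conf.lines().map(|line| match line.split_once(':') {
        Some((db, src)) if matches!(db.trim(), "passwd" | "group") =>
            format!("{}: {}\n", db.trim(), strip_sources(src)),
        _ => format!("{}\n", line),
    }).collect()
}

/// Edit `<etc>/nsswitch.conf`; a symlink is first replaced by a regular copy of its target.
fn rewrite_nsswitch(etc: &Path) -> io::Result<bool> {
    let path = etc.join("nsswitch.conf");
    let is_link = fs::symlink_metadata(&path)?.file_type().is_symlink();
    let src = if is_link {
        let target = fs::read_link(&path)?;
        match target.strip_prefix("/etc") {
            Ok(t) => etc.join(t), // absolute /etc/... maps into this tree, not the host
            Err(_) if target.is_absolute() =>
                return Err(io::Error::new(io::ErrorKind::InvalidInput, "link leaves /etc")),
            Err(_) => etc.join(&target), // relative to the link's directory
        }
    } else { path.clone() };
    let edited = strip_altfiles(&fs::read_to_string(&src)?);
    if is_link { fs::remove_file(&path)?; } // removes the link, not its target
    fs::write(&path, edited)?;
    Ok(is_link)
}

fn main() {
    // Constructed sample lines, not taken from a real image.
    let sample = "passwd: files altfiles systemd\ngroup: files [SUCCESS=merge] altfiles [SUCCESS=merge] systemd\nhosts: files dns\n";
    print!("{}", strip_altfiles(sample));
}
```

The return value reports whether a symlink was replaced, so a caller can log that the file no longer tracks the authselect-managed copy.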