sysusers: add a treefile option in rpm-ostree #4680
Skipping CI for Draft Pull Request.
3c76dba to 3fbf784
Build fcos with coreos/fedora-coreos-config#2698, run
So...no opposition to experimenting with this.
However my overall concern is that sysusers won't handle cases where we have a dynamic UID/GID included in the ostree commit/image content.
I think we started to add a check for this as part of the build system.
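The concern raised in the comment above, as an added example that is not code from this PR or from rpm-ostree: it parses sysusers.d lines and reports which owners of image content have an ID that is only allocated at first boot. The function names `parse_line` and `dynamic_owners`, the sample sysusers.d lines and the owner list are all constructed for illustration.

```rust
use std::collections::HashSet;

/// How a sysusers.d `u`/`g` line assigns its numeric ID.
#[derive(Debug, PartialEq)]
enum IdSpec {
    Static(u32),      // "81" or "81:81": fixed when the image is built
    Dynamic,          // "-" or omitted: picked by systemd-sysusers at boot
    FromPath(String), // "/some/path": copied from that file's owner
}

/// Parse one sysusers.d line; only `u` and `g` entries are returned.
fn parse_line(line: &str) -> Option<(String, IdSpec)> {
    let mut fields = line.split_whitespace();
    if !matches!(fields.next()?, "u" | "g") {
        return None; // comments, `m`, `r` and anything else
    }
    let name = fields.next()?.to_string();
    let id = match fields.next() {
        None | Some("-") => IdSpec::Dynamic,
        Some(p) if p.starts_with('/') => IdSpec::FromPath(p.to_string()),
        // "uid:gid" form: the part before ':' is the entry's own ID.
        Some(s) => match s.split(':').next().unwrap_or("").parse::<u32>() {
            Ok(n) => IdSpec::Static(n),
            Err(_) => IdSpec::Dynamic, // not numeric, so not fixed at build time
        },
    };
    Some((name, id))
}

/// Owners of image content whose ID is only decided at first boot.
fn dynamic_owners<'a>(sysusers: &str, owners: &[&'a str]) -> Vec<&'a str> {
    let dynamic: HashSet<String> = sysusers.lines().filter_map(parse_line)
        .filter(|(_, id)| *id == IdSpec::Dynamic)
        .map(|(name, _)| name).collect();
    owners.iter().copied().filter(|o| dynamic.contains(*o)).collect()
}

// Constructed sample input, not taken from any real image.
const SYSUSERS: &str = r#"
# Type Name ID GECOS Home
u root   0     "Super User" /root
u dbus   81:81 "System Message Bus"
u chrony -     "chrony system user" /var/lib/chrony
g printadmin -
"#;

fn main() {
    // The owner list stands in for the owners of files found in the commit.
    println!("{:?}", dynamic_owners(SYSUSERS, &["root", "dbus", "chrony"]));
}
```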
rust/src/passwd.rs
Outdated
new_entities.add_passwd_content(rootfs.as_raw_fd(), "usr/lib/passwd")?; | ||
new_entities.add_group_content(rootfs.as_raw_fd(), "usr/lib/group")?; | ||
} else { | ||
new_entities.add_passwd_content(rootfs.as_raw_fd(), "usr/etc/passwd")?; |
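Review bot: the `} else {` in this snippet makes the two passwd sources mutually exclusive: one branch reads only `usr/lib/passwd` and `usr/lib/group`, the other starts from `usr/etc/passwd`, so entries present only in the file that is not read are never added to `new_entities`. If both files can exist in the rootfs, read both, or add a comment stating which file is authoritative in each case.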
Is this right though? I thought we'd be relying on systemd-sysusers creating the users/groups on firstboot?
Maybe should add both? Do you mean with empty `passwd` / `group` (and no `check-passwd`/`check-groups`)? Maybe that is the final goal.
Right, I thought the goal was that we start with an empty `passwd` file if we were going all-in on sysusers.
db.add_group_content(rootfs.as_raw_fd(), "usr/etc/group")?; | ||
db.add_group_content(rootfs.as_raw_fd(), "usr/lib/group")?; | ||
if has_usrlib_passwd(&rootfs)? { |
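Review bot: the two `add_group_content` calls at the top read `usr/etc/group` and `usr/lib/group` unconditionally, while the code that follows is guarded by `has_usrlib_passwd(&rootfs)?`. If `usr/lib/group` can be absent from the rootfs, the second call needs an equivalent guard, or a comment saying that a missing file is tolerated by `add_group_content`.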
I think this change can land now if you want
1a64b58 to ee3f713
`nss-altfiles` support and the `passwd / group` files migration to `/usr/lib`
ee3f713 to 3034dc0
Default is `false`, if `true`:
- turns off nss-altfiles support
- disables the passwd / group files migration to /usr/lib

Xref to coreos/fedora-coreos-tracker#155 (comment)
3034dc0 to a9c572a
Tried to remove Does this mean should remove
I'm pretty sure we need to also figure out how to disable https://src.fedoraproject.org/rpms/systemd/blob/rawhide/f/systemd.spec#_940 Add an environment variable e.g.?
Also per discussion I'd say this treefile option should also enable Edit: And if we have this enabled we also ignore (or error out) if the static
Another problem is when installing a package which requires a systemd users, that will also create the user during pre-script, should we also disable it? for example
Ah wow yes...messy. We have "dueling" sources of truth here. I guess for now we could copy the file to
ef30c3b to 7401b70
7401b70 to 6cbfed7
Add `sysusers` option in treefile, if `true`, `nss-altfiles` support `passwd / group` files migration to `/usr/lib`

Xref to coreos/fedora-coreos-tracker#155 (comment)