Open travier opened 2 years ago
I think RPMs using sysusers only really helps us significantly if sysusers is not invoked during the RPM %post. Another way to say this: sysusers works the best when there is no static file content shipped with that user in the RPM. Which is the same case as https://github.com/coreos/rpm-ostree/issues/49#issuecomment-1098037042
Right?
I don't think sysusers is invoked anywhere in the RPM builds today. The %sysusers_create_compat macro that Fedora uses today - while consuming the sysusers config file - still invokes useradd: https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format
I've filed PRs to various specs for converting this (not the ones mentioned here though). Here's one example for reference: https://src.fedoraproject.org/rpms/coturn/pull-request/2
The dbus sysusers entry seems to be misaligned and may need to be fixed first, see https://bugzilla.redhat.com/show_bug.cgi?id=2090397.
Related to @cgwalters question, I just found out the hard way that systemd.spec itself does run systemd-sysusers as part of its %post logic: https://src.fedoraproject.org/rpms/systemd/blob/f36/f/systemd.spec#_779
> Related to @cgwalters question, I just found out the hard way that systemd.spec itself does run systemd-sysusers as part of its %post logic: https://src.fedoraproject.org/rpms/systemd/blob/f36/f/systemd.spec#_779
Ah yes, I think I dimly recall hitting that in the past. Man, this is a mess.
But in the end I think we'll need to handle this by post-processing the /etc/passwd we find in the root into sysusers.
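A sketch of the post-processing idea from the comment above, as an added example (not code from rpm-ostree, Fedora, or anyone in this thread): it turns `/etc/passwd` and `/etc/group` text into sysusers.d `g`/`u`/`m` lines. The function name, the 999 system-ID ceiling and the sample data are assumptions made for illustration.

```python
SYS_ID_MAX = 999  # assumption: usual login.defs ceiling for system accounts

# Constructed sample data, not taken from a real compose.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
chrony:x:992:989::/var/lib/chrony:/sbin/nologin
core:x:1000:1000:CoreOS Admin:/var/home/core:/bin/bash
"""
SAMPLE_GROUP = "root:x:0:\ndbus:x:81:\nchrony:x:989:\ntss:x:59:chrony\ncore:x:1000:\n"


def _records(text, nfields):
    """Yield colon-split records, skipping blanks, comments and malformed lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == nfields and not fields[0].startswith("#"):
            yield fields


def passwd_to_sysusers(passwd_text, group_text, id_max=SYS_ID_MAX):
    """Return sysusers.d lines describing the system users and groups found."""
    groups = {int(gid): (name, [m for m in members.split(",") if m])
              for name, _pw, gid, members in _records(group_text, 4)}
    users = [(name, int(uid), int(gid), gecos, home, shell)
             for name, _pw, uid, gid, gecos, home, shell in _records(passwd_text, 7)
             if int(uid) <= id_max]  # regular (non-system) users are left alone

    def owns_group(name, uid, gid):
        # A plain "u name ID" line also creates a same-named group with that ID.
        return uid == gid and groups.get(gid, (name, []))[0] == name

    implicit = {gid for name, uid, gid, *_ in users if owns_group(name, uid, gid)}
    # Explicit groups come first so that "uid:gid" user lines can refer to them.
    out = [f"g {gname} {gid}" for gid, (gname, _m) in groups.items()
           if gid <= id_max and gid not in implicit]
    for name, uid, gid, gecos, home, shell in users:
        ident = str(uid) if owns_group(name, uid, gid) else f"{uid}:{gid}"
        desc = f'"{gecos}"' if gecos else "-"  # "-" marks an empty field
        out.append(f"u {name} {ident} {desc} {home or '-'} {shell or '-'}")
    system_names = {u[0] for u in users}
    for gname, members in groups.values():
        out += [f"m {m} {gname}" for m in members if m in system_names]
    return out


if __name__ == "__main__":
    print("\n".join(passwd_to_sysusers(SAMPLE_PASSWD, SAMPLE_GROUP)))
```

Diffing this output against the sysusers.d files the packages already ship would show which accounts are still created only by scriptlets.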
Describe the enhancement
List of packages that need to be converted from shadowutils usage to sysusers config + macro:
Not yet shipping a sysusers config:
Shipping a sysusers config but not using the macro in RPM spec:
The first category is the priority to ensure that we have all users fully described by sysusers configs.
The second category is a nice to have: once we have that, this increases our confidence that if we replace shadowutils commands with NOPs during composes, we will just skip all users/groups creation.
Related to https://github.com/coreos/fedora-coreos-tracker/issues/155
Other packages not part of Fedora CoreOS but that also need an update (doing this is not mandatory but helps us ensure that overlayed packages will work too):