Packages that need conversion from shadowutils to sysusers

[travier]

Describe the enhancement

List of packages that need to be converted from shadowutils usage to sysusers config + macro:

• Not yet shipping a sysusers config:

  • rpcbind: https://src.fedoraproject.org/rpms/rpcbind/blob/rawhide/f/rpcbind.spec#_77
  • libutempter: https://src.fedoraproject.org/rpms/libutempter/blob/rawhide/f/libutempter.spec#_45
  • ceph: https://src.fedoraproject.org/rpms/ceph/blob/rawhide/f/ceph.spec#_1646
  • tcpdump: https://src.fedoraproject.org/rpms/tcpdump/blob/rawhide/f/tcpdump.spec#_65
  • openssh: https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh.spec#_558

• Shipping a sysusers config but not using the macro in RPM spec:

  • tpm2-tss: https://src.fedoraproject.org/rpms/tpm2-tss/blob/rawhide/f/tpm2-tss.spec#_68
  • dbus-daemon: https://src.fedoraproject.org/rpms/dbus/blob/rawhide/f/dbus.spec#_303
  • clevis: https://src.fedoraproject.org/rpms/clevis/blob/rawhide/f/clevis.spec#_126

The first category is the priority to ensure that we have all users fully described by sysusers configs.

The second category is a nice to have: once we have that, this increase our confidence that if we replace shadowutlis command with NOPs during composes, we will just skip all users/groups creation.

Related to https://github.com/coreos/fedora-coreos-tracker/issues/155

---

Other packages not part of Fedora CoreOS but that also need an update (doing this is not mandatory but helps us ensure that overlayed packages will work too):

• rabbitmq-server: https://src.fedoraproject.org/rpms/rabbitmq-server/blob/rawhide/f/rabbitmq-server.spec#_121

[cgwalters]

I think RPMs using sysusers only really helps us significantly if sysusers is not invoked during the RPM %post. Another way to say this sysusers works the best when there are no static file content shipped with that user in the RPM. Which is the same case as https://github.com/coreos/rpm-ostree/issues/49#issuecomment-1098037042

Right?

[LorbusChris]

I don't think sysysers is invoked anywhere in the RPM builds today. The %sysusers_create_compat macro that Fedora uses today - while consuming the sysysers config file - still invokes useradd: https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format

I've filed PRs to various specs for converting this (not the ones mentioned here though). Here's one example for reference: https://src.fedoraproject.org/rpms/coturn/pull-request/2

[lucab]

The dbus sysusers entry seems to be misaligned and may need to be fixed first, see https://bugzilla.redhat.com/show_bug.cgi?id=2090397.

[lucab]

Related to @cgwalters question, I just found out the hard way that systemd.spec itself does run systemd-sysusers as part of its %post logic: https://src.fedoraproject.org/rpms/systemd/blob/f36/f/systemd.spec#_779

[cgwalters]

Related to @cgwalters question, I just found out the hard way that systemd.spec itself does run systemd-sysusers as part of its %post logic: https://src.fedoraproject.org/rpms/systemd/blob/f36/f/systemd.spec#_779

Ah yes, I think I dimly recall hitting that in the past. Man, this is a mess.

But in the end I think we'll need to handle this by post-processing the /etc/passwd we find in the root into sysusers.