coreos / rpm-ostree

⚛📦 Hybrid image/package system with atomic upgrades and package layering
https://coreos.github.io/rpm-ostree

core: intercept groupadd/useradd/usermod calls in scriptlets #3762

Open lucab opened 2 years ago

lucab commented 2 years ago

Background discussion behind this happened in https://github.com/coreos/rpm-ostree/pull/3712#issuecomment-1144931758.

In the context of making incremental progress on the sysusers.d front, we'd like to start auto-generating fragments for system users and groups. Attempting to do this after the fact by parsing /etc content hits a minor problem related to distinguishing dynamic and static IDs. Moving a bit earlier, into scriptlet processing, though, we can intercept calls to useradd and groupadd in order to learn whether they were given static IDs.

An example of dynamic IDs (from chrony RPM) looks like this:

%pre
getent group chrony > /dev/null || /usr/sbin/groupadd -r chrony
getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \
       -d %{_localstatedir}/lib/chrony -s /sbin/nologin chrony
:

Instead, an example of static IDs (from squid RPM) looks like this:

%pre
if ! getent group squid >/dev/null 2>&1; then
  /usr/sbin/groupadd -g 23 squid
fi

if ! getent passwd squid >/dev/null 2>&1 ; then
  /usr/sbin/useradd -g 23 -u 23 -d /var/spool/squid -r -s /sbin/nologin squid >/dev/null 2>&1 || exit 1 
fi

Let's start adding some groupadd and useradd wrappers in the scriptlets environment that will:

lucab commented 2 years ago

I realized there are some packages (e.g. clevis) which are calling usermod, so we should also intercept that and translate it to an m entry. Overall progress:
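
As an added illustration of the wrapper idea in the two comments above (example code, not from the rpm-ostree project or the issue author), the following functions take the argv a scriptlet hands to groupadd, useradd or usermod and print the sysusers.d line it implies, keeping a numeric -g/-u as a static ID and writing "-" for a dynamic one. The option subset, the `%{_localstatedir}` expansion and the `usermod -a -G tss clevis` call are assumptions for the demo.

```shell
# Added illustration: functions behind groupadd/useradd/usermod wrappers put
# on PATH while scriptlets run. Each receives the argv the scriptlet passes
# and prints the sysusers.d line it implies: a number given to -g/-u becomes
# a static ID, "-" marks a dynamic one. Only options seen in such scriptlets
# are modelled, and the account name is always the final argument.
sysusers_from_groupadd() {
    gid='-'
    while [ $# -gt 1 ]; do
        case "$1" in
            -g|--gid) gid="$2"; shift 2 ;;
            *)        shift ;;              # -r/--system: nothing to record
        esac
    done
    printf 'g %s %s\n' "$1" "$gid"
}
sysusers_from_useradd() {
    uid='-' grp='' home='-' shell='-'
    while [ $# -gt 1 ]; do
        case "$1" in
            -u|--uid)      uid="$2";   shift 2 ;;
            -g|--gid)      grp="$2";   shift 2 ;;
            -d|--home-dir) home="$2";  shift 2 ;;
            -s|--shell)    shell="$2"; shift 2 ;;
            *)             shift ;;         # -r, -M, -N: nothing to record
        esac
    done
    name="$1"
    # sysusers.d takes the primary group as UID:GID; a "u" line already
    # creates a group named after the user, so that case stays implicit.
    if [ -n "$grp" ] && [ "$grp" != "$name" ]; then uid="$uid:$grp"; fi
    printf 'u %s %s - %s %s\n' "$name" "$uid" "$home" "$shell"
}
sysusers_from_usermod() {
    groups=''
    while [ $# -gt 1 ]; do
        case "$1" in
            -G|--groups) groups="$2"; shift 2 ;;
            *)           shift ;;           # -a (append) is implied by "m"
        esac
    done
    name="$1"; old_ifs=$IFS; IFS=','
    for g in $groups; do printf 'm %s %s\n' "$name" "$g"; done
    IFS=$old_ifs
}
# Demo: argv from the scriptlets above (macro expanded) plus a constructed usermod call.
sysusers_from_groupadd -r chrony
sysusers_from_useradd -r -g chrony -d /var/lib/chrony -s /sbin/nologin chrony
sysusers_from_groupadd -g 23 squid
sysusers_from_useradd -g 23 -u 23 -d /var/spool/squid -r -s /sbin/nologin squid
sysusers_from_usermod -a -G tss clevis
```

The chrony calls come out as `g chrony -` and `u chrony - - /var/lib/chrony /sbin/nologin`, the squid calls as `g squid 23` and `u squid 23:23 - /var/spool/squid /sbin/nologin`, which is exactly the dynamic-versus-static distinction the /etc parsing could not recover.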

cgwalters commented 2 years ago

I filed https://github.com/ostreedev/ostree-rs-ext/issues/383 but probably it's a duplicate of this (though we should debate it living in ostree).

What do you see as the status on this? It seems like we landed code, but it's disabled by default?

Do we need an opt-in sysusers: true?

lucab commented 2 years ago

We did land all the wrappers but they are currently gated by an RPMOSTREE_EXP_BRIDGE_SYSUSERS env flag: https://github.com/coreos/rpm-ostree/blob/ea5e9b65c720c8ff5e600d345495e1f07d7b018e/src/libpriv/usermod-wrapper.sh#L7-L9

Do we need an opt-in sysusers: true?

At some point yes, but this is entangled in 1) cleanups on the Fedora side (most things should be ok in F38), and 2) figuring out the interactions with all the other users/groups configuration fields in the treefile.

If you mostly care about the in-container flow at this point, I think it makes sense at this time to turn it always-on there.

cgwalters commented 2 years ago

Ah but it doesn't work in the native-container flow because we're only using the libdnf path there. Filed https://github.com/coreos/rpm-ostree/issues/4075