Open cgwalters opened 1 year ago
OK https://github.com/coreos/rpm-ostree/pull/4076 pushes things slightly farther, but with that PR I get:
# env RPMOSTREE_EXP_BRIDGE_SYSUSERS=1 /run/workdir/target/release/rpm-ostree install libvirt
...
error: Intercepting groupadd: Failed to access RPMOSTREE_SCRIPT_PKG_NAME environment variable: environment variable not found
...
So, yeah either we:
/usr/lib/sysusers.d/rpmostree-package-generated.conf
or soI definitely lean to the former.
The former makes sense to me too, though I'm concerned about the potential added complexity involved. Hopefully we don't end up with dozens of conditionals throughout an already complex part of the core. Otherwise, it might be worth instead trying to factor things out of the core that the container path can more easily use.
When we introduced the native container bits, it completely blew up our "unified core" model, and we are bypassing that today and just running through the "traditional libdnf" flow. This mostly works, but a core side effect right now is we lose out on all the interception we're doing for things like
/usr/bin/useradd
etc.I hit this when trying to test out https://github.com/coreos/rpm-ostree/issues/3762
(Also, we're using the libdnf progress output, not our nicer progress bars with indicatif etc.)
Thinking about this a bit...there's two possibilities I see.
First, we can go forward with enabling at least a subset of
cliwrap
by default, most notably foruseradd
/groupadd
/kernel-install
. We have the tools for that since https://github.com/coreos/rpm-ostree/pull/4001If we enabled cliwrap for that core subset by default in our base images, we'd automatically have this.
Another alternative is - when we're in a container, we can just live-mutate the filesystem tree quite safely and assume we're the only process running (and I guess we can undo it when the process exits).