cgwalters
commented
1 year ago OK https://github.com/coreos/rpm-ostree/pull/4076 pushes things slightly farther, but with that PR I get:
# env RPMOSTREE_EXP_BRIDGE_SYSUSERS=1 /run/workdir/target/release/rpm-ostree install libvirt
...
error: Intercepting groupadd: Failed to access RPMOSTREE_SCRIPT_PKG_NAME environment variable: environment variable not found
...So, yeah either we:
- rework the unified core mode to work when already in a container image (i.e. don't use bwrap/rofiles-fuse/etc)
- don't include the package name in the generated sysusers, but just a single file
/usr/lib/sysusers.d/rpmostree-package-generated.confor so
I definitely lean to the former.
jlebon
When we introduced the native container bits, it completely blew up our "unified core" model, and we are bypassing that today and just running through the "traditional libdnf" flow. This mostly works, but a core side effect right now is we lose out on all the interception we're doing for things like
/usr/bin/useraddetc.I hit this when trying to test out https://github.com/coreos/rpm-ostree/issues/3762
(Also, we're using the libdnf progress output, not our nicer progress bars with indicatif etc.)
Thinking about this a bit...there's two possibilities I see.
First, we can go forward with enabling at least a subset of
cliwrapby default, most notably foruseradd/groupadd/kernel-install. We have the tools for that since https://github.com/coreos/rpm-ostree/pull/4001If we enabled cliwrap for that core subset by default in our base images, we'd automatically have this.
Another alternative is - when we're in a container, we can just live-mutate the filesystem tree quite safely and assume we're the only process running (and I guess we can undo it when the process exits).