sysusers: add a treefile option in rpm-ostree

[HuijingHei]

Add sysusers option in treefile, if true,

• turns off nss-altfiles support
• disables the passwd / group files migration to /usr/lib

Xref to coreos/fedora-coreos-tracker#155 (comment)

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[HuijingHei]

Build fcos with coreos/fedora-coreos-config#2698, run fcos_groups and fcos_users passed.

[coreos-assembler]$ kola run -E src/config/tests/ ext.config.files.fcos_groups
=== RUN   ext.config.files.fcos_groups
--- PASS: ext.config.files.fcos_groups (42.60s)
PASS, output in tmp/kola/qemu-2023-10-30-0933-16127
[coreos-assembler]$ kola run -E src/config/tests/ ext.config.files.fcos_users
=== RUN   ext.config.files.fcos_users
--- PASS: ext.config.files.fcos_users (42.68s)
PASS, output in tmp/kola/qemu-2023-10-30-0934-16164

[cgwalters]

So...no opposition to experimenting with this.

However my overall concern is that sysusers won't handle cases where we have a dynamic UID/GID included in the ostree commit/image content.

I think we started to add a check for this as part of the build system.

[cgwalters]

Is this right though? I thought we'd be relying on systemd-sysusers creating the users/groups on firstboot?

[HuijingHei]

Maybe should add both? Do you mean with empty passwd / group (and no check-passwd/check-groups)? Maybe that is the final goal.

[cgwalters]

Right, I thought the goal was that we start with an empty passwd file if we were going all-in on sysusers.

[cgwalters]

I think this change can land now if you want

[HuijingHei]

Tried to remove altfiles in composepost_nsswitch_altfiles with passing arg sysusers, but this does not work, find that if checking usr/etc/nsswitch.conf is symlink, then will not update the configuration file (refer to https://github.com/coreos/rpm-ostree/blob/main/rust/src/composepost.rs#L689), maybe transfer to authselect to create the configuration (see https://src.fedoraproject.org/rpms/authselect/blob/rawhide/f/authselect.spec#_315)?

Does this mean should remove altfiles in postprocess?

[cgwalters]

I'm pretty sure we need to also figure out how to disable https://src.fedoraproject.org/rpms/systemd/blob/rawhide/f/systemd.spec#_940

Add an environment variable e.g.?

[cgwalters]

Also per discussion I'd say this treefile option should also enable RPMOSTREE_EXP_BRIDGE_SYSUSERS

Edit: And if we have this enabled we also ignore (or error out) if the static check-passwd is specified.

[HuijingHei]

I'm pretty sure we need to also figure out how to disable https://src.fedoraproject.org/rpms/systemd/blob/rawhide/f/systemd.spec#_940

Add an environment variable e.g.?

Another problem is when installing a package which requires a systemd users, that will also create the user during pre-script, should we also disable it? for example tcpdump:

$ sudo rpm -q --scripts tcpdump
preinstall scriptlet (using /bin/sh):

# generated from tcpdump-sysusers.conf
getent group 'tcpdump' >/dev/null || groupadd -f -g '72' -r 'tcpdump' || :
if ! getent passwd 'tcpdump' >/dev/null; then
if ! getent passwd '72' >/dev/null; then
useradd -r -u '72' -g 'tcpdump' -d '/' -s '/usr/sbin/nologin' -c 'tcpdump' 'tcpdump' || :
else
useradd -r -g 'tcpdump' -d '/' -s '/usr/sbin/nologin' -c 'tcpdump' 'tcpdump' || :
fi
fi 

exit 0

[cgwalters]

Tried to remove altfiles in composepost_nsswitch_altfiles with passing arg sysusers, but this does not work, find that if checking usr/etc/nsswitch.conf is symlink, then will not update the configuration file (refer to https://github.com/coreos/rpm-ostree/blob/main/rust/src/composepost.rs#L689), maybe transfer to authselect to create the configuration (see https://src.fedoraproject.org/rpms/authselect/blob/rawhide/f/authselect.spec#_315)?

Ah wow yes...messy. We have "dueling" sources of truth here. I guess for now we could copy the file to /etc and edit it there?

[cgwalters]

In discussion about this one now I think short term what we want is a denylist like:

sysusers-groups:

• tss

Anything in that set would be dropped from the altfiles setup at build time - and we rely on them being created at boot.

Alternatively, we could try an allowlist instead. Maybe support both.

[jlebon]

Note #5427 proposes also adding a sysusers: knob to the treefile but a different initial purpose. Though I left it extensible for other semantics we might want as part of nss-altfiles migration.