From f202927c40c2880501da4af662376e51abbe4dfb Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Fri, 29 Nov 2024 11:48:03 -0500 Subject: [PATCH] passwd, group: add more entries User and group handling is a very messy topic and the split RHCOS effort runs right into some of the intricacies. In the layered node image model, a bunch of packages that previously were part of the base compose are now layered in a separate build step. Some of those packages also want to bring their own users/groups, such as `openvswitch`, `containers`, and `unbound`. Because they're no longer part of the base compose, the way UIDs and GIDs are allocated to dynamic system users changes, possibly shifting the IDs of multiple system users. Even for system users that don't actually have e.g. data in `/var`, we pretty much have to reserve their IDs they historically had so as to not create a "hole" in the range that could be filled by something which _does_ have data. This issue is in fact relevant even without the split RHCOS effort. Any system user dropped (or e.g. package that switches to `DynamicUser`) from the base compose can also create a hole, causing drift to occur for other system users. Anyway, this is obviously not a great position to be in, but we can't really have IDs drifting on client systems. So just pin all the currently dynamically allocated entries. Cross fingers on `DynamicUser` and systemd sysusers to save us before we run out of IDs... See also: https://github.com/coreos/fedora-coreos-tracker/issues/155 See also: https://gitlab.com/fedora/bootc/tracker/-/issues/31 See also: https://github.com/containers/bootc/issues/673 --- group | 9 +++++++++ passwd | 6 ++++++ 2 files changed, 15 insertions(+) diff --git a/group b/group index 223ad8d0..590c027c 100644 --- a/group +++ b/group 
@@ -35,6 +35,15 @@ nobody:x:99: users:x:100: avahi-autoipd:x:170: systemd-journal:x:190: +systemd-journal-remote:x:791: +dnsmasq:x:792: +clevis:x:793: +gluster:x:794: +printadmin:x:795: +systemd-coredump:x:796: +render:x:797: +input:x:798: +unbound:x:799: openvswitch:x:800: hugetlbfs:x:801: dockerroot:x:986: diff --git a/passwd b/passwd index b410fb79..73b303b7 100644 --- a/passwd +++ b/passwd @@ -19,6 +19,12 @@ sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin +systemd-journal-remote:x:794:791:Journal Remote:/var/log/journal/remote:/sbin/nologin +dnsmasq:x:795:792:Dnsmasq DHCP and DNS server:/var/lib/dnsmasq:/usr/sbin/nologin +clevis:x:796:793:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/usr/sbin/nologin +gluster:x:797:794:GlusterFS daemons:/run/gluster:/sbin/nologin +systemd-coredump:x:798:796:systemd Core Dumper:/:/sbin/nologin +unbound:x:799:799:Unbound DNS resolver:/etc/unbound:/sbin/nologin openvswitch:x:800:800::/:/sbin/nologin chrony:x:994:992::/var/lib/chrony:/sbin/nologin sssd:x:995:993:User for sssd:/:/sbin/nologin
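Review bot: in the group hunk, `printadmin:x:795:`, `render:x:797:` and `input:x:798:` are added with no corresponding passwd entries, while 795, 797 and 798 are reused as UIDs for different accounts (dnsmasq, gluster, systemd-coredump) in the passwd hunk; that is presumably faithful to what the packages currently allocate, but the commit message should say explicitly that these three are group-only entries and that the numbers were copied from an existing build, so a later reader does not "fix" the apparent mismatch. Since the whole point of the change is that nothing else may ever land in 791-799, it is also worth adding a check (for example running `grpck -r` and `pwck -r` against the committed files in CI) so a future entry cannot silently collide with the now-pinned range.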
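Review bot: in the passwd hunk the UID and primary GID differ for five of the six new accounts (`systemd-journal-remote:x:794:791`, `dnsmasq:x:795:792`, `clevis:x:796:793`, `gluster:x:797:794`, `systemd-coredump:x:798:796`), which reads like a copy error at first glance; a one-line comment in the commit message explaining that UID and GID were allocated independently at package install time and are being pinned as found would save the next reviewer from trying to "correct" them. A smaller style point: the new lines mix `/sbin/nologin` and `/usr/sbin/nologin` as the shell (dnsmasq and clevis use the latter); on a merged-/usr system both resolve to the same binary, so keep the mixture only if it mirrors the packages' own useradd calls, otherwise normalize to the form the rest of the file uses.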