Use sysusers only at compose-time for container-native path

jlebon · jlebon · commit 46641da6000e · 2025-10-06T15:37:33.000-04:00
fedora-bootc today defines its own passwd/group files which were originally based on the Fedora CoreOS ones (which in turn came from Fedora Atomic). The main problem with that is that we have our own passwd/group files which we want to be able to use. There is no interface for passing this to bootc-base-imagectl and it would be awkward to add one. Hence the `PASSWD_GROUP_DIR` hack. More recently, `bootc-base-imagectl` learned a new `--sysusers` option in which we can opt-out of the centralized passwd/group file and have full control over UID allocation via sysusers dropins. Use it. Also use the hidden `--nobody-99` option for backwards compatibility. All the entries in our passwd/group files are already present in our sysusers dropins, so this is in fact functionally equivalent. Notably this does not change anything about nss-altfiles. The entries in `/usr/lib/{passwd,group}` remain the exact same. This allows us to stop using the `PASSWD_GROUP_DIR` hack for FCOS at least. For RHCOS, we'll have to keep it for RHEL 9.6. But because buildah prints a warning if a build arg is undefined, set the default value to "none". Note this does not affect the legacy cosa build path. The in-tree passwd/group files are still used there. For more information, see: - coreos/rpm-ostree#5427 - https://gitlab.com/fedora/bootc/base-images/-/merge_requests/242 - https://gitlab.com/fedora/bootc/base-images/-/merge_requests/243
diff --git a/Containerfile b/Containerfile
@@ -21,7 +21,7 @@ FROM ${BUILDER_IMG} as builder
 ARG VERSION=overridden
 ARG MANIFEST=overridden
 # XXX: see inject_passwd_group() in build-rootfs
-ARG PASSWD_GROUP_DIR
+ARG PASSWD_GROUP_DIR=none
 ARG STRICT_MODE=0
 
 COPY . /src
diff --git a/build-rootfs b/build-rootfs
@@ -112,8 +112,8 @@ def inject_yumrepos():
 
 
 def build_rootfs(target_rootfs, manifest_path, packages, locked_nevras, overlays, repos, nodocs):
-    passwd_group_dir = os.getenv('PASSWD_GROUP_DIR')
-    if passwd_group_dir is not None:
+    passwd_group_dir = os.getenv('PASSWD_GROUP_DIR', 'none')
+    if passwd_group_dir != 'none':
         inject_passwd_group(os.path.join(SRCDIR, passwd_group_dir))
     with tempfile.NamedTemporaryFile(mode='w') as argsfile:
         for pkg in packages:
@@ -130,6 +130,9 @@ def build_rootfs(target_rootfs, manifest_path, packages, locked_nevras, overlays
         if locked_nevras and lock_arg_supported():
             for locked_nevra in locked_nevras:
                 argsfile.write(f"--lock={locked_nevra}\n")
+        if passwd_group_dir == 'none':
+            argsfile.write("--sysusers\n")
+            argsfile.write("--nobody-99\n")
         argsfile.flush()
         cache_arg = []
         if os.path.isdir('/cache') and rpm_ostree_has_cachedir_fix():
diff --git a/manifests/group b/manifests/group
@@ -1,3 +1,6 @@
+# Note this file is used by the non-container native path only. We can remove it
+# once we've fully switched over.
+
 root:x:0:
 bin:x:1:
 daemon:x:2:
diff --git a/manifests/passwd b/manifests/passwd
@@ -1,3 +1,6 @@
+# Note this file is used by the non-container native path only. We can remove it
+# once we've fully switched over.
+
 adm:x:3:4:adm:/var/adm:/usr/sbin/nologin
 avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/usr/sbin/nologin
 bin:x:1:1:bin:/bin:/usr/sbin/nologin
