Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

lint: Verify /etc/{,g}shadow #1179

Open
cgwalters opened this issue Mar 7, 2025 · 1 comment
Open

lint: Verify /etc/{,g}shadow #1179

cgwalters opened this issue Mar 7, 2025 · 1 comment
Labels
enhancement New feature or request triaged This looks like a valid issue

Comments

@cgwalters
Copy link
Collaborator

We had a case where ublue developers hit this:

Mar 07 17:23:41 localhost systemd-sysusers[1022]: /etc/gshadow: Group "plocate" already exists.

And that becomes pretty fatal as other sysusers don't get added.

Add a bootc lint that verifies that /etc/gshadow doesn't have broken entries; we have code that cleans this up in rpm-ostree somewhere in https://github.com/coreos/rpm-ostree/tree/main/rust/src/nameservice or maybe the postprocess.

(Really we should have bootc container finalize|commit)
@cgwalters cgwalters added area/container-lint Linting enhancement New feature or request triaged This looks like a valid issue labels Mar 7, 2025
@cgwalters
Copy link
Collaborator Author

To briefly followup on this, it's a super messy situation.

The problem in a nutshell was this scenario:

  • Going from an image that had users in /usr/lib/{passwd,group} aka nss-altfiles to one that didn't (because the first was run through https://github.com/hhd-dev/rechunk/ but the second wasn't)
  • But /etc/{,g}shadow persisted from the previous deployment, with shadow entries for that plocate group for example
  • systemd-sysusers chokes and dies on this
  • Then critical users like e.g. gdm weren't added, meaning gdm didn't start

So this isn't something we can fix at bootc container lint time. At least not without increasing its scope. I could imagine supporting something like this:

FROM quay.io/exampleos/new as new
RUN --mount=type=bind,from=new,target=/run/newimage bootc container lint --to=new

or so where we could do a static analysis and warn about this type of upgrade scenario. Really we're kind of beyond what linting is and this should be a distinct tool.

But, that said in the end, we should be robust to this type of thing.

  • First off, the shadow entries are just stubs and I really think systemd-sysusers should just allow the case where the shadow entry exists with ! for a password and that's going to be the new state too.
  • Failing that though, we could ship a systemd unit...well, I'm not sure where, but something that would run Before=systemd-sysusers.service (or again maybe in the initramfs) that detects this situation and does its best to fix it

This one is actually kind of yet another special case of the generic uid/gid drift problem (ref #673 ) that just doesn't fall cleanly into bootc's currently designed architectural domain, but neither does it anything else's (it's not systemd's problem, nor shadow-utils problem, nor glibc etc.). I'm not excited about making it bootc's domain, but it may be the most practical thing to do.

@cgwalters cgwalters removed the area/container-lint Linting label Mar 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request triaged This looks like a valid issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@cgwalters