User and group handling is a very messy topic and the split RHCOS effort
runs right into some of the intricacies.
In the layered node image model, a bunch of packages that previously
were part of the base compose are now layered in a separate build step.
Some of those packages also want to bring their own users/groups, such
as `openvswitch`, `containers`, and `unbound`.
Because they're no longer part of the base compose, the way UIDs and
GIDs are allocated to dynamic system users changes, possibly shifting
the IDs of multiple system users.
Even for system users that don't actually have e.g. data in `/var`, we
pretty much have to reserve the IDs they historically had so as to
not create a "hole" in the range that could be filled by something which
_does_ have data.
This issue is in fact relevant even without the split RHCOS effort. Any
system user dropped (or e.g. package that switches to `DynamicUser`)
from the base compose can also create a hole, causing drift to occur for
other system users.
Anyway, this is obviously not a great position to be in, but we
can't really have IDs drifting on client systems. So just pin all the
currently dynamically allocated entries.
Cross fingers on `DynamicUser` and systemd sysusers to save us before we
run out of IDs...
See also: coreos/fedora-coreos-tracker#155
See also: https://gitlab.com/fedora/bootc/tracker/-/issues/31
See also: bootc-dev/bootc#673
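
The drift and hole-filling described in the commit message above can be checked for by comparing the passwd files of two image builds. This is an added example, not part of the commit or the project's own code; the sample passwd entries, their UID values and the `SYS_UID_MAX` of 999 are constructed assumptions.

```python
# Added example: detect UID drift and UID reuse between two /etc/passwd snapshots.
# The sample passwd contents below are constructed for illustration.
SYS_UID_MAX = 999  # assumption: common default from /etc/login.defs

def parse_passwd(text):
    """Return {name: uid} for system accounts (0 < uid <= SYS_UID_MAX)."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # blank, comment or malformed entry
        name, uid = fields[0], int(fields[2])
        if 0 < uid <= SYS_UID_MAX:
            users[name] = uid
    return users

def find_drift(old, new):
    """Compare two {name: uid} maps.

    drifted: users present in both builds whose UID changed.
    reused:  UIDs that now belong to a different user than before,
             i.e. a hole that got filled; files on disk owned by that
             UID would silently change owner.
    """
    drifted = {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}
    old_by_uid = {uid: n for n, uid in old.items()}
    reused = {uid: (old_by_uid[uid], n) for n, uid in new.items()
              if uid in old_by_uid and old_by_uid[uid] != n}
    return drifted, reused

# Constructed sample: 'unbound' leaves the base compose, so the remaining
# dynamic allocations (handed out from SYS_UID_MAX downward) each shift by one.
OLD = """root:x:0:0:root:/root:/bin/bash
unbound:x:999:999::/var/lib/unbound:/sbin/nologin
openvswitch:x:998:998::/:/sbin/nologin
containers:x:997:997::/:/sbin/nologin
"""
NEW = """root:x:0:0:root:/root:/bin/bash
openvswitch:x:999:999::/:/sbin/nologin
containers:x:998:998::/:/sbin/nologin
"""

if __name__ == "__main__":
    drifted, reused = find_drift(parse_passwd(OLD), parse_passwd(NEW))
    for name, (a, b) in sorted(drifted.items()):
        print(f"DRIFT  {name}: {a} -> {b}")
    for uid, (was, now) in sorted(reused.items()):
        print(f"REUSE  uid {uid}: was {was}, now {now}")
```

The same comparison applies to `/etc/group` by reading the GID from the third field and relaxing the field-count check to four.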