RHEL-115278

Base image prevents installing packages creating users


    • Bug
    • Resolution: Unresolved
    • rhel-10.0
    • rhel-bootc-container
    • Low
    • rhel-image-mode
    • Bootc Sprint #19

      What were you trying to do that didn't work?

      A customer is trying to install the qemu-kvm-common package in the bootc base image for RHEL10.0. Installation of the package fails in the RPM scriptlet when it tries to add the user "qemu":

      [...]
      getent group kvm >/dev/null || groupadd -g 36 -r kvm
      getent group qemu >/dev/null || groupadd -g 107 -r qemu
      getent passwd qemu >/dev/null || \
      useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
        -c "qemu user" qemu
      

      Failure:

      useradd: group 'kvm' does not exist
      warning: %post(qemu-kvm-common-18:9.1.0-15.el10_0.3.x86_64) scriptlet failed, exit status 6
      
      Error in POSTIN scriptlet in rpm package qemu-kvm-common
      

      Root cause:
      getent group kvm returns 0 because the "kvm" group exists in the nss-altfiles managed /usr/lib/group file, but not as a "local" group (a group in /etc/group), causing useradd -G kvm ... to fail.
      It's unclear to me what populated /usr/lib/group in the base image; it already contains many groups, including "kvm", but for sure it's not part of the nss-altfiles package.

      What is the impact of this issue to you?

      Customers cannot properly install packages that create users based on potentially non-existing groups

      Please provide the package NVR for which the bug is seen:

      nss-altfiles-2.23.0-5.el10.x86_64
      shadow-utils-4.15.0-5.el10.x86_64

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Install a container based on RHEL10 latest bootc image
        $ echo "FROM registry.redhat.io/rhel10/rhel-bootc:latest" > bootc-mini
        $ podman build -f bootc-mini -t docker.io/mini
        
      2. Spawn a shell in the container
        $ podman run -it --rm --name repro docker.io/mini /bin/bash
        bash-5.2# 
        
      3. Verify that "kvm" group exists and try to create a "qemu" user in that supplementary group
        bash-5.2# getent group kvm
        kvm:x:36:
        bash-5.2# grep kvm /etc/group /usr/lib/group
        /usr/lib/group:kvm:x:36:
        
        bash-5.2# useradd -G kvm qemu
        useradd: group 'kvm' does not exist
        

      Expected results

      User being created.

      Actual results

      Failure because "kvm" is not in /etc/group

      Additional information

      This issue shows up because of 3 conditions:

      1. nss-altfiles package is part of the base image
      2. /usr/lib/group got populated when the base image got built
      3. /etc/nsswitch.conf contains "altfiles" provider, because authselect profile was applied with with-altfiles feature
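
The following check is an added example, not part of the original report or of any Red Hat tooling. It separates groups that `useradd -G` accepts from groups that only `getent` can see through altfiles, and tests for the nsswitch.conf condition listed above. The function names are hypothetical; the default paths are the ones named in the report.

```shell
#!/bin/sh
# Paths default to the files named in the report; pass other paths to inspect
# an unpacked image. Function names are illustrative, not from any package.

has_group() {  # has_group NAME FILE
    [ -r "$2" ] && awk -F: -v g="$1" '$1 == g { f = 1 } END { exit !f }' "$2"
}

# local         - in /etc/group, so "useradd -G" accepts it
# altfiles-only - only in /usr/lib/group: getent succeeds, "useradd -G" fails
# missing       - in neither file
classify_group() {  # classify_group NAME [ETC_GROUP] [LIB_GROUP]
    etc=${2:-/etc/group}; lib=${3:-/usr/lib/group}
    if has_group "$1" "$etc"; then echo local
    elif has_group "$1" "$lib"; then echo altfiles-only
    else echo missing
    fi
}

# Print every group that exists only in the altfiles database.
altfiles_only_groups() {  # altfiles_only_groups [ETC_GROUP] [LIB_GROUP]
    etc=${1:-/etc/group}; lib=${2:-/usr/lib/group}
    [ -r "$lib" ] || return 0          # no altfiles database, nothing to list
    [ -r "$etc" ] || etc=/dev/null
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             $1 != "" && $1 !~ /^#/ && !($1 in seen) { print $1 }' "$etc" "$lib"
}

# True when the "group:" line of nsswitch.conf lists the altfiles provider.
altfiles_enabled() {  # altfiles_enabled [NSSWITCH_CONF]
    awk '$1 == "group:" { for (i = 2; i <= NF; i++) if ($i == "altfiles") ok = 1 }
         END { exit !ok }' "${1:-/etc/nsswitch.conf}"
}

# Stand-alone use: classify each group name given on the command line.
for g in "$@"; do
    printf '%s: %s\n' "$g" "$(classify_group "$g")"
done
```

Run inside the image with the supplementary groups a scriptlet expects, for example `kvm qemu`; any `altfiles-only` result marks a group on which `useradd -G` will fail as shown in the reproduction steps.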

              rhn-support-rmetrich Renaud Métrich
              Colin Walters
              Wei Shi
              Gabriela Necasova