RHEL-6209

The systemd-sysusers file triggers do not work when building container images


      Description of problem:

      When building container images and the package brings sysusers.d definitions, it'd be good if the transfiletriggerin scriptlet kicked in and worked, like it does when installing a package on a host. That would help in situations when the %sysusers_create_compat mechanism fails to work, for example see bug 2218209.

      Unlike in Fedora (https://src.fedoraproject.org/rpms/systemd/blob/rawhide/f/triggers.systemd) and upstream (https://github.com/systemd/systemd/blob/5d97475b270ed7651e1610e908c23ef65b62bbc4/src/rpm/triggers.systemd.sh.in), CentOS Stream (https://gitlab.com/redhat/centos-stream/rpms/systemd/-/blob/c9s/triggers.systemd) wraps the invocation of systemd-sysusers with the

      if test -d "/run/systemd/system"; then
      %{_bindir}/systemd-sysusers || :
      fi

      check. When building a container image, that directory does not exist because systemd is not running.

      Version-Release number of selected component (if applicable):

      systemd-252-15.el9.x86_64

      How reproducible:

      Deterministic.

      Steps to Reproduce:
      1. On host, install 389-ds-base which has the bug 2218209 problem:
         # dnf install -y 389-ds-base
      2. # grep dirsrv /etc/passwd
      3. Try the same in container:
         $ podman run --rm quay.io/centos/centos:stream9 bash -c 'dnf install -y 389-ds-base && grep dirsrv /etc/passwd'

      Actual results:

      On the host:

      [...]

      Installing : 389-ds-base-2.3.4-2.el9.x86_64 2/2
      Running scriptlet: 389-ds-base-2.3.4-2.el9.x86_64 2/2
      useradd: invalid user ID '389:389'

      Creating user 'dirsrv' (user for 389-ds-base) with UID 389 and GID 389.

      Verifying : 389-ds-base-2.3.4-2.el9.x86_64 1/2

      [...]

      dirsrv:x:389:389:user for 389-ds-base:/usr/share/dirsrv:/sbin/nologin

      In container:

      Installing : python3-lib389-2.3.4-2.el9.noarch 149/151
      Installing : 389-ds-base-2.3.4-2.el9.x86_64 150/151
      Running scriptlet: 389-ds-base-2.3.4-2.el9.x86_64 150/151
      useradd: invalid user ID '389:389'

      Installing : rpm-plugin-selinux-4.16.1.3-23.el9.x86_64 151/151
      Running scriptlet: nss-3.79.0-18.el9.x86_64 151/151
      Running scriptlet: selinux-policy-targeted-38.1.15-1.el9.noarch 151/151

      and the grep does not find the line in /etc/passwd.

      Expected results:

      I'd expect, even in the container case, the

      Creating user 'dirsrv' (user for 389-ds-base) with UID 389 and GID 389.

      line to be shown, indicating that the systemd-sysusers trigger got invoked and run. It is possible to force that to happen with

      podman run --rm quay.io/centos/centos:stream9 bash -c 'mkdir -p /run/systemd/system && dnf install -y 389-ds-base && grep dirsrv /etc/passwd'

      but it is a workaround and it also enables other triggers like sysctl that are likely correctly disabled in containers.

      Additional info:

            systemd-maint systemd maint mailing list
            rhn-engineering-jpazdziora Jan Pazdziora
            systemd maint mailing list systemd maint mailing list
            Frantisek Sumsal Frantisek Sumsal
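
A check for the failure mode described in this report, as an added example that is not part of the original issue: it tests the `/run/systemd/system` gate and lists `u` entries from sysusers.d that have no account in `/etc/passwd` under a given image root. The function names and the sample root (including the sysusers.d line) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an image root for sysusers.d users missing from passwd.

# Same condition as the gate quoted in the report: the trigger only calls
# systemd-sysusers when this directory exists under the root being checked.
sysusers_trigger_enabled() {
    test -d "$1/run/systemd/system"
}

# Print the name of every 'u' entry in sysusers.d under root $1 that has no
# matching account in $1/etc/passwd. Prints nothing when all accounts exist.
missing_sysusers() (
    root=$1
    for f in "$root"/usr/lib/sysusers.d/*.conf "$root"/etc/sysusers.d/*.conf; do
        [ -f "$f" ] || continue
        while read -r type name rest || [ -n "$type" ]; do
            case $type in
                u) ;;               # user entry (also implies a same-named group)
                *) continue ;;      # comments, blank lines, g/m/r entries
            esac
            cut -d: -f1 "$root/etc/passwd" 2>/dev/null | grep -Fxq -- "$name" \
                || printf '%s\n' "$name"
        done < "$f"
    done | sort -u
)

# Constructed sample root: one declared user, absent from passwd, and no
# /run/systemd/system, which is the container-build situation in the report.
make_sample_root() (
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/sysusers.d" "$root/etc"
    printf '%s\n' '# constructed sample entry' \
        'u dirsrv 389:389 "user for 389-ds-base" /usr/share/dirsrv /sbin/nologin' \
        > "$root/usr/lib/sysusers.d/389-ds-base.conf"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' > "$root/etc/passwd"
    printf '%s\n' "$root"
)

# Demo on the constructed root; pass a real image root to the functions instead.
demo_root=$(make_sample_root)
sysusers_trigger_enabled "$demo_root" || echo "trigger gate closed: no /run/systemd/system"
missing_sysusers "$demo_root" | sed 's/^/missing account: /'
rm -rf "$demo_root"
```

Run against a mounted or unpacked image root as a build-time gate, so a missing service account fails the build instead of surfacing at runtime.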