Bug
Resolution: Unresolved
Description of problem:
When building container images and the package brings sysusers.d definitions, it'd be good if the transfiletriggerin scriptlet kicked in and worked, like it does when installing a package on a host. That would help in situations when the %sysusers_create_compat mechanism fails to work, for example see bug 2218209.
Unlike in Fedora (https://src.fedoraproject.org/rpms/systemd/blob/rawhide/f/triggers.systemd) and upstream (https://github.com/systemd/systemd/blob/5d97475b270ed7651e1610e908c23ef65b62bbc4/src/rpm/triggers.systemd.sh.in), CentOS Stream (https://gitlab.com/redhat/centos-stream/rpms/systemd/-/blob/c9s/triggers.systemd) wraps the invocation of systemd-sysusers with the
if test -d "/run/systemd/system"; then
%{_bindir}/systemd-sysusers || :
fi
check. When building a container image, that directory does not exist because systemd is not running.
Version-Release number of selected component (if applicable):
systemd-252-15.el9.x86_64
How reproducible:
Deterministic.
Steps to Reproduce:
1. On host, install 389-ds-base which has the bug 2218209 problem:
- dnf install -y 389-ds-base
2. # grep dirsrv /etc/passwd
3. Try the same in container:
$ podman run --rm quay.io/centos/centos:stream9 bash -c 'dnf install -y 389-ds-base && grep dirsrv /etc/passwd'
Actual results:
On the host:
[...]
Installing : 389-ds-base-2.3.4-2.el9.x86_64 2/2
Running scriptlet: 389-ds-base-2.3.4-2.el9.x86_64 2/2
useradd: invalid user ID '389:389'
Creating user 'dirsrv' (user for 389-ds-base) with UID 389 and GID 389.
Verifying : 389-ds-base-2.3.4-2.el9.x86_64 1/2
[...]
dirsrv:x:389:389:user for 389-ds-base:/usr/share/dirsrv:/sbin/nologin
In container:
Installing : python3-lib389-2.3.4-2.el9.noarch 149/151
Installing : 389-ds-base-2.3.4-2.el9.x86_64 150/151
Running scriptlet: 389-ds-base-2.3.4-2.el9.x86_64 150/151
useradd: invalid user ID '389:389'
Installing : rpm-plugin-selinux-4.16.1.3-23.el9.x86_64 151/151
Running scriptlet: nss-3.79.0-18.el9.x86_64 151/151
Running scriptlet: selinux-policy-targeted-38.1.15-1.el9.noarch 151/151
and the grep does not find the line in /etc/passwd.
Expected results:
I'd expect even in the container case that
Creating user 'dirsrv' (user for 389-ds-base) with UID 389 and GID 389.
line to be shown, indicating that the systemd-sysusers trigger got invoked and run. It is possible to force that to happen with
podman run --rm quay.io/centos/centos:stream9 bash -c 'mkdir -p /run/systemd/system && dnf install -y 389-ds-base && grep dirsrv /etc/passwd'
but it is a workaround and it also enables other triggers like sysctl that are likely correctly disabled in containers.
Additional info:
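A build-time check for the failure described in this report, as an added example that is not part of the original report or of any package: it lists users declared in sysusers.d fragments that are absent from a passwd file. The function name `missing_sysusers` and the fixture files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed fixtures; only 'u' / 'u!' (user) lines are
# checked, groups and memberships are ignored.

# missing_sysusers SYSUSERS_DIR PASSWD_FILE
# Prints each declared user absent from PASSWD_FILE; returns 1 if any.
missing_sysusers() {
    dir=$1; passwd=$2; rc=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # sysusers.d user line: u NAME ID "GECOS" HOME SHELL
        for name in $(awk '$1 == "u" || $1 == "u!" { print $2 }' "$f"); do
            if ! awk -F: -v n="$name" \
                '$1 == n { found = 1 } END { exit !found }' "$passwd"; then
                echo "$name"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Constructed sample data modelled on the output quoted in the report.
fixture=$(mktemp -d)
mkdir -p "$fixture/sysusers.d"
cat > "$fixture/sysusers.d/389-ds-base.conf" <<'EOF'
# constructed fragment, not copied from the package
u dirsrv 389:389 "user for 389-ds-base" /usr/share/dirsrv /sbin/nologin
EOF
cat > "$fixture/sysusers.d/basic.conf" <<'EOF'
g wheel 10
u root 0 "Super User" /root /bin/bash
EOF
echo 'root:x:0:0:root:/root:/bin/bash' > "$fixture/passwd.container"
cp "$fixture/passwd.container" "$fixture/passwd.host"
echo 'dirsrv:x:389:389:user for 389-ds-base:/usr/share/dirsrv:/sbin/nologin' \
    >> "$fixture/passwd.host"

# Container case from the report: the declared user was never created.
if ! missing_sysusers "$fixture/sysusers.d" "$fixture/passwd.container"; then
    echo "sysusers.d entries above are missing from passwd" >&2
fi
```

In an image build, calling `missing_sysusers /usr/lib/sysusers.d /etc/passwd` as the last step makes the build fail when a service account was silently skipped.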