coreos/rpm-ostree

fail compose when new users / groups are created

Opened this issue · 1 comment

Describe the bug

When using check-passwd/group with a reference file, it would be great to have an option to fail the build when new entries are found.

Reproduction steps

part of my compose:

ignore-removed-users:
  - root
ignore-removed-groups:
  - root
check-passwd: { type: file, filename: passwd }
check-groups: { type: file, filename: group }

compose logs:

Ignored user missing from new passwd file: root
New passwd entries: pcp, systemd-oom
Ignored group missing from new group file: root
New group entries: pcp, sgx, systemd-oom

Expected behavior

Have a new option to make compose fail

Actual behavior

compose succeeds, leading to potential issues in the future

System details

Alma 9.3

# rpm -q rpm-ostree
rpm-ostree-2023.7-1.el9.x86_64

Related: in the past I think system users created during compose were created from 400 up, and on the host from 998 down; it might have changed with systemd-sysusers (or I'm hallucinating).

In any case, right now on my test machine I managed to get:

# cat /etc/passwd
...
systemd-oom:x:998:998:systemd Userspace OOM Killer:/:/usr/sbin/nologin

# cat /usr/lib/passwd
...
pcp:x:998:998:Performance Co-Pilot:/var/lib/pcp:/usr/sbin/nologin
systemd-oom:x:997:997:systemd Userspace OOM Killer:/:/usr/sbin/nologin

# id pcp
uid=998(systemd-oom) gid=998(systemd-oom) groups=998(systemd-oom)

(systemd-oom was missing from my passwd/group files; then I added the pcp rpm, which calls systemd-sysusers in %pre)
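A build-time gate of the kind the issue asks for, as an added example that is not rpm-ostree's own code: it redoes the check-passwd/check-groups file comparison with the issue's log wording, returns a failing status when new entries appear, and adds the host-vs-image numeric-id collision check behind the comment's `id pcp` output. Function names and the sample passwd/group lines are assumptions constructed for the example.

```python
def parse_entries(text):
    """Map name -> numeric id (third field) for passwd- or group-format lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            raise ValueError(f"malformed entry: {line!r}")
        entries[fields[0]] = int(fields[2])
    return entries

def check_file(noun, kind, reference, composed, ignore_removed=()):
    """Diff reference vs composed; noun/kind are ("user", "passwd") or ("group", "group")."""
    ref, new = parse_entries(reference), parse_entries(composed)
    msgs, added, removed = [], sorted(set(new) - set(ref)), []
    for name in sorted(set(ref) - set(new)):
        if name in ignore_removed:   # mirrors ignore-removed-users / -groups
            msgs.append(f"Ignored {noun} missing from new {kind} file: {name}")
        else:
            removed.append(name)
    if added:
        msgs.append(f"New {kind} entries: {', '.join(added)}")
    return msgs, added, removed

def id_collisions(host_text, image_text):
    """Numeric ids claimed by different names across host and image files."""
    owners = {}
    for source in (host_text, image_text):
        for name, num in parse_entries(source).items():
            owners.setdefault(num, set()).add(name)
    return {num: sorted(names) for num, names in owners.items() if len(names) > 1}

def gate(reference, composed, ignore_removed=("root",), fail_on_new=True):
    """Exit status for the compose: 0 to proceed, 1 to fail the build."""
    msgs, added, removed = check_file("user", "passwd", reference, composed, ignore_removed)
    print("\n".join(msgs))
    return 1 if removed or (added and fail_on_new) else 0

# Constructed sample data modelled on the issue's log and the comment's cat output.
REFERENCE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/usr/sbin/nologin\n"
COMPOSED_PASSWD = ("bin:x:1:1:bin:/bin:/usr/sbin/nologin\n"
                   "pcp:x:998:998:Performance Co-Pilot:/var/lib/pcp:/usr/sbin/nologin\n"
                   "systemd-oom:x:997:997:systemd Userspace OOM Killer:/:/usr/sbin/nologin\n")
HOST_ETC_PASSWD = "systemd-oom:x:998:998:systemd Userspace OOM Killer:/:/usr/sbin/nologin\n"
if __name__ == "__main__":
    print("colliding ids:", id_collisions(HOST_ETC_PASSWD, COMPOSED_PASSWD))
    raise SystemExit(gate(REFERENCE_PASSWD, COMPOSED_PASSWD))
```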