fail compose when new users / groups are created
Opened this issue · 1 comment
champtar commented
Describe the bug
When using check-passwd/group file it would be great to have an option to fail the build when new entries are found
Reproduction steps
part of my compose:
ignore-removed-users:
- root
ignore-removed-groups:
- root
check-passwd: { type: file, filename: passwd }
check-groups: { type: file, filename: group }
compose logs:
Ignored user missing from new passwd file: root
New passwd entries: pcp, systemd-oom
Ignored group missing from new group file: root
New group entries: pcp, sgx, systemd-oom
Expected behavior
Have a new option to make compose fail
Actual behavior
compose succeeds, leading to potential issues in the future
System details
Alma 9.3
# rpm -q rpm-ostree
rpm-ostree-2023.7-1.el9.x86_64
Additional information
No response
champtar commented
Related, in the past I think system users created during compose were created from 400 up, and on the host from 998 down; it might have changed with systemd-sysusers (or I'm hallucinating).
In any case, right now on my test machine I managed to have:
# cat /etc/passwd
...
systemd-oom:x:998:998:systemd Userspace OOM Killer:/:/usr/sbin/nologin
# cat /usr/lib/passwd
...
pcp:x:998:998:Performance Co-Pilot:/var/lib/pcp:/usr/sbin/nologin
systemd-oom:x:997:997:systemd Userspace OOM Killer:/:/usr/sbin/nologin
# id pcp
uid=998(systemd-oom) gid=998(systemd-oom) groups=998(systemd-oom)
(systemd-oom was missing in my passwd/group files, then I added the pcp rpm, which calls systemd-sysusers in %pre)
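The two problems in this thread (new entries that should fail the compose, and a UID reused by different names in /etc/passwd and /usr/lib/passwd) can both be caught by a small check over the two files. The following is an added example written for this page, not rpm-ostree's own check-passwd code; the passwd excerpts are constructed from the lines quoted above, and the `fail_on_new` flag stands in for the option the issue requests.

```python
from typing import Dict, List, Tuple

# Constructed sample data modelled on the /etc/passwd and /usr/lib/passwd
# excerpts quoted in the comment above (not real files from a build).
ETC_PASSWD = """root:x:0:0:root:/root:/bin/bash
systemd-oom:x:998:998:systemd Userspace OOM Killer:/:/usr/sbin/nologin
"""
USR_LIB_PASSWD = """pcp:x:998:998:Performance Co-Pilot:/var/lib/pcp:/usr/sbin/nologin
systemd-oom:x:997:997:systemd Userspace OOM Killer:/:/usr/sbin/nologin
"""


def parse_passwd(text: str) -> Dict[str, int]:
    """Map user name -> uid for each well-formed passwd(5) line."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip blank or malformed lines
        users[fields[0]] = int(fields[2])
    return users


def check_passwd(reference: Dict[str, int], generated: Dict[str, int],
                 ignore_removed: List[str], fail_on_new: bool = True
                 ) -> Tuple[List[str], List[str], bool]:
    """Compare the generated passwd against the reference file from the compose config.
    Returns (new_entries, removed_entries, ok). Removed users named in ignore_removed
    are dropped, like ignore-removed-users; with fail_on_new (the requested option),
    any new entry makes the check fail instead of only being logged."""
    new_entries = sorted(set(generated) - set(reference))
    removed = sorted(set(reference) - set(generated) - set(ignore_removed))
    ok = not removed and not (fail_on_new and new_entries)
    return new_entries, removed, ok


def uid_collisions(*files: Dict[str, int]) -> Dict[int, List[str]]:
    """Return uids that map to more than one name across the given files.
    Lookups consult /etc/passwd before /usr/lib/passwd, so the first name listed
    is the one `id` will report, as the `id pcp` output above shows."""
    by_uid: Dict[int, List[str]] = {}
    for users in files:
        for name, uid in users.items():
            names = by_uid.setdefault(uid, [])
            if name not in names:
                names.append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}
```

Running `uid_collisions(parse_passwd(ETC_PASSWD), parse_passwd(USR_LIB_PASSWD))` flags uid 998 as shared by systemd-oom and pcp, which is the shadowing the comment observed.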