coreos/rpm-ostree

rpm-ostree rebase ostree-unverified-registry does not include authselect changes

Closed this issue · 4 comments

Describe the bug

I created an OCI container using bazzite as the FROM. The main purpose of this container was to pre-include the LDAP setup into the container. authselect changes do not seem to be populated from the container; specifically, the sss entries that should exist in /etc/authselect/system-auth and, by symlink, /etc/pam.d/system-auth are not added to the system despite the fact that they are present within the container.

Reproduction steps

  1. Create an OCI image from a Containerfile with:

         FROM bazzite:latest
         RUN authselect select sssd with-mkhomedir && \
             ostree container commit

  2. build oci-container:

         podman build -t bazzite-custom .

  3. verify lines exist in container:

         podman run --rm -it bazzite-custom grep sss /etc/pam.d/system-auth

  4. push to registry
  5. ostree rebase ostree-unverified-registry:
  6. grep sss /etc/pam.d/system-auth

Expected behavior

Lines in rebased system match lines in container:

auth        sufficient                                   pam_sss.so forward_pass
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient                                   pam_sss.so use_authtok
session     optional                                     pam_sss.so

Actual behavior

/etc/pam.d/system-auth is unchanged and has no sssd support included

System details

root@bazzite-test:~# rpm-ostree --version
rpm-ostree:
Version: '2024.6'
Git: 1dda51b264eec8003eb6032f1f41844754ec163b
Features:
 - rust
 - compose
 - container
 - fedora-integration

root@bazzite-test:~# rpm-ostree status -b
State: idle
BootedDeployment:
● ostree-unverified-registry:registry.home.whitfieldclan.com/repository/images/bazzite-custom:latest
    Digest: sha256:d119613c0e0e24bbc74d4d94c00681270c53c6697730ace0a240a01a517e8589
    Version: 40.20240618.0 (2024-06-21T11:04:38Z)

Additional information

No response

I ran this also against a coreos / ucore server and the same problem exists.

I have been doing some document/source reading in order to figure this out. Since rpm-ostree will not update any /etc file which doesn't match the previous baseline version of the file, ucore and bazzite probably updated this file and therefore stopped changes from being pushed from base image updates.

I would like to move this out of bug state and instead pose a question (or possible lack of feature).

Is there a way to get an /etc file back to the correct state so that it will be updated by the base image?

There is /usr/etc which includes the /etc content that came from the image. You can copy the file from there to /etc/.

sudo ostree admin config-diff will show you all the files the user or system have modified, deleted or added. Those files will not automatically be updated when you upgrade; you could set up a script/service to copy from /usr/etc any of them you want to replace. If you decide to do something like that, be advised that any modifications to those files on /etc you replace will be gone forever, which can be a dangerous thing.
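
One way to script the copy-from-/usr/etc approach described in the reply above, as an added example that is not part of the original thread or of rpm-ostree itself. The helper name `sync_etc_default`, its status words and the `.pre-restore.` backup suffix are assumptions made for this example; `authselect/system-auth` is the file from this issue.

```shell
#!/bin/sh
# Added example, not from the issue thread: re-sync selected /etc files with
# the image defaults that rpm-ostree keeps under /usr/etc.
set -u

# sync_etc_default MODE DEFAULTS_ROOT ETC_ROOT RELPATH   (hypothetical helper)
#   check: report only.  apply: back up the local file, then replace it.
# Prints one word: same | drift | restored | missing-default
sync_etc_default() {
    _mode=$1 _src="$2/$4" _dst="$3/$4"
    case $_mode in
        check|apply) ;;
        *) echo "mode must be check or apply" >&2; return 2 ;;
    esac
    if [ ! -e "$_src" ]; then
        echo missing-default      # the image ships no default for this path
        return 0
    fi
    if [ -e "$_dst" ] && cmp -s "$_src" "$_dst"; then
        echo same
        return 0
    fi
    if [ "$_mode" = check ]; then
        echo drift                # local file differs from the image default
        return 0
    fi
    # Keep the local version: once replaced, local edits are otherwise gone.
    if [ -e "$_dst" ] || [ -L "$_dst" ]; then
        cp -a "$_dst" "$_dst.pre-restore.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    mkdir -p "$(dirname "$_dst")" || return 1
    # Copy next to the target, then rename, so the auth config is never
    # missing or half-written while PAM may be reading it.
    cp -a "$_src" "$_dst.new.$$" || return 1
    mv -f "$_dst.new.$$" "$_dst" || return 1
    echo restored
}

# Usage (as root on the host): sh sync-etc.sh check authselect/system-auth
if [ "$#" -ge 2 ]; then
    mode=$1; shift
    for rel in "$@"; do
        status=$(sync_etc_default "$mode" /usr/etc /etc "$rel") || exit 1
        printf '%s\t%s\n' "$status" "$rel"
    done
fi
```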

Thank you for the detailed answer. I am sorry it took so long for me to get back to you. This would be good information for the manual (assuming it isn't already there and I somehow overlooked it).

I am trying to use rpm-ostree as a replacement for NixOS. I have an image set up with all of my local network configuration needs so I can deploy it and have a computer instantly on the network and functioning. This has proved difficult with authselect. I am going to see if I can find out why it is locally changed to begin with and then perhaps find out if that can be removed from the ublue images.