bootc-base-imagectl: add --nobody-99 for use with --sysusers

The `nobody` user/group is special and can't be driven from a sysusers dropin because Fedora's systemd has a compiled-in default value for naming the overflow user that same name and that always takes precedence. The problem is that due to legacy and cargo-culting, we have to deal with a bunch of systems with the `nobody` user set to 99:99 that we can't just ignore. We need to migrate those, but for now at least to make `--sysusers` usable in these environments, let's add a new hidden `--nobody-99` option which defines _only_ that entry in the hardcoded passwd/group. This _is_ respected by systemd-sysusers. See also: https://github.com/coreos/fedora-coreos-tracker/issues/1201 See also: https://github.com/systemd/systemd/issues/7717
2025-07-15 14:32:23 -04:00 · 2025-07-15 14:32:23 -04:00 · 4eb52e5483
commit 4eb52e5483
parent f70cc9d7b0
7 changed files with 37 additions and 8 deletions
--- a/5
+++ b/5
@ -50,8 +50,8 @@ def run_build_rootfs(args):
        override_manifest['documentation'] = False
    if args.sysusers:
        override_manifest['sysusers'] = 'compose-forced'
-        override_manifest['check-passwd'] = {'type': 'none'}
-        override_manifest['check-groups'] = {'type': 'none'}
+        passwd_mode = 'nobody' if args.nobody_99 else 'none'
+        override_manifest['variables'] = {'passwd_mode': passwd_mode}

    tmp_manifest = None
    if override_manifest:
@ -153,6 +153,7 @@ if __name__ == "__main__":
    build_rootfs.add_argument("--add-dir", help='Copy dir contents into the target', action='append', default=[], metavar='DIR')
    build_rootfs.add_argument("--no-docs", help="Don't install documentation", action='store_true')
    build_rootfs.add_argument("--sysusers", help="Run systemd-sysusers instead of injecting hardcoded passwd/group entries", action='store_true')
+    build_rootfs.add_argument("--nobody-99", help=argparse.SUPPRESS, action='store_true')
    build_rootfs.add_argument("source_root", help="Path to the source root directory used for dnf configuration (default=/)", nargs='?', default='/')
    build_rootfs.add_argument("target", help="Path to the target root directory that will be generated.")
    build_rootfs.set_defaults(func=run_build_rootfs)
--- a/minimal/check-passwd-nobody.yaml
+++ b/minimal/check-passwd-nobody.yaml
@ -0,0 +1,6 @@
+check-passwd:
+  type: "file"
+  filename: "passwd-nobody"
+check-groups:
+  type: "file"
+  filename: "group-nobody"
--- a/minimal/check-passwd.yaml
+++ b/minimal/check-passwd.yaml
@ -0,0 +1,6 @@
+check-passwd:
+  type: "file"
+  filename: "passwd"
+check-groups:
+  type: "file"
+  filename: "group"
--- a/minimal/group-nobody
+++ b/minimal/group-nobody
@ -0,0 +1,4 @@
+# this is used with the --nobody-99 option for backwards compatibility with
+# systems that had nobody set to 99
+nobody:x:99:
+nfsnobody:x:65534:
--- a/minimal/manifest.yaml
+++ b/minimal/manifest.yaml
@ -3,6 +3,9 @@ metadata:

 edition: "2024"

+variables:
+  passwd_mode: full
+
 # Be minimal
 recommends: false

--- a/minimal/passwd-nobody
+++ b/minimal/passwd-nobody
@ -0,0 +1,4 @@
+# this is used with the --nobody-99 option for backwards compatibility with
+# systems that had nobody set to 99
+nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
+nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin
--- a/minimal/postprocess-conf.yaml
+++ b/minimal/postprocess-conf.yaml
@ -24,9 +24,14 @@ etc-group-members:
  - tss # https://issues.redhat.com/browse/BIFROST-618
  - adm

-check-passwd:
-  type: "file"
-  filename: "passwd"
-check-groups:
-  type: "file"
-  filename: "group"
+conditional-include:
+  - if: passwd_mode == "full"
+    include: check-passwd.yaml
+  - if: passwd_mode == "nobody"
+    include: check-passwd-nobody.yaml
+  - if: passwd_mode == "none"
+    include:
+      check-passwd:
+        type: "none"
+      check-groups:
+        type: "none"