bootc-base-imagectl: add --nobody-99 for use with --sysusers

The `nobody` user/group is special and can't be driven from a sysusers dropin because Fedora's systemd has a compiled-in default value for naming the overflow user that same name and that always takes precedence. The problem is that due to legacy and cargo-culting, we have to deal with a bunch of systems with the `nobody` user set to 99:99 that we can't just ignore. We need to migrate those, but for now at least to make `--sysusers` usable in these environments, let's add a new hidden `--nobody-99` option which defines _only_ that entry in the hardcoded passwd/group. This _is_ respected by systemd-sysusers. See also: https://github.com/coreos/fedora-coreos-tracker/issues/1201 See also: https://github.com/systemd/systemd/issues/7717
2025-07-15 14:32:23 -04:00 · 2025-07-15 14:32:23 -04:00 · 4eb52e5483
commit 4eb52e5483
parent f70cc9d7b0
7 changed files with 37 additions and 8 deletions
--- a/minimal/check-passwd-nobody.yaml
+++ b/minimal/check-passwd-nobody.yaml
@ -0,0 +1,6 @@
+check-passwd:
+  type: "file"
+  filename: "passwd-nobody"
+check-groups:
+  type: "file"
+  filename: "group-nobody"
--- a/minimal/check-passwd.yaml
+++ b/minimal/check-passwd.yaml
@ -0,0 +1,6 @@
+check-passwd:
+  type: "file"
+  filename: "passwd"
+check-groups:
+  type: "file"
+  filename: "group"
--- a/minimal/group-nobody
+++ b/minimal/group-nobody
@ -0,0 +1,4 @@
+# this is used with the --nobody-99 option for backwards compatibility with
+# systems that had nobody set to 99
+nobody:x:99:
+nfsnobody:x:65534:
--- a/minimal/manifest.yaml
+++ b/minimal/manifest.yaml
@ -3,6 +3,9 @@ metadata:

 edition: "2024"

+variables:
+  passwd_mode: full
+
 # Be minimal
 recommends: false

--- a/minimal/passwd-nobody
+++ b/minimal/passwd-nobody
@ -0,0 +1,4 @@
+# this is used with the --nobody-99 option for backwards compatibility with
+# systems that had nobody set to 99
+nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
+nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin
--- a/minimal/postprocess-conf.yaml
+++ b/minimal/postprocess-conf.yaml
@ -24,9 +24,14 @@ etc-group-members:
  - tss # https://issues.redhat.com/browse/BIFROST-618
  - adm

-check-passwd:
-  type: "file"
-  filename: "passwd"
-check-groups:
-  type: "file"
-  filename: "group"
+conditional-include:
+  - if: passwd_mode == "full"
+    include: check-passwd.yaml
+  - if: passwd_mode == "nobody"
+    include: check-passwd-nobody.yaml
+  - if: passwd_mode == "none"
+    include:
+      check-passwd:
+        type: "none"
+      check-groups:
+        type: "none"