tests: add test for --sysusers

Exercise the `--sysusers` path added in
https://gitlab.com/fedora/bootc/base-images/-/merge_requests/242.

.gitlab-ci.yml

@@ -44,3 +44,4 @@ standard-build-and-test:
     (cd tests/rootfs && buildah build -t localhost/test --from localhost/fedora-bootc)
     cd tests
     buildah build -f Containerfile.test-derive --no-cache -t localhost/fedora-bootc-derived ${PRIV_ARGS} .
+    buildah build -f Containerfile.test-sysusers --no-cache -t localhost/fedora-bootc-derived ${PRIV_ARGS} .

tests/Containerfile.test-sysusers

@@ -0,0 +1,39 @@
+# This test case exercises --sysusers.
+FROM quay.io/fedora/fedora-bootc:rawhide as repos
+
+# This is intentionally a locally built image
+FROM localhost/fedora-bootc as builder
+RUN --mount=type=bind,from=repos,src=/,dst=/repos,rw <<EORUN
+mkdir -p overlay/usr/lib/sysusers.d
+cat > overlay/usr/lib/sysusers.d/00-chrony.conf <<EOF
+g chrony 888
+u chrony 888:888 - - -
+EOF
+/usr/libexec/bootc-base-imagectl build-rootfs --manifest=standard/manifest /repos /target-rootfs --sysusers --add-dir overlay
+EORUN
+
+# This pulls in the rootfs generated in the previous step
+FROM scratch
+COPY --from=builder /target-rootfs/ /
+RUN <<EORUN
+set -xeuo pipefail
+. /usr/lib/os-release
+test "$ID" = fedora
+
+# Sanity-check sysusers application
+getent group chrony | grep :888:
+getent passwd chrony | grep :888:888:
+
+# Verify nobody is the modern default
+getent passwd nobody | grep :65534:65534:
+
+# Cleanup and lint
+rm -rf /var/log /var/cache/* /var/lib/dnf
+bootc container lint
+EORUN
+LABEL containers.bootc 1
+ENV container=oci
+STOPSIGNAL SIGRTMIN+3
+CMD ["/sbin/init"]
+
+