The `nobody` user/group is special and can't be driven from a sysusers dropin because Fedora's systemd has a compiled-in default value for naming the overflow user that same name and that always takes precedence.

The problem is that due to legacy and cargo-culting, we have to deal with a bunch of systems with the `nobody` user set to 99:99 that we can't just ignore.

We need to migrate those, but for now at least to make `--sysusers` usable in these environments, let's add a new hidden `--nobody-99` option which defines _only_ that entry in the hardcoded passwd/group. This _is_ respected by systemd-sysusers.

See also: https://github.com/coreos/fedora-coreos-tracker/issues/1201
See also: https://github.com/systemd/systemd/issues/7717
37 lines
987 B
YAML
```yaml
# This file configures things relevant to `rpm-ostree compose postprocess`.

# We want content lifecycled with the image
opt-usrlocal: "root"

# https://github.com/CentOS/centos-bootc/issues/167
machineid-compat: true

rpmdb: target
# We never want rpmdb.sqlite-shm as it's unreproducible
rpmdb-normalize: true

ignore-removed-users:
  - root
ignore-removed-groups:
  - root
# By default users and groups are injected to nss-altfiles
# which is immutable. This list moves a selected set
# to /etc/group instead, which is mutable per system
# and allows local users to become part of these groups.
etc-group-members:
  - wheel
  - systemd-journal
  - tss # https://issues.redhat.com/browse/BIFROST-618
  - adm

conditional-include:
  - if: passwd_mode == "full"
    include: check-passwd.yaml
  - if: passwd_mode == "nobody"
    include: check-passwd-nobody.yaml
  - if: passwd_mode == "none"
    include:
      check-passwd:
        type: "none"
      check-groups:
        type: "none"
```
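A check for the situation the commit message describes, as an added example that is not part of the commit or of rpm-ostree: it scans passwd/group text for a `nobody` entry still on the legacy 99 id and for other names holding the overflow id. The 65534 overflow id, the function names and the sample data are assumptions constructed for illustration.

```python
# OVERFLOW_ID is systemd's usual overflow uid/gid (assumption: the build was not
# configured differently); LEGACY_ID is the 99:99 value from the commit message.
OVERFLOW_ID = 65534
LEGACY_ID = 99


def parse_ids(text, id_field=2):
    """Map name -> numeric id from passwd(5) or group(5) formatted text."""
    ids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "+", "-")):
            continue  # skip blanks, comments and NIS compat entries
        fields = line.split(":")
        if len(fields) <= id_field or not fields[id_field].isdigit():
            continue  # malformed entry: ignore rather than guess
        ids.setdefault(fields[0], int(fields[id_field]))  # keep first entry per name
    return ids


def audit_nobody(passwd_text, group_text):
    """Return a list of findings about the `nobody` user and group."""
    findings = []
    for kind, ids in (("user", parse_ids(passwd_text)), ("group", parse_ids(group_text))):
        nobody = ids.get("nobody")
        if nobody is None:
            findings.append(f"{kind}: no explicit nobody entry")
        elif nobody == LEGACY_ID:
            findings.append(f"{kind}: nobody is legacy id {LEGACY_ID}, needs migration")
        elif nobody != OVERFLOW_ID:
            findings.append(f"{kind}: nobody has unexpected id {nobody}")
        squatters = sorted(n for n, i in ids.items() if i == OVERFLOW_ID and n != "nobody")
        if squatters:
            findings.append(f"{kind}: id {OVERFLOW_ID} is held by {', '.join(squatters)}")
    return findings


# Constructed sample data modelled on a legacy layout (not taken from the page).
LEGACY_PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
"""
LEGACY_GROUP = "root:x:0:\nnobody:x:99:\nnfsnobody:x:65534:\n"

if __name__ == "__main__":
    for finding in audit_nobody(LEGACY_PASSWD, LEGACY_GROUP):
        print(finding)
```

Files already owned by uid/gid 99 keep that numeric owner after the name moves, so a migration also needs an ownership sweep of the filesystem.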