This works around two issues:

- First, rpm switched to reading users/groups directly for its implementation of systemd-sysusers, which meant it no longer reads via nss, which breaks nss-altfiles. xref: https://github.com/rpm-software-management/rpm/pull/2503#issuecomment-1536435351 and below.
- Second, even if that was fixed, `keylime` wants to add its user to the group, which can't be done when it's a system uid.

Since nothing in the OS content is owned by this group, we can move underneath `/etc` by default.

Signed-off-by: Colin Walters <walters@verbum.org>
```yaml
# This file configures things relevant to `rpm-ostree compose postprocess`.

# We want content lifecycled with the image
opt-usrlocal: "root"

# https://github.com/CentOS/centos-bootc/issues/167
machineid-compat: true

rpmdb: target
# We never want rpmdb.sqlite-shm as it's unreproducible
rpmdb-normalize: true

ignore-removed-users:
  - root
ignore-removed-groups:
  - root
# By default users and groups are injected to nss-altfiles
# which is immutable. This list moves a selected set
# to /etc/group instead, which is mutable per system
# and allows local users to become part of these groups.
etc-group-members:
  - wheel
  - systemd-journal
  - tss # https://issues.redhat.com/browse/BIFROST-618
  - adm

check-passwd:
  type: "file"
  filename: "passwd"
check-groups:
  type: "file"
  filename: "group"
```