debian-bootc-base-images/minimal/manifest.yaml
Jonathan Lebon 4eb52e5483
bootc-base-imagectl: add --nobody-99 for use with --sysusers
The `nobody` user/group is special and can't be driven from a sysusers
dropin because Fedora's systemd has a compiled-in default value
for naming the overflow user that same name and that always takes
precedence.

The problem is that due to legacy and cargo-culting, we have to deal
with a bunch of systems with the `nobody` user set to 99:99 that we
can't just ignore. We need to migrate those, but for now at least to
make `--sysusers` usable in these environments, let's add a new hidden
`--nobody-99` option which defines _only_ that entry in the hardcoded
passwd/group. This _is_ respected by systemd-sysusers.

See also: https://github.com/coreos/fedora-coreos-tracker/issues/1201
See also: https://github.com/systemd/systemd/issues/7717
2025-07-15 14:32:42 -04:00
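The commit message hinges on which ids the `nobody` user and group carry in a given image: the legacy 99:99 pair that `--nobody-99` pins in the hardcoded passwd/group, or the 65534:65534 overflow ids that systemd's compiled-in default would otherwise produce. The following audit script is an added example, not code from the fedora-bootc-base-images project or from the commit author; it parses passwd/group text in the standard colon-separated format, classifies the `nobody` entry, and optionally compares it against the kernel's `overflowuid` sysctl. The sample passwd/group contents are constructed for the example, and the `classify_nobody` / `live_nobody_status` names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the fedora-bootc-base-images project): audit the
# `nobody` user/group entries of an image and report whether they carry the
# legacy 99:99 ids or the kernel/systemd overflow ids 65534:65534.

# Constructed sample data standing in for /etc/passwd and /etc/group of a
# legacy image (the situation the commit message describes) ...
LEGACY_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin'
LEGACY_GROUP='root:x:0:
nobody:x:99:'

# ... and of an image whose nobody entry matches systemd's overflow default.
MODERN_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:Kernel Overflow User:/:/usr/sbin/nologin'
MODERN_GROUP='root:x:0:
nobody:x:65534:'

# id_of NAME TEXT -> prints field 3 (uid or gid) of the entry for NAME,
# or nothing if NAME has no entry. Works for both passwd and group format.
id_of() {
  printf '%s\n' "$2" | awk -F: -v n="$1" '$1 == n { print $3; exit }'
}

# classify_nobody PASSWD_TEXT GROUP_TEXT -> prints one of:
#   legacy-99  nobody is 99:99 (the case --nobody-99 exists for)
#   overflow   nobody is 65534:65534 (systemd's compiled-in default)
#   missing    no nobody user and no nobody group
#   mismatch   uid and gid disagree, or only one of user/group exists
#   other:N    some other id N, shared by user and group
classify_nobody() {
  nb_uid=$(id_of nobody "$1")
  nb_gid=$(id_of nobody "$2")
  if [ -z "$nb_uid" ] && [ -z "$nb_gid" ]; then
    echo missing
    return 0
  fi
  if [ "$nb_uid" != "$nb_gid" ]; then
    echo mismatch
    return 0
  fi
  case "$nb_uid" in
    99)    echo legacy-99 ;;
    65534) echo overflow ;;
    *)     echo "other:$nb_uid" ;;
  esac
}

# kernel_overflow_uid -> the uid the kernel maps unmappable ids to; falls
# back to the documented default 65534 when the sysctl is not readable
# (e.g. inside a container build without /proc/sys).
kernel_overflow_uid() {
  if [ -r /proc/sys/kernel/overflowuid ]; then
    cat /proc/sys/kernel/overflowuid
  else
    echo 65534
  fi
}

# live_nobody_status [ROOT] -> classify the nobody entry of the system (or of
# an image tree mounted at ROOT) and note whether it matches the kernel's
# overflow uid. Prints e.g. "legacy-99 (kernel overflowuid=65534)".
live_nobody_status() {
  root=${1:-}
  pw=$(cat "$root/etc/passwd" 2>/dev/null)
  gr=$(cat "$root/etc/group" 2>/dev/null)
  printf '%s (kernel overflowuid=%s)\n' \
    "$(classify_nobody "$pw" "$gr")" "$(kernel_overflow_uid)"
}

# Stand-alone run: show the two constructed cases, then the running system.
echo "legacy sample: $(classify_nobody "$LEGACY_PASSWD" "$LEGACY_GROUP")"
echo "modern sample: $(classify_nobody "$MODERN_PASSWD" "$MODERN_GROUP")"
echo "this system:   $(live_nobody_status)"
```

Point `live_nobody_status` at a mounted image root (`live_nobody_status /mnt/image`) to check a built image before deciding whether it needs `--nobody-99` alongside `--sysusers`; a `mismatch` result means the user and group were already drifting apart and deserves a look before any migration.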


metadata:
  summary: Effectively just bootc, systemd, kernel, and dnf as a starting point.
edition: "2024"
variables:
  passwd_mode: full
# Be minimal
recommends: false
# Default container command: run systemd as init (PID 1).
container-cmd:
  - /sbin/init
remove-from-packages:
  # Generally we expect other tools to do this (e.g. Ignition or cloud-init)
  - [systemd, /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
  # We don't want auto-generated mount units. See also
  # https://github.com/systemd/systemd/issues/13099
  - [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
include:
  - kernel.yaml
  - postprocess-conf.yaml
  - tmpfiles.yaml
  - bootc.yaml
  - bootupd.yaml
  - ostree.yaml
  - initramfs.yaml
  - basic-fixes.yaml
  - kernel-install.yaml
  - systemd-presets.yaml
packages:
  # This is implied by dependencies, but let's make it explicit.
  - coreutils
  # We need dnf for building derived container images. In Fedora, this pulls
  # in dnf5. In CentOS/RHEL, this pulls in dnf(4). We can simplify this back to
  # just `dnf` once the `dnf` package is retired from Fedora.
  - /usr/bin/dnf
  # Even in minimal, we have this. If you don't want SELinux today, you'll need
  # to build a custom image.
  - selinux-policy-targeted
  # And we want container-selinux because trying to layer it on later currently causes issues.
  - container-selinux
  # Needed for TPM2-bound LUKS.
  - tpm2-tools