stages: add org.osbuild.ostree.passwd

This stage takes /usr/lib/passwd and /usr/etc/passwd from an OSTree checkout, merges them into one file, and store it as /etc/passwd in the buildroot. It does the same for /etc/group. The reason for doing this is that there is an issue with unstable UIDs and GIDs when creating OSTree commits from scratch. When there is a package that creates a system user or a system group, it can change the UID and GID of users and groups that are created later. This is not a problem in traditional deployments because already created users and groups never change their UIDs and GIDs, but with OSTree we recreate the files from scratch and then replace the previous one so it can actually change. By copying the files to the build root before doing any other operations, we can make sure that the UIDs and GIDs of already existing users and groups won't change. Co-author: Christian Kellner <christian@kellner.me>
2021-08-17 10:34:33 +02:00 · 2021-08-17 10:34:33 +02:00 · 8b0ea15817
commit 8b0ea15817
parent 3695e22369
3 changed files with 203 additions and 1 deletions
--- a/osbuild/util/ostree.py
+++ b/osbuild/util/ostree.py
@ -139,3 +139,50 @@ def deployment_path(root: PathLike, osname: str, ref: str, serial: int):
    sysroot = f"{stateroot}/deploy/{commit}.{serial}"

    return sysroot
+
+
+class PasswdLike:
+    """Representation of a file with structure like /etc/passwd
+
+    If each line in a file contains a key-value pair separated by the
+    first colon on the line, it can be considered "passwd"-like. This
+    class can parse the the list, manipulate it, and export it to file
+    again.
+    """
+    def __init__(self):
+        """Initialize an empty PasswdLike object"""
+        self.db = dict()
+
+    @classmethod
+    def from_file(cls, path: PathLike, allow_missing_file: bool=False):
+        """Initialize a PasswdLike object from an existing file"""
+        ret = cls()
+        if allow_missing_file:
+            if not os.path.isfile(path):
+                return ret
+
+        with open(path, "r") as p:
+            ret.db = cls._passwd_lines_to_dict(p.readlines())
+        return ret
+
+    def merge_with_file(self, path: PathLike, allow_missing_file: bool=False):
+        """Extend the database with entries from another file"""
+        if allow_missing_file:
+            if not os.path.isfile(path):
+                return
+
+        with open(path, "r") as p:
+            additional_passwd_dict = self._passwd_lines_to_dict(p.readlines())
+            for name, passwd_line in additional_passwd_dict.items():
+                if name not in self.db:
+                    self.db[name] = passwd_line
+
+    def dump_to_file(self, path: PathLike):
+        """Write the current database to a file"""
+        with open(path, "w") as p:
+            p.writelines(list(self.db.values()))
+
+    @staticmethod
+    def _passwd_lines_to_dict(lines):
+        """Take a list of passwd lines and produce a "name": "line" dictionary"""
+        return {line.split(':')[0]: line for line in lines}
--- a/stages/org.osbuild.ostree.passwd
+++ b/stages/org.osbuild.ostree.passwd
@ -0,0 +1,92 @@
+#!/usr/bin/python3
+"""
+Populate buildroot with /etc/passwd and /etc/group from an OSTree checkout
+
+Using the OSTree checkout provided as in input, copy /usr/etc/passwd and
+/usr/lib/passwd, merge them and store the result into /etc/passwd in the
+buildroot. Do the same for /etc/group file.
+
+The use case for this stage is when one wants to preserve UIDs and GIDs
+which might change when the system is build from scratch. Creating these
+files before any RPMs (or other packages) are installed will prevent changes
+in UIDs and GIDs.
+"""
+
+import os
+import sys
+import subprocess
+
+import osbuild.api
+
+from osbuild.util.ostree import PasswdLike
+
+
+SCHEMA_2 = """
+"options": {
+  "additionalProperties": false
+},
+"inputs": {
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["commits"],
+  "properties": {
+    "commits": {
+      "type": "object",
+      "additionalProperties": true
+    }
+  }
+}
+"""
+
+
+def ostree(*args, _input=None, **kwargs):
+    args = list(args) + [f'--{k}={v}' for k, v in kwargs.items()]
+    print("ostree " + " ".join(args), file=sys.stderr)
+    subprocess.run(["ostree"] + args,
+                   encoding="utf-8",
+                   stdout=sys.stderr,
+                   input=_input,
+                   check=True)
+
+
+def parse_input(inputs):
+    commits = inputs["commits"]
+    source_root = commits["path"]
+    data = commits["data"]
+    refs = data["refs"]
+    assert refs, "Need at least one commit"
+    assert len(refs) == 1, "Only one commit is currently supported"
+    return source_root, refs
+
+
+# pylint: disable=too-many-statements
+def main(tree, inputs, _options):
+    source_root, refs = parse_input(inputs)
+
+    os.makedirs(os.path.join(tree, "etc"), exist_ok=True)
+    # Only once ref (commit) is currently supported, so this loop will run exactly once
+    for commit, data in refs.items():
+        ref = data.get("path", commit).lstrip("/")
+        checkout_root = os.path.join(source_root, ref)
+
+        # Merge /usr/etc/passwd with /usr/lib/passwd from the checkout and store it in the buildroot
+        # "tree" directory. Entries in /usr/etc/passwd have a precedence, but the file does not
+        # necessarily exist.
+        passwd = PasswdLike.from_file(os.path.join(checkout_root, "usr/etc/passwd"), allow_missing_file=True)
+        passwd.merge_with_file(os.path.join(checkout_root, "usr/lib/passwd"), allow_missing_file=False)
+        passwd.dump_to_file(os.path.join(tree, "etc/passwd"))
+
+        # Merge /usr/etc/group with /usr/lib/group from the checkout and store it in the buildroot
+        # "tree" directory. Entries in /usr/etc/group have a precedence, but the file does not
+        # necessarily exist.
+        passwd = PasswdLike.from_file(os.path.join(checkout_root, "usr/etc/group"), allow_missing_file=True)
+        passwd.merge_with_file(os.path.join(checkout_root, "usr/lib/group"), allow_missing_file=False)
+        passwd.dump_to_file(os.path.join(tree, "etc/group"))
+
+
+if __name__ == '__main__':
+    stage_args = osbuild.api.arguments()
+    r = main(stage_args["tree"],
+             stage_args["inputs"],
+             stage_args["options"])
+    sys.exit(r)
--- a/test/mod/test_util_ostree.py
+++ b/test/mod/test_util_ostree.py
@ -3,8 +3,10 @@
 #

 import json
-import unittest
+import os
 import subprocess
+import tempfile
+import unittest

 from osbuild.util import ostree

@ -84,3 +86,64 @@ class TestObjectStore(unittest.TestCase):

        for p, v in params.items():
            self.assertEqual(v, js[p])
+
+
+class TestPasswdLike(unittest.TestCase):
+
+    def test_merge_passwd(self):
+        with tempfile.TemporaryDirectory() as tmpdir:
+            primary_file_lines = [
+                "root:x:0:0:root:/root:/bin/bash\n",
+                "bin:x:1:1:bin:/bin:/sbin/nologin\n",
+                "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n"
+            ]
+            secondary_file_lines = [
+                "daemon:x:9:9:daemon:/sbin:/sbin/nologin\n"
+                "lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\n",
+                "sync:x:5:0:sync:/sbin:/bin/sync\n"
+            ]
+            result_file_lines = [
+                "root:x:0:0:root:/root:/bin/bash\n",
+                "bin:x:1:1:bin:/bin:/sbin/nologin\n",
+                "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n",
+                "lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\n",
+                "sync:x:5:0:sync:/sbin:/bin/sync\n"
+            ]
+            with open(os.path.join(tmpdir, "primary"), "w") as f:
+                f.writelines(primary_file_lines)
+            with open(os.path.join(tmpdir, "secondary"), "w") as f:
+                f.writelines(secondary_file_lines)
+
+            passwd = ostree.PasswdLike.from_file(os.path.join(tmpdir, "primary"))
+            passwd.merge_with_file(os.path.join(tmpdir, "secondary"))
+            passwd.dump_to_file(os.path.join(tmpdir, "result"))
+
+            with open(os.path.join(tmpdir, "result"), "r") as f:
+                self.assertEqual(sorted(f.readlines()), sorted(result_file_lines))
+
+    def test_merge_group(self):
+        with tempfile.TemporaryDirectory() as tmpdir:
+            primary_file_lines = [
+                "root:x:0:\n",
+                "bin:x:1:\n"
+            ]
+            secondary_file_lines = [
+                "bin:x:4:\n",
+                "daemon:x:2:\n"
+            ]
+            result_file_lines = [
+                "root:x:0:\n",
+                "bin:x:1:\n",
+                "daemon:x:2:\n"
+            ]
+            with open(os.path.join(tmpdir, "primary"), "w") as f:
+                f.writelines(primary_file_lines)
+            with open(os.path.join(tmpdir, "secondary"), "w") as f:
+                f.writelines(secondary_file_lines)
+
+            passwd = ostree.PasswdLike.from_file(os.path.join(tmpdir, "primary"))
+            passwd.merge_with_file(os.path.join(tmpdir, "secondary"))
+            passwd.dump_to_file(os.path.join(tmpdir, "result"))
+
+            with open(os.path.join(tmpdir, "result"), "r") as f:
+                self.assertEqual(sorted(f.readlines()), sorted(result_file_lines))