OCPBUGS-64841: Ensure 'containers' user & group are part of the image #1917
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
|
|
@@ -130,6 +130,38 @@ postprocess: | |||||||
| fi | ||||||||
| fi | ||||||||
|
|
||||||||
| - | | ||||||||
| #!/usr/bin/env bash | ||||||||
| set -xeo pipefail | ||||||||
| # Ensure that the containers user & group are created as part of the image. | ||||||||
| # We can not move users/groups from the image to dynamically created ones | ||||||||
| # until we fix https://github.com/bootc-dev/bootc/issues/1179. | ||||||||
| # See https://redhat.atlassian.net/browse/OCPBUGS-64841 and commit message | ||||||||
| # for the full details. | ||||||||
|
|
||||||||
| # Only do that when doing a container build | ||||||||
| if [[ -f /run/.containerenv ]] && [[ -f /usr/lib/sysusers.d/crio.conf ]]; then | ||||||||
|
Comment on lines
+142
to
+143
Member
There was a problem hiding this comment. We only ever run in a container environment.
Suggested change
Am I missing something?
Member
There was a problem hiding this comment. Also, in what situations would
Member
Author
There was a problem hiding this comment. Probably should fail indeed. |
||||||||
| # First, cleanup the broken entries from /etc/passwd|group|shadow|gshadow | ||||||||
| sed -i "/^containers:/d" /etc/{passwd,group,shadow,gshadow} | ||||||||
|
Comment on lines
+144
to
+145
Member
There was a problem hiding this comment. This contradicts your statement in the description of this PR:
If that is true then
Member
Author
There was a problem hiding this comment. New nodes start with a pure RHEL boot image that does not have CRI-O installed. This is the container image with CRI-O installed.
Member
There was a problem hiding this comment. just for my understanding, since there are a lot of pieces here. Today we have:
I think what you are saying is that in
Member
Author
There was a problem hiding this comment. yes, it gets added to the node layer |
||||||||
|
|
||||||||
| # We're running as part of a derivation; `systemd-sysusers` will not work | ||||||||
| # because it doesn't go through NSS. Hackily put the /usr/lib files in /etc | ||||||||
| # temporarily then put them back. | ||||||||
| mv /etc/passwd /etc/passwd.bak | ||||||||
| mv /etc/group /etc/group.bak | ||||||||
| mv /usr/lib/passwd /etc/passwd | ||||||||
| mv /usr/lib/group /etc/group | ||||||||
|
|
||||||||
| # Re-create the user/group/shadow/gshadow entries | ||||||||
| systemd-sysusers crio.conf | ||||||||
|
Member
There was a problem hiding this comment. I think we need to go further and fixate the UID/GID to whatever it was in the base composes on 4.18. Basically same rationale as f202927. I guess we could do that here, or just add it to r-c-c which already carries a bunch of other fixated users/groups the node image needs. I'm not sure why containers wasn't part of that commit I did back then. I'm pretty sure the way I came up with this is that I booted a live ~4.18 RHCOS and added the dynamic entries, so perhaps containers wasn't added back then for some reason. |
||||||||
|
|
||||||||
| # Put everything back in place | ||||||||
| mv /etc/passwd /usr/lib/passwd | ||||||||
| mv /etc/group /usr/lib/group | ||||||||
| mv /etc/passwd.bak /etc/passwd | ||||||||
| mv /etc/group.bak /etc/group | ||||||||
|
Member
There was a problem hiding this comment. I'd like to keep this "hack" targeted. Can we do something here that will make sure the only entry that was created was the |
||||||||
| fi | ||||||||
|
|
||||||||
| - | | ||||||||
| #!/usr/bin/env bash | ||||||||
| set -xeuo pipefail | ||||||||
|
|
||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In what situation would we ever not be running in a container env?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was conservative and copied the checks from above. I'll update both.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah the check above dates back from when we supported both layered and base composes for the node image.