compose: Change /etc/default/useradd to use HOME=/var/home #1726
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Prep for more code.
For a long time I've resisted encoding "policy" into rpm-ostree as much as possible. Doing so makes it more distribution specific for example. That said, for `/var/home` there argument for doing this in rpm-ostree is that we already make that symlink in our hardcoded rootfs. So we might as well do the other fixups for it. coreos/fedora-coreos-config#18 https://pagure.io/workstation-ostree-config/pull-request/121 https://discussion.fedoraproject.org/t/adapting-user-home-in-etc-passwd/487/6 justjanne/powerline-go#94
|
Question: the ostree docs document two possible arrangements, depending on whether $HOME is shared between operating systems or not: /home -> /var/home Do you consider both to legitimate ways to use rpm-ostree, or is only the first supported? Who choses between the two setups? |
I'd discourage people from doing anything but Now specifically for rpm-ostree, as noted in the commit message we actually hardcode the current symlink. |
Oh yuck; we need to do an |
jlebon
reviewed
Jan 7, 2019
rust/src/composepost.rs
Outdated
| fn postprocess_useradd(rootfs_dfd: &openat::Dir) -> Fallible<()> | ||
| { | ||
| let path = Path::new("usr/etc/default/useradd"); | ||
| if let Some(f) = openat_optional(rootfs_dfd, path, openat::Dir::open_file)? { |
There was a problem hiding this comment.
Minor: we can avoid the indentation here by returning early in the None case.
There was a problem hiding this comment.
I used to have an early return here but it feels like...bad style? We don't have a huge amount of indentation here anyways.
rh-atomic-bot
pushed a commit
that referenced
this pull request
Jan 7, 2019
For a long time I've resisted encoding "policy" into rpm-ostree as much as possible. Doing so makes it more distribution specific for example. That said, for `/var/home` there argument for doing this in rpm-ostree is that we already make that symlink in our hardcoded rootfs. So we might as well do the other fixups for it. coreos/fedora-coreos-config#18 https://pagure.io/workstation-ostree-config/pull-request/121 https://discussion.fedoraproject.org/t/adapting-user-home-in-etc-passwd/487/6 justjanne/powerline-go#94 Closes: #1726 Approved by: jlebon
|
☀️ Test successful - status-atomicjenkins |
owtaylor
added a commit
to owtaylor/toolbox
that referenced
this pull request
Jan 10, 2019
Silverblue, and rpm-ostree more generally are moving to HOME=/var/home/$USER and make the /home symlink just a compatibility feature. See: coreos/rpm-ostree#1726 Matching what the host does will reduce weird side-effects, so propagate $HOME into the container, and if the host has /home as a symlink to /var/home, do the same for the toolbox.
debarshiray
pushed a commit
to owtaylor/toolbox
that referenced
this pull request
Jan 16, 2019
Silverblue, and rpm-ostree more generally are moving to HOME=/var/home/$USER and make the /home symlink just a compatibility feature. See: coreos/rpm-ostree#1726 Matching what the host does will reduce weird side-effects, so propagate $HOME into the container, and if the host has /home as a symlink to /var/home, do the same for the toolbox.
|
I'll expand a bit more here re Anaconda before I forget; I think there are two issues. First, this change also needs to be made in e.g. https://pagure.io/fedora-lorax-templates/blob/master/f/ostree-based-installer because Anaconda will add a user from the install environment, not via The second problem (deriving from the first) is that last I looked anaconda uses |
debarshiray
pushed a commit
to owtaylor/toolbox
that referenced
this pull request
Jan 16, 2019
Silverblue, and rpm-ostree more generally are moving to HOME=/var/home/$USER and make the /home symlink just a compatibility feature. See: coreos/rpm-ostree#1726 Matching what the host does will reduce weird side-effects, so propagate $HOME into the container, and if the host has /home as a symlink to /var/home, do the same for the toolbox. containers#34
debarshiray
pushed a commit
to owtaylor/toolbox
that referenced
this pull request
Jan 16, 2019
Silverblue, and rpm-ostree more generally are moving to HOME=/var/home/$USER and make the /home symlink just a compatibility feature. See: coreos/rpm-ostree#1726 Matching what the host does will reduce weird side-effects. Propagate $HOME into the container to avoid mismatches in /etc/default/useradd, and if the host has /home as a symlink to /var/home, do the same for the toolbox. containers#34
miabbott
added a commit
to miabbott/atomic-host-tests
that referenced
this pull request
Feb 4, 2019
It looks like coreos/rpm-ostree#1726 changed how `useradd` operates on `ostree` hosts, so we have to look for `/var/home/<user>` now. Except that not all the `ostree` hosts will have this change, so make it an optional part of the regex pattern.
mike-nguyen
pushed a commit
to projectatomic/atomic-host-tests
that referenced
this pull request
Feb 5, 2019
* roles/user_verify*: change grep pattern for home dir change It looks like coreos/rpm-ostree#1726 changed how `useradd` operates on `ostree` hosts, so we have to look for `/var/home/<user>` now. Except that not all the `ostree` hosts will have this change, so make it an optional part of the regex pattern. * fixup! roles/user_verify*: change grep pattern for home dir change * fixup! roles/user_verify*: change grep pattern for home dir change
jlebon
added a commit
to jlebon/rpm-ostree
that referenced
this pull request
Feb 6, 2019
It's possible for some postprocessing scripts to affect the final SELinux policy. This is the case for the new `/etc/default/useradd` edit we now do (coreos#1726), but it could've been the case beforehand too with user scripts modifying e.g. booleans (though ideally all these modifications would be part of RPMs). Do a final `semodule -nB` during postprocessing so that the final policy we commit is "up to date". Otherwise, users may only see changes take effect if they layer packages that trigger a rebuild. The motivation for this is specifically for `/etc/default/useradd`. There is magic in `selinux-policy` that parses the file and generates templated rules from the value of `HOME`. For more info, see: https://bugzilla.redhat.com/show_bug.cgi?id=1669982 https://src.fedoraproject.org/rpms/selinux-policy/pull-request/14
rh-atomic-bot
pushed a commit
that referenced
this pull request
Feb 14, 2019
It's possible for some postprocessing scripts to affect the final SELinux policy. This is the case for the new `/etc/default/useradd` edit we now do (#1726), but it could've been the case beforehand too with user scripts modifying e.g. booleans (though ideally all these modifications would be part of RPMs). Do a final `semodule -nB` during postprocessing so that the final policy we commit is "up to date". Otherwise, users may only see changes take effect if they layer packages that trigger a rebuild. The motivation for this is specifically for `/etc/default/useradd`. There is magic in `selinux-policy` that parses the file and generates templated rules from the value of `HOME`. For more info, see: https://bugzilla.redhat.com/show_bug.cgi?id=1669982 https://src.fedoraproject.org/rpms/selinux-policy/pull-request/14 Closes: #1754 Approved by: cgwalters
jlebon
added a commit
to jlebon/ignition
that referenced
this pull request
Jun 19, 2020
We shouldn't need to run `setfiles` with `-i`, which causes `setfiles` to ignore files that do not exist. All the files which we pass to `setfiles` should exist, and it should be a hard error if `setfiles` fails to find and relabel the file we wrote. This dates from coreos#632, where we added `/var/home` and `/var/roothome` for OSTree-based systems. We actually don't need to special-case OSTree systems at all anymore. The `/var/home` and `/var/roothome` directories themselves are now handled by `ignition-ostree-populate-var.service`. All we need to take care of here is to relabel the homedir files we created or modified for each user. Because `setfiles` by default doesn't follow the final symlink, we also add a check here to relabel the target if the homedir is a link. (Ideally, we'd change the home directory of `root `to be `/var/roothome` like we do in rpm-ostree based systems for regular users: coreos/rpm-ostree#1726, but it's probably not worth the ripples that would cause.)
jlebon
added a commit
to jlebon/ignition
that referenced
this pull request
Jun 22, 2020
We shouldn't need to run `setfiles` with `-i`, which causes `setfiles` to ignore files that do not exist. All the files which we pass to `setfiles` should exist, and it should be a hard error if `setfiles` fails to find and relabel the file we wrote. This dates from coreos#632, where we added `/var/home` and `/var/roothome` for OSTree-based systems. We actually don't need to special-case OSTree systems at all anymore. The `/var/home` and `/var/roothome` directories themselves are now handled by `ignition-ostree-populate-var.service`. All we need to take care of here is to relabel the homedir files we created or modified for each user. Because `setfiles` by default doesn't follow the final symlink, we also add a check here to relabel the target if the homedir is a link. (Ideally, we'd change the home directory of `root `to be `/var/roothome` like we do in rpm-ostree based systems for regular users: coreos/rpm-ostree#1726, but it's probably not worth the ripples that would cause.)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For a long time I've resisted encoding "policy" into rpm-ostree
as much as possible. Doing so makes it more distribution specific
for example. That said, for
/var/homethere argument for doingthis in rpm-ostree is that we already make that symlink in our
hardcoded rootfs. So we might as well do the other fixups for it.
coreos/fedora-coreos-config#18
https://pagure.io/workstation-ostree-config/pull-request/121
https://discussion.fedoraproject.org/t/adapting-user-home-in-etc-passwd/487/6
justjanne/powerline-go#94