-
Notifications
You must be signed in to change notification settings - Fork 195
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
compose: Change /etc/default/useradd to use HOME=/var/home #1726
Conversation
Prep for more code.
For a long time I've resisted encoding "policy" into rpm-ostree as much as possible. Doing so makes it more distribution specific for example. That said, for `/var/home` there argument for doing this in rpm-ostree is that we already make that symlink in our hardcoded rootfs. So we might as well do the other fixups for it. coreos/fedora-coreos-config#18 https://pagure.io/workstation-ostree-config/pull-request/121 https://discussion.fedoraproject.org/t/adapting-user-home-in-etc-passwd/487/6 justjanne/powerline-go#94
Question: the ostree docs document two possible arrangements, depending on whether $HOME is shared between operating systems or not: /home -> /var/home Do you consider both to legitimate ways to use rpm-ostree, or is only the first supported? Who choses between the two setups? |
I'd discourage people from doing anything but Now specifically for rpm-ostree, as noted in the commit message we actually hardcode the current symlink. |
Oh yuck; we need to do an |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense high-level. Just some minor comments.
rust/src/composepost.rs
Outdated
fn postprocess_useradd(rootfs_dfd: &openat::Dir) -> Fallible<()> | ||
{ | ||
let path = Path::new("usr/etc/default/useradd"); | ||
if let Some(f) = openat_optional(rootfs_dfd, path, openat::Dir::open_file)? { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor: we can avoid the indentation here by returning early in the None
case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I used to have an early return here but it feels like...bad style? We don't have a huge amount of indentation here anyways.
For a long time I've resisted encoding "policy" into rpm-ostree as much as possible. Doing so makes it more distribution specific for example. That said, for `/var/home` there argument for doing this in rpm-ostree is that we already make that symlink in our hardcoded rootfs. So we might as well do the other fixups for it. coreos/fedora-coreos-config#18 https://pagure.io/workstation-ostree-config/pull-request/121 https://discussion.fedoraproject.org/t/adapting-user-home-in-etc-passwd/487/6 justjanne/powerline-go#94 Closes: #1726 Approved by: jlebon
☀️ Test successful - status-atomicjenkins |
Silverblue, and rpm-ostree more generally are moving to HOME=/var/home/$USER and make the /home symlink just a compatibility feature. See: coreos/rpm-ostree#1726 Matching what the host does will reduce weird side-effects, so propagate $HOME into the container, and if the host has /home as a symlink to /var/home, do the same for the toolbox.
Silverblue, and rpm-ostree more generally are moving to HOME=/var/home/$USER and make the /home symlink just a compatibility feature. See: coreos/rpm-ostree#1726 Matching what the host does will reduce weird side-effects, so propagate $HOME into the container, and if the host has /home as a symlink to /var/home, do the same for the toolbox.
I'll expand a bit more here re Anaconda before I forget; I think there are two issues. First, this change also needs to be made in e.g. https://pagure.io/fedora-lorax-templates/blob/master/f/ostree-based-installer because Anaconda will add a user from the install environment, not via The second problem (deriving from the first) is that last I looked anaconda uses |
Silverblue, and rpm-ostree more generally are moving to HOME=/var/home/$USER and make the /home symlink just a compatibility feature. See: coreos/rpm-ostree#1726 Matching what the host does will reduce weird side-effects, so propagate $HOME into the container, and if the host has /home as a symlink to /var/home, do the same for the toolbox. containers#34
Silverblue, and rpm-ostree more generally are moving to HOME=/var/home/$USER and make the /home symlink just a compatibility feature. See: coreos/rpm-ostree#1726 Matching what the host does will reduce weird side-effects. Propagate $HOME into the container to avoid mismatches in /etc/default/useradd, and if the host has /home as a symlink to /var/home, do the same for the toolbox. containers#34
It looks like coreos/rpm-ostree#1726 changed how `useradd` operates on `ostree` hosts, so we have to look for `/var/home/<user>` now. Except that not all the `ostree` hosts will have this change, so make it an optional part of the regex pattern.
* roles/user_verify*: change grep pattern for home dir change It looks like coreos/rpm-ostree#1726 changed how `useradd` operates on `ostree` hosts, so we have to look for `/var/home/<user>` now. Except that not all the `ostree` hosts will have this change, so make it an optional part of the regex pattern. * fixup! roles/user_verify*: change grep pattern for home dir change * fixup! roles/user_verify*: change grep pattern for home dir change
It's possible for some postprocessing scripts to affect the final SELinux policy. This is the case for the new `/etc/default/useradd` edit we now do (coreos#1726), but it could've been the case beforehand too with user scripts modifying e.g. booleans (though ideally all these modifications would be part of RPMs). Do a final `semodule -nB` during postprocessing so that the final policy we commit is "up to date". Otherwise, users may only see changes take effect if they layer packages that trigger a rebuild. The motivation for this is specifically for `/etc/default/useradd`. There is magic in `selinux-policy` that parses the file and generates templated rules from the value of `HOME`. For more info, see: https://bugzilla.redhat.com/show_bug.cgi?id=1669982 https://src.fedoraproject.org/rpms/selinux-policy/pull-request/14
It's possible for some postprocessing scripts to affect the final SELinux policy. This is the case for the new `/etc/default/useradd` edit we now do (#1726), but it could've been the case beforehand too with user scripts modifying e.g. booleans (though ideally all these modifications would be part of RPMs). Do a final `semodule -nB` during postprocessing so that the final policy we commit is "up to date". Otherwise, users may only see changes take effect if they layer packages that trigger a rebuild. The motivation for this is specifically for `/etc/default/useradd`. There is magic in `selinux-policy` that parses the file and generates templated rules from the value of `HOME`. For more info, see: https://bugzilla.redhat.com/show_bug.cgi?id=1669982 https://src.fedoraproject.org/rpms/selinux-policy/pull-request/14 Closes: #1754 Approved by: cgwalters
We shouldn't need to run `setfiles` with `-i`, which causes `setfiles` to ignore files that do not exist. All the files which we pass to `setfiles` should exist, and it should be a hard error if `setfiles` fails to find and relabel the file we wrote. This dates from coreos#632, where we added `/var/home` and `/var/roothome` for OSTree-based systems. We actually don't need to special-case OSTree systems at all anymore. The `/var/home` and `/var/roothome` directories themselves are now handled by `ignition-ostree-populate-var.service`. All we need to take care of here is to relabel the homedir files we created or modified for each user. Because `setfiles` by default doesn't follow the final symlink, we also add a check here to relabel the target if the homedir is a link. (Ideally, we'd change the home directory of `root `to be `/var/roothome` like we do in rpm-ostree based systems for regular users: coreos/rpm-ostree#1726, but it's probably not worth the ripples that would cause.)
We shouldn't need to run `setfiles` with `-i`, which causes `setfiles` to ignore files that do not exist. All the files which we pass to `setfiles` should exist, and it should be a hard error if `setfiles` fails to find and relabel the file we wrote. This dates from coreos#632, where we added `/var/home` and `/var/roothome` for OSTree-based systems. We actually don't need to special-case OSTree systems at all anymore. The `/var/home` and `/var/roothome` directories themselves are now handled by `ignition-ostree-populate-var.service`. All we need to take care of here is to relabel the homedir files we created or modified for each user. Because `setfiles` by default doesn't follow the final symlink, we also add a check here to relabel the target if the homedir is a link. (Ideally, we'd change the home directory of `root `to be `/var/roothome` like we do in rpm-ostree based systems for regular users: coreos/rpm-ostree#1726, but it's probably not worth the ripples that would cause.)
For a long time I've resisted encoding "policy" into rpm-ostree
as much as possible. Doing so makes it more distribution specific
for example. That said, for
/var/home
there argument for doingthis in rpm-ostree is that we already make that symlink in our
hardcoded rootfs. So we might as well do the other fixups for it.
coreos/fedora-coreos-config#18
https://pagure.io/workstation-ostree-config/pull-request/121
https://discussion.fedoraproject.org/t/adapting-user-home-in-etc-passwd/487/6
justjanne/powerline-go#94