Comments (9)
I did an analysis pass on the OS content of current `next`, and these are the entries that need some tweaking:

```
# ostree ls <REV> -R / | grep -v ' 0 0'
-00640 0 992 540 /usr/etc/chrony.keys
-00644 0 985 27981 /usr/etc/dnsmasq.conf
d00755 0 985 0 /usr/etc/dnsmasq.d
d00750 0 998 0 /usr/etc/polkit-1/localauthority
d00700 999 0 0 /usr/etc/polkit-1/rules.d
-02555 0 999 334248 /usr/libexec/openssh/ssh-keysign
d00700 999 0 0 /usr/share/polkit-1/rules.d
```

These are the packages and bugzilla tickets for each of those:
- chrony: could be moved to a tmpfiles.d fragment (or get a static ID) - https://bugzilla.redhat.com/show_bug.cgi?id=2104918
- dnsmasq: could be moved to plain root:root ownership - https://bugzilla.redhat.com/show_bug.cgi?id=2104973
- openssh: group ssh_keys needs static GID - https://bugzilla.redhat.com/show_bug.cgi?id=2104595
- polkit: user/group polkitd need static ID - https://bugzilla.redhat.com/show_bug.cgi?id=2104615
from fedora-coreos-config.
Yes, that would help for packages that aren't directly used for base FCOS images. I'll try to put something together for fedora-devel after this initial small round of packages for our scenario is fixed.
from fedora-coreos-config.
The dnsmasq entries have been moved to root:root ownership in dnsmasq-2.86-10.fc36.
from fedora-coreos-config.
The ssh_keys group got moved to a static GID in openssh-8.8p1-3 (F37).
from fedora-coreos-config.
I think rpm-ostree should traverse the target root (it has to anyways) and warn if there are any non-root owned files in /usr with dynamic ids.
from fedora-coreos-config.
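One way to implement the warning proposed above, as an added example that is not rpm-ostree's own code: it parses the `ostree ls -R` listing shown in the first comment and flags every entry under /usr whose uid or gid falls outside a caller-supplied set of static IDs. The sample listing is constructed, and the static-ID set is an assumption (only root by default); the authoritative allocation for Fedora lives in the setup package's uidgid file.

```python
"""Flag ostree-tracked entries under /usr owned by a non-static UID/GID.

Added example, not rpm-ostree code. Input is the text of
`ostree ls <REV> -R /`, whose fields are: mode uid gid size path
(symlinks carry a trailing '-> target'; that suffix is ignored here).
"""
import re
from typing import FrozenSet, List, NamedTuple


class Entry(NamedTuple):
    mode: str
    uid: int
    gid: int
    path: str


# mode (type char + 5 octal digits), uid, gid, size, path; rest ignored.
_LINE = re.compile(r"^([-dl][0-7]{5})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")

# Constructed sample in the shape of `ostree ls -R` output (not a real tree).
SAMPLE = """\
# ostree ls <REV> -R /
d00755 0 0 0 /usr/etc
-00640 0 992 540 /usr/etc/chrony.keys
-00644 0 985 27981 /usr/etc/dnsmasq.conf
-02555 0 999 334248 /usr/libexec/openssh/ssh-keysign
d00700 999 0 0 /usr/share/polkit-1/rules.d
-00644 0 0 1234 /usr/lib/os-release
l00777 0 0 0 /usr/etc/localtime -> ../share/zoneinfo/UTC
-00600 992 992 40 /var/lib/chrony/drift
"""


def parse_listing(listing: str) -> List[Entry]:
    """Parse listing lines; blank lines and '#' command echoes are skipped."""
    entries = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ostree ls line: {line!r}")
        mode, uid, gid, _size, path = m.groups()
        entries.append(Entry(mode, int(uid), int(gid), path))
    return entries


def find_dynamic_owned(listing: str, static_ids: FrozenSet[int] = frozenset({0}),
                       prefix: str = "/usr") -> List[Entry]:
    """Entries under `prefix` whose uid or gid is not in `static_ids`.

    Assumption: any ID outside `static_ids` is a dynamically allocated one
    and therefore not safe to bake into an ostree commit.
    """
    return [e for e in parse_listing(listing)
            if e.path.startswith(prefix)
            and (e.uid not in static_ids or e.gid not in static_ids)]
```

Running `find_dynamic_owned(SAMPLE)` reproduces the four problem entries from the first comment while leaving root-owned files and the /var entry alone; adding 999 to the static set drops the openssh and polkit hits.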
It'd be good to socialize this on e.g. fedora-devel@ - this work conceptually isn't specific to FCOS and needs to be something that other OS developers/packagers understand. @lucab mind doing that?
from fedora-coreos-config.
May even be Change worthy. Or perhaps packaging guidelines. And/or ensure that any tests for this are e.g. executed also for other editions.
from fedora-coreos-config.
I think this should actually be an rpm-ostree builtin feature.
from fedora-coreos-config.
@cgwalters mind detailing what is the "this" above? I was thinking of moving the ownership details of /etc content to systemd-tmpfiles, which would work better with dynamic users/groups. But /usr content is still a build-time problem open for brainstorming.
Right now we are already doing workarounds in rpm-ostree (pinning the dynamic IDs to static ones via manifest entries).
from fedora-coreos-config.