generator: Fix orphaned /etc/shadow and /etc/gshadow entries before sysusers #2207

Queued

cgwalters wants to merge 2 commits into bootc-dev:main from cgwalters:gshadow

Conversation

@cgwalters (Collaborator)
There's a bit of a trap in the movement from nss-altfiles to systemd-sysusers; if users/groups migrate from the former to the latter, they may leave orphaned entries in the shadow files.

When systemd-sysusers then tries to create those users/groups at boot, it finds them already in the shadow files and fatally errors.

Add a generator which enables a unit that detects this situation and cleans up the shadow entries.

Now in practice: we probably should have made sure that nss-altfiles users don't have shadow entries at all, but that ship has sailed.

Fixes: #1179

Assisted-by: OpenCode (Claude Sonnet 4.6)
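The situation described above, as an added example in Rust; this is not bootc's code and not the PR's implementation. Given the contents of /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow, it reports the shadow and gshadow rows whose name has no matching passwd/group entry (orphans), reports repeated names (duplicates, which the bot review below also mentions), and computes the pruned file body a cleanup unit would write back. The sample file contents, the user name `legacyd` and the helper names (`entry_name`, `prune_shadow`, `needs_cleanup`) are constructed for illustration.

```rust
// Added example, not bootc's implementation: detect the orphaned and
// duplicate /etc/{,g}shadow entries the PR describes and compute a pruned
// file body. All inputs below are constructed sample file contents.
use std::collections::HashSet;

// Constructed sample contents (not from a real system). "legacyd" stands
// for a user that moved from nss-altfiles to sysusers and left stale rows
// behind; the second "bin" shadow row is a duplicate.
const PASSWD: &str = "root:x:0:0:root:/root:/bin/bash\n\
                      bin:x:1:1:bin:/bin:/usr/sbin/nologin\n";
const GROUP: &str = "root:x:0:\nbin:x:1:\nwheel:x:10:\n";
const SHADOW: &str = "root:*:19000:0:99999:7:::\n\
                      bin:*:19000:0:99999:7:::\n\
                      legacyd:!!:19000::::::\n\
                      bin:*:19001:0:99999:7:::\n";
const GSHADOW: &str = "root:::\nbin:::\nlegacyd:!::\nwheel:::\n";

/// The name field (first colon-separated column) of one entry line.
/// Blank lines and '#' comments yield None and are not entries.
fn entry_name(line: &str) -> Option<&str> {
    let l = line.trim_end();
    if l.is_empty() || l.starts_with('#') {
        return None;
    }
    l.split(':').next()
}

/// Set of entry names in a passwd- or group-style file.
fn names(content: &str) -> HashSet<&str> {
    content.lines().filter_map(entry_name).collect()
}

/// Outcome of pruning one shadow-style file against its owner file.
#[derive(Debug, Default, PartialEq)]
struct Pruned {
    kept: String,            // file body with offending rows removed
    orphaned: Vec<String>,   // names with no passwd/group entry
    duplicates: Vec<String>, // names seen more than once (later rows dropped)
}

/// Keep a row only if its name exists in `owners` and has not been seen yet.
/// The first row for a name wins; blank and comment lines are preserved.
fn prune_shadow(shadow: &str, owners: &HashSet<&str>) -> Pruned {
    let mut out = Pruned::default();
    let mut seen: HashSet<&str> = HashSet::new();
    for line in shadow.lines() {
        if let Some(name) = entry_name(line) {
            if !owners.contains(name) {
                out.orphaned.push(name.to_string());
                continue;
            }
            if !seen.insert(name) {
                out.duplicates.push(name.to_string());
                continue;
            }
        }
        out.kept.push_str(line);
        out.kept.push('\n');
    }
    out
}

/// The condition a generator would evaluate: is there anything to clean up?
fn needs_cleanup(passwd: &str, group: &str, shadow: &str, gshadow: &str) -> bool {
    let s = prune_shadow(shadow, &names(passwd));
    let g = prune_shadow(gshadow, &names(group));
    !(s.orphaned.is_empty()
        && s.duplicates.is_empty()
        && g.orphaned.is_empty()
        && g.duplicates.is_empty())
}

fn main() {
    let shadow = prune_shadow(SHADOW, &names(PASSWD));
    let gshadow = prune_shadow(GSHADOW, &names(GROUP));
    println!("shadow  orphans={:?} dups={:?}", shadow.orphaned, shadow.duplicates);
    println!("gshadow orphans={:?} dups={:?}", gshadow.orphaned, gshadow.duplicates);
    print!("pruned shadow:\n{}", shadow.kept);
    println!(
        "needs cleanup after pruning: {}",
        needs_cleanup(PASSWD, GROUP, &shadow.kept, &gshadow.kept)
    );
}
```

On a real system the inputs come from the deployment's /etc, and the write-back must hold the lckpwdf(3) lock and replace the file atomically (temporary file in /etc, fsync, rename) so that a concurrent passwd(1) run or a crash cannot leave a half-written shadow file; the example deliberately stops at the in-memory filtering. Once the orphaned rows are gone, systemd-sysusers can recreate the user or group from its sysusers.d fragment instead of failing on the stale row.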

@github-actions github-actions Bot added the area/documentation Updates to the documentation label May 21, 2026
@bootc-bot bootc-bot Bot requested a review from jeckersb May 21, 2026 14:42
@cgwalters cgwalters marked this pull request as draft May 21, 2026 14:43
@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a new systemd service and internal command to prune orphaned and duplicate entries from /etc/shadow and /etc/gshadow prior to systemd-sysusers execution. The implementation provides utilities for parsing shadow-style files, an RAII guard for file locking, and a systemd generator for conditional activation. Review feedback points out a potential race condition in file metadata retrieval and suggests optimizing string allocations during entry filtering.

Comment thread crates/lib/src/deploy.rs Outdated
Comment thread crates/lib/src/deploy.rs Outdated
@cgwalters cgwalters force-pushed the gshadow branch 2 times, most recently from 19368bf to f7066fc Compare May 21, 2026 16:58
@cgwalters cgwalters marked this pull request as ready for review May 21, 2026 17:15
@cgwalters cgwalters added the ci/tier-1 Run CI for tier-1 OS (centos-10) only label May 21, 2026
…lization

ostree explicitly unlinks /etc/.updated (and /var/.updated) when
finalizing a new deployment so that systemd ConditionNeedsUpdate=|/etc
services like systemd-sysusers and systemd-tmpfiles always run on the
first boot of that deployment.

The native composefs path was missing this step.  initialize_state()
copies /etc from the container image with 'cp -a', which preserves any
/etc/.updated stamp from the build environment.  composefs_backend_finalize()
merges /etc into the staged deployment directory but similarly never removes
the stamp.

The consequence is that systemd sees /etc/.updated already present and
concludes /etc needs no update, causing sysusers (and tmpfiles) to be
skipped entirely on the first boot of an upgraded deployment.

Assisted-by: OpenCode (Claude Sonnet 4.6)
Signed-off-by: Colin Walters <walters@verbum.org>
…ysusers

There's a bit of a trap in the movement from nss-altfiles to systemd-sysusers;
if users/groups migrate from the former to the latter, they may leave
orphaned entries in the shadow files.

When systemd-sysusers then tries to create those users/groups at boot, it
finds them already in the shadow files and fatally errors.

Add a generator which enables a unit that detects this situation and cleans
up the shadow entries.

Now in practice: we probably should have made sure that nss-altfiles
users don't have shadow entries at all, but that ship has sailed.

Fixes: bootc-dev#1179

Assisted-by: OpenCode (Claude Sonnet 4.6)
Signed-off-by: Colin Walters <walters@verbum.org>
@cgwalters (Collaborator, Author)

OK, discovered an existing bug here around ConditionNeedsUpdate with composefs backend, have a prep commit to fix that now too.

@cgwalters cgwalters enabled auto-merge May 22, 2026 23:03
@cgwalters cgwalters added this pull request to the merge queue May 25, 2026

Development

Successfully merging this pull request may close these issues.

lint: Verify /etc/{,g}shadow

3 participants