Can't configure root user #143

Closed
achilleas-k opened this issue Jan 19, 2024 · 7 comments · Fixed by osbuild/images#647

@achilleas-k

achilleas-k commented Jan 19, 2024

Having a root user configuration breaks the build because, when an existing user is modified, osbuild runs mkhomedir_helper and the following error occurs:

[sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
[sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
Creating mailbox file: No such file or directory
[sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
[sss_cache] [confdb_init] (0x0010): Unable to open config database [/var/lib/sss/db/config.ldb]
Could not open available domains
Traceback (most recent call last):
  File "/run/osbuild/bin/org.osbuild.users", line 199, in <module>
    r = main(args["tree"], args["options"])
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/run/osbuild/bin/org.osbuild.users", line 182, in main
    ensure_homedir(tree, name, home)
  File "/run/osbuild/bin/org.osbuild.users", line 157, in ensure_homedir
    subprocess.run(["chroot", root, "mkhomedir_helper", name], check=True)
  File "/usr/lib64/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['chroot', '/run/osbuild/tree', 'mkhomedir_helper', 'root']' returned non-zero exit status 6.

Reproduce by running bib with the following config:

{
  "blueprint": {
    "customizations": {
      "user": [
        {
          "name": "root",
          "key": "whatever"
        }
      ]
    }
  }
}
@ondrejbudai

We will drop the user customization from bib fairly soon, let's close this.

ondrejbudai closed this as not planned Jan 26, 2024
@cgwalters

cgwalters commented Mar 1, 2024

While I am generally in favor of doing user customization via other mechanisms of:

  • Dynamic injection (systemd creds, cloud-init, ignition, etc.)
  • Configuring the container image

I think there are clear enough use cases for doing it via bib.

We ended up adding a very specific bootc install argument for this.

Once bib uses bootc install there's a clear use case to pass through to that, right?

cgwalters reopened this Mar 1, 2024
@mrguitar

mrguitar commented Mar 1, 2024

If I create an ISO from BIB, how should I set passwords and SSH keys? The only way I can figure out is to use mkksiso to overwrite the kickstart, and that feels more prone to problems. I totally agree w/ cloud-init and whatnot for AMIs, but BIB creates bootable media too. What am I missing?

@cgwalters

It's always valid to embed SSH keys into the container image, see https://centos.github.io/centos-bootc/builds/#injecting-users-at-build-time

It's also possible to use the network as SSH source of truth (this is what IPA etc. are about, but it's doable at smaller scales too).

This said, it is known that the ISO is totally unconfigurable, and that needs to be fixed.

@cgwalters

So as far as fixing the ssh key injection, today anaconda does this:
https://github.com/rhinstaller/anaconda/blob/c473364cebc2e6b8c3e0fb37cc5146055dec9a15/pyanaconda/modules/payloads/payload/rpm_ostree/installation.py#L219

We could do the same here; or just create the target of /root if it doesn't exist.

But as of lately we are backpedaling a bit on the "strictly empty /var" model, so CentOS/centos-bootc#354 would also likely fix this.

In the end though, my preference is to default to matching what bootc is doing here (and systemd suggests upstream with tmpfiles.d) because, to briefly repeat myself: it keeps this critical system configuration in /etc (or /usr to more strictly bind it) instead of mutable persistent state. The downside of this is that not many tools will understand that tmpfiles.d is writing the root SSH key.

@cgwalters

For reference, this works around it:

FROM quay.io/centos-bootc/centos-bootc:stream9
RUN mkdir /var/roothome

@martinpitt

Thanks @cgwalters, that trick works 💯 ⭐

mvo5 added a commit to mvo5/images that referenced this issue Apr 29, 2024
Currently creating a customization for the root user does not work
because `/var/roothome` may not be available in the image. This
commit ensures it is created if needed just like we do for `/var/home`.

Closes osbuild/bootc-image-builder#143
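
An added example, not code from osbuild or from this thread: a pre-flight check for the failure in the traceback above, which resolves a user's home directory the way the chroot would see it and creates the missing target (here `/var/roothome`) before `mkhomedir_helper` would run. The function names and the sample tree, including `/root` being a symlink to `var/roothome`, are assumptions made for illustration.

```python
import os
import tempfile

def resolve_in_tree(tree, path, max_links=16):
    """Resolve `path` as a chroot at `tree` would, never leaving `tree`."""
    todo = [p for p in path.split("/") if p not in ("", ".")]
    done, links = [], 0          # `done` holds resolved components under tree
    while todo:
        part = todo.pop(0)
        if part == "..":
            done = done[:-1]     # ".." at the top stays at the top, as in a chroot
            continue
        cand = os.path.join(tree, *done, part)
        if os.path.islink(cand):  # also true for dangling links
            links += 1
            if links > max_links:
                raise OSError(f"too many symlinks resolving {path}")
            target = os.readlink(cand)
            if target.startswith("/"):
                done = []        # absolute target restarts at the tree root
            todo = [p for p in target.split("/") if p not in ("", ".")] + todo
        else:
            done.append(part)
    return os.path.join(tree, *done)

def home_of(tree, name):
    with open(os.path.join(tree, "etc", "passwd")) as f:
        for line in f:
            fields = line.rstrip("\n").split(":")
            if len(fields) >= 6 and fields[0] == name:
                return fields[5]  # sixth passwd field is the home directory
    raise KeyError(name)

def ensure_home_target(tree, name):
    """Create the real home directory if missing; return it, or None if present."""
    real = resolve_in_tree(tree, home_of(tree, name))
    if os.path.isdir(real):
        return None
    os.makedirs(real)
    os.chmod(real, 0o700)        # private to its owner regardless of umask
    return real

def build_sample_tree():  # constructed sample: /root -> var/roothome, target absent
    tree = tempfile.mkdtemp()
    os.makedirs(os.path.join(tree, "etc"))
    os.mkdir(os.path.join(tree, "var"))
    with open(os.path.join(tree, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    os.symlink("var/roothome", os.path.join(tree, "root"))
    return tree
```

Resolving inside the tree matters because the build host's own `/root` or `/etc` must never be touched when an image contains absolute symlinks.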
achilleas-k pushed a commit to mvo5/images that referenced this issue Apr 29, 2024
github-merge-queue bot pushed a commit to osbuild/images that referenced this issue Apr 29, 2024
say-paul pushed a commit to say-paul/images that referenced this issue May 8, 2024