core: Run sysusers after doing passwd/group layering dance

[jlebon]

For now, we'll just treat sysusers entries from RPM packages like we do
scriptlets that useradd/groupadd; that is, we want them to happen
at compose time and go into altfiles in case those same sysusers own
content in the commit.

All we need to do to make that happen is to run systemd-sysusers
after we do the /etc/passwd <--> /usr/lib/passwd switcheroo so
that the new entries go into what will become /usr/lib/passwd.

And all we need to do that is to just move down the sysusers execution
a bit.

Fixes: #5365

[jlebon]

Note the second commit's message here is really important. Hmm, it probably should be its own PR to draw more attention to it.

Anyway, this is missing tests. We don't have any tests that exercise sysusers right now, but it wouldn't be hard. I did verify this unbreaks rpm-ostree install systemtap-runtime though.

[cgwalters]

Here's a test case I wrote earlier

From b108df166b4d56aa1f24dc2e673d632220505ffa Mon Sep 17 00:00:00 2001
From: Colin Walters <[email protected]>
Date: Sun, 25 May 2025 10:28:40 -0400
Subject: [PATCH] tests: Add a failing test case for layering with sysusers.d

---
 tests/kolainst/destructive/layering-useradd | 13 ++++++++++++-
 tests/kolainst/kolainst-build.sh            | 13 +++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/tests/kolainst/destructive/layering-useradd b/tests/kolainst/destructive/layering-useradd
index ee8d150cf..d9d3c97e3 100755
--- a/tests/kolainst/destructive/layering-useradd
+++ b/tests/kolainst/destructive/layering-useradd
@@ -31,6 +31,9 @@ case "${AUTOPKGTEST_REBOOT_MARK:-}" in
     fatal "found testdaemon in current passwd"
   fi
 
+  # https://github.com/coreos/rpm-ostree/issues/5365
+  rpm-ostree install ${KOLA_EXT_DATA}/rpm-repos/0/packages/x86_64/rpmostree-openvpn*.rpm
+
   /tmp/autopkgtest-reboot "1"
 ;;
 "1")
@@ -44,8 +47,13 @@ case "${AUTOPKGTEST_REBOOT_MARK:-}" in
     fatal "found testdaemon in /etc/passwd"
   fi
 
+  rpm -q rpmostree-openvpn
+  # Ensure /etc/rpmostree-openvpn.d is owned by rpmostree-openvpn
+  assert_streq $(stat -c '%U %G' /etc/rpmostree-openvpn.d) 'rpmostree-openvpn rpmostree-openvpn'
+  echo ok rpmostree-openvpn
+
   # Reset this
-  rpm-ostree uninstall testdaemon
+  rpm-ostree uninstall testdaemon rpmostree-openvpn
 
   /tmp/autopkgtest-reboot "2"
 ;;
@@ -53,6 +61,9 @@ case "${AUTOPKGTEST_REBOOT_MARK:-}" in
   if grep testdaemon /etc/passwd /usr/lib/passwd; then
     fatal "found testdaemon in current passwd"
   fi
+  if grep rpmostree-openvpn /etc/passwd /usr/lib/passwd; then
+    fatal "found rpmostree-openvpn in current passwd"
+  fi
 ;;
 *) echo "unexpected mark: ${AUTOPKGTEST_REBOOT_MARK}"; exit 1;;
 esac
diff --git a/tests/kolainst/kolainst-build.sh b/tests/kolainst/kolainst-build.sh
index 063bec0c8..761c53fce 100755
--- a/tests/kolainst/kolainst-build.sh
+++ b/tests/kolainst/kolainst-build.sh
@@ -60,6 +60,19 @@ build_rpm testdaemon \
                   getent passwd testdaemon-user &>/dev/null || useradd -r testdaemon-user -g testdaemon-group -s /sbin/nologin" \
              files "/usr/bin/%{name}
                     /var/lib/%{name}"
+build_rpm rpmostree-openvpn \
+             build "" \
+             summary "like openvpn" \
+             install "mkdir -p %{buildroot}/{etc/%{name}.d,var/lib/%{name},usr/lib/sysusers.d}
+                      mkdir -p %{buildroot}/usr/lib/sysusers.d
+                      cat > %{buildroot}/usr/lib/sysusers.d/10-%{name}.conf <<'EOF'
+                      u %{name} - 'Test OpenVPN' /etc/%{name}.d -
+                      EOF
+                      " \
+             files "/usr/bin/%{name}
+                    %attr(-, %{name}, %{name}) /etc/%{name}.d
+                    /usr/lib/sysusers.d/*.conf
+                    /var/lib/%{name}"
 # Will be useful for testing cancellation
 build_rpm testpkg-post-infinite-loop \
              post "echo entering testpkg-post-infinite-loop 1>&2; while true; do sleep 1h; done"
-- 
2.49.0

[cgwalters]

I noticed while hacking on #5365 that during the rpmdb writing, librpm was actually re-executing systemd-sysusers from the host context which
is not at all what we want.

Eeek!

This fixes the issue for new systems, but people who have upgraded
to f42 and overlaid packages with sysusers entries will have new entries
in /etc/passwd and /etc/group files because of this. And this can
cause problems now if the UIDs chosen were different because the /etc
entries will take precedence over nss-altfiles even though owned content
will match nss-altfiles.

Hmmm...but isn't this at least a partial argument that we should take the path of always mutating the live /etc if that's what we'd been doing accidentally anyways?

Or at least, if we choose not to do that, I think we may need to at least scrape the current /etc/passwd and merge it with the nss-altfiles content or so? This is what I was looking at changing in prepare_rpm_layering.

[jlebon]

Here's a test case I wrote earlier

Nice. Mind pushing that here?

This fixes the issue for new systems, but people who have upgraded
to f42 and overlaid packages with sysusers entries will have new entries
in /etc/passwd and /etc/group files because of this. And this can
cause problems now if the UIDs chosen were different because the /etc
entries will take precedence over nss-altfiles even though owned content
will match nss-altfiles.

Hmmm...but isn't this at least a partial argument that we should take the path of always mutating the live /etc if that's what we'd been doing accidentally anyways?

Yeah, I thought about that. Not sure... I'm not convinced the "alignment with RPM" is sufficiently beneficial if we can only do it for the non-owning subset and we still have to carry machinery around for the owning case and continue to support the legacy useradd/groupadd paths. I think if it's part of a semi-fleshed out plan of to transition over more fully to sysusers, we could take the complexity hit temporarily.

Or at least, if we choose not to do that, I think we may need to at least scrape the current /etc/passwd and merge it with the nss-altfiles content or so? This is what I was looking at changing in prepare_rpm_layering.

So let's break this down into the owning case and non-owning case. I think we can rule out the former, because that's exactly #5365 which is currently broken.

That leaves the non-owning case (which to be clear, could still own unmanaged content in /var and /etc). In that case, hmm I guess it doesn't actually matter that the altfiles and /etc UIDs may not match if the altfiles version isn't actually used anywhere. Though a corner case there is if the RPM starts owning content in a later update, then it would matter. But overall it seems narrow enough that manual intervention is good enough? One thing we could do pretty easily though is have rpm-ostree detect this and print a message in the status output with a link to a GitHub comment with instructions.

[cgwalters]

The container test is failing with

May 29 03:06:43.332255 rpm-ostreed.service[2730]: /etc/gshadow: Group "testdaemon-group" already exists.

Which is summarized in bootc-dev/bootc#1179

I think what we're hitting here really is actually quite generic to the case of dropping out sysusers entries from an image build? Though I'm a bit confused as to how this PR is triggering this now.

[GrigoryEvko]

Just faced this issue upgrading from f41 kinoite, hoping for a quick resolution!

[jlebon]

OK, pushed another commit here which hopefully fixes that.

[openshift-ci]

@jlebon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/fcos-e2e	0c8abe7	link	true	/test fcos-e2e
ci/prow/kola-upgrade	0c8abe7	link	true	/test kola-upgrade

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[Fale]

How will the upgrade path be like? The people that have those kind of issues are not able to install or update packages at the moment

[cgwalters]

In the short term, having this merged allows folks to pull from our automatic builds from git main to test out the fix as it stands now.

How will the upgrade path be like?

The most likely thing here is:

• We'll get a release out with this after a bit more post-merge testing is done
• Users will need to manually rpm-ostree usroverlay + rpm -Uvh (or dnf install) on the updated rpm-ostree rpm
• Then continue with the upgrade

[Fale]

Thanks! let's make sure that it will be clearly documented :)

[maxgio92]

@Fale @cgwalters what would be the best place to document it?
I'm asking that as a Fedora Silverblue user, in order to help that community as well, so that we can provide reference, as consumers of rpm-ostree.
Thanks

[miabbott]

@maxgio92 IMO, since this workaround should only be temporarily needed, I would suggest proposing a Common Issue on discussion.fedoraproject.org

https://discussion.fedoraproject.org/t/about-the-proposed-common-issues-category/69491

Alternatively, you could submit docs to the Silverblue docs repo; perhaps under the Troubleshooting section: https://github.com/fedora-silverblue/silverblue-docs

[outbackdingo]

@cgwalters @Fale nothing at all explains how to upgrade to this rpm-ostree from an now installed rpm-ostree based system, nor is there a document anywhere that says how to achieve a working a system again, its quite useless to have a fix that many people want without a a known document pointer that tells people how they can recover to a working state

[Procsiab]

@outbackdingo I will leave here the steps I followed to upgrade from a Fedora IoT 42 install with a deployment from early June, suffering from this bug with rpm-ostree and groups added by layered packages:

• Download the RPM packages for rpm-ostree from the CI builds of CoreOS COPR:

curl https://download.copr.fedorainfracloud.org/results/@CoreOS/continuous/fedora-42-x86_64/09239680-rpm-ostree/rpm-ostree-libs-2025.8.63.ga07e7661-1.fc42.x86_64.rpm -o rpm-ostree-libs-2025.8.63.ga07e7661-1.fc42.x86_64.rpm

curl https://download.copr.fedorainfracloud.org/results/@CoreOS/continuous/fedora-42-x86_64/09239680-rpm-ostree/rpm-ostree-2025.8.63.ga07e7661-1.fc42.x86_64.rpm -o rpm-ostree-2025.8.63.ga07e7661-1.fc42.x86_64.rpm

• Set the system in overlay mode to temporarily install the fixed RPM, then install the deployment in that state:

rpm-ostree usroverlay
dnf install -y rpm-ostree-2025.8.63.ga07e7661-1.fc42.x86_64.rpm rpm-ostree-libs-2025.8.63.ga07e7661-1.fc42.x86_64.rpm
rpm-ostree deploy 42.20250706.0
ostree admin finalize-staged -v

Until the new rpm-ostree package hits the repositories, the above step should be repeated every time you need to install a new deployment.

[outbackdingo]

@outbackdingo I will leave here the steps I followed to upgrade from a Fedora IoT 42 install with a deployment from early June, suffering from this bug with rpm-ostree and groups added by layered packages:

• Download the RPM packages for rpm-ostree from the CI builds of CoreOS COPR:

curl https://download.copr.fedorainfracloud.org/results/@CoreOS/continuous/fedora-42-x86_64/09239680-rpm-ostree/rpm-ostree-libs-2025.8.63.ga07e7661-1.fc42.x86_64.rpm -o rpm-ostree-libs-2025.8.63.ga07e7661-1.fc42.x86_64.rpm

curl https://download.copr.fedorainfracloud.org/results/@CoreOS/continuous/fedora-42-x86_64/09239680-rpm-ostree/rpm-ostree-2025.8.63.ga07e7661-1.fc42.x86_64.rpm -o rpm-ostree-2025.8.63.ga07e7661-1.fc42.x86_64.rpm

• Set the system in overlay mode to temporarily install the fixed RPM, then install the deployment in that state:

rpm-ostree usroverlay
dnf install -y rpm-ostree-2025.8.63.ga07e7661-1.fc42.x86_64.rpm rpm-ostree-libs-2025.8.63.ga07e7661-1.fc42.x86_64.rpm
rpm-ostree deploy 42.20250706.0
ostree admin finalize-staged -v

Until the new rpm-ostree package hits the repositories, the above step should be repeated every time you need to install a new deployment.

rpm-ostree override replace rpm-ostree-2025.8.63.ga07e7661-1.fc43.x86_64.rpm rpm-ostree-libs-2025.8.63.ga07e7661-1.fc43.x86_64.rpm

fedora:fedora/42/x86_64/cosmic-atomic
Version: 42.20250707.0 (2025-07-07T00:28:50Z)
BaseCommit: e7b84f467d32b686560a0aed97bb4a6b7eb1e8edc238551c1afc7574b2d5fde6
GPGSignature: Valid signature by B0F4950458F69E1150C6C5EDC8AC4916105EF944
LocalOverrides: rpm-ostree-libs rpm-ostree 2025.8-2.fc42 -> 2025.8.63.ga07e7661-1.fc43
LayeredPackages: 'g++' chrpath containerd.io diffstat dmg2img docker-buildx-plugin docker-ce docker-ce-cli docker-compose-plugin dtc fontawesome-fonts gcc gdisk glances libvirt make mc minicom netbird netbird-ui
patch perl picocom powerline-fonts rpcgen screen tailscale telegram-desktop virt-manager zen-browser zsh
LocalPackages: rpmfusion-free-release-42-1.noarch rpmfusion-nonfree-release-42-1.noarch sdkmanager-2.3.0.12617-1.el7.x86_64 slack-4.43.51-0.1.el8.x86_64 vivaldi-stable-7.4.3684.55-1.x86_64

rpm -qa | grep rpm-ostree
rpm-ostree-libs-2025.8.63.ga07e7661-1.fc43.x86_64
rpm-ostree-2025.8.63.ga07e7661-1.fc43.x86_64

and it still fails
rpm-ostree install openvpn NetworkManager-openvpn
Checking out tree e7b84f4... done
Enabled rpm-md repositories: fedora-cisco-openh264 updates fedora rpmfusion-free-updates rpmfusion-free rpmfusion-nonfree-updates rpmfusion-nonfree vivaldi copr:copr.fedorainfracloud.org:sneexy:zen-browser NetBird docker-ce-stable copr:copr.fedorainfracloud.org:group_CoreOS:continuous updates-archive
Importing rpm-md... done
rpm-md repo 'fedora-cisco-openh264' (cached); generated: 2025-03-19T16:53:39Z solvables: 6
rpm-md repo 'updates' (cached); generated: 2025-07-07T00:46:11Z solvables: 18407
rpm-md repo 'fedora' (cached); generated: 2025-04-09T11:06:59Z solvables: 76879
rpm-md repo 'rpmfusion-free-updates' (cached); generated: 2025-07-03T10:38:48Z solvables: 76
rpm-md repo 'rpmfusion-free' (cached); generated: 2025-04-12T09:12:27Z solvables: 358
rpm-md repo 'rpmfusion-nonfree-updates' (cached); generated: 2025-07-03T10:57:46Z solvables: 37
rpm-md repo 'rpmfusion-nonfree' (cached); generated: 2025-04-12T09:32:45Z solvables: 218
rpm-md repo 'vivaldi' (cached); generated: 2025-07-03T20:25:15Z solvables: 4
rpm-md repo 'copr:copr.fedorainfracloud.org:sneexy:zen-browser' (cached); generated: 2025-07-07T03:42:04Z solvables: 136
rpm-md repo 'NetBird' (cached); generated: 2025-07-06T13:52:43Z solvables: 1046
rpm-md repo 'docker-ce-stable' (cached); generated: 2025-07-02T22:47:24Z solvables: 34
rpm-md repo 'copr:copr.fedorainfracloud.org:group_CoreOS:continuous' (cached); generated: 2025-07-07T20:52:05Z solvables: 167
rpm-md repo 'updates-archive' (cached); generated: 2025-07-07T01:02:51Z solvables: 25351
Resolving dependencies... done
Will download: 3 packages (1.1 MB)
Downloading from 'fedora'... done
Downloading from 'updates'... done
Importing packages... done
Applying 2 overrides and 518 overlays
Processing packages... done
Running systemd-sysusers... done
Running pre scripts... done
Running post scripts... done
error: While applying overrides for pkg openvpn: Could not find group 'openvpn' in group file

[outbackdingo]

@Procsiab and note.. your method now says
sudo rpm-ostree usroverlay
sudo dnf install -y rpm-ostree-2025.8.63.ga07e7661-1.fc43.x86_64.rpm rpm-ostree-libs-2025.8.63.ga07e7661-1.fc43.x86_64.rpm

error: Deployment is already in unlocked state: transient
Updating and loading repositories:
Repositories loaded.
Package "rpm-ostree-2025.8.63.ga07e7661-1.fc43.x86_64" is already installed.
Package "rpm-ostree-libs-2025.8.63.ga07e7661-1.fc43.x86_64" is already installed.

Nothing to do. So it seems this fix does not in fact resolve the issue of missing users when trying to install openvpn

[Procsiab]

@outbackdingo Try to start from a deployment not in an "override" state: I could deploy successfully after I was stuck with the same issue on the nut package because of the group missing bug.

[outbackdingo]

@outbackdingo Try to start from a deployment not in an "override" state: I could deploy successfully after I was stuck with the same issue on the nut package because of the group missing bug.

interestingly, now after a third reboot, openvpn did in fact install ... i still show overlays however

[Drino-San]

In my case the package that is causing issue is qemu, and to install this merged code, I've used the below Steps :

1. uninstall the problematic package

sudo rpm-ostree uninstall qemu qemu-kvm

2. reboot
3. download the repo config for the Continuous repo :

sudo curl -o /etc/yum.repos.d/CoreOS-continuous.repo https://copr.fedorainfracloud.org/coprs/g/CoreOS/continuous/repo/fedora-42/group_CoreOS-continuous-fedora-42.repo

4. Install the fixed version

sudo rpm-ostree override replace --experimental --freeze --from repo='copr:copr.fedorainfracloud.org:group_CoreOS:continuous' rpm-ostree rpm-ostree-libs

5. reboot
6. re-install the problematic package (in my case qemu)

sudo rpm-ostree install qemu qemu-kvm

My plan is to keep those overrides in place until the default base image contain the fixed version of rpm-ostree
@cgwalters How long do you think this will take ?
Once those fixes in the base image I would do a

sudo rpm-ostree override reset -a

Is this a sound plan ?
Those steps are for FCOS.42 (because it doens't update for 2 month now)
For my main Silverblue 41 , I still haves update so this bug is only preventing me to re-base into 42.
I hope that once all the QA test have passed, the fixed rpm-ostree will be included in the based images of Sivleblue 41 and that I will be able to re-base to 42 (at that point).

I'm asking this because my internet gateway is running as a Virtual Machine on a Silverblue 41 , and the 6 step above will not work (Step 1 will cut my internet connection ).

[Procsiab]

I had to perform again the steps I described in my previous comment (#5403 (comment)) to deploy 42.20250730.0 starting from 42.20250706.0; however, I could not use the previously mentioned rpm-ostree RPM version 2.8.63, because it lead to the same error with the groups file.
Instead, I downloaded the release 2025.9.1 from the following locations:

• https://dl.fedoraproject.org/pub/fedora/linux/updates/42/Everything/x86_64/Packages/r/rpm-ostree-libs-2025.9-1.fc42.x86_64.rpm
• https://dl.fedoraproject.org/pub/fedora/linux/updates/42/Everything/x86_64/Packages/r/rpm-ostree-2025.9-1.fc42.x86_64.rpm

By using this release I could complete successfully the deployment and the finalize staged step.

[westurner]

Here's a workaround solution script that installs the latest stable version of rpm-ostree and rpm-ostree-libs in usroverlay so that rpm-ostree upgrade can complete: https://gist.github.com/westurner/055d3f2c629e8c8238ca544a85e59463 ; Thanks @Procsiab this worked!

#!/bin/sh
# # fix_rpmostree.sh
# Install latest rpm-ostree in order to workaround [sysusers] package layering issues
#
# ## References:
# - https://github.com/coreos/rpm-ostree/pull/5403#issuecomment-3046706179
# - https://github.com/coreos/rpm-ostree/pull/5403#issuecomment-3139129186
# - https://packages.fedoraproject.org/pkgs/rpm-ostree/rpm-ostree-libs/
# - https://packages.fedoraproject.org/pkgs/rpm-ostree/rpm-ostree/
# - https://bodhi.fedoraproject.org/updates/?packages=rpm-ostree
# - https://dl.fedoraproject.org/pub/fedora/linux/updates/42/Everything/x86_64/Packages/r/rpm-ostree-2025.9-1.fc42.x86_64.rpm
# - https://dl.fedoraproject.org/pub/fedora/linux/updates/42/Everything/x86_64/Packages/r/rpm-ostree-libs-2025.9-1.fc42.x86_64.rpm

set -x

VERSION="${VERSION:-"2025.9-1"}"
#VERSION="${VERSION:-"2025.10-1"}"
RELEASE="${RELEASE:-"fc42"}"
ARCH="${ARCH:-"x86_64"}"

PACKAGE_SUFFIX="${VERSION}.${RELEASE}.${ARCH}.rpm"
RPMOSTREELIBS_RPM="rpm-ostree-libs-${PACKAGE_SUFFIX}"
RPMOSTREELIBS_RPM_URL="https://dl.fedoraproject.org/pub/fedora/linux/updates/42/Everything/x86_64/Packages/r/${RPMOSTREELIBS_RPM}"
RPMOSTREE_RPM="rpm-ostree-${PACKAGE_SUFFIX}"
RPMOSTREE_RPM_URL="https://dl.fedoraproject.org/pub/fedora/linux/updates/42/Everything/x86_64/Packages/r/${RPMOSTREE_RPM}"


DNF="dnf"
DNF="/usr/bin/python -m dnf.cli.main"

sudo rpm-ostree usroverlay
sudo ${DNF} install -y "${RPMOSTREELIBS_RPM_URL}" "${RPMOSTREE_RPM_URL}"


sudo rpm-ostree status
sudo rpm-ostree status -b -J '$.deployments[*].version'
pending_base_version=$(sudo rpm-ostree status -b -J '$..pending-base-version' | tail -n+2 | head -n1 | sed 's/  "\(.*\)"/\1/')

sudo rpm-ostree deploy "${pending_base_version}"
sudo ostree admin finalize-staged -v

[westurner]

Note that I have dnf[TODO] installed, so DNF="/usr/bin/python -m dnf.cli.main" works.

Does dnf normally work in usroverlay?