sysusers: remove bin entries and get systemd.post: /etc/gshadow: Group "bin" already exists. #1525

Closed
HuijingHei opened this issue Jul 12, 2023 · 5 comments · Fixed by coreos/rpm-ostree#4503

@HuijingHei
Member

HuijingHei commented Jul 12, 2023

Refer to coreos/rpm-ostree#49 (comment), do testing with bin:

  1. Remove bin line in group and passwd (refer to https://github.com/coreos/fedora-coreos-config/tree/testing-devel/manifests)
  2. Build FCOS, see logs:
```
...
systemd.post: Creating group 'bin' with GID 1.
systemd.post: Creating user 'bin' (bin) with UID 1 and GID 1.
systemd.post: /etc/gshadow: Group "bin" already exists.
...
```

According to @cgwalters's pointer, the above log will lead systemd-sysusers (during systemd.post) to exit early before saving the updated /etc/{passwd,group} (refer to code), and the bin user/group will not be saved in the end.

The root cause is that gshadow is not consistent with group: gshadow is from setup, and we override group according to fedora-coreos-config. And @cgwalters is correct: do testing with override/rootfs/etc/gshadow (from the setup package) which removes the bin line, rebuild FCOS, there are no such logs, and verify the bin user/group are saved in /usr/lib/{passwd,group} after booting the disk.

To fix this, we should make sure gshadow is consistent with group before layering, like regenerating gshadow according to group.
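The consistency condition discussed in this issue (a `gshadow` entry with no matching `group` entry is what makes systemd-sysusers report "already exists"), as an added example that is not part of the original issue or of rpm-ostree's code. The function names, the constructed sample file contents, and the `!*` locked-password placeholder used for regenerated entries are assumptions.

```python
"""Added example: check that gshadow/shadow agree with group/passwd."""

# Constructed sample: `group` was overridden without "bin",
# while `gshadow` (as shipped by another package) still lists it.
GROUP = "root:x:0:\nwheel:x:10:core\nadm:x:4:\n"
GSHADOW = "root:::\nbin:::\nadm:::\n"


def names(text):
    """Return the entry names (first colon-separated field), in file order."""
    return [ln.split(":", 1)[0] for ln in text.splitlines() if ln.strip()]


def compare(primary, shadow):
    """Return (stale, missing).

    stale:   names present only in the shadow-style file; these are the
             entries that collide when the name is created again later.
    missing: names present only in the primary file (group or passwd).
    """
    p, s = names(primary), names(shadow)
    stale = [n for n in s if n not in set(p)]
    missing = [n for n in p if n not in set(s)]
    return stale, missing


def regenerate_gshadow(group, gshadow, locked="!*"):
    """Rebuild gshadow so it lists exactly the groups in `group`, same order.

    Lines for groups that still exist are kept as they are; stale lines are
    dropped; new lines get a locked password (assumed placeholder) and the
    member list copied from the group file.
    """
    existing = {ln.split(":", 1)[0]: ln
                for ln in gshadow.splitlines() if ln.strip()}
    out = []
    for ln in group.splitlines():
        if not ln.strip():
            continue
        fields = ln.split(":")
        members = fields[3] if len(fields) > 3 else ""
        out.append(existing.get(fields[0], f"{fields[0]}:{locked}::{members}"))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("stale, missing:", compare(GROUP, GSHADOW))
    print(regenerate_gshadow(GROUP, GSHADOW), end="")
```

`compare` only looks at the first field, so the same call works for `passwd` against `shadow`.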

@cgwalters
Member

Right. I think we can do this automatically in rpm-ostree.

BTW though, this issue also relates a bit to coreos/rpm-ostree#4401 - I wonder if it would work for us to just empty out (or possibly even remove) the shadow files instead of regenerating them?

@cgwalters
Member

So I'd probably say we should transfer this issue to rpm-ostree. This problem domain also applies to other systems using it (IoT, desktops, etc.)

@HuijingHei
Member Author

HuijingHei commented Jul 13, 2023

> I wonder if it would work for us to just empty out (or possibly even remove) the shadow files instead of regenerating them?

Tried to remove the shadow files:
appended the following to src/config/manifests/fedora-coreos-base.yaml under remove-from-packages:, and built FCOS; no error about /etc/gshadow: Group "bin" already exists.

```
  - [setup, /etc/shadow,
            /etc/gshadow]
```

Checked that the shadow files have mode 0000; it seems they do not include all the groups/users, and also do not include the package prein groups, for example utmp. Not sure whether there is any concern.

```
[root@cosa-devsh ~]# ls -l /etc/*shadow*
----------. 1 root root 100 Jul 13 02:24 /etc/gshadow
----------. 1 root root  91 Jul 13 02:23 /etc/gshadow-
----------. 1 root root 107 Jul 13 02:24 /etc/shadow
----------. 1 root root  81 Jul 13 02:23 /etc/shadow-
[root@cosa-devsh ~]# cat /etc/gshadow
bin:!*::
kvm:!*::
render:!*::
sgx:!*::
zincati:!*::
systemd-coredump:!*::
systemd-oom:!*::
core:!::
```

@HuijingHei
Member Author

> I wonder if it would work for us to just empty out (or possibly even remove) the shadow files instead of regenerating them?

Test with empty shadow files:
Create empty files override/rootfs/etc/{,g}shadow and build FCOS, no error logs.
Boot the VM, check that the shadow files have the same mode as the override, and include the package prein groups.
Same as with removing the shadow files, they do not include all the groups/users.

HuijingHei added a commit to HuijingHei/rpm-ostree that referenced this issue Jul 17, 2023
Refer to coreos#49 (comment),
Remove bin line in group and passwd
Build FCOS, see logs:
```
systemd.post: Creating group 'bin' with GID 1.
systemd.post: Creating user 'bin' (bin) with UID 1 and GID 1.
systemd.post: /etc/gshadow: Group "bin" already exists.
```
According to @cgwalters 's pointer:

The above log will lead systemd-sysusers (during systemd.post)
exit early before saving the updated `/etc/{passwd,group}` refer
to [code](https://github.com/systemd/systemd/blob/main/src/sysusers/sysusers.c#L820),
and bin user/group will not be saved finally.

The root cause is that `gshadow` is not consistent with group,
`gshadow` is from setup, and we override group according to https://github.com/coreos/fedora-coreos-config/blob/testing-devel/manifests/group.

The `shadow` is also from setup, and is not consistent with
passwd, we should also sync it.

Fix coreos/fedora-coreos-tracker#1525
HuijingHei added a commit to HuijingHei/rpm-ostree that referenced this issue Jul 17, 2023
Refer to coreos#49 (comment),
do testing:
1. Remove bin line in group and passwd
2. Build FCOS, see logs:
```
systemd.post: Creating group 'bin' with GID 1.
systemd.post: Creating user 'bin' (bin) with UID 1 and GID 1.
systemd.post: /etc/gshadow: Group "bin" already exists.
```

According to @cgwalters 's pointer:

The above log will lead systemd-sysusers (during systemd.post)
exit early before saving the updated `/etc/{passwd,group}` refer
to [code](https://github.com/systemd/systemd/blob/main/src/sysusers/sysusers.c#L820),
and bin user/group will not be saved finally.

The root cause is that `gshadow` is not consistent with group,
`gshadow` is from setup, and we override group according to https://github.com/coreos/fedora-coreos-config/blob/testing-devel/manifests/group.

The `shadow` is also from setup, and is not consistent with
passwd, we should also sync it.

Fix coreos/fedora-coreos-tracker#1525
HuijingHei changed the title from `sysuers: remove bin entries and get systemd.post: /etc/gshadow: Group "bin" already exists.` to `sysusers: remove bin entries and get systemd.post: /etc/gshadow: Group "bin" already exists.` on Jul 17, 2023
HuijingHei added a commit to HuijingHei/rpm-ostree that referenced this issue Jul 18, 2023
HuijingHei added the `jira` label (for syncing to jira) Jul 18, 2023
@HuijingHei
Member Author

HuijingHei commented Jul 18, 2023

IMU, we should also remove bin user and group in https://github.com/coreos/fedora-coreos-config/blob/testing-devel/overlay.d/15fcos/usr/lib/sysusers.d/10-setup-basic.conf, as they are duplicated in setup sysusers.d/20-setup-groups.conf and sysusers.d/20-setup-users.conf (refer to https://pagure.io/setup/blob/master/f/generate-sysusers-fragments.sh), is this right?

```
$ grep adm usr/lib/sysusers.d/*
usr/lib/sysusers.d/20-setup-groups.conf:g adm 4
usr/lib/sysusers.d/20-setup-users.conf:u adm 3:4 "adm" /var/adm -
```

cgwalters pushed a commit to coreos/rpm-ostree that referenced this issue Jul 19, 2023
lukewarmtemp pushed a commit to lukewarmtemp/rpm-ostree that referenced this issue Aug 8, 2023