Bug 2218209

Summary: useradd: invalid user ID '389:389': installing 389-ds-base in container fails to create the dirsrv user
Product: Red Hat Enterprise Linux 9 Reporter: Jan Pazdziora <jpazdziora>
Component: 389-ds-baseAssignee: LDAP Maintainers <idm-ds-dev-bugs>
Status: VERIFIED --- QA Contact: LDAP QA Team <idm-ds-qe-bugs>
Severity: high Docs Contact:
Priority: high    
Version: CentOS StreamCC: bsmejkal, bstinson, idm-ds-dev-bugs, jpazdziora, jwboyer, mreynolds, vashirov
Target Milestone: rcKeywords: Regression, Triaged
Target Release: 9.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: 389-ds-base-2.3.6-2.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Pazdziora 2023-06-28 13:05:43 UTC 
Description of problem:

When installing 389-ds-base package in container, the dirsrv with uid 389 no longer gets created.

Version-Release number of selected component (if applicable):

389-ds-base-2.3.4-2.el9.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. $ podman run --rm quay.io/centos/centos:stream9 bash -c 'dnf install -y 389-ds-base && grep dirsrv /etc/passwd'

Actual results:

$ podman run --rm quay.io/centos/centos:stream9 bash -c 'dnf install -y 389-ds-base && grep dirsrv /etc/passwd'
CentOS Stream 9 - BaseOS                        7.0 MB/s | 6.2 MB     00:00    
CentOS Stream 9 - AppStream                      13 MB/s |  17 MB     00:01    
CentOS Stream 9 - Extras packages               115 kB/s |  12 kB     00:00    
Dependencies resolved.
================================================================================
 Package                        Arch     Version              Repository   Size
================================================================================
Installing:
 389-ds-base                    x86_64   2.3.4-2.el9          appstream   2.9 M
Installing dependencies:
 389-ds-base-libs               x86_64   2.3.4-2.el9          appstream   1.5 M
 acl                            x86_64   2.3.1-3.el9          baseos       73 k

[...]

  Installing       : cyrus-sasl-gssapi-2.1.27-21.el9.x86_64             148/151 
  Installing       : python3-lib389-2.3.4-2.el9.noarch                  149/151 
  Installing       : 389-ds-base-2.3.4-2.el9.x86_64                     150/151 
  Running scriptlet: 389-ds-base-2.3.4-2.el9.x86_64                     150/151 
useradd: invalid user ID '389:389'

  Installing       : rpm-plugin-selinux-4.16.1.3-23.el9.x86_64          151/151 
  Running scriptlet: nss-3.79.0-18.el9.x86_64                           151/151 
  Running scriptlet: selinux-policy-targeted-38.1.15-1.el9.noarch       151/151 

[...]

  util-linux-2.37.4-11.el9.x86_64                                               
  util-linux-core-2.37.4-11.el9.x86_64                                          

Complete!
$

Expected results:

[...]

  systemd-rpm-macros-252-15.el9.noarch                                          
  util-linux-2.37.4-11.el9.x86_64                                               
  util-linux-core-2.37.4-11.el9.x86_64                                          

Complete!
dirsrv:x:389:389:user for 389-ds-base:/usr/share/dirsrv/:/sbin/nologin
$

Additional info:
Comment 1 Jan Pazdziora 2023-06-28 14:20:55 UTC 
The %sysusers_create_compat in https://gitlab.com/redhat/centos-stream/rpms/389-ds-base/-/blob/c9s/389-ds-base.spec expands using /usr/lib/rpm/sysusers.generate-pre.sh from systemd-rpm-macros-252-15.el9.noarch. That code is different from the respective one in Fedora and does not understand the

  u     dirsrv   389:389

entry.
Comment 2 Jan Pazdziora 2023-06-29 07:42:16 UTC 
Note bug 2217149 which talks about sysusers.generate-pre.sh. It might make sense with the systemd maintainers about the correct approach / timing.
Comment 3 Viktor Ashirov 2023-08-03 14:12:45 UTC 
This is fixed in systemd-252-16.el9, but we need to rebuild 389-ds-base against the new systemd package to generate new script snippet.
Moving to POST to be picked up by the next build.
Comment 4 Viktor Ashirov 2023-08-14 15:52:27 UTC 
$ podman run --rm quay.io/centos/centos:stream9 bash -c 'dnf install -y 389-ds-base && grep dirsrv /etc/passwd'

...

Installed:
  389-ds-base-2.3.4-3.el9.x86_64
  389-ds-base-libs-2.3.4-3.el9.x86_64
...
  systemd-252-16.el9.x86_64
  systemd-libs-252-16.el9.x86_64
  systemd-pam-252-16.el9.x86_64
  systemd-rpm-macros-252-16.el9.noarch
...

Complete!
dirsrv:x:389:389:user for 389-ds-base:/usr/share/dirsrv/:/sbin/nologin


Marking as Verified:Tested.
Comment 7 bsmejkal 2023-08-17 08:30:07 UTC 
As per comment #c5 marking as VERIFIED.