This is a tracking bug for Change: Adopting sysusers.d format For more details, see: https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format Files in sysusers.d format will be used to declare systems users so it will be possible to introspect system users. Users will still be created using old-style useradd calls.
The basic machinery (rpm macros) in systemd-rpm-macros is now done. Unfortunately I missed the mass rebuild, which means that packages will not get the new Provides:user() and group() until they are rebuilt. Packages which do not use sysusers require more work. I converted munge as an example: https://src.fedoraproject.org/rpms/munge/pull-request/1. I'll have time to work more on this two weeks from now, and I'll submit some no-op rebuilds and PRs then.
Branching Fedora 32 Changes from rawhide. Today is the Code Complete (testable) deadline. Please make sure your bug status is set appropriately: Complete (testable) -> MODIFIED Complete (100% code complete) -> ON_QA (deadline is 25 February) If you need to defer this change until Fedora 33, please set the version back to 'rawhide'.
The Code Complete (100% Complete) deadline has passed. If your Change is 100% complete, please set the status of this bug to ON_QA. If you need to defer to Fedora 33, please set the version to rawhide. A list of incomplete changes is being submitted to FESCo for review.
The implementation on systemd side is there. Now all packages need to be converted...
Fedora 32 is released!
(In reply to Zbigniew Jędrzejewski-Szmek from comment #4) > The implementation on systemd side is there. Now all packages need to be > converted... It is the time for another feature change to enforce sysusers to all packages? The usage of useradd/groupadd in %pre seems already removed from the guidline https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/ . That's would be a great benefit for Silverblue/CoreOS users.
Just to xref here quite a while ago we added code in rpm-ostree to auto-synthesize sysusers.d entries from useradd/groupadd invocations from package scripts in https://github.com/coreos/rpm-ostree/pull/3897 But yes, it'd be really helpful to have a push to do this conversion. That said there is a larger story here, see https://docs.fedoraproject.org/en-US/bootc/building-containers/#_invoking_useradd_as_part_of_a_container_build - I think especially it's notable to use DynamicUser=yes where possible, but also sysusers owning file content is a problem for image-based systems.
I'm not sure if you meant to comment on this particular ticket, but it I got the message. > https://github.com/coreos/rpm-ostree/pull/3897 This is a very interesting link. I just spent most of today creating a spec file munger to convert spec file %pre sections back into sysusers files ;) (Though I don't think my work is wasted. The rpm-ostree interceptor only catches the calls and runs at a different time, but I needed to change the spec files and remove more of the scriptlet logic.) > I think especially it's notable to use DynamicUser=yes where possible, but also sysusers owning file content is a problem for image-based systems. Yeah, DynamicUser= is generally nice and works nicely. As for sysusers owning file content, I don't think this is something that we can get rid of. There is maybe a few hundred of packages which do that, so image-based systems will need to support this.