Description of problem:
FreeIPA client cannot be initialized/installed on a custom SilverBlue image (with freeipa-client installed) with ```ipa-client-install``` because directories are missing.

How reproducible:
Every time.

Steps to Reproduce:
1. On a vanilla SilverBlue image use the following Containerfile:
```
FROM quay.io/fedora-ostree-desktops/silverblue:41
RUN dnf install freeipa-client --assumeyes
```
2. Build a custom image: ```sudo podman build -t freeipa-bootc -f Containerfile```
3. Switch SilverBlue to the custom image: ```sudo bootc switch --transport containers-storage localhost/freeipa-bootc```
4. Run ```ipa-client-install --mkhomedir``` and complete a regular FreeIPA client install.

Actual results:
```
[Errno 2] No such file or directory: '/var/lib/ipa-client/sysrestore/sysrestore.state'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
```
Creating /var/lib/ipa-client by hand leads to ```certmonger.service``` failing, complaining about ```/var/lib/certmonger``` and other files missing.

Expected results:
Successful IPA client initialization/install.

Additional info, possible fix:
I added the below ```system-tmpfiles``` configuration to ```/etc/tmpfiles.d```:
```
d /var/lib/certmonger 0755 root root
d /var/lib/certmonger/cas
d /var/lib/certmonger/local
d /var/lib/certmonger/requests
d /var/lib/ipa-client 0755 root root
d /var/lib/ipa-client/pki
d /var/lib/ipa-client/sysrestore
```
Although obviously the package(s) would include it in ```/usr/lib/tmpfiles.d``` instead.

Logging into the system fails regardless, but that seems unrelated, and I will file a separate bug for that.

I also added a link to the Bluefin (Fedora uBlue image) issue I filed which is related.
Created attachment 2062510
tmpfiles config that seems to fix the missing directories error
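The report's workaround is a tmpfiles.d fragment that recreates the /var/lib directories the packages expect. The script below is an added example, not part of the bug report or of FreeIPA/certmonger: it reads the "d" lines of such a fragment, lists which of those directories are missing under a given root (so the check can be run against a freshly switched bootc deployment before ipa-client-install is attempted), and can create them with the mode given in the fragment. The function names tmpfiles_missing and tmpfiles_create are my own, the embedded fragment is a constructed copy of the one attached to the report, and only the "d <path> [mode] [user] [group]" form is handled; systemd-tmpfiles(8) remains the tool that actually applies these fragments at boot.

```shell
#!/bin/sh
# Added example (not from the bug report): a dependency-free check for the
# "d" lines of a tmpfiles.d fragment. Only "d <path> [mode] [user] [group]"
# is understood; other line types and comments are skipped.

# Constructed copy of the fragment attached to the report.
IPA_TMPFILES_CONF='d /var/lib/certmonger 0755 root root
d /var/lib/certmonger/cas
d /var/lib/certmonger/local
d /var/lib/certmonger/requests
d /var/lib/ipa-client 0755 root root
d /var/lib/ipa-client/pki
d /var/lib/ipa-client/sysrestore'

# tmpfiles_missing ROOT CONF
# Print each "d" path from CONF that does not exist as a directory under
# ROOT. Use ROOT=/ on a live system; the output is empty when nothing is
# missing, which is the state ipa-client-install needs.
tmpfiles_missing() {
    root=${1%/}
    printf '%s\n' "$2" | while read -r type path mode user group; do
        case $type in d) ;; *) continue ;; esac
        [ -d "$root$path" ] || printf '%s\n' "$path"
    done
}

# tmpfiles_create ROOT CONF
# Create the missing "d" directories under ROOT. A "-" or absent mode
# column means the tmpfiles.d default of 0755; mkdir -p applies the mode to
# the final component only, which matches the fragment in the report where
# parents are listed before their children.
tmpfiles_create() {
    root=${1%/}
    printf '%s\n' "$2" | while read -r type path mode user group; do
        case $type in d) ;; *) continue ;; esac
        [ "$mode" = "-" ] && mode=
        [ -d "$root$path" ] && continue
        mkdir -p -m "${mode:-0755}" "$root$path"
    done
}

# Stand-alone run against a throwaway root so nothing touches the real /var.
if [ "${TMPFILES_DEMO:-1}" = 1 ]; then
    demo_root=$(mktemp -d)
    echo "missing before:"; tmpfiles_missing "$demo_root" "$IPA_TMPFILES_CONF"
    tmpfiles_create "$demo_root" "$IPA_TMPFILES_CONF"
    echo "missing after:";  tmpfiles_missing "$demo_root" "$IPA_TMPFILES_CONF"
    rm -rf "$demo_root"
fi
```

Running `tmpfiles_missing / "$(cat /etc/tmpfiles.d/ipa.conf)"` (or whatever name the fragment was saved under) on the deployed image shows at a glance whether the directories from the attachment are present; an empty result before the first ipa-client-install run is the condition the report is after.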
Thanks for the report. We are planning to work on bootc integration early 2025. This is not the only problem to solve, unfortunately. I mentioned some of these issues in my Flock to Fedora talk this year https://cfp.fedoraproject.org/flock-2024/talk/Q8MNVM/. We have been blocked so far by a number of issues in rpm-ostree and bootc around SELinux policy and handling of xattrs in the derived images. The latter issue was recently resolved (and, for example, SSSD started to work properly in a fully set up environment), so there is some progress.

Using tmpfiles needs to be limited to specific packages. FreeIPA should not own tmpfiles for certmonger, for example, so that part cannot be merged to FreeIPA. We also need to properly handle client upgrades to be run in a systemd unit at deployment side rather than during the package upgrade. I have opened https://pagure.io/freeipa/issue/9684 for that and intend to handle tmpfiles there as well, but this will come in 2025.

Moving the state to assigned to indicate it is in plans to work on this bug.
Thanks for your time Alex! I've opened a merge request with Bluefin to remove freeipa-client and sssd-ipa from their image for now. I will try and keep an eye on progress for all of this and have Bluefin add it back in once it works. YouTube seems uninterested in buffering that video at the moment for some reason. I will definitely have a look at a later time. Cheers!
FWIW, it's not limited to the client alone - freeipa-server-common package contains a number of directories under /var/lib and they are all missing on a silverblue install. Which in turn breaks ipa-server-install.
(In reply to yacoob from comment #4)
> FWIW, it's not limited to the client alone - freeipa-server-common package
> contains a number of directories under /var/lib and they are all missing on
> a silverblue install. Which in turn breaks ipa-server-install.

Yes, it is a known problem. We haven't started working on the fix yet, but we intend to. Before it is fixed, we do not support running IPA server in the bootc environments.

I'm moving this bug to Rawhide. If we fix it, there will be no intent to backport it to F41, for sure.