Hi, I had filed this bug already as 2365943 against ecryptfs-utils because of a severe functional regression, but no reaction. The problem: Until Kinoite 41, ecryptfs-utils could easily be installed and used with rpm-ostree to read and use ecryptfs file systems (delivered from other machines, therefore not trivial to replace with other systems). Since Fedora/Kinoite 42, the ecryptfs-utils come with executables not executable for everyone anymore, e.g. mount.ecryptfs_private is executable only for group ecryptfs. Since the group is defined in /lib/group, which is non-writable on immutable systems like Kinoite, there is no direct way to add myself to this group. I can add myself to this group after copying the line from /lib/group to /etc/group. After this step, I can use mount.ecryptfs_private. But then, rpm-ostree denies to upgrade the OS image due to divergence of /etc/group. Since I do not get any response to my bug report to ecryptfs-utils, and could not find any documentation about how to deal with that: What is the proper way to add users to groups defined in /lib/group without breaking rpm-ostree's update process? regards Reproducible: Always
Possibly https://github.com/coreos/rpm-ostree/issues/5365 which will be fixed in the next release. Can you include the exact output from the command that failed?
The original problem was when trying to run mount.ecryptfs_private a permission denied, because that is not executable anymore for everyone in Fedora 42, and I can't just change the file permissions in an immutable image. ( ecryptfs-utils package added with rpm-ostree) usermod -aG ecryptfs MYUSERNAME is not possible out of the box, since the group ecryptfs is not defined in /etc/group I then did grep ecryptfs /lib/group >> /etc/group usermod -aG ecryptfs MYUSERNAME reboot in order to allow myself to run mount.ecryptfs_private. After that, ecryptfs-utils do work as expected. But updating the OS image fails then (using the graphical tool). I don't remind the particular error message, and cannot reproduce immediately, since I am already on the latest image. We'll have to wait for the next image to be available for updates. rpm-ostree complains something about the groups. I'll reply further after the next image update.
Today, there was a new image available. When using the graphical tool (Discover) to update, it says that rpm-ostree transaction failed with error message error: While applying overrides for pkg ecryptfs-utils: Could not find group 'ecryptfs' in group file which does not happen, when package ecryptfs-utils is installed, but /etc/group has not been modified (but then, of course, the utils don't work). So the question is: How is this supposed to work? And: Is it a problem of rpm-ostree or of ecryptfs-utils?
OK in that case, yes this should be fixed by https://github.com/coreos/rpm-ostree/pull/5403, which will be in the next rpm-ostree release.
What does this mean? a) Would I still have to copy the group entry from /lib/group to /etc/group? b) When will the „next rpm-ostree release“ come? Fedora 43?
(In reply to Hadmut Danisch from comment #5) > What does this mean? > > a) Would I still have to copy the group entry from /lib/group to /etc/group? Yeah, nothing changes on that front. > b) When will the „next rpm-ostree release“ come? Fedora 43? We'll release it in f42. We're probably due for one at this point. But see also https://github.com/coreos/rpm-ostree/pull/5403#issuecomment-2981263677.
After upgrading to Kinoite 43, it still does not work: error: While applying overrides for pkg ecryptfs-utils: Could not find group 'ecryptfs' in group-file. As far as I know this problem occurs on all packages which do define their own groups.
I'm having the same issue with wireshark on Silverblue 43. I just reproduced it with a fresh install on a virtual machine: 1. Install Silverblue, let it install latest updates and reboot 2. rpm-ostree install wireshark 3. reboot 4. usermod -a -G wireshark myuser 5. reboot (just to be sure) 6. myuser is not added into wireshark group and wireshark cannot capture without root Installed groups are visible in /usr/lib/group $ cat /usr/lib/group | tail -n 2 wireshark:x:963: usbmon:x:962: Group addition is logged in rpm-ostreed journal: Dec 13 23:24:25 fedora rpm-ostree[7223]: Creating group 'wireshark' with GID 963. Dec 13 23:24:25 fedora rpm-ostree[7223]: Creating group 'usbmon' with GID 962. Dec 13 23:24:25 fedora rpm-ostree[5104]: Executed %post for wireshark-cli in 63 ms https://src.fedoraproject.org/rpms/wireshark/blob/rawhide/f/wireshark.sysusers
You want https://gitlab.com/fedora/ostree/sig/-/issues/68