Failed unit : rpm-ostree-fix-shadow-mode.service

[Nemric]

Describe the bug

Booting a next stream FCOS 40 I can see when login to node :

[systemd]
Failed Units: 1
  rpm-ostree-fix-shadow-mode.service

I'm using a diskless PXE provisionned machine

I have this logs

journalctl -eu rpm-ostree-fix-shadow-mode.service
Apr 30 17:30:45 Turing systemd[1]: Starting rpm-ostree-fix-shadow-mode.service - Update permissions for /etc/shadow...
Apr 30 17:30:45 Turing rpm-ostree[1250]: error: Read-only file system
Apr 30 17:30:45 Turing systemd[1]: rpm-ostree-fix-shadow-mode.service: Main process exited, code=exited, status=1/FAILURE
Apr 30 17:30:45 Turing systemd[1]: rpm-ostree-fix-shadow-mode.service: Failed with result 'exit-code'.
Apr 30 17:30:45 Turing systemd[1]: Failed to start rpm-ostree-fix-shadow-mode.service - Update permissions for /etc/shadow.

Reproduction steps

Boot from PXE with http ign provisionning

Expected behavior

No failed units

Actual behavior

Failed Unit

System details

Bare metal PXE booted and provisonned node

Butane or Ignition config

No response

Additional information

No response

[jmarrero]

looking at https://docs.fedoraproject.org/en-US/fedora-coreos/live-booting/#_booting_via_iso
if that is how we support diskless systems, maybe we should check for the coreos.liveiso.fromram karg before starting the service.

[Nemric]

I'm using this https://docs.fedoraproject.org/en-US/fedora-coreos/live-booting/#_booting_via_pxe
A mix between pxe and ipxe, but that works fine
Do we need this service to run as it seems to be here for updating an installed FCOS ?
I think the shadow mode is correct on a stock pxe booted node isn't it ?

[jlebon]

Yeah, I think we basically just need a ConditionPathExists=!/run/ostree-live in that unit.

Or... maybe ConditionKernelCommandLine=ostree would be more accurate. /run/ostree-live, while it sounds like an ostree thing, is actually written by CoreOS code. Whereas ConditionKernelCommandLine=ostree is pretty canon and a more generic fix.

[dustymabe]

Upstream fix in coreos/rpm-ostree#4944

[Nemric]

Did this PR was merged into current (40.20240519.1.0) "next stream" ? I still see this failed service :/

[jlebon]

Did this PR was merged into current (40.20240519.1.0) "next stream" ? I still see this failed service :/

It just made it into a new rpm-ostree release. It should show up in the next releases of next and testing.

[Nemric]

Ok, works great on 40.20240616.1.0 (mid june next stream)
Is there something else to check before closing this issue ? Like ... is "rpm-ostree-shadow-mode" fixed ^^

[jbtrystram]

You can look that the permissions on /etc/shadow are correct (600)
On live systems it doesn't matter that's why we disabled it.

[travier]

This landed in rpm-ostree 2024.6 which landed in Fedora CoreOS next in 40.20240616.1.0, testing in 40.20240616.2.0. It's not yet in stable.

[marmijo]

The fix for this went into stable stream release 40.20240616.3.0. Please try out the new release and report issues.

[jbtrystram]

I booted a liveISO of 40.20240616.3.0 yesterday and did not see the message