Create users at install time for image and edge installers #2375
This is really great! Thanks for picking it up :)
Needs an exception I think.
@achilleas-k Is this PR ready for testing? May I add edge-installer test in this PR? Thanks!
Yes, please do. I was trying to figure out where the failure is coming from, but maybe we should test the feature first and see how that goes. Thanks
Pushed a rebase on
@achilleas-k @gicmo I added
Full boot log can be found from https://paste.centos.org/view/3e9f6764
I just rebased on top of
@henrywang To confirm: We have issues with libvirt on CS9 because of the mixed versions in the compose, right? Are we also hitting the bootloader bug?
I filed a bug https://bugzilla.redhat.com/show_bug.cgi?id=2065708 to track this issue. This issue should block
All the edge-installer tests are passing here. The only failure is the 8.6 installer test.
The latest commit works around the installer issue by adding
Reverted this and added a proper, permanent workaround. See commit for details.
Use single NewUsersStageOptions() from osbuild2 instead of implementing in each distro.
Use single NewGroupsStageOptions() from osbuild2 instead of implementing in each distro. The new function does not set the Group.Name field anymore. The field does not exist in the osbuild schema and was silently ignored. The field in the stage has been marked 'omitempty' and the relevant manifests have been updated.
Use single NewKickstartStageOptions() and replace image-type-specific implementations from each distro.
Use single NewAnacondaStageOptions() from osbuild2 instead of implementing in each distro. The new function conditionally adds the user module when there are users that need to be created at install time (image- and edge-installers).
Users are created at install time now.
Add two new test cases:
- image-installer-with-users
- edge-installer-with-users
New test cases for edge- and image-installer with users.
Enable the user module unconditionally for the image-installer:
- If users are specified for the kickstart file, the module is required to set up the users.
- If no users are specified, the module can be used at install time to create users.
Updated relevant test cases (manifests).
Same as with ostree tests.
CI will not run RHEL 8.4 test any more, remove it.
If a home directory has a trailing slash, the `useradd` command fails to set the correct selinux contexts for the home directory on creation. This can lead to various issues, but the one that we came across was that the ~/.ssh directory and authorized_keys file cannot be read by sshd and we couldn't log in to the system. This only manifests if the user is created through the kickstart file because:
1. `useradd` does not set the selinux contexts when creating the directory
2. Anaconda runs `restorecon` on the home directory and authorized_keys file when it creates them, but uses the install-time mount path `/mnt/sysroot/...` for which selinux does not have contexts.
In most cases we get around this bug because we run `setfiles` on the tree at the end of our pipelines. For the ostree case, the relabeling in Anaconda is done correctly.
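The commit message above describes a path-normalisation bug with a security consequence: a trailing slash on the home directory leaves it mislabelled, so sshd refuses to read `authorized_keys` and the user is locked out. The following Go snippet is an added example, not code from this PR or from osbuild-composer; it shows the defensive step of cleaning the home path before rendering the kickstart `user` and `sshkey` commands that create the user at install time. The `UserCustomization` type is hypothetical; the kickstart command syntax (`user --name=... --homedir=... --groups=...` and `sshkey --username=... "KEY"`) is standard Anaconda kickstart.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// UserCustomization holds the fields needed for a kickstart "user" line.
// Hypothetical type for this example; not osbuild-composer's own definition.
type UserCustomization struct {
	Name   string
	Home   string   // optional; empty lets useradd pick the default under /home
	Groups []string
	SSHKey string   // optional authorized public key
}

// NormalizeHome rejects relative paths and strips trailing slashes.
// A trailing slash ("/home/alice/") makes useradd skip the SELinux relabel
// of the new home directory, so sshd later cannot read ~/.ssh/authorized_keys;
// cleaning the path before it reaches the kickstart file avoids that.
func NormalizeHome(home string) (string, error) {
	if home == "" {
		return "", nil
	}
	if !strings.HasPrefix(home, "/") {
		return "", fmt.Errorf("home directory %q is not an absolute path", home)
	}
	// path.Clean removes the trailing slash and collapses repeated separators:
	// "/home/alice/" and "//home//alice/" both become "/home/alice".
	return path.Clean(home), nil
}

// KickstartUserLines renders the kickstart commands that create the user
// at install time: one "user" command plus an optional "sshkey" command.
func KickstartUserLines(u UserCustomization) ([]string, error) {
	if u.Name == "" {
		return nil, errors.New("user name must not be empty")
	}
	home, err := NormalizeHome(u.Home)
	if err != nil {
		return nil, err
	}
	line := "user --name=" + u.Name
	if home != "" {
		line += " --homedir=" + home
	}
	if len(u.Groups) > 0 {
		line += " --groups=" + strings.Join(u.Groups, ",")
	}
	lines := []string{line}
	if u.SSHKey != "" {
		// Kickstart takes the key as a quoted string; Anaconda writes it to
		// ~/.ssh/authorized_keys of the named user during installation.
		lines = append(lines, fmt.Sprintf("sshkey --username=%s %q", u.Name, u.SSHKey))
	}
	return lines, nil
}

func main() {
	// Constructed sample input that reproduces the trailing-slash case.
	u := UserCustomization{
		Name:   "alice",
		Home:   "/home/alice/",
		Groups: []string{"wheel"},
		SSHKey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKey alice@example",
	}
	lines, err := KickstartUserLines(u)
	if err != nil {
		panic(err)
	}
	for _, l := range lines {
		fmt.Println(l)
	}
}
```

Running the block prints the `user` line with `--homedir=/home/alice` (slash stripped) followed by the `sshkey` line. Rejecting relative paths at the same point catches a second class of input that `useradd` would otherwise fail on only at install time, where the error is much harder to see.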
The nightly compose (currently) only has a 'latest' directory for 8.7. Switching to the development composes which have 'latest' for 8.4 onwards. Enable -x in script for easier troubleshooting.
Great stuff!
I added a few comments. None of them are critical, but I would like to wait for their resolution before approving.
I love the de-duplication of various functions and their move to the osbuild2 package. I would suggest to de-duplicate these functions also in older distro definitions. Although some of them would slightly change manifests, those changes have no effect on the functionality and backward compatibility of these images. This should be completely OK as an exception to our policy. The policy should IMO not prevent us from doing "the right thing" and cleaning up old code. If we do not want to maintain these definitions for the next 10 years as they are currently implemented, but want to eventually replace them with their equivalents using new code, then we should be cleaning them up and de-duplicating the code in them along the way.
In addition, I do not think that we should be blocking the merge of this PR due to waiting on RHEL exception. The reason is that we can selectively backport specific commits to RHEL or cherry-pick them on some other branch in upstream for that release. Blocking development changes on main for this reason IMO does not make sense.
With respect to deduplicating calls and changing manifests in other distros, since this is specifically about an exception we want to get into 8.6 and 9.0, I wanted to minimise any side-effects to other image types and distributions. The priority here is getting the user-creation to be a bit more sane to fix the relevant bug and to minimise potential issues during the lifetime of the next version.
I understand why you didn't do it. However I'm not sure about the implied consequences of your comment, since the deduplication could have been done in a separate commit, which would not be backported to 8.6 and 9.0. Does this mean that you still plan to deduplicate the code in older distros eventually in a separate PR? Or not at all?
It turns out that there is a time pressure to get a working version of these changes in, so that they can be backported to 8.6 and 9.0.
As I mentioned, none of my comments are critical. So I'm approving this PR with the expectation that the raised points will be considered for a follow-up PR.
Rewrite of #1700 for RHEL 8.6 and RHEL 9.0 (and CentOS 8 and CentOS 9).
Instead of "baking in" users to the payload, create them at install time. For the edge-installer, this has the benefit that we no longer need to work around the ssh key creation on first boot.
For the image-installer, this is functionally equivalent.
The edge-installer previously did not allow any customizations at build time. Now users and groups are allowed.
Added test cases to generate manifests for the image- and edge-installer with users.