Shift user/group creation earlier in image build for rootfs image types (#6957)

Elaheh Dehghani 2024-01-31 14:06:22 -08:00 committed by GitHub
parent acd481aa09
commit b5f92064f6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 34 additions and 14 deletions


@ -6,7 +6,8 @@
"cronie-anacron",
"logrotate",
"core-packages-base-image",
"initramfs"
"initramfs",
"shadow-utils"
],
"_comment": "Install 'initramfs' last to avoid unnecessary regeneration when other packages, such as 'kernel', are installed."
}
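Review bot: The `_comment` on this list still says 'initramfs' must be installed last, but the new `"shadow-utils"` entry is appended after it, so the list now contradicts its own documentation. Unless shadow-utils is known not to trigger initramfs regeneration, either move the entry up so the list reads `"shadow-utils", "initramfs"` with the comment unchanged, or extend the comment to name the packages that are safe to install after it. Whoever reads this list next will otherwise not know which of the two to trust.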


@ -119,6 +119,7 @@ func validatePackages(config configuration.Config) (err error) {
verityDebugPkgName = "verity-read-only-root-debug-tools"
dracutFipsPkgName = "dracut-fips"
fipsKernelCmdLine = "fips=1"
userAddPkgName = "shadow-utils"
)
for _, systemConfig := range config.SystemConfigs {
@ -130,6 +131,7 @@ func validatePackages(config configuration.Config) (err error) {
foundVerityInitramfsPackage := false
foundVerityInitramfsDebugPackage := false
foundDracutFipsPackage := false
foundUserAddPackage := false
kernelCmdLineString := systemConfig.KernelCommandLine.ExtraCommandLine
selinuxPkgName := systemConfig.KernelCommandLine.SELinuxPolicy
if selinuxPkgName == "" {
@ -152,6 +154,9 @@ func validatePackages(config configuration.Config) (err error) {
if pkg == selinuxPkgName {
foundSELinuxPackage = true
}
if pkg == userAddPkgName {
foundUserAddPackage = true
}
}
if systemConfig.ReadOnlyVerityRoot.Enable {
if !foundVerityInitramfsPackage {
@ -171,6 +176,11 @@ func validatePackages(config configuration.Config) (err error) {
return fmt.Errorf("%s: [SELinux] selected, but '%s' package is not included in the package lists", validateError, selinuxPkgName)
}
}
if len(systemConfig.Users) > 0 || len(systemConfig.Groups) > 0 {
if !foundUserAddPackage {
return fmt.Errorf("%s: add users require '%s' package that is not included in the package lists", validateError, userAddPkgName)
}
}
}
return
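Review bot: The error text in the new users/groups check is ungrammatical and only mentions users, although the condition above it also fires for a config that defines groups alone; it should read `return fmt.Errorf("%s: adding users or groups requires the '%s' package, which is not included in the package lists", validateError, userAddPkgName)`. The check itself follows the same exact-name comparison as the existing SELinux and verity checks, so it will miss a package written with a version or architecture suffix in the same way those do, which is consistent with the surrounding code rather than a new defect. The body of validatePackages starts before the first hunk and is shown here only in part.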


@ -388,6 +388,7 @@ func PopulateInstallRoot(installChroot *safechroot.Chroot, packagesToInstall []s
const (
filesystemPkg = "filesystem"
shadowUtilsPkg = "shadow-utils"
)
defer stopGPGAgent(installChroot)
@ -439,6 +440,14 @@ func PopulateInstallRoot(installChroot *safechroot.Chroot, packagesToInstall []s
if err != nil {
return
}
if len(config.Users) > 0 || len(config.Groups) > 0 {
shadowUtilsInstalled := 0
shadowUtilsInstalled, err = TdnfInstallWithProgress(shadowUtilsPkg, installRoot, packagesInstalled, totalPackages, true)
if err != nil {
return
}
packagesInstalled += shadowUtilsInstalled
}
hostname := config.Hostname
if !isRootFS && mountPointToFsTypeMap[rootMountPoint] != overlay {
@ -449,6 +458,18 @@ func PopulateInstallRoot(installChroot *safechroot.Chroot, packagesToInstall []s
}
}
// Add groups
err = addGroups(installChroot, config.Groups)
if err != nil {
return
}
// Add users
err = addUsers(installChroot, config.Users)
if err != nil {
return
}
// Install packages one-by-one to avoid exhausting memory
// on low resource systems
for _, pkg := range packagesToInstall {
@ -473,18 +494,6 @@ func PopulateInstallRoot(installChroot *safechroot.Chroot, packagesToInstall []s
if err != nil {
return
}
// Add groups
err = addGroups(installChroot, config.Groups)
if err != nil {
return
}
}
// Add users
err = addUsers(installChroot, config.Users)
if err != nil {
return
}
// Add machine-id
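Review bot: In the new block that installs shadow-utils ahead of user and group creation, the package is added to `packagesInstalled` and then, because validatePackages now requires it to be in the package lists, is passed to TdnfInstallWithProgress a second time in the per-package loop below, so the progress counter may run past `totalPackages` depending on what that helper returns for an already-present package (not visible here). Hoisting the counter above the conditional as `var shadowUtilsInstalled int` and starting the loop body with `if pkg == shadowUtilsPkg && shadowUtilsInstalled > 0 { continue }` would avoid both the repeat install and the double count, and also replaces the `shadowUtilsInstalled := 0` declaration, which is just reassigned on the next line. The commit title scopes the change to rootfs image types, but neither the early install nor the moved addGroups/addUsers calls are gated on `isRootFS`, which this function already has in scope, so it is worth a comment stating that the early creation is intentional for every image type or a guard if it is not. PopulateInstallRoot begins before the first hunk and continues past the last one.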