From 4b3fb22e2f74a17bf7879395b6f6418192430163 Mon Sep 17 00:00:00 2001
From: Martin Jackson
Date: Wed, 10 Jan 2024 13:21:59 -0600
Subject: [PATCH] Allow shadow-utils to run in buildroot by exception if necessary
---
 mock/docs/site-defaults.cfg | 10 ++++++++++
 mock/py/mockbuild/config.py | 7 +++++++
 mock/py/mockbuild/shadow_utils.py | 16 +++++++++-------
 .../use_host_shadow_utils.config | 6 ++++++
 4 files changed, 32 insertions(+), 7 deletions(-)
 create mode 100644 releng/release-notes-next/use_host_shadow_utils.config
diff --git a/mock/docs/site-defaults.cfg b/mock/docs/site-defaults.cfg
index 92aefb500..7bd478c4b 100644
--- a/mock/docs/site-defaults.cfg
+++ b/mock/docs/site-defaults.cfg
@@ -653,3 +653,13 @@
 # 'BuildRequires: pesign' package which would overwrite the ownership of the
 # socket file. See https://github.com/rpm-software-management/mock/issues/1091
 #config_opts["copy_host_users"] = []
+
+# Whether to use host's shadow-utils to provision users and groups in the
+# buildroot, which we normally want to do because host shadow-utils are
+# newer and more flexible than buildroot ones. However, there is an issue in shadow-utils
+# where even using the --prefix (or, even --root if we did it that way) option, the host
+# config will "leak" into the chroot. This is not an issue if the configs are
+# effectively the same between host and buildroot, but will cause problems if, for
+# example, the host is configured to use FreeIPA-provided subids.
+# See https://github.com/shadow-maint/shadow/issues/897
+# config_opts["use_host_shadow_utils"] = True
diff --git a/mock/py/mockbuild/config.py b/mock/py/mockbuild/config.py
index 406c33e3b..2bbd34682 100644
--- a/mock/py/mockbuild/config.py
+++ b/mock/py/mockbuild/config.py
@@ -355,6 +355,13 @@ def setup_default_config_opts():
 config_opts["copy_host_users"] = []
+ # shadow-utils --prefix and --root options do not play well with
+ # FreeIPA-provided subids. Using the shadow-utils inside the
+ # chroot works around this but this is a niche situation so it is
+ # not the default.
+ # Upstream issue https://github.com/shadow-maint/shadow/issues/897
+ config_opts["use_host_shadow_utils"] = True
+
 # mapping from target_arch (or forcearch) to arch in /usr/bin/qemu-*-static
 config_opts["qemu_user_static_mapping"] = {
 'aarch64': 'aarch64',
diff --git a/mock/py/mockbuild/shadow_utils.py b/mock/py/mockbuild/shadow_utils.py
index 06cbe200a..7496758ab 100644
--- a/mock/py/mockbuild/shadow_utils.py
+++ b/mock/py/mockbuild/shadow_utils.py
@@ -14,15 +14,17 @@ class ShadowUtils:
 def __init__(self, root):
 self.root = root
- @property
- def _chroot_opts(self):
- return ["--prefix", self.root.make_chroot_path()]
-
 def _execute_command(self, command, can_fail=False):
 with self.root.uid_manager.elevated_privileges():
- # Execute the command _on host_, not in bootstrap (where we're not
- # sure how old shadow-utils are).
- do_with_status(command + self._chroot_opts, raiseExc=not can_fail)
+ # Ordinarily we do not want to depend on shadow-utils in the buildroot, but
+ # configuring certain options (such as FreeIPA-provided subids) can make it
+ # impossible to create users in the buildroot using host shadow-utils so we
+ # provide this workaround.
+ # Tracking upstream bug https://github.com/shadow-maint/shadow/issues/897
+ if self.root.config['use_host_shadow_utils']:
+ do_with_status(command + ['--prefix', self.root.make_chroot_path()], raiseExc=not can_fail)
+ else:
+ self.root.doChroot(command, raiseExc=not can_fail)
 def delete_user(self, username, can_fail=False):
 """
diff --git a/releng/release-notes-next/use_host_shadow_utils.config b/releng/release-notes-next/use_host_shadow_utils.config
new file mode 100644
index 000000000..5ef50b9a1
--- /dev/null
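Review bot: In `_execute_command` (mock/py/mockbuild/shadow_utils.py) the new `else` branch calls `self.root.doChroot(command, ...)` while still inside `with self.root.uid_manager.elevated_privileges():`, so with `use_host_shadow_utils = False` the user and group tools that run are the buildroot's own binaries, under elevated privileges, instead of the host's. That shifts which side of the host/buildroot boundary is trusted, and the comment above the `if` only explains the FreeIPA motivation; I would add above the `else:` the comment `# Runs the buildroot's own shadow-utils (must already be installed there) with elevated privileges; only enable when the buildroot content is trusted.` The helper `doChroot` is not visible in this patch, so it is worth confirming that it passes the argument list through without a shell, as the `do_with_status` path presumably does. Assuming `self.root.config` is dict-like, the direct lookup `self.root.config['use_host_shadow_utils']` raises `KeyError` if a config is ever built without the new default; `self.root.config.get('use_host_shadow_utils', True)` would keep the previous behaviour in that case.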
+++ b/releng/release-notes-next/use_host_shadow_utils.config
@@ -0,0 +1,6 @@
+Added a config option called "use_host_shadow_utils", to account for situations where
+users have host shadow-utils configurations that cannot provision or destroy users and
+groups in the buildroot; one example of this kind of configuration is using
+FreeIPA-provided subids on the buildhost. The option defaults to True since mock has made a conscious
+design decision to prefer using the host's shadow-utils, and we hope that this is a
+temporary workaround. Upstream issue is being tracked [here](https://github.com/shadow-maint/shadow/issues/897).