[rhel-9.6] OCPBUGS-82523: passwd & group: Add containers user & group #236

Merged
openshift-merge-bot[bot] merged 2 commits into coreos:rhel-9.6 from travier:rhel-9.6-containers-user-group
Apr 13, 2026

Conversation

@travier (Member) commented Apr 10, 2026

Backport of #224


group: Add openvswitch to hugetlbfs group

The openvswitch user and group have been part of the passwd & group
files for, at least, as long as we've published RHCOS sources publicly:

We did not remove them when we re-visited our fixed UIDs/GID in the
split between the RHEL boot image and the new OCP node image ([1], [2] &
[3]). Thus they are now part of the base RHEL boot image, even though
the openvswitch package is not included there.

Although technically unnecessary, this is fine and simplifies things a bit
as we do not have to update the user & group entries during the node
image build, which is currently a problematic topic (see [4]).

Thus instead of adding openvswitch to hugetlbfs group in the node image
build, we add it here directly to simplify the logic.

[1] openshift/os#1661
[2] #29
[3] #31
[4] openshift/os#1917


passwd & group: Add containers user & group

Adding users and groups during a container image layered build is
currently non-ergonomic with bootable containers. Thus instead of doing
that in openshift/os for the node layer, we directly include the user &
group here, which also guarantees us that the UID/GID remain stable.

See openshift/os#1917 for the original version
of this change and the full details about what makes adding user/group
in the node layer non-ergonomic.

Unfortunately we can not use the UID/GID that were used in the last
"full" RHCOS image (4.18) as those are now used for dnsmasq (see [1]).
Thus use the first UID & GID available for both user and group, going
downward.

[1] openshift/os#1917 (comment)

Fixes: https://redhat.atlassian.net/browse/OCPBUGS-64841

travier added 2 commits April 10, 2026 12:20

group: Add openvswitch to hugetlbfs group

The openvswitch user and group have been part of the passwd & group
files for, at least, as long as we've published RHCOS sources publicly:
- https://github.com/openshift/os/blame/bdb5b8153ed68c88e2485d9e7bd66ea6eb54d6c1/passwd#L27
- https://github.com/openshift/os/blame/release-4.19/group#L47

We did not remove them when we re-visited our fixed UIDs/GID in the
split between the RHEL boot image and the new OCP node image ([1], [2] &
[3]). Thus they are now part of the base RHEL boot image, even though
the openvswitch package is not included there.

Although technically unnecessary, this is fine and simplifies things a bit
as we do not have to update the user & group entries during the node
image build, which is currently a problematic topic (see [4]).

Thus instead of adding openvswitch to hugetlbfs group in the node image
build, we add it here directly to simplify the logic.

[1] openshift/os#1661
[2] coreos#29
[3] coreos#31
[4] openshift/os#1917

passwd & group: Add containers user & group

Adding users and groups during a container image layered build is
currently non-ergonomic with bootable containers. Thus instead of doing
that in openshift/os for the node layer, we directly include the user &
group here, which also guarantees us that the UID/GID remain stable.

See openshift/os#1917 for the original version
of this change and the full details about what makes adding user/group
in the node layer non-ergonomic.

Unfortunately we can not use the UID/GID that were used in the last
"full" RHCOS image (4.18) as those are now used for dnsmasq (see [1]).
Thus use the first UID & GID available for both user and group, going
downward.

[1] openshift/os#1917 (comment)

Fixes: https://redhat.atlassian.net/browse/OCPBUGS-64841
@gemini-code-assist (bot) left a comment

Code Review

This pull request adds a new 'containers' user and group (ID 790) and updates the 'hugetlbfs' group to include the 'openvswitch' user. Feedback was provided regarding the 'containers' entry in the passwd file, recommending the use of the canonical /usr/sbin/nologin shell path and a more standard home directory like / to ensure consistency with other system accounts.

nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
ceph:x:167:167:Ceph daemons:/var/lib/ceph:/usr/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/usr/sbin/nologin
containers:x:790:790:User for rootless containers:/nonexistent:/sbin/nologin
Severity: medium

The shell path /sbin/nologin is inconsistent with the majority of system entries in this file (e.g., nobody, ceph, avahi-autoipd, dnsmasq, clevis) which use /usr/sbin/nologin. In RHEL 9, /usr/sbin/nologin is the preferred canonical path. Additionally, /nonexistent is not a standard home directory convention in RHEL; using / (consistent with the nobody user) or /var/empty is recommended for system accounts that do not require a home directory.

containers:x:790:790:User for rootless containers:/:/usr/sbin/nologin
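
The two checks a reviewer would want to run on this change, as an added example (not code from coreos/rhel-coreos-config or openshift/os): the commit message says the containers UID/GID was chosen as the first ID free for both the user and the group, going downward, because the IDs from the last full RHCOS image had been taken by dnsmasq; the review above flags the shell path and home directory of the new entry. The script below parses a passwd/group pair, reports duplicate UIDs/GIDs, dangling primary groups or group members, and system accounts whose shell is not /usr/sbin/nologin or whose home is /nonexistent, and implements the downward free-ID search. The sample files are constructed for this example: only the four passwd lines quoted in the review come from the thread, and the IDs used for openvswitch, dnsmasq and hugetlbfs are placeholders, not the real RHCOS values.

```python
"""Added example for this PR thread (not code from coreos/rhel-coreos-config or
openshift/os): lint a passwd/group pair and pick a free UID/GID walking downward.
Sample files are constructed; only the four passwd lines quoted in the review come
from the thread, and the IDs for openvswitch, dnsmasq and hugetlbfs are placeholders."""
from __future__ import annotations
from dataclasses import dataclass

CANONICAL_NOLOGIN = "/usr/sbin/nologin"  # path the review asks for on RHEL 9
SYSTEM_ID_MAX = 999                      # IDs below 1000 are system accounts

SAMPLE_PASSWD = """\
nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
ceph:x:167:167:Ceph daemons:/var/lib/ceph:/usr/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/usr/sbin/nologin
openvswitch:x:800:800:Open vSwitch daemons (placeholder id):/:/usr/sbin/nologin
dnsmasq:x:791:791:Dnsmasq DHCP and DNS server (placeholder id):/var/lib/dnsmasq:/usr/sbin/nologin
containers:x:790:790:User for rootless containers:/nonexistent:/sbin/nologin
"""
SAMPLE_GROUP = """\
hugetlbfs:x:35:openvswitch
nobody:x:99:
ceph:x:167:
avahi-autoipd:x:170:
containers:x:790:
dnsmasq:x:791:
openvswitch:x:800:
"""

@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str

@dataclass(frozen=True)
class GroupEntry:
    name: str
    gid: int
    members: tuple[str, ...]

def _records(text: str, nfields: int):
    # Yield the colon-separated fields of every non-empty, non-comment line.
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) != nfields:
                raise ValueError(f"expected {nfields} fields: {line!r}")
            yield fields

def parse_passwd(text: str) -> list[PasswdEntry]:
    return [PasswdEntry(n, int(u), int(g), h, s)
            for n, _pw, u, g, _gecos, h, s in _records(text, 7)]

def parse_group(text: str) -> list[GroupEntry]:
    return [GroupEntry(n, int(g), tuple(m for m in members.split(",") if m))
            for n, _pw, g, members in _records(text, 4)]

def lint(passwd: list[PasswdEntry], group: list[GroupEntry]) -> list[str]:
    # Duplicate IDs are the real hazard: two names sharing a UID share file ownership.
    findings: list[str] = []
    uids, gids = {}, {}
    for e in passwd:
        if e.uid in uids:
            findings.append(f"uid {e.uid} used by both {uids[e.uid]} and {e.name}")
        uids.setdefault(e.uid, e.name)
    for g in group:
        if g.gid in gids:
            findings.append(f"gid {g.gid} used by both {gids[g.gid]} and {g.name}")
        gids.setdefault(g.gid, g.name)
    user_names = {e.name for e in passwd}
    for e in passwd:
        if e.gid not in gids:
            findings.append(f"{e.name}: primary gid {e.gid} has no group entry")
        if 0 < e.uid <= SYSTEM_ID_MAX:  # conventions the review asked for
            if e.shell != CANONICAL_NOLOGIN:
                findings.append(f"{e.name}: shell {e.shell} is not {CANONICAL_NOLOGIN}")
            if e.home == "/nonexistent":
                findings.append(f"{e.name}: home /nonexistent is not a RHEL convention; use / or /var/empty")
    for g in group:
        for m in g.members:
            if m not in user_names:
                findings.append(f"group {g.name}: member {m} has no passwd entry")
    return findings

def pick_free_id(passwd: list[PasswdEntry], group: list[GroupEntry], start: int) -> int:
    # First ID at or below `start` unused as both a UID and a GID ("going downward").
    used = {e.uid for e in passwd} | {g.gid for g in group}
    for candidate in range(start, 0, -1):
        if candidate not in used:
            return candidate
    raise LookupError(f"no free UID/GID at or below {start}")

if __name__ == "__main__":
    pw, gr = parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP)
    for finding in lint(pw, gr):
        print("finding:", finding)
    print("next free UID/GID at or below 791:", pick_free_id(pw, gr, 791))
```

Run against the sample, the linter reports exactly the two points from the review (the containers shell and home directory), and pick_free_id(pw, gr, 791) answers 789 because 791 and 790 are already taken in both files; a candidate that is free as a UID but used as a GID (35 for hugetlbfs here) is skipped, which is the property the commit message relies on when it says the ID must be available for both user and group.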

@travier travier changed the title [rhel-9.6] OCPBUGS-XYZ: passwd & group: Add containers user & group [rhel-9.6] OCPBUGS-82523: passwd & group: Add containers user & group Apr 10, 2026
@openshift-ci-robot
@travier: This pull request references Jira Issue OCPBUGS-82523, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected dependent Jira Issue OCPBUGS-64841 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@dustymabe (Member) left a comment

/lgtm

@openshift-ci (bot) commented Apr 10, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dustymabe, travier

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@travier (Member, Author) commented Apr 10, 2026

/jira refresh

@openshift-ci-robot
@travier: This pull request references Jira Issue OCPBUGS-82523, which is invalid:

  • expected dependent Jira Issue OCPBUGS-64841 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.


@travier (Member, Author) commented Apr 13, 2026

/jira refresh

@openshift-ci-robot
@travier: This pull request references Jira Issue OCPBUGS-82523, which is valid. The bug has been moved to the POST state.

5 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-64841 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • bug has dependents

@travier (Member, Author) commented Apr 13, 2026

/retest

@openshift-merge-bot (bot) merged commit 1e4895c into coreos:rhel-9.6 Apr 13, 2026
5 checks passed
@openshift-ci-robot
@travier: Jira Issue OCPBUGS-82523: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-82523 has not been moved to the MODIFIED state.


@travier travier deleted the rhel-9.6-containers-user-group branch April 13, 2026 12:47