-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
uid/gid drift possible when switching between different host builds #673
Comments
The following work around can be implemented in a bootc container file to address this issue.
|
You will likely hit the following once you rebase to a CentOS Stream/RHEL version with this openssh change: |
( I've added a link to https://issues.redhat.com/browse/USHIFT-3749 where this was discussed originally to avoid duplicate discussion where relevant) But again, this issue is not about "ostree vs bootc", it's specially about "ostree commits as built by RHEL for Edge" vs "fedora/c9s/rhel derived bootc" which happen to allocate different uids/gids due to buildsystem drift. It could also occur when switching between bootc images that have different defined ssh_key gids, and it could also occur when switching between ostree images (again if the buildsystem generating those hasn't ensured they're the same). Because of this, I don't think this is really a bootc issue at a technical level. It's more a higher level buildsystem issue. I would accept though that in practice, it may make sense for us to at least track the overall issue here, but...if we were to do something like that ssh key chown hack, I would probably say the code would logically be owned by e.g. https://gitlab.com/fedora/bootc/base-images Except for the fact that the world does not need more load bearing bash scripts run as unrestricted root, and maybe we actually implement it in Rust here as an opt-in...similarly to coreos/rpm-ostree#4913 in many ways. |
The problem can certainly occur when switching between images of the same type, but only in the case when different image parents are used for the base image vs update image. To mitigate this issue, the way we usually build our image hierarchies is to have a base (parent) image and then derive all the updates from it. The ostree-to-bootc upgrade is a special case because we're guaranteed to have different parents, so it's a 100% failure. While I prefer this to be handled by the base images we produce, the fallback would be to document all the known pitfalls, which goes back to the #671 issue. P.S. The title of this issue was changed to be more generic and we may want to go back to the specific problem of ostree-to-bootc upgrade because the generic one is a "known" issue. |
No - it's equally possible to build a custom base image using the same buildsystem that produces ostree commits today. In fact, there's significant tooling to streamline exactly that process, such as e.g. |
I did not know this tooling was in place. I will investigate this direction asap. |
Further investigation on installing bootc images on top of an unrelated ostree commit led me to a dead end. The problem with the uid/gid is serious. In my case, I got Next, I followed up on using the I did encounter a few small issues that might be worth mentioning in the upgrade instructions:
|
@cgwalters , based on my recent experience described in the previous comment, I wonder if we should be stricter in our instructions for ostree-to-bootc upgrade? I mean, should we state that the upgrade is likely to fail unless the bootc container image is derived from the base ostree commit? |
Yeah, it is a really annoying problem. See also openshift/os#1318 where we worked around this just in RHCOS...and that code isn't inherited elsewhere right. IMO |
ci: Add cross-arch builds
Import generic prep
Since the But what travier said is also really important to emphasize - in current Fedora and C10S I think we can just drop the |
Let's again narrow in on However, openvswitch also has a specific problem in that The most direct hack for the openvswitch case today is (at build time) is basically adding a systemd unit that does But what would be better here...is to not have the user at build time! We should have tooling to "flush" /etc/passwd and /etc/group - basically for each user/group that has a However, even better again than all of that for openvswitch would be |
Related to this, cockpit just switched to DynamicUser=yes for similar reasons. |
I filed https://issues.redhat.com/browse/RHEL-68655 to engage the openvswitch maintainers. |
When upgrading from an ostree to a bootc image, the SSH key file permissions may get invalidated in the
/etc/ssh
directory. This is causing SSH service to fail its startup, effectively preventing the user from remotely accessing the host following the upgrade.(edit by @cgwalters) Originally: https://issues.redhat.com/browse/USHIFT-3749
The text was updated successfully, but these errors were encountered: