Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

Build fcos with coreos/fedora-coreos-config#2698, run fcos_groups and fcos_users passed.

[coreos-assembler]$ kola run -E src/config/tests/ ext.config.files.fcos_groups
=== RUN   ext.config.files.fcos_groups
--- PASS: ext.config.files.fcos_groups (42.60s)
PASS, output in tmp/kola/qemu-2023-10-30-0933-16127
[coreos-assembler]$ kola run -E src/config/tests/ ext.config.files.fcos_users
=== RUN   ext.config.files.fcos_users
--- PASS: ext.config.files.fcos_users (42.68s)
PASS, output in tmp/kola/qemu-2023-10-30-0934-16164

Tried to remove altfiles in composepost_nsswitch_altfiles with passing arg sysusers, but this does not work, find that if checking usr/etc/nsswitch.conf is symlink, then will not update the configuration file (refer to https://github.com/coreos/rpm-ostree/blob/main/rust/src/composepost.rs#L689), maybe transfer to authselect to create the configuration (see https://src.fedoraproject.org/rpms/authselect/blob/rawhide/f/authselect.spec#_315)?

Does this mean should remove altfiles in postprocess?

I'm pretty sure we need to also figure out how to disable https://src.fedoraproject.org/rpms/systemd/blob/rawhide/f/systemd.spec#_940

Add an environment variable e.g.?

Also per discussion I'd say this treefile option should also enable RPMOSTREE_EXP_BRIDGE_SYSUSERS

Edit: And if we have this enabled we also ignore (or error out) if the static check-passwd is specified.

I'm pretty sure we need to also figure out how to disable https://src.fedoraproject.org/rpms/systemd/blob/rawhide/f/systemd.spec#_940

Add an environment variable e.g.?

Another problem is when installing a package which requires a systemd users, that will also create the user during pre-script, should we also disable it? for example tcpdump:

$ sudo rpm -q --scripts tcpdump
preinstall scriptlet (using /bin/sh):

# generated from tcpdump-sysusers.conf
getent group 'tcpdump' >/dev/null || groupadd -f -g '72' -r 'tcpdump' || :
if ! getent passwd 'tcpdump' >/dev/null; then
if ! getent passwd '72' >/dev/null; then
useradd -r -u '72' -g 'tcpdump' -d '/' -s '/usr/sbin/nologin' -c 'tcpdump' 'tcpdump' || :
else
useradd -r -g 'tcpdump' -d '/' -s '/usr/sbin/nologin' -c 'tcpdump' 'tcpdump' || :
fi
fi 

exit 0

Tried to remove altfiles in composepost_nsswitch_altfiles with passing arg sysusers, but this does not work, find that if checking usr/etc/nsswitch.conf is symlink, then will not update the configuration file (refer to https://github.com/coreos/rpm-ostree/blob/main/rust/src/composepost.rs#L689), maybe transfer to authselect to create the configuration (see https://src.fedoraproject.org/rpms/authselect/blob/rawhide/f/authselect.spec#_315)?

Ah wow yes...messy. We have "dueling" sources of truth here. I guess for now we could copy the file to /etc and edit it there?

In discussion about this one now I think short term what we want is a denylist like:

sysusers-groups:

• tss

Anything in that set would be dropped from the altfiles setup at build time - and we rely on them being created at boot.

Alternatively, we could try an allowlist instead. Maybe support both.

Note #5427 proposes also adding a sysusers: knob to the treefile but a different initial purpose. Though I left it extensible for other semantics we might want as part of nss-altfiles migration.