Bootc issues for rdesktop

[gbraad]

generate-certs

░░ A start job for unit generate-certs.service has begun execution.
░░
░░ The job identifier is 1439.
Feb 23 08:44:38 bogon bash[1295]: ...+..+.+............+...+..+.......+...+..+.........+++++++++++++++++++++++++++++++++++++++*..........................+..........+......+...........+.............+.....+++++++++++++++++++++++++++++++++++++++*....+....+..............+...+...............+....+...........+...+.......+..>
Feb 23 08:44:38 bogon bash[1295]: ......+........+....+..+.+++++++++++++++++++++++++++++++++++++++*.+..+...+....+.........+..+...+....+..+...+++++++++++++++++++++++++++++++++++++++*................+.......+.........+.........+...+..................+......+......+.....+...+......+...+..........+........+...+......+...+>
Feb 23 08:44:38 bogon bash[1295]: -----
Feb 23 08:44:38 bogon systemd[1]: generate-certs.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ The unit generate-certs.service has successfully entered the 'dead' state.
Feb 23 08:44:38 bogon systemd[1]: Finished generate-certs.service - Generate certificates for rdesktop services.
░░ Subject: A start job for unit generate-certs.service has finished successfully

kclient

Feb 23 08:44:39 bogon env[1299]: node:fs:561
Feb 23 08:44:39 bogon env[1299]:   return binding.open(
Feb 23 08:44:39 bogon env[1299]:                  ^
Feb 23 08:44:39 bogon env[1299]: Error: EACCES: permission denied, open '/etc/rdesktop/privatekey.key'
Feb 23 08:44:39 bogon env[1299]:     at Object.openSync (node:fs:561:18)
Feb 23 08:44:39 bogon env[1299]:     at Object.readFileSync (node:fs:445:35)
Feb 23 08:44:39 bogon env[1299]:     at Object.<anonymous> (/opt/kclient/index.js:28:21)
Feb 23 08:44:39 bogon env[1299]:     at Module._compile (node:internal/modules/cjs/loader:1546:14)
Feb 23 08:44:39 bogon env[1299]:     at Module._extensions..js (node:internal/modules/cjs/loader:1689:10)
Feb 23 08:44:39 bogon env[1299]:     at Module.load (node:internal/modules/cjs/loader:1318:32)
Feb 23 08:44:39 bogon env[1299]:     at Module._load (node:internal/modules/cjs/loader:1128:12)
Feb 23 08:44:39 bogon env[1299]:     at TracingChannel.traceSync (node:diagnostics_channel:315:14)
Feb 23 08:44:39 bogon env[1299]:     at wrapModuleLoad (node:internal/modules/cjs/loader:218:24)
Feb 23 08:44:39 bogon env[1299]:     at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:170:5) {
Feb 23 08:44:39 bogon env[1299]:   errno: -13,
Feb 23 08:44:39 bogon env[1299]:   code: 'EACCES',
Feb 23 08:44:39 bogon env[1299]:   syscall: 'open',
Feb 23 08:44:39 bogon env[1299]:   path: '/etc/rdesktop/privatekey.key'
Feb 23 08:44:39 bogon env[1299]: }
Feb 23 08:44:39 bogon env[1299]: Node.js v22.11.0
Feb 23 08:44:39 bogon systemd[1]: kclient.service: Main process exited, code=exited, status=1/FAILURE

kasmvncserver

Feb 23 08:44:37 fedora kasmvncserver[1176]: Creating default config /var/home/gbraad/.vnc/kasmvnc.yaml
Feb 23 08:44:37 fedora kasmvncserver[1201]: xauth:  file /var/home/gbraad/.Xauthority does not exist
Feb 23 08:44:37 fedora kasmvncserver[1176]: /etc/rdesktop/privatekey.key: certificate isn't readable.
Feb 23 08:44:37 fedora kasmvncserver[1176]: Make the certificate readable by adding your user to group "users":
Feb 23 08:44:37 fedora kasmvncserver[1176]:   'usermod -a -G users $USER'
Feb 23 08:44:37 fedora systemd[1]: kasmvncserver.service: Control process exited, code=exited, status=1/FAILURE

[gbraad]

$ ls -al /etc/rdesktop/
total 28
drwxr-xr-x.   2 root root    96 Feb 23 08:44 .
drwxr-xr-x. 109 root root  8192 Feb 23 08:44 ..
-rw-r--r--.   1 root users 1310 Feb 23 08:44 certificate.pem
-rwxr-xr-x.   1 root root   342 Feb 23 07:58 generate-certs.sh
-rw-r-----.   1 root users 1704 Feb 23 08:44 privatekey.key
-rw-rw-r--.   1 root root   126 Feb 23 07:58 rdesktop.ini

$ cat /etc/group
root:x:0:
adm:x:4:
wheel:x:10:gbraad
sudo:x:16:
systemd-journal:x:190:
unbound:x:995:
gbraad:x:1000:
davfs2:x:981:
rtkit:x:172:
pulse-access:x:980:gbraad
pulse-rt:x:979:
pulse:x:171:
geoclue:x:978:
pipewire:x:977:
usbmuxd:x:113:
kasmvnc-cert:x:976:gbraad

[gbraad]

On a regular Fedora system I find the following:

$ cat /etc/group | grep users
users:x:100:

[gbraad]

File upstream:

• https://gitlab.com/fedora/bootc/base-images/-/issues/42

Also reproducible using AlmaLinux as a base:

• [BUG]: Unable to add user to the users group AlmaLinux/bootc-images#12

[gbraad]

Going to add a workaround for this:

grep -qF "users:x:100:" /etc/group || echo "users:x:100:" | sudo tee -a /etc/group

[gbraad]

Most likely related to systemd-sysusers as in coreos/fedora-coreos-tracker#155 they went ahead (and probably dropped in bootc).

Feb 24 07:35:36 dotfedora systemd[1]: systemd-sysusers.service - Create System Users was skipped because no trigger condition checks were met.

So something prevents the creation of users/groups.

[gbraad]

Currently adding the users:-line to /etc/group is the only way to work around this. This is related to altfiles that resides in /usr/lib.