<jlebon>
spresti[m]: one semi-convention for test failure tracker issues btw is to add the console and journal logs as attachments. that way others can easily also take a look and help diagnose
<dustymabe>
👍
nbsadminaccount- has quit [Quit: You have been kicked for being idle]
paragan has quit [Quit: Leaving]
<spresti[m]>
jlebon: ok I will see about adding those :)
vgoyal has joined #fedora-coreos
c4rt0_ has quit [Remote host closed the connection]
<spresti[m]>
jlebon: ok I updated with the documents, going to go ahead and look into posting a BZ dustymabe
<dustymabe>
spresti[m]: awesome! i'm going to grab some food, will help out if you need it when I get back
<spresti[m]>
Kk, I will let you know!
jpn has joined #fedora-coreos
<spresti[m]>
Honestly I might want some help posting the BZ as I am not sure what team to post it to?
<spresti[m]>
The only team I found was Red Hat Enterprise Linux Fast Datapath: which has "SElinux policy for OVS" as one of the rpms it supports.
<spresti[m]>
After clicking into making a BZ for them I became less confident that that was the correct team to put a bz against? sigh what am I missing?
<ravanelli>
dustymabe: I don't, but I can ask around. I would say, it is probably ppc64le backports/fix things.
npcomp has quit [Ping timeout: 256 seconds]
<dustymabe>
spresti[m]: go to https://bugzilla.redhat.com/ -> "File a Bug" -> "Fedora" -> "Fedora" -> Under "Component" select "selinux-policy"
<dustymabe>
then fill out the summary and description
<dustymabe>
ravanelli: thanks!
npcomp has joined #fedora-coreos
frigo has joined #fedora-coreos
<alebastr[m]>
How would one handle sysusers stuff in a way completely compatible with rpm-ostree?
<alebastr[m]>
To elaborate, `%sysusers_create_compat` modifies `/usr/etc/passwd` and `/usr/etc/group` and nss_altfiles can handle that. What does not happen though is merge of `/usr/etc/shadow` to `/etc/shadow`, so anything that relies on shadow db still thinks that the user is not there.
<alebastr[m]>
I'm suspecting that the solution would include 1. %sysusers_create_package, 2. making sure that nothing in the package itself is owned by a new user and creating all such dirs/files with tmpfiles. Am I missing something?
<dustymabe>
alebastr[m]: jlebon or travier[m] might know
<spresti[m]>
dustymabe: ty
<travier[m]>
alebastr: You need the application doing the look up to use the glibc nss that will then use nss-altfiles
<alebastr[m]>
travier[m]: The application is somewhere deep in the system stuff. It's something that screams to the journal "no such user in pam database: sddm" when the system starts. (I suspect logind)
<travier[m]>
alebastr: sddm is not in Fedora CoreOS 🙂
<alebastr[m]>
Is there a generic rpm-ostree support channel though? :)
<travier[m]>
As a workaround, you can create a sysusers entry that will add it to the files in /etc
<travier[m]>
The question is more: what are you trying to do and on which Fedora variant
<alebastr[m]>
The package already uses sysusers, and I saw that rpm-ostree is supposed to intercept legacy useradd/groupadd scriptlets. But something doesn't work and the users are created in the /usr/etc (which promptly breaks sysusers processing on target system)
<jlebon>
i haven't looked at this in a while, and there were enhancements there recently-ish, but the status quo right now is that system accounts are added in /usr/lib/ and only user accounts live in /etc
<jlebon>
i think to help you debug this more, it'd be better to file an rpm-ostree issue with the pkg you're trying to install and the scriptlets it runs
<jlebon>
but one possible thing to verify is that the scriptlet is indeed trying to add a system user
<travier[m]>
alebastr: Now I remember why I should know you. You're working on the Sway variant right? We have a workaround in sddm related to users/group ids
<alebastr[m]>
I think `get rid of nss_altfiles` silverblue issue already contains more details than I can provide.
<alebastr[m]>
"but the status quo right now" - Ok, it seems like this should be fixed on the other side.
<alebastr[m]>
travier: the workaround is insufficient. If you rebase to a tree that adds sddm (as opposed to installing a system that has it from the beginning), it won't be added to /etc/shadow. Which causes issues with logind, and leads to not being able to start systemd user session for the system user
<travier[m]>
It should not be in /etc/shadow, only in /usr/lib/shadow if it's part of an ostree image
<alebastr[m]>
uh, I need a real system to grab the relevant logs, and it's at home. but anyways, I'll look at systemd side if we believe that unmerged /etc/shadow should be working
<travier[m]>
Hum, we don't have a /usr/lib/shadow, it's only in /usr/etc/shadow
<dustymabe>
spresti[m]: we probably need to copy in the selinux denial messages into the BZ
<dustymabe>
they should be in the journal I would assume
<dustymabe>
look for any AVC messages that have the string `denied` in them
<spresti[m]>
Ok, I will add those.
jpn has quit [Quit: Lost terminal]
frigo has quit [Quit: Client closed]
frigo has joined #fedora-coreos
frigo has quit [Ping timeout: 260 seconds]
frigo has joined #fedora-coreos
<alebastr[m]>
travier: actually, was it considered to update nss-altfiles to a newer version with shadow db support? I believe that would solve the problem