passwd: implement systemd-userdb mechanism to fallback on if useradd does not work

[tormath1]

Feature Request

Hi, with Flatcar we noticed back in the days that an update changed the behavior to add user into a group:

passwd:
  users:
    - name: tormath1
      groups:
        - docker
        - kvm
        - sudo

This configuration fails the following message:

[failed]   creating or modifying user "build": exit status 6: Cmd: "useradd" "--root" "/sysroot" "--create-home" "--password" "*" "--groups" "docker,sudo,kvm" "tormath1" Stdout: "" Stderr: "useradd: group 'kvm' does not exist\n"

The group kvm does exist but it's present under an alternative location (/usr/share/baselayout/group), it's just that there is no active NSS switch configuration, useradd only tries to find the group in /etc/group.

Note: with an older useradd binary it was failing too but it was not throwing an error.

This led us to try an alternative way to add user into a group: systemd-userdb¹ - with this configuration:

variant: flatcar
version: 1.0.0
storage:
  files:
    - path: /etc/userdb/tormath1:docker.membership
      contents:
        inline: |
          some content
    - path: /etc/userdb/tormath1:kvm.membership
      contents:
        inline: |
          some content
    - path: /etc/userdb/tormath1:sudo.membership
      contents:
        inline: |
          some content

We can create the user with the correct group membership.

Desired Feature

The idea would be to use systemd-userdb as a last resort if useradd fails because of non-existing group.

Footnotes

1. https://www.freedesktop.org/software/systemd/man/nss-systemd.html ↩

[bgilbert]

xref #1596, which proposes a different workaround.