rpm parity or bust
(One downstream tracker: https://issues.redhat.com/browse/RHEL-82510 )
Bigger picture, we need to make it so that dnf install <foo> either succeeds as intended, or errors out to the highest degree we can.
Subproblem domains
Users and groups
Today (when a persistent /etc is in use) many people have run into RPMs which invoke useradd in their scriptlets: https://containers.github.io/bootc/building/users-and-groups.html#adding-users-and-credentials-statically-in-the-container-build
These post scripts are not very visible to admins by default.
Ideally of course we have all of our packages using systemd-sysusers or so, but we don't live in that world today (ref https://fedoraproject.org/wiki/Changes/SystemdSysusers ) and actually, not every package can even use sysusers because they have files owned by that user (e.g. setuid binaries).
Lots of prior discussion:
/var
Historically, ostree strongly encouraged an empty /var, initially populated via systemd-tmpfiles.
More recently we caved a bit and have /var initially populated once per stateroot.
Crucially for a long time, rpm-ostree has automatically synthesized tmpfiles.d snippets for packages which put content in /var, but as we move away from rpm-ostree to dnf we dropped that.
For packages like audit (not currently part of the base image, and which do not ship tmpfiles.d snippets) this causes the service to fail when the package is later added.
I think ultimately we are going to need to make it easy to auto-generate tmpfiles.d snippets for /var content. That said we should also push for upstream to ship these.
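As an added illustration of what such auto-generation would do (example code, not rpm-ostree's or bootc's implementation), this takes `rpm -q --dump` style output for a package, emits tmpfiles.d `d`/`L` lines for its /var content, and reports regular files it cannot recreate. The sample dump is constructed; the field layout follows the `--dump` format (path size mtime digest mode owner group isconfig isdoc rdev symlink).

```python
import stat

# Constructed sample in the shape of `rpm -q --dump <pkg>` output.
# Digests and mtimes are dummies; only path, mode, owner, group, link target matter here.
SAMPLE_DUMP = """\
/usr/sbin/auditd 1 1 0 0100755 root root 0 0 0 X
/var/log/audit 4096 1 0 040700 root root 0 0 0 X
/var/spool/audit 4096 1 0 040750 root audit 0 0 0 X
/var/lib/audit 4096 1 0 040755 root root 0 0 0 X
/var/lib/audit/link 7 1 0 0120777 root root 0 0 0 /var/log/audit
/var/lib/audit/state.db 1024 1 0 0100644 root root 0 0 0 X
"""


def synthesize_tmpfiles(dump_text):
    """Return (tmpfiles_lines, unsupported_paths) for the package's /var entries.

    Directories become `d` lines and symlinks become `L` lines, which
    systemd-tmpfiles can recreate at boot. Regular files with content cannot be
    regenerated from a tmpfiles.d snippet, so they are reported instead so the
    packager can move them to /usr or seed them another way.
    """
    lines, unsupported = [], []
    for raw in dump_text.splitlines():
        fields = raw.split()
        if len(fields) < 11:
            continue  # malformed or blank line
        path, mode_str, owner, group, target = (
            fields[0], fields[4], fields[5], fields[6], fields[10])
        if path != "/var" and not path.startswith("/var/"):
            continue  # only /var needs tmpfiles.d coverage
        mode = int(mode_str, 8)
        perms = f"{stat.S_IMODE(mode):04o}"
        if stat.S_ISDIR(mode):
            # Note: a non-root owner/group here must exist at boot, which is
            # exactly where the users-and-groups subproblem above bites.
            lines.append(f"d {path} {perms} {owner} {group} -")
        elif stat.S_ISLNK(mode):
            lines.append(f"L {path} - - - - {target}")
        else:
            unsupported.append(path)
    return lines, unsupported


if __name__ == "__main__":
    snippet, skipped = synthesize_tmpfiles(SAMPLE_DUMP)
    print("\n".join(snippet))
    for p in skipped:
        print(f"# cannot synthesize regular file: {p}")
```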
bootc-side widely scoped fix
One thing that would greatly help here is: https://github.com/bootc-dev/bootc/issues/1263
Solution: modify DNF or add post-checking/reconciliation tooling
Ultimately I think we should teach dnf (or something it invokes) to handle this.
The "something it invokes" is probably easiest to make be rpm-ostree (ref https://github.com/coreos/rpm-ostree/issues/5230 )
Although I was also thinking about having bootc container lint detect some of this. That's quite doable for /var and tmpfiles, but the giant problem with useradd is we don't know if the user was allocated "floating" or static. That's why we ended up intercepting those CLI invocations in rpm-ostree.