(One downstream tracker: https://issues.redhat.com/browse/RHEL-82510 ) Bigger picture, we need to make it so that `dnf install <foo>` either succeeds as intended, or *errors out* to the highest degree we can. ## Subproblem domains ### Users and groups Today (when a persistent `/etc` is in use) many people have hit on RPMs which invoke `useradd`: https://containers.github.io/bootc/building/users-and-groups.html#adding-users-and-credentials-statically-in-the-container-build These post scripts are not very visible to admins by default. Ideally of course we have all of our packages using systemd-sysusers or so, but we don't live in that world today (ref https://fedoraproject.org/wiki/Changes/SystemdSysusers ) and actually, not every package can even use sysusers because they have files owned by that user (e.g. setuid binaries). Lots of prior discussion: - https://gitlab.com/fedora/bootc/tracker/-/issues/31 ### /var Historically, ostree strongly encouraged an empty `/var`, initially populated via systemd-tmpfiles. More recently we caved a bit and have `/var` initially populated once per stateroot. Crucially for a long time, rpm-ostree has automatically synthesized tmpfiles.d snippets for packages which put content in `/var`, but as we move away from rpm-ostree to dnf we dropped that. For packages like `audit` then (not currently part of the base image and does not include tmpfiles.d snippets) this then causes the service to fail when it's later added. I think ultimately we are going to need to make it easy to auto-generate tmpfiles.d snippets for `/var` content. That said we should also push for upstream to ship these. ## bootc-side widely scoped fix One thing that would greatly help here is: https://github.com/bootc-dev/bootc/issues/1263 ## Solution: modify DNF or add post-checking/reconcilation tooling Ultimately I think we should teach `dnf` (or something it invokes) to handle this. The "something it invokes" is probably easiest to make be rpm-ostree (ref https://github.com/coreos/rpm-ostree/issues/5230 ) Although I was also thinking about having `bootc container lint` detect some of this. That's quite doable for `/var` and tmpfiles, but the giant problem with `useradd` is *we don't know* if the user was allocated "floating" or static. That's why we ended up intercepting those CLI invocations in rpm-ostree.