### Description We have hit a lot of issues with how we split users between the configuration in the image (`/usr/lib/passwd` & `group`, `/usr/etc/passwd`, `group`, `shadow` & `gshadow`) and the local configuration (`/etc/passwd`, `group`, `shadow` & `gshadow`) using `nss-altfiles`: - https://forge.fedoraproject.org/atomic-desktops/tracker/issues/90 - https://forge.fedoraproject.org/kde/tracker/issues/684 - https://github.com/fedora-silverblue/issue-tracker/issues/362 - https://docs.fedoraproject.org/en-US/atomic-desktops/troubleshooting/#_unable_to_add_user_to_group - https://forge.fedoraproject.org/kde/tracker/issues/109#issuecomment-555155 and others in Fedora bootc & Fedora CoreOS. The solution is mostly described by https://github.com/coreos/fedora-coreos-tracker/issues/1599: We should stop using `nss-altfiles`. There are two main tasks to make that happen: - Build images without `nss-altfiles` that work properly: - They should likely ship with a default copy of `/usr/etc/passwd`, `group`, `shadow` & `gshadow`, maybe only with a limited set of static users (the ones used by files & packages in the image) - And then use `systemd-sysusers` for the rest - Create a migration path for existing systems to merge the config from the image into the local config, preserving local modifications. - This is probably something that would be good to put in bootc or rpm-ostree. ### Additional information See also: - https://gitlab.com/fedora/bootc/tracker/-/work_items/50 - https://gitlab.com/fedora/bootc/tracker/-/work_items/31 - https://github.com/bootc-dev/bootc/issues/673 - https://github.com/bootc-dev/bootc/issues/1179 - https://github.com/bootc-dev/bootc/issues/1263 - https://github.com/coreos/rpm-ostree/issues/49 - https://github.com/coreos/fedora-coreos-tracker/issues/1599 - https://github.com/coreos/fedora-coreos-tracker/issues/155 - https://forge.fedoraproject.org/atomic-desktops/tracker/issues/108