feat(ci): Test sysusers in integration tests

integration_tests/arch/basic_config/expected/1_output.txt

@@ -29,7 +29,6 @@ Total Download Size:  0.01 MiB
 :: Proceed with download? [Y/n] 
 :: Retrieving packages...
  filesystem-2024.11.21-1-any downloading...
-error: restricting filesystem access failed because the landlock ruleset could not be applied!
 checking keyring...
 checking package integrity...
 Ok("# Dynamic linker/loader configuration.\n# See ld.so(8) and ldconfig(8) for details.\n\ninclude /etc/ld.so.conf.d/*.conf\ninclude /usr/lib/ld.so.conf.d/*.conf\n")
@@ -38,6 +37,21 @@ Hello world
 "output:"
 Ok("")
 "bor\nbar\nbar\nquux hi there\n"
+INFO script{phase=Main}: paketkoll_core::utils: Downloading package for systemd
+resolving dependencies...
+
+Package (1)   Old Version  New Version  Net Change  Download Size
+
+core/systemd  257-1        257-1          0.00 MiB       8.78 MiB
+
+Total Download Size:  8.78 MiB
+
+:: Proceed with download? [Y/n] 
+:: Retrieving packages...
+ systemd-257-1-x86_64 downloading...
+checking keyring...
+checking package integrity...
+INFO script{phase=Main}: konfigkoll_script::plugins::passwd: Updating GIDs/UIDs to match system (more info available with log level RUST_LOG=debug)
 INFO script{phase=Main}: konfigkoll_script::engine: Returned from script
 INFO konfigkoll: Waiting for file system scan results...
 INFO konfigkoll: Got file system scan results

integration_tests/arch/basic_config/expected/1_unsorted.rn

@@ -5,12 +5,10 @@ pub fn unsorted_additions(props, cmds) {
     ctx.cmds.chmod("/", 0o555)?;
     // /dummy.txt:  // On the system, this file is either unchanged or doesn't exist at all
     // /dummy2.txt:  // On the system, this file is either unchanged or doesn't exist at all
-    ctx.cmds.mkdir("/etc")?;
     ctx.cmds.copy("/etc/group")?; // [filesystem]
     ctx.cmds.copy("/etc/group-")?;
     ctx.cmds.copy("/etc/gshadow")?; // [filesystem]
     ctx.cmds.copy("/etc/gshadow-")?;
-    ctx.cmds.chmod("/etc/gshadow-", 0o600)?;
     ctx.cmds.copy("/etc/hostname")?;
     ctx.cmds.copy("/etc/hosts")?; // [filesystem]
     ctx.cmds.copy("/etc/ld.so.conf")?; // [filesystem]
@@ -22,7 +20,6 @@ pub fn unsorted_additions(props, cmds) {
     ctx.cmds.copy("/etc/passwd-")?;
     ctx.cmds.copy("/etc/shadow")?; // [filesystem]
     ctx.cmds.copy("/etc/shadow-")?;
-    ctx.cmds.chmod("/etc/shadow-", 0o600)?;
     ctx.cmds.copy("/etc/shells")?; // [filesystem]
     ctx.cmds.mkdir("/etc/systemd")?;
     ctx.cmds.mkdir("/etc/systemd/user")?;

integration_tests/arch/basic_config/expected/2_output.txt

@@ -23,21 +23,22 @@ Hello world
 "output:"
 Ok("")
 "bor\nbar\nbar\nquux hi there\n"
+INFO script{phase=Main}: konfigkoll_script::plugins::passwd: Updating GIDs/UIDs to match system (more info available with log level RUST_LOG=debug)
 INFO script{phase=Main}: konfigkoll_script::engine: Returned from script
 INFO konfigkoll: Waiting for file system scan results...
 INFO konfigkoll: Got file system scan results
 INFO konfigkoll: Computing diff
-/etc/passwd: Would restore to original package manager state
 --- /etc/passwd	 +0000
 +++ /dev/stdin	 +0000
-@@ -1,22 +1 @@
- root:x:0:0::/root:/usr/bin/bash
+@@ -1,22 +1,14 @@
+-root:x:0:0::/root:/usr/bin/bash
 -alpm:x:980:980:Arch Linux Package Management:/:/usr/bin/nologin
--bin:x:1:1::/:/usr/bin/nologin
--daemon:x:2:2::/:/usr/bin/nologin
--mail:x:8:12::/var/spool/mail:/usr/bin/nologin
--ftp:x:14:11::/srv/ftp:/usr/bin/nologin
--http:x:33:33::/srv/http:/usr/bin/nologin
++root:x:0:0:Super User:/root:/usr/bin/nologin
+ bin:x:1:1::/:/usr/bin/nologin
+ daemon:x:2:2::/:/usr/bin/nologin
+ mail:x:8:12::/var/spool/mail:/usr/bin/nologin
+ ftp:x:14:11::/srv/ftp:/usr/bin/nologin
+ http:x:33:33::/srv/http:/usr/bin/nologin
 -nobody:x:65534:65534:Kernel Overflow User:/:/usr/bin/nologin
 -dbus:x:81:81:System Message Bus:/:/usr/bin/nologin
 -systemd-coredump:x:979:979:systemd Core Dumper:/:/usr/bin/nologin
@@ -50,6 +51,13 @@ INFO konfigkoll: Computing diff
 -uuidd:x:68:68::/:/usr/bin/nologin
 -avahi:x:972:972:Avahi mDNS/DNS-SD daemon:/:/usr/bin/nologin
 -flatpak:x:971:971:Flatpak system helper:/:/usr/bin/nologin
--git:x:970:970:git daemon user:/:/usr/bin/git-shell
+ git:x:970:970:git daemon user:/:/usr/bin/git-shell
 -polkitd:x:102:102:User for polkitd:/:/usr/bin/nologin
 -rtkit:x:133:133:RealtimeKit:/proc:/usr/bin/nologin
++flatpak:x:971:971:Flatpak system helper:/:/usr/bin/nologin
++systemd-timesync:x:974:974:systemd Time Synchronization:/:/usr/bin/nologin
++systemd-resolve:x:975:975:systemd Resolver:/:/usr/bin/nologin
++systemd-journal-remote:x:976:976:systemd Journal Remote:/:/usr/bin/nologin
++systemd-oom:x:977:977:systemd Userspace OOM Killer:/:/usr/bin/nologin
++systemd-coredump:x:979:979:systemd Core Dumper:/:/usr/bin/nologin
++nobody:x:65534:65534:Kernel Overflow User:/:/usr/bin/nologin

integration_tests/arch/basic_config/expected/3_output.txt

@@ -24,49 +24,47 @@ Hello world
 "output:"
 Ok("")
 "bor\nbar\nbar\nquux hi there\n"
+INFO script{phase=Main}: konfigkoll_script::plugins::passwd: Updating GIDs/UIDs to match system (more info available with log level RUST_LOG=debug)
 INFO script{phase=Main}: konfigkoll_script::engine: Returned from script
 INFO konfigkoll: Waiting for file system scan results...
 INFO konfigkoll: Got file system scan results
 WARN konfigkoll: Applying changes
-INFO konfigkoll_core::apply: Would apply 5 file instructions
-INFO konfigkoll_core::apply:  /etc/group: restore (from package manager)
-INFO konfigkoll_core::apply:  /etc/gshadow: restore (from package manager)
+INFO konfigkoll_core::apply: Would apply 1 file instructions
 INFO konfigkoll_core::apply:  /etc/pacman.conf: restore (from package manager)
-INFO konfigkoll_core::apply:  /etc/passwd: restore (from package manager)
-INFO konfigkoll_core::apply:  /etc/shadow: restore (from package manager)
-INFO konfigkoll_core::apply: Would apply 2 file instructions
-INFO konfigkoll_core::apply:  /etc/gshadow: chmod 600
-INFO konfigkoll_core::apply:  /etc/shadow: chmod 600
+INFO konfigkoll_core::apply: Would apply 4 file instructions
+INFO konfigkoll_core::apply:  /etc/group: create file (with sha256:6341b6f97c7fa7cb43c9b8cb7812eb9718e7b713d0c24e7ad013e533104806a1)
+INFO konfigkoll_core::apply:  /etc/gshadow: create file (with sha256:dbdaa27be5b58d77675b38c1c9e03c80a3064022a73a59481d5ef1262e42a5a6)
+INFO konfigkoll_core::apply:  /etc/passwd: create file (with sha256:82b0240478f72b5009c823c5cdad0b9f2cf8ada30b35594811125727f45eb9c6)
+INFO konfigkoll_core::apply:  /etc/shadow: create file (with sha256:c4a9700370dc59fa9c6108d9b1c4bee38991823dd8f4aa557540d2a8905dfbfb)
 INFO konfigkoll_core::apply: Would install 1, mark 0 explicit and uninstall 1 with backend Pacman
 INFO konfigkoll_core::apply:  + nano
 INFO konfigkoll_core::apply:  - git
-INFO konfigkoll_core::apply: Would apply 10 file instructions
+INFO konfigkoll_core::apply: Would apply 6 file instructions
 INFO konfigkoll_core::apply:  /var/lib/libuuid: remove
 INFO konfigkoll_core::apply:  /var/lib/lastlog: remove
 INFO konfigkoll_core::apply:  /etc/systemd/user/sockets.target.wants/pipewire.socket: remove
 INFO konfigkoll_core::apply:  /etc/systemd/user/sockets.target.wants: remove
-INFO konfigkoll_core::apply:  /etc/shadow-: remove
-INFO konfigkoll_core::apply:  /etc/passwd-: remove
 INFO konfigkoll_core::apply:  /etc/locale.conf: remove
 INFO konfigkoll_core::apply:  /etc/hostname: remove
-INFO konfigkoll_core::apply:  /etc/gshadow-: remove
-INFO konfigkoll_core::apply:  /etc/group-: remove
 INFO konfigkoll_core::apply: Would apply 4 file instructions
 INFO konfigkoll_core::apply:  /etc/hosts: restore (from package manager)
 INFO konfigkoll_core::apply:  /etc/ld.so.conf: restore (from package manager)
 INFO konfigkoll_core::apply:  /etc/pacman.d/mirrorlist: restore (from package manager)
 INFO konfigkoll_core::apply:  /etc/shells: restore (from package manager)
-INFO konfigkoll_core::apply: Would apply 7 file instructions
-INFO konfigkoll_core::apply:  /etc: mkdir
+INFO konfigkoll_core::apply: Would apply 6 file instructions
 INFO konfigkoll_core::apply:  /etc/pacman.d: mkdir
 INFO konfigkoll_core::apply:  /etc/systemd: mkdir
 INFO konfigkoll_core::apply:  /etc/systemd/user: mkdir
 INFO konfigkoll_core::apply:  /nosuchdir: mkdir
 INFO konfigkoll_core::apply:  /var: mkdir
 INFO konfigkoll_core::apply:  /var/lib: mkdir
-INFO konfigkoll_core::apply: Would apply 2 file instructions
+INFO konfigkoll_core::apply: Would apply 6 file instructions
 INFO konfigkoll_core::apply:  /dummy.txt: create file (with sha256:0ba904eae8773b70c75333db4de2f3ac45a8ad4ddba1b242f0b3cfc199391dd8)
 INFO konfigkoll_core::apply:  /dummy2.txt: create file (with sha256:e5e9beba29f1b4589fd1c77c01fadba4319cce965db7c2b4967666664311226c)
+INFO konfigkoll_core::apply:  /etc/group-: create file (with sha256:6341b6f97c7fa7cb43c9b8cb7812eb9718e7b713d0c24e7ad013e533104806a1)
+INFO konfigkoll_core::apply:  /etc/gshadow-: create file (with sha256:dbdaa27be5b58d77675b38c1c9e03c80a3064022a73a59481d5ef1262e42a5a6)
+INFO konfigkoll_core::apply:  /etc/passwd-: create file (with sha256:82b0240478f72b5009c823c5cdad0b9f2cf8ada30b35594811125727f45eb9c6)
+INFO konfigkoll_core::apply:  /etc/shadow-: create file (with sha256:c4a9700370dc59fa9c6108d9b1c4bee38991823dd8f4aa557540d2a8905dfbfb)
 INFO konfigkoll_core::apply: Would apply 3 file instructions
 INFO konfigkoll_core::apply:  /: chmod 755
 INFO konfigkoll_core::apply:  /srv/ftp: chmod 555

integration_tests/arch/basic_config/main.rn

@@ -42,7 +42,6 @@ pub fn phase_ignores(props, cmds) {
     cmds.ignore_path("/usr/share/man");
     cmds.ignore_path("/usr/share/X11/locale");
 
-
     // Systemd
     cmds.ignore_path("/etc/.updated");
     cmds.ignore_path("/etc/machine-id");
@@ -91,7 +90,6 @@ pub fn phase_ignores(props, cmds) {
     cmds.ignore_path("/var/lib/rkhunter");
     cmds.ignore_path("/var/lib/upower");
 
-
     cmds.ignore_path("/var/cache"); // tmpfiles.d
     cmds.ignore_path("/var/empty"); // tmpfiles.d
     cmds.ignore_path("/var/lib/colord"); // tmpfiles.d
@@ -168,7 +166,9 @@ pub async fn phase_main(props, cmds, package_managers) {
     dbg(props.get("user.test"));
 
     let pkgs = package_managers.get("pacman")?;
-    dbg(String::from_utf8(pkgs.original_file_contents("filesystem", "/etc/ld.so.conf")?));
+    dbg(
+        String::from_utf8(pkgs.original_file_contents("filesystem", "/etc/ld.so.conf")?),
+    );
 
     let ldso = filesystem::File::open("/etc/ld.so.conf")?;
     dbg(ldso.read_all_string());
@@ -205,7 +205,74 @@ pub async fn phase_main(props, cmds, package_managers) {
     // This we want to add
     cmds.add_pkg("pacman", "nano")?; // Basic tools to build Arch Linux packages
 
+    // Test sysusers integration
+    let passwd = passwd::Passwd::new(USER_MAPPING, GROUP_MAPPING)?;
+    let files = package_managers.files();
+    passwd.add_from_sysusers(files, "systemd", "/usr/lib/sysusers.d/basic.conf")?;
+    passwd.add_from_sysusers(files, "filesystem", "/usr/lib/sysusers.d/arch.conf")?;
+
+    passwd.add_from_sysusers(files, "flatpak", "/usr/lib/sysusers.d/flatpak.conf")?;
+    passwd.add_from_sysusers(files, "git", "/usr/lib/sysusers.d/git.conf")?;
+    passwd.add_from_sysusers(files, "systemd", "/usr/lib/sysusers.d/systemd-coredump.conf")?;
+    passwd.add_from_sysusers(files, "systemd", "/usr/lib/sysusers.d/systemd-journal.conf")?;
+    passwd.add_from_sysusers(files, "systemd", "/usr/lib/sysusers.d/systemd-oom.conf")?;
+    passwd.add_from_sysusers(files, "systemd", "/usr/lib/sysusers.d/systemd-remote.conf")?;
+    passwd.add_from_sysusers(files, "systemd", "/usr/lib/sysusers.d/systemd-resolve.conf")?;
+    passwd.add_from_sysusers(files, "systemd", "/usr/lib/sysusers.d/systemd-timesync.conf")?;
+    passwd.align_ids_with_system()?;
+    passwd.apply(cmds)?;
+
     // We skip out on git (which is in our image) so we can test that case
 
     Ok(())
 }
+
+pub const USER_MAPPING = [
+    ("polkitd", 102),
+    ("systemd-journal-upload", 962),
+    ("flatpak", 969),
+    ("geoclue", 970),
+    ("colord", 971),
+    ("avahi", 972),
+    ("chrony", 973),
+    ("dnsmasq", 974),
+    ("git", 975),
+    ("systemd-timesync", 976),
+    ("systemd-resolve", 977),
+    ("systemd-journal-remote", 978),
+    ("systemd-oom", 979),
+    ("systemd-network", 980),
+    ("systemd-coredump", 981),
+];
+
+pub const GROUP_MAPPING = [
+    ("groups", 959),
+    ("systemd-journal-upload", 962),
+    ("flatpak", 969),
+    ("git", 975),
+    ("systemd-timesync", 976),
+    ("systemd-resolve", 977),
+    ("systemd-journal-remote", 978),
+    ("systemd-oom", 979),
+    ("systemd-network", 980),
+    ("systemd-coredump", 981),
+    ("rfkill", 982),
+    ("systemd-journal", 983),
+
+    ("users", 984),
+    ("video", 985),
+    ("uucp", 986),
+    ("storage", 987),
+    ("sgx", 988),
+    ("render", 989),
+    ("optical", 990),
+    ("lp", 991),
+    ("kvm", 992),
+    ("kmem", 993),
+    ("input", 994),
+    ("disk", 995),
+    ("audio", 996),
+    ("utmp", 997),
+    ("wheel", 998),
+    ("adm", 999),
+];

integration_tests/images/arch/Containerfile

@@ -2,7 +2,7 @@ FROM docker.io/archlinux/archlinux:base-devel-20241216.0.289606 AS base_image
 
 # Signatures expire, repos expire, and so on. Make this image reproducible
 # (update this once in a while)
-RUN sed -i "s/^SigLevel.*/SigLevel = Never/" /etc/pacman.conf && \
+RUN sed -i "s/^SigLevel.*/SigLevel = Never/;/DisableSandbox/s/^#//" /etc/pacman.conf && \
     echo 'Server=https://archive.archlinux.org/repos/2024/12/16/$repo/os/$arch' > /etc/pacman.d/mirrorlist
 
 RUN pacman -Syyuu --noconfirm && \