Tracking upstream projects that do not support hermetic-usr for configuration #76
Comments
A first bunch, starting with a minimal OS running containers.
|
APT and dpkg both don't support it. I haven't figured out the behavior for APT yet, tbh, it's weird because essentially everything is drop-ins for apt.conf these days. |
|
I dare to add to the list:
There's currently systemd/systemd#28919 to address this issue by giving the possibility to downstream to ship the config files in /usr/lib but for some reason the idea has not been well received. |
@fbuihuu systemd's config files in /etc/ are just decoration. Entirely redundant, they are pretty much just helpful hints to people who want to use traditional populated /etc/. If you delete them for modern systems that come up without /etc/ then behaviour is not changed whatsoever. All options listed in them just give users hints on the available settings and their defaults, and those options are fully commented, hence these files are NOPs. |
Next package list:
|
For glibc I missed yesterday:
These are now all packages from our minimal installation of MicroOS as ContainerHost besides openssh. The question is how far we want to go with that list. I could go next through a typical server installation and desktop system, but I don't know if this would be really helpful, as the list is already long and it would mix up packages with different priority. |
Yeah I had the same experience some years past, openssh as a project is just not interested in anything that doesn't directly benefit BSD. Should we set up a Linux-focused fork, where we can co-maintain patches?
I think this is a good starting point, being core packages they are the highest value to fix. Once we have made a dent in the current list, then we could start looking at a server installation. |
nscd is on its way out: https://fedoraproject.org/wiki/Changes/RemoveNSCD. |
Apparmor is another one that doesn't support any kind of vendordir at the moment. |
/etc/rsyncd.conf should be solved with: util-linux (/etc/blkid.conf): |
I have fixed mailx (/etc/mail.rc) in SUSE OBS: https://build.opensuse.org/request/show/1131341 |
In Debian we ship bsd-mailx: https://tracker.debian.org/pkg/bsd-mailx which according to package metadata comes from https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/ |
Thanks for the hint! I have sent a patch to [email protected]. |
I filed this bug against Fedora's authselect now: |
I have made a PR for fcoe-utils: |
I have submitted a patch for selinux: |
DNF 5 supports hermetic configuration since 5.1.4. rpm-software-management/dnf5#813 |
What about ca-certificates? That one seems to be prominently missing from the list? Debian already seems to put certificates in /usr/share/ca-certificates, whereas Fedora uses /etc/pki and OpenSUSE /var/lib/ca-certificates? It'd be great if we could standardize on /usr/share/ca-certificates in some form (not familiar with the details) |
I have submitted a patch for open-iscsi: |
A |
Another one that seems to be missing is openssl |
This issue will be used to track Linux projects that do not currently support hermetic-usr configuration style (ie: /usr/lib/foo as default, /run/foo as ephemeral local override, /etc/foo as persistent local override). The purpose is to have a cross-distribution list of items to slowly work through, to be able to have a bootable and working minimal Linux image-based system with only /usr.
This list is not definitive and will get updated as we go.
- /etc/shells (ref: Support for vendor locations (pam_shells and /etc/shells) linux-pam/linux-pam#498 (comment))
- /etc/services (used by getservbyname/getservbyport, which make little sense and are not widely used, but there still are some applications which do). It should be moved under /usr.
- /etc/dnf/dnf.conf
- /etc/systemd
- /etc/udev
- /etc/X11/xinit/xinitrc.d/50-systemd-user.sh
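The lookup order described in the issue text (/usr/lib/foo as default, /run/foo as ephemeral override, /etc/foo as persistent override), sketched as an added example that is not part of the original issue or of any listed project's code. It resolves which copy of a config file wins and reports which files run on the vendor default, which are locally overridden, and which have no default under /usr/lib at all. The function names, file names and sample tree are assumptions made for illustration, and drop-in directories are not handled.

```python
import tempfile
from pathlib import Path

# Highest priority first, per the issue text: /etc (persistent override),
# /run (ephemeral override), /usr/lib (vendor default shipped in the image).
SEARCH_DIRS = ("etc", "run", "usr/lib")

def resolve(root, name):
    """Return (winning_path, shadowed_paths) for config `name` under `root`."""
    found = [p for p in (Path(root, d, name) for d in SEARCH_DIRS) if p.is_file()]
    return (found[0], found[1:]) if found else (None, [])

def audit(root, names):
    """Map each name to 'vendor', 'overridden', 'local-only' or 'missing'."""
    report = {}
    for name in names:
        winner, shadowed = resolve(root, name)
        vendor = Path(root, "usr/lib", name)
        if winner is None:
            report[name] = "missing"
        elif winner == vendor:
            report[name] = "vendor"          # only the image's default is in effect
        elif vendor in shadowed:
            report[name] = "overridden"      # local copy shadows the vendor default
        else:
            report[name] = "local-only"      # no default under /usr/lib at all
    return report

def build_sample_root():
    """Create a constructed sample tree (not a real system) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="hermetic-usr-"))
    files = {
        "usr/lib/foo/foo.conf": "level=info\n",   # vendor default only
        "usr/lib/bar/bar.conf": "level=info\n",   # vendor default ...
        "etc/bar/bar.conf": "level=debug\n",      # ... shadowed persistently
        "run/baz/baz.conf": "level=warn\n",       # ephemeral, no vendor default
    }
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root

if __name__ == "__main__":
    sample = build_sample_root()
    names = ["foo/foo.conf", "bar/bar.conf", "baz/baz.conf", "qux.conf"]
    for name, state in audit(sample, names).items():
        print(f"{name}: {state}")
```

Entries reported as local-only are the ones that would disappear on an image that boots with an empty /etc, which is the class of file this issue tracks.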