/etc/passwd problem

locke496 · February 28, 2026, 10:39am

I have a custom image where I have installed additionally dovecot and opensmtpd
In /etc/passwd I added

dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:948:948:Dovecot - unauthorized user:/usr/libexec/dovecot:/sbin/nologin
smtpd:x:947:947:opensmtpd privsep user:/var/empty/smtpd:/usr/sbin/nologin
smtpq:x:946:946:opensmtpd queue user:/var/empty/smtpd:/usr/sbin/nologin

Unfortunately, it happens once in a while that /usr/etc/passwd has changed. The last example is from yesterday where /usr/etc/passwd contains

dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:949:949:Dovecot - unauthorized user:/usr/libexec/dovecot:/sbin/nologin
smtpd:x:948:948:opensmtpd privsep user:/var/empty/smtpd:/usr/sbin/nologin
smtpq:x:947:947:opensmtpd queue user:/var/empty/smtpd:/usr/sbin/nologin

The bad thing here is that then for /usr/bin/smtpctl I have

-r-xr-sr-x. 1 root smtpd 190896 Jan 1 1970 /usr/bin/smtpctl

i.e. the group is wrong, it should be smtpq

I have no idea how to prevent this changes in /usr/etc/passwd from happening.

klmcw · February 28, 2026, 12:58pm

The files in /usr/etc are mounted from the updated ostree image. They are there as the source for creating a new /etcdir if it does not exist. There are rules as to how a merge happens upon ostree update. I summarized (and linked to the original docs) in the article below.

TL;DR - once /etc is created if a file is modified as compared to its counterpart in /usr/etc it is not touched. There is detection guidance linked to in the article.

That is for the consumer host. But, you have a custom image. So, in theory, you should be able to partially manage these changes as part of your CI/CD pipeline in GitHub. But there may need to be some cooperating conversion on the consuming host as well - to address the changes to user / group id’s or names. E.g., to convert perms of dirs, files, etc.

That’s the theory I can help with. Hopefully someone who manages a custom image can offer a practical solution.

locke496 · February 28, 2026, 1:35pm

I had looked before at the link you give here.

It would be good to understand what the reason is that ids in /usr/etc/{passwd,group} do change over time.

In other words: when I install, e.g. opensmtpd in my custom image, the install process presumably decides which ids the smtpq resp. smtpd users/groups get assigned. I have no idea why this changes sometimes when a custom image gets built.

klmcw · February 28, 2026, 3:25pm

Something in upstream - bluefin, silverblue, etc. changes them in their CI/CD pipeline that is impacting your own CI/CD pipeline?

I just looked and the only line I have in passwd is for root.

$ cat /usr/etc/passwd
root:x:0:0:root:/root:/bin/bash
$ cat /usr/etc/group 
root:x:0:
wheel:x:10:

So that means that anything you are seeing comes from the custom image build process - some where…

Those user/group entries are being created by the rpm install.

I found this: https://src.fedoraproject.org/rpms/opensmtpd/blob/f30/f/opensmtpd.spec#_139

Is the order you are installing opensmtpd staying in the same position in terms of build order? Think about how UIDs are picked … first come, first served within each range of system vs user UIDs.

E.g., if you add a new rpm install, you might want to make sure you add it after any existing installs. But I am not sure what bluefin is committing to along the lines of their template in terms of which range they reserve for custom images - if any.

I notice that both the UID and GID of smtpq went from 946 to 947 which rippled through the rest. That suggests to me that in the second example something else was installed before opensmtpd that picked 946. Although I do not see evidence of that in your snippets.

I also wonder if GitHub action caching is getting in your way. Doesn’t seem probable based on what you are showing … but something I have run into with installing python pip modules, etc. where my understanding of the current state of the build was wrong.

Hope that gets you closer.

locke496 · February 28, 2026, 4:20pm

I also was thinking this way , and I will watch if something gets changed nevertheless over the next time.

Yes, something is happening here which might affect things. Don’t understand yet.

As said above, I will watch… and will give feedback when something interesting is happening.

klmcw · February 28, 2026, 5:16pm

Do you have caching enabled in a GitHub action somewhere? My issue was related to gcc building of cpython extensions built when installing a pip module. I had to explicitly delete the current cache for python 3.12 which seemed unrelated. But once I saw that worked, it was just a matter of finding the right place in my test.yml workflow file to turn off the use of caching. Things started to become more repeatable.

Point is - if you get stuck again - try to delete GitHub action caches you may have one at a time to see if you get a better clue.

Also, I am not sure which OS component stores the “next available UID” now a days - PAM, NSS? But finding a way to output that info in a few places of your build.log before installing opensmtpd might help as well.

locke496 · February 28, 2026, 5:37pm

Not that I knew. Thanks for the tip. Will look at this when it happens again.

Edit: At least when looking at caches under Actions I get: No caches. Nevertheless, I will watch things.

Topic		Replies	Views
[fix/faq] 1Password Browser Extension and CLI don’t work in my custom image General	0	531	December 3, 2023
Did You Know? How ostree update merges changes into etc and var Bluefin	1	928	June 4, 2025
Where are users and groups defined? General	8	101	February 13, 2026
Got myself into a bit of trouble (can't update) General	16	748	August 28, 2024
Looking at differences when having a custom image General	12	178	September 26, 2025

/etc/passwd problem

Related topics