Hi,

On 28.04.2025 15:40, Marc Haber wrote:

> As far as I was told, using sysusers is going to be mandatory soon, to
> help with containers, immutable /usr and empty /etc.

FWIW, switching to sysusers would break most of my CI containers -- these are orchestrated by Jenkins, and use a shell script as the root process. Changing this would require a deep dive into Java code.

My containers use "useradd" instead of "adduser" for the most part though, because these are just generic "don't run this part as root" users that require no configuration.

The same goes, I expect, for most of the Docker containers out there -- both systemd-nspawn containers and Docker containers running a copy of systemd as pid 1 are fairly niche, and will remain so until they also implement a replacement for Docker-style image distribution, and k8s-style container orchestration, and provide a stable interface for creating users inside a container during image creation.

People running Debian inside containers also do not care about immutable /usr or empty /etc, because containers are immutable anyway, and the contents of /etc are copied in from version control, and switching to a database-style format that uses dedicated tools creates additional overhead, and, again, would require a stable interface for creating registry entries inside a container during image creation.

Frankly, I don't see that happening any time soon now, and even if it were, there would be no clear benefit to users, as they already have working solutions that would be broken by such a change, and the path of least resistance for them would be to switch to another distribution as container base image.

To get back on the original topic: I (and everyone in the company I work for) use "adduser" to create users on shared machines, because it works, and allows us to actually get on with our main goals. That is actual value.

   Simon
