sysusers: handle NSS errors gracefully

If the io.systemd.DynamicUser or io.systemd.Machine files exist,
but nothing is listening on them, the nss-systemd module returns
ECONNREFUSED and systemd-sysusers fails to creat the user/group.

This is problematic when ran by packaging scripts, as the package
assumes that after this has run, the user/group exist and can
be used. adduser does not fail in the same situation.

Change sysusers to print a loud warning but otherwise continue
when NSS returns an error.

(cherry picked from commit fc9938d6f8e7081df5420bf88bf98f683b1391c0)

src/sysusers/sysusers.c

@@ -1051,7 +1051,7 @@ static int uid_is_ok(
                 if (r >= 0)
                         return 0;
                 if (r != -ESRCH)
-                        return r;
+                        log_warning_errno(r, "Unexpected failure while looking up UID '" UID_FMT "' via NSS, assuming it doesn't exist: %m", uid);
 
                 if (check_with_gid) {
                         r = getgrgid_malloc((gid_t) uid, &g);
@@ -1059,7 +1059,7 @@ static int uid_is_ok(
                                 if (!streq(g->gr_name, name))
                                         return 0;
                         } else if (r != -ESRCH)
-                                return r;
+                                log_warning_errno(r, "Unexpected failure while looking up GID '" GID_FMT "' via NSS, assuming it doesn't exist: %m", uid);
                 }
         }
 
@@ -1164,7 +1164,7 @@ static int add_user(Context *c, Item *i) {
                         return 0;
                 }
                 if (r != -ESRCH)
-                        return log_error_errno(r, "Failed to check if user %s already exists: %m", i->name);
+                        log_warning_errno(r, "Unexpected failure while looking up user '%s' via NSS, assuming it doesn't exist: %m", i->name);
         }
 
         /* Try to use the suggested numeric UID */
@@ -1284,14 +1284,14 @@ static int gid_is_ok(
                 if (r >= 0)
                         return 0;
                 if (r != -ESRCH)
-                        return r;
+                        log_warning_errno(r, "Unexpected failure while looking up GID '" GID_FMT "' via NSS, assuming it doesn't exist: %m", gid);
 
                 if (check_with_uid) {
                         r = getpwuid_malloc(gid, /* ret= */ NULL);
                         if (r >= 0)
                                 return 0;
                         if (r != -ESRCH)
-                                return r;
+                                log_warning_errno(r, "Unexpected failure while looking up GID '" GID_FMT "' via NSS, assuming it doesn't exist: %m", gid);
                 }
         }
 
@@ -1326,7 +1326,7 @@ static int get_gid_by_name(
                         return 0;
                 }
                 if (r != -ESRCH)
-                        return log_error_errno(r, "Failed to check if group %s already exists: %m", name);
+                        log_warning_errno(r, "Unexpected failure while looking up group '%s' via NSS, assuming it doesn't exist: %m", name);
         }
 
         return -ENOENT;

test/units/TEST-74-AUX-UTILS.sysusers.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
+at_exit() {
+    set +e
+    userdel -r foobarbaz
+    umount /run/systemd/userdb/
+}
+
+# Check that we indeed run under root to make the rest of the test work
+[[ "$(id -u)" -eq 0 ]]
+
+trap at_exit EXIT
+
+# Ensure that a non-responsive NSS socket doesn't make sysusers fail
+mount -t tmpfs tmpfs /run/systemd/userdb/
+touch /run/systemd/userdb/io.systemd.DynamicUser
+echo 'u foobarbaz' | SYSTEMD_LOG_LEVEL=debug systemd-sysusers -
+grep -q foobarbaz /etc/passwd