@liannnix liannnix commented Jan 29, 2026

This PR adds ALT Linux support to distrobox, addressing compatibility issues with ALT Linux containers. The changes include:

What was done

  1. Added --container-runuser option (-R) to use runuser instead of su inside containers when unshare_groups is enabled

    • Supported via command line, environment variable DBX_CONTAINER_RUNUSER, and configuration file
    • Defaults to disabled to maintain backward compatibility
  2. Added ALT Linux setup hooks in distrobox-init:

    • Disable pam_mktemp for AltLinux PAM stack compatibility
  3. Fixed directory creation using mkdir -p to prevent errors when /etc/tcb/$user already exists

Why this is needed

ALT Linux has specific requirements for user management and authentication:

Critical incompatibility: ALT Linux uses a different su implementation that is incompatible with the standard su from util-linux package. The ALT Linux su has different command-line options and behavior.

Alternative solution: runuser provides compatible functionality and integrates better with ALT Linux security systems.

Additional requirements:

  • pam_mktemp conflicts with container environments (private /tmp directory is unnecessary since /tmp is mounted from host)

Use mkdir -p in setup_aptrpm() to prevent command failure if
/etc/tcb/$user already exists.

Private tmp directory is not needed as /tmp is mounted from host system.
Using pam_mktemp would break the PAM stack.

Signed-off-by: Andrey Limachko <[email protected]>

Add new --container-runuser/-R option that allows using runuser instead
of su inside container when unshare_groups is enabled. This can be
configured via:
- Command line: --container-runuser or -R
- Environment variable: DBX_CONTAINER_RUNUSER=1/true
- Config file: distrobox_container_runuser=1/true

The option defaults to disabled (0) to maintain backward compatibility.
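
The two init-time changes listed in the PR description (disabling pam_mktemp and creating /etc/tcb/$user with mkdir -p), sketched as an idempotent POSIX sh hook. This is an added example, not code from the PR or from distrobox; the function names, the ROOT prefix argument and the sample PAM files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not distrobox code. Function names and the ROOT prefix
# argument are hypothetical; ROOT lets the hook run against a scratch tree.

MKTEMP_RE='^[[:space:]]*[^#[:space:]].*pam_mktemp'  # active (uncommented) line

# Count active pam_mktemp lines under ROOT/etc/pam.d.
active_mktemp_lines() {
	cat "$1"/etc/pam.d/* | grep -c "${MKTEMP_RE}" || true
}

# Comment out active pam_mktemp lines; already-commented lines are untouched,
# so running the hook again changes nothing.
disable_pam_mktemp() {
	for f in "$1"/etc/pam.d/*; do
		[ -f "${f}" ] || continue
		grep -q "${MKTEMP_RE}" "${f}" || continue
		# Rewrite in place via cat so mode, owner and symlinks are preserved.
		sed "s/${MKTEMP_RE}.*/#&/" "${f}" > "${f}.dbx-tmp" &&
			cat "${f}.dbx-tmp" > "${f}" && rm -f "${f}.dbx-tmp"
	done
	return 0
}

# Plain mkdir fails when the directory exists; -p makes the step repeatable.
ensure_tcb_dir() {
	mkdir -p "$1/etc/tcb/$2"
}

alt_setup_hook() {  # usage: alt_setup_hook ROOT USER
	disable_pam_mktemp "$1" && ensure_tcb_dir "$1" "$2"
}

# Constructed sample tree; file names and contents are made up for the demo.
make_sample_root() {
	r="$(mktemp -d)" && mkdir -p "${r}/etc/pam.d" &&
	printf '%s\n' 'session  required  pam_mktemp.so' \
		'session  required  pam_limits.so' > "${r}/etc/pam.d/system-auth" &&
	printf '%s\n' '# session required pam_mktemp.so' > "${r}/etc/pam.d/other" &&
	echo "${r}"
}

demo_root="$(make_sample_root)"
echo "before: $(active_mktemp_lines "${demo_root}") active pam_mktemp line(s)"
alt_setup_hook "${demo_root}" alice
alt_setup_hook "${demo_root}" alice   # second run: no error, no further change
echo "after:  $(active_mktemp_lines "${demo_root}") active pam_mktemp line(s)"
rm -rf "${demo_root}"
```
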
Owner

89luca89 commented Feb 4, 2026

Hi @liannnix is runuser a replacement for su or an addition in ALTLinux?
If it's a replacement, so it's mutually exclusive, we could just symlink it?

Author

liannnix commented Feb 5, 2026

> Hi @liannnix is runuser a replacement for su or an addition in ALTLinux? If it's a replacement, so it's mutually exclusive, we could just symlink it?

Hi,

In ALT Linux runuser is an addition, not a drop-in replacement for su. ALT ships its own su implementation with different options/behaviour, and a bunch of tools rely on this exact su. Replacing it with a symlink to runuser would break those expectations inside ALT containers.

The actual problem is that distrobox-enter calls su with util-linux style options, but inside an ALT container /bin/su is this custom one, so it blows up. At the same time distrobox cannot reliably know which distro is inside the target container, so it cannot decide on its own when su is safe to use and when it is not.

That’s why the opt-in --container-runuser toggle in this PR is preferable: it fixes ALT containers without touching their su and without relying on symlinks or image modifications.

Owner

89luca89 commented Feb 5, 2026

Got it, now it's more clear.
I'll be honest, I don't like adding a flag in create only for a very specific distro acting in a non posix-y way.
Distrobox's su usage is posix compliant and distrobox targets a posix compliant userland, if that doesn't work it's just an incompatibility on ALT Linux side, more than Distrobox itself.

I'm open to find a way to make it work that does not involve additional options, env variables, or flags.

ALT Linux has a dedicated setup section in the init (about line 967) you can use that to put in some logic in order to make it compliant. Had this problem before with Alpine and Chimera where sudo was replaced by su-exec and doas. We can work in that direction, but as explained, adding a per-distro flag for a very specific use-case is not ok for me.

cc @dottorblaster

Author

liannnix commented Feb 5, 2026

> Got it, now it's more clear. I'll be honest, I don't like adding a flag in create only for a very specific distro acting in a non posix-y way. Distrobox's su usage is posix compliant and distrobox targets a posix compliant userland, if that doesn't work it's just an incompatibility on ALT Linux side, more than Distrobox itself.
>
> I'm open to find a way to make it work that does not involve additional options, env variables, or flags.
>
> ALT Linux has a dedicated setup section in the init (about line 967) you can use that to put in some logic in order to make it compliant. Had this problem before with Alpine and Chimera where sudo was replaced by su-exec and doas. We can work in that direction, but as explained, adding a per-distro flag for a very specific use-case is not ok for me.
>
> cc @dottorblaster

Thanks for the detailed explanation, that makes your concerns much clearer. I agree that a per-distro flag is not ideal, and it’s better to handle ALT Linux specifics in its dedicated init section instead. I’ll rework the PR to move the su/runuser handling there, following the approach you used for Alpine/Chimera, and drop the --container-runuser flag. Thanks again for the review and guidance!
