fix(sys-apps/baselayout): Use custom script to generate /etc/group

I misunderstood the documentation for systemd-tmpfiles, if a string to
write to a file is provided it will always write it, even if the file
already exists and doesn't need to be created. This means that using
tmpfiles to initialize /etc/group results appending each boot.

Instead use a little script instead, also initialize passwd and shadow
so that the `passwd` command works for the core user.

Make use of the systemd eclass where applicable.

sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild

@@ -13,7 +13,7 @@ else
 	KEYWORDS="amd64 arm x86"
 fi
 
-inherit cros-workon cros-tmpfiles eutils multilib
+inherit cros-workon cros-tmpfiles eutils multilib systemd
 
 DESCRIPTION="Filesystem baselayout for CoreOS"
 HOMEPAGE="http://www.coreos.com/"
@@ -85,6 +85,19 @@ pkg_setup() {
 	fi
 }
 
+src_compile() {
+	default
+
+	# generate a tmpfiles.d config to cover our /usr symlinks
+	if use symlink-usr; then
+		local tmpfiles="${T}/baselayout-usr.conf"
+		echo -n > ${tmpfiles} || die
+		for sym in "${!USR_SYMS[@]}" ; do
+			echo "L	${sym}	-	-	-	-	${USR_SYMS[$sym]}" >> ${tmpfiles}
+		done
+	fi
+}
+
 src_install() {
 	# lib symlinks must be in place before make install
 	dodir "${BASE_DIRS[@]}"
@@ -100,20 +113,8 @@ src_install() {
 
 	emake DESTDIR="${D}" install
 
-	# generate a tmpfiles.d config to cover our /usr symlinks
 	if use symlink-usr; then
-		local tmpfiles=${D}/usr/lib/tmpfiles.d/baselayout-usr.conf
+		systemd_dotmpfilesd "${T}/baselayout-usr.conf"
-		echo -n > ${tmpfiles} || die
-		for sym in "${!USR_SYMS[@]}" ; do
-			echo "L	${sym}	-	-	-	-	${USR_SYMS[$sym]}" >> ${tmpfiles}
-		done
-	fi
-
-	if ! use cros_host; then
-		# Docker parses /etc/group directly :(
-		local docker_grp=$(grep "^docker:" "${D}"/usr/share/baselayout/group)
-		echo "f	/etc/group	-	-	-	-	${docker_grp}" > \
-			"${D}"/usr/lib/tmpfiles.d/baselayout-docker.conf || die
 	fi
 
 	# Fill in all other paths defined in tmpfiles configs
@@ -164,5 +165,11 @@ src_install() {
 				> "${D}"/etc/shadow || die
 			chmod 640 "${D}"/etc/shadow || die
 		fi
+
+		# Initialize /etc/passwd, group, and friends on boot.
+		bash "${FILESDIR}/coreos-tmpfiles" "${D}" || die
+		dosbin "${FILESDIR}/coreos-tmpfiles"
+		systemd_dounit "${FILESDIR}/coreos-tmpfiles.service"
+		systemd_enable_service sysinit.target coreos-tmpfiles.service
 	fi
 }

sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/files/coreos-tmpfiles

@@ -0,0 +1,26 @@
+#!/bin/bash
+# systemd-tmpfiles doesn't support skipping writing to files that already exist
+# - copy the docker group to /etc because docker reads /etc/group directly
+# - copy the core user to /etc so the passwd utility works correctly
+
+# Inherit root from environment or command line
+ROOT="${1:-$ROOT}"
+BASE="${ROOT}/usr/share/baselayout"
+
+# readable files
+umask 022
+if [[ ! -e "${ROOT}/etc/passwd" ]]; then
+    grep "^core:" "${BASE}/passwd" > "${ROOT}/etc/passwd"
+fi
+if [[ ! -e "${ROOT}/etc/group" ]]; then
+    grep "^docker:" "${BASE}/group" > "${ROOT}/etc/group"
+fi
+
+# secure files
+umask 027
+if [[ ! -e "${ROOT}/etc/shadow" ]]; then
+    grep "^core:" "${BASE}/shadow" > "${ROOT}/etc/shadow"
+fi
+if [[ ! -e "${ROOT}/etc/gshadow" ]]; then
+    grep "^docker:" "${BASE}/gshadow" > "${ROOT}/etc/gshadow"
+fi

sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/files/coreos-tmpfiles.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Create missing system files
+DefaultDependencies=no
+After=local-fs.target
+Before=sysinit.target
+ConditionPathIsReadWrite=/etc
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/coreos-tmpfiles