From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 7231085468566159360
X-Received: by 2002:a05:6512:21a4:b0:4f2:4e7c:e2e3 with SMTP id c4-20020a05651221a400b004f24e7ce2e3mr437327lft.9.1683618286402;
        Tue, 09 May 2023 00:44:46 -0700 (PDT)
X-BeenThere: isar-users@googlegroups.com
Received: by 2002:a2e:bea9:0:b0:2ab:4d:c40d with SMTP id a41-20020a2ebea9000000b002ab004dc40dls1515ljr.1.-pod-prod-00-eu;
 Tue, 09 May 2023 00:44:44 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ6lFYpR6DZ6/H6Tav+Y6TUs8FtRioKiqqZz38T4ASHvX7uMgr/TzwMlfRn3QFYnir5jN2lD
X-Received: by 2002:a05:651c:1728:b0:2a9:f9e0:a820 with SMTP id be40-20020a05651c172800b002a9f9e0a820mr492159ljb.11.1683618284845;
        Tue, 09 May 2023 00:44:44 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1683618284; cv=pass;
        d=google.com; s=arc-20160816;
        b=yLVyJYvvB81tBov4sMrN14GlTfhWDGSrxpRvCuUMTbImmHaIk0/nzoq4wQiq8vEksm
         7rz5wCiWmwiHRRuajIRect/yhH9hi8dNqcawEHVR8vWZywD5eiua0qevV7Gjbjkr+aJ/
         dh8GjepAhUAau+Rs8MsaJBv8DFZ1YpoYJw6ACvdx6R5V5cxjhPPgTGd5WWwTKzn2pzST
         uck1X2FZufsyxFmUCGEvO56etUUjuC3arqjwWvzEpQkATtWARYXcaR2d2S/URC4ugguq
         5rJ88Oi4QuBuQBS0qlzoh+lWo6wfjgO+wFH7KzPcTj0Sd6RPLAudWP1nsexveSAE6a+N
         gU5A==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=nn51Thbj2GDiWjILGx8huR4gWhAsJb0XTJxRyH1YtYM=;
        b=tB148577K0IJfkWJX9ZZT46YNtnqXKo878vl7cteyN9xng+Nbl9m8ssthBsOBsOdjO
         HRWRKGjMNcITWUyEOUe+hNJUJBZVY2Lpoql5mGkLiezSAoZXUzpV7wTHuj0YhdzD2eQo
         BbhrSjfu0QXfYfsRTTYv2opMlSfk+Tb/Wn43QKrz+dwExqtMkD4BxZiQuiGrsB+TtTVN
         OQDj7sEncWf43M7nzhRHxyO3AWWVpW7SzDJzSt3iNpu95Dp30LUHhqcBpHPVTlc2iZ6D
         QH0ntcTQMqMjdt55RQPYZnpJCEp9v7RjDxfQaitlGCEM7vQt9LM4BpG+QaJ7rZBpxoIZ
         aFzQ==
ARC-Authentication-Results: i=2; gmr-mx.google.com;
       dkim=pass header.i=@siemens.com header.s=selector2 header.b=Zb7085hW;
       arc=pass (i=1 spf=pass spfdomain=siemens.com dmarc=pass fromdomain=siemens.com);
       spf=pass (google.com: domain of tobias.schaffner@siemens.com designates 2a01:111:f400:7e1a::61c as permitted sender) smtp.mailfrom=tobias.schaffner@siemens.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com
Return-Path: <tobias.schaffner@siemens.com>
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2061c.outbound.protection.outlook.com. [2a01:111:f400:7e1a::61c])
        by gmr-mx.google.com with ESMTPS id h5-20020a2ebc85000000b002ac885a8f29si571025ljf.3.2023.05.09.00.44.44
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 09 May 2023 00:44:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of tobias.schaffner@siemens.com designates 2a01:111:f400:7e1a::61c as permitted sender) client-ip=2a01:111:f400:7e1a::61c;
Authentication-Results: gmr-mx.google.com;
       dkim=pass header.i=@siemens.com header.s=selector2 header.b=Zb7085hW;
       arc=pass (i=1 spf=pass spfdomain=siemens.com dmarc=pass fromdomain=siemens.com);
       spf=pass (google.com: domain of tobias.schaffner@siemens.com designates 2a01:111:f400:7e1a::61c as permitted sender) smtp.mailfrom=tobias.schaffner@siemens.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=aHDIXnnk2e7XD1LLngM+bN5ihtEQ9YvIOIVkzI+CJCcH/gN5ifi1y+ca7TDRTTLX9N9uUXAmU2KUT5dFZroLgArzJ3pJhKTcXrTy31/YyDn8kAAK7k8Wzu/zZ1WwrwUFo4Gq2X7+bZYtDTs7uruF7MhkotE5AHIaTM7DuFCJOqCucAzVTBjeVWQP3Lcgj1flZPZ0Lr3+fPXdHVoz4bhL2xDZYB+vzE1zFt8Oz/SElpTK822rac1PVWNXcZTLirechRrHZxom8hJObUwn63vLwpt4jJW6/XspI2BheT1p49O3oUzmhwa035GTsAspJymdxYjKRNDpJJUN18twJjFpLg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=nn51Thbj2GDiWjILGx8huR4gWhAsJb0XTJxRyH1YtYM=;
 b=P75O8IwwK/x8oB6/YQ9hubavPCvbmtTsICNuxIMspzcGYcSa88rBbdCRMgxocYOeetDiLomTSL7EGkIrVo8cx3ZBAOTlb3fIJxY54KBty4qInE/TORSpiilHBgrUa7+ZhnhImDn/iNZ0sYS140B4SkHBjy/DfKlwz6H2cFSTikqgPMtScz3jOSDraa4Zo0ZqiAoaBZ8XQDAMsvo3017cNPJxFfe5SJK6Xpr9T70irymAG68BHsF2Qt55ydaIbJajVWBChzmBocr22PHhjW2oNd9ek/iB0zg8Nlfpy9JJn2ee3UiOEknSNhmyN9wTlhWVyVBWsOcr2PqSCL0tbZjJVw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 194.138.21.76) smtp.rcpttodomain=googlegroups.com smtp.mailfrom=siemens.com;
 dmarc=pass (p=reject sp=reject pct=100) action=none header.from=siemens.com;
 dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com;
 s=selector2;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=nn51Thbj2GDiWjILGx8huR4gWhAsJb0XTJxRyH1YtYM=;
 b=Zb7085hWSqYJQaFqVIDo8/Dfn5VZGzeodcAyj19fAzxpl+FKxinlP7QjuqOSvhiH25CjRT7GHj7xAvJhAjPe/n7l3lagvDPXhBX20kizjq8sEGFRz1kKIs4Z3/i++t7nZ/UYQD4m3GJBoQvz2Q5U6WrgZP3J2FTRqOgApmMqzUKfSGHlqSJoC5Z9BLMAXy8e+8wie22iuSMCGNMBUtl5zRaw+gy51NiWPvMn+A8pDhq3LTM8ilf3akDDML+xxmLNuEMNrHMhMYWlHbP2Ew6K9IWQigkliASpuHx3zQXiQyZTA0XS+2Z3gu89kLL58razSSV8YBgwCJmO7kGyncgSqw==
Received: from FR3P281CA0209.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:a5::8) by
 DU0PR10MB6801.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:477::22) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.6363.32; Tue, 9 May 2023 07:44:41 +0000
Received: from VE1EUR01FT011.eop-EUR01.prod.protection.outlook.com
 (2603:10a6:d10:a5:cafe::ba) by FR3P281CA0209.outlook.office365.com
 (2603:10a6:d10:a5::8) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6387.18 via Frontend
 Transport; Tue, 9 May 2023 07:44:41 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 194.138.21.76)
 smtp.mailfrom=siemens.com; dkim=none (message not signed)
 header.d=none;dmarc=pass action=none header.from=siemens.com;
Received-SPF: Pass (protection.outlook.com: domain of siemens.com designates
 194.138.21.76 as permitted sender) receiver=protection.outlook.com;
 client-ip=194.138.21.76; helo=hybrid.siemens.com; pr=C
Received: from hybrid.siemens.com (194.138.21.76) by
 VE1EUR01FT011.mail.protection.outlook.com (10.152.2.229) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.6387.18 via Frontend Transport; Tue, 9 May 2023 07:44:41 +0000
Received: from DEMCHDC8WAA.ad011.siemens.net (139.25.226.104) by
 DEMCHDC8VSA.ad011.siemens.net (194.138.21.76) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.1118.25; Tue, 9 May 2023 09:44:41 +0200
Received: from L15-Gen2.fritz.box (139.22.36.202) by
 DEMCHDC8WAA.ad011.siemens.net (139.25.226.104) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.1118.25; Tue, 9 May 2023 09:44:39 +0200
From: "T. Schaffner" <tobias.schaffner@siemens.com>
To: <isar-users@googlegroups.com>
CC: <quirin.gylstorff@siemens.com>, <henning.schild@siemens.com>, "Tobias
 Schaffner" <tobias.schaffner@siemens.com>
Subject: [PATCH v2 1/4] simplify image-account-extension
Date: Tue, 9 May 2023 09:44:09 +0200
Message-ID: <20230509074412.86392-2-tobias.schaffner@siemens.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230509074412.86392-1-tobias.schaffner@siemens.com>
References: <20230509074412.86392-1-tobias.schaffner@siemens.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
Return-Path: tobias.schaffner@siemens.com
X-Originating-IP: [139.22.36.202]
X-ClientProxiedBy: DEMCHDC8WBA.ad011.siemens.net (139.25.226.105) To
 DEMCHDC8WAA.ad011.siemens.net (139.25.226.104)
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: VE1EUR01FT011:EE_|DU0PR10MB6801:EE_
X-MS-Office365-Filtering-Correlation-Id: e6eb0eed-0d62-4654-ae75-08db50613fd3
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
	PN3Dl75Ygb2sH/f67xExHl6qa6JctyrBwPuzD1LTFBTAyF+7kDCiu3Xxy3WKG0/LoebT7hCEyDuVORWBSXpiz2UQ4o/w0Bo2YNtJaOBmSJQL/6eydzTp2bOPoM8ilSdQBexHfCQQfFfCGZmrxKx7xgkut4w8167nQ3CX2NiqHNe7tB6lW8wWR3ZYEPpn6dGZ6MTERwUZPoSavT+1wxJzKNq/v1LqYYZKO6fAopgvVJHBpyWjYB4+NQrojkHCGiGO7/HIsZaP2aLXKmGoblPMA8Ijia/xc8xScc9W+6YnZf3OaHlS0B5h0rpSvmAoDUyVeAsfA7OnbymKZwIgNJZJ/aUf1k3MFH7bSLhNUw5BAmNjI7SG15dAhTmP+rDyX1SucXgCeQ4ZU0CnvMG2ppGVNfgGupRywu66fEs5y3FfEhSl596frIRUKNKQuYEVemaSREWaR8GHOy2Yf71Rz0OjhNewLURzwhwrH1xM1LTzqJQ893ojcwcRrO8Fu4Bl3WtVqAp9VzwESU5vGxa5jj13f7F+gbo3R4xoaG2OxOj5hLddvNM6htoXEggRZkuXA1QcfOQe4MHd2zQ5IImiTk7erfEH0JfIbOMCUmv7pnb5R6gCquZ1XQRkbqLiIUMrPR0i3Rl2OkxL/cyffgyhmc+00yFUbNsfnYrYgIs3mgJbM1EdDItCDA5OjhBEY2Ij9ZQjC360wuJ7nBAQNZ73XWKxBtbGs7FNH88792ycfB4yLmM=
X-Forefront-Antispam-Report:
	CIP:194.138.21.76;CTRY:DE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:hybrid.siemens.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230028)(4636009)(346002)(39860400002)(376002)(136003)(396003)(451199021)(40470700004)(46966006)(36840700001)(86362001)(36756003)(6666004)(316002)(54906003)(4326008)(70586007)(6916009)(478600001)(70206006)(82310400005)(40480700001)(15650500001)(8936002)(30864003)(8676002)(41300700001)(2906002)(356005)(5660300002)(82960400001)(186003)(82740400003)(81166007)(16526019)(107886003)(956004)(1076003)(36860700001)(26005)(47076005)(336012)(83380400001)(2616005)(40460700003)(36900700001);DIR:OUT;SFP:1101;
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 May 2023 07:44:41.5475
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: e6eb0eed-0d62-4654-ae75-08db50613fd3
X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=38ae3bcd-9579-4fd4-adda-b42e1495d55a;Ip=[194.138.21.76];Helo=[hybrid.siemens.com]
X-MS-Exchange-CrossTenant-AuthSource:
	VE1EUR01FT011.eop-EUR01.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU0PR10MB6801
X-TUID: GU9nENnU0b95

From: Tobias Schaffner <tobias.schaffner@siemens.com>

Do the complete user and group creation in python. This allows us to
drop the encoding and parsing code that was used to make the user and
group lists available in the shell function.

Signed-off-by: Tobias Schaffner <tobias.schaffner@siemens.com>
---
 meta/classes/image-account-extension.bbclass | 368 +++++++------------
 1 file changed, 124 insertions(+), 244 deletions(-)

diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass
index 1a1f704d..ab7b48a4 100644
--- a/meta/classes/image-account-extension.bbclass
+++ b/meta/classes/image-account-extension.bbclass
@@ -1,5 +1,5 @@
 # This software is a part of ISAR.
-# Copyright (C) Siemens AG, 2019
+# Copyright (C) Siemens AG, 2019-2023
 #
 # SPDX-License-Identifier: MIT
 #
@@ -25,251 +25,131 @@ GROUPS ??= ""
 #GROUP_root[gid] = ""
 #GROUP_root[flags] = "system"
 
-def gen_accounts_array(d, listname, entryname, flags, verb_flags=None):
-    from itertools import chain
-
-    entries = (d.getVar(listname) or "").split()
-    return " ".join(
-        ":".join(
-            chain(
-                (entry,),
-                (
-                    (",".join(
-                        (
-                            d.getVarFlag(entryname + "_" + entry, flag, True) or ""
-                        ).split()
-                    ) if flag not in (verb_flags or []) else (
-                        d.getVarFlag(entryname + "_" + entry, flag, True) or ""
-                    )).replace(":","=")
-                    for flag in flags
-                ),
-            )
-        )
-        for entry in entries
-    )
-
-# List of space separated entries, where each entry has the format:
-# username:encryptedpassword:expiredate:inactivenumber:userid:groupid:comment:homedir:shell:group1,group2:flag1,flag2
-IMAGE_ACCOUNTS_USERS =+ "${@gen_accounts_array(d, 'USERS', 'USER', ['password',  'expire', 'inactive', 'uid', 'gid', 'comment', 'home', 'shell', 'groups', 'flags'], ['password', 'comment', 'home', 'shell'])}"
-
-# List of space separated entries, where each entry has the format:
-# groupname:groupid:flag1,flag2
-IMAGE_ACCOUNTS_GROUPS =+ "${@gen_accounts_array(d, 'GROUPS', 'GROUP', ['gid', 'flags'])}"
-
-do_rootfs_install[vardeps] += "${IMAGE_ACCOUNTS_GROUPS} ${IMAGE_ACCOUNTS_USERS}"
 
-ROOTFS_POSTPROCESS_COMMAND += "image_postprocess_accounts"
-image_postprocess_accounts() {
-    # Create groups
-    # Add space to the end of the list:
-    list='${@" ".join(d.getVar('IMAGE_ACCOUNTS_GROUPS').split())} '
-    while true; do
-        # Pop first group entry:
-        list_rest="${list#*:*:* }"
-        entry="${list%%${list_rest}}"
-        list="${list_rest}"
-
-        if [ -z "${entry}" ]; then
-            break
-        fi
-
-        # Add colon to the end of the entry and remove trailing space:
-        entry="${entry% }:"
-
-        # Decode entries:
-        name="${entry%%:*}"
-        entry="${entry#${name}:}"
-
-        gid="${entry%%:*}"
-        entry="${entry#${gid}:}"
-
-        flags="${entry%%:*}"
-        entry="${entry#${flags}:}"
-
-        flags=",${flags}," # Needed for searching for substrings
-
-        # Check if user already exists:
-        if grep -q "^${name}:" '${ROOTFSDIR}/etc/group'; then
-            exists="y"
-        else
-            exists="n"
-        fi
-
-        # Create arguments:
-        set -- # clear arguments
-
-        if [ -n "$gid" ]; then
-            set -- "$@" --gid "$gid"
-        fi
-
-        if [ "n" = "$exists" ]; then
-            if [ "${flags}" != "${flags%*,system,*}" ]; then
-                set -- "$@" --system
-            fi
-        fi
-
-        # Create or modify groups:
-        if [ "y" = "$exists" ]; then
-            if [ -z "$@" ]; then
-                echo "Do not execute groupmod (no changes)."
-            else
-                echo "Execute groupmod with \"$@\" for \"$name\""
-                sudo -E chroot '${ROOTFSDIR}' \
-                    /usr/sbin/groupmod "$@" "$name"
-            fi
-        else
-            echo "Execute groupadd with \"$@\" for \"$name\""
-            sudo -E chroot '${ROOTFSDIR}' \
-                /usr/sbin/groupadd "$@" "$name"
-        fi
-    done
-
-    # Create users
-    list='${@" ".join(d.getVar('IMAGE_ACCOUNTS_USERS').split())} '
-    while true; do
-        # Pop first user entry:
-        list_rest="${list#*:*:*:*:*:*:*:*:*:*:* }"
-        entry="${list%%${list_rest}}"
-        list="${list_rest}"
-
-        if [ -z "${entry}" ]; then
-            break
-        fi
-
-        # Add colon to the end of the entry and remove trailing space:
-        entry="${entry% }:"
-
-        # Decode entries:
-        name="${entry%%:*}"
-        entry="${entry#${name}:}"
-
-        password="${entry%%:*}"
-        entry="${entry#${password}:}"
-
-        expire="${entry%%:*}"
-        entry="${entry#${expire}:}"
-
-        inactive="${entry%%:*}"
-        entry="${entry#${inactive}:}"
-
-        uid="${entry%%:*}"
-        entry="${entry#${uid}:}"
-
-        gid="${entry%%:*}"
-        entry="${entry#${gid}:}"
-
-        comment="${entry%%:*}"
-        entry="${entry#${comment}:}"
-
-        home="${entry%%:*}"
-        entry="${entry#${home}:}"
-
-        shell="${entry%%:*}"
-        entry="${entry#${shell}:}"
-
-        groups="${entry%%:*}"
-        entry="${entry#${groups}:}"
-
-        flags="${entry%%:*}"
-        entry="${entry#${flags}:}"
-
-        flags=",${flags}," # Needed for searching for substrings
-
-        # Check if user already exists:
-        if grep -q "^${name}:" '${ROOTFSDIR}/etc/passwd'; then
-            exists="y"
-        else
-            exists="n"
-        fi
-
-        # Create arguments:
-        set -- # clear arguments
-
-        if [ -n "$expire" ]; then
-            set -- "$@" --expiredate "$expire"
-        fi
-
-        if [ -n "$inactive" ]; then
-            set -- "$@" --inactive "$inactive"
-        fi
-
-        if [ -n "$uid" ]; then
-            set -- "$@" --uid "$uid"
-        fi
-
-        if [ -n "$gid" ]; then
-            set -- "$@" --gid "$gid"
-        fi
-
-        if [ -n "$comment" ]; then
-            set -- "$@" --comment "$comment"
-        fi
-
-        if [ -n "$home" ]; then
-            if [ "y" = "$exists" ]; then
-                set -- "$@" --home "$home" --move-home
-            else
-                set -- "$@" --home-dir "$home"
-            fi
-        fi
-
-        if [ -n "$shell" ]; then
-            set -- "$@" --shell "$shell"
-        fi
-
-        if [ -n "$groups" ]; then
-            set -- "$@" --groups "$groups"
-        fi
-
-        if [ "n" = "$exists" ]; then
-            if [ "${flags}" != "${flags%*,system,*}" ]; then
-                set -- "$@" --system
-            fi
-            if [ "${flags}" != "${flags%*,no-create-home,*}" ]; then
-                set -- "$@" --no-create-home
-            else
-                if [ "${flags}" != "${flags%*,create-home,*}" ]; then
-                    set -- "$@" --create-home
-                fi
-            fi
-        fi
-
-        # Create or modify users:
-        if [ "y" = "$exists" ]; then
-            if [ -z "$@" ]; then
-                echo "Do not execute usermod (no changes)."
-            else
-                echo "Execute usermod with \"$@\" for \"$name\""
-                sudo -E chroot '${ROOTFSDIR}' \
-                    /usr/sbin/usermod "$@" "$name"
-            fi
-        else
-            echo "Execute useradd with \"$@\" for \"$name\""
-            sudo -E chroot '${ROOTFSDIR}' \
-                /usr/sbin/useradd "$@" "$name"
-        fi
-
-        # Set password:
-        if [ -n "$password" -o "${flags}" != "${flags%*,allow-empty-password,*}" ]; then
-            chpasswd_args="-e"
-            if [ "${flags}" != "${flags%*,clear-text-password,*}" ]; then
+def image_create_groups(d: "DataSmart") -> None:
+    """Creates the groups defined in the ``GROUPS`` bitbake variable.
+
+    Args:
+        d (DataSmart): The bitbake datastore.
+
+    Returns:
+        None
+    """
+    entries = (d.getVar("GROUPS") or "").split()
+    rootfsdir = d.getVar("ROOTFSDIR")
+    chroot = ["sudo", "-E", "chroot", rootfsdir]
+
+    for entry in entries:
+        args = []
+        group_entry = "GROUP_{}".format(entry)
+
+        with open("{}/etc/group".format(rootfsdir), "r") as group_file:
+            exists = any(line.startswith("{}:".format(entry)) for line in group_file)
+
+        gid = d.getVarFlag(group_entry, "gid") or ""
+        if gid:
+            args.append("--gid")
+            args.append(gid)
+
+        flags = (d.getVarFlag(group_entry, "flags") or "").split()
+        if "system" in flags:
+            args.append("--system")
+
+        if exists:
+            if args:
+                bb.process.run([*chroot, "/usr/sbin/groupmod", *args, entry])
+        else:
+            bb.process.run([*chroot, "/usr/sbin/groupadd", *args, entry])
+
+
+def image_create_users(d: "DataSmart") -> None:
+    """Creates the users defined in the ``USERS`` bitbake variable.
+
+    Args:
+        d (DataSmart): The bitbake datastore.
+
+    Returns:
+        None
+    """
+    import hashlib
+    import crypt
+
+    entries = (d.getVar("USERS") or "").split()
+    rootfsdir = d.getVar("ROOTFSDIR")
+    chroot = ["sudo", "-E", "chroot", rootfsdir]
+
+    for entry in entries:
+        args = []
+        user_entry = "USER_{}".format(entry)
+
+        with open("{}/etc/passwd".format(rootfsdir), "r") as passwd_file:
+            exists = any(line.startswith("{}:".format(entry)) for line in passwd_file)
+
+        def add_user_option(option_name, flag_name):
+            flag_value = d.getVarFlag(user_entry, flag_name) or ""
+            if flag_value:
+                args.append(option_name)
+                args.append(flag_value)
+
+        add_user_option("--expire", "expiredate")
+        add_user_option("--inactive", "inactive")
+        add_user_option("--uid", "uid")
+        add_user_option("--gid", "gid")
+        add_user_option("--comment", "comment")
+        add_user_option("--shell", "shell")
+
+        groups = d.getVarFlag(user_entry, "groups") or ""
+        if groups:
+            args.append("--groups")
+            args.append(groups.replace(' ', ','))
+
+        flags = (d.getVarFlag(user_entry, "flags") or "").split()
+
+        if exists:
+            add_user_option("--home", "home")
+            if d.getVarFlag(user_entry, "home") or "":
+                args.append("--move-home")
+        else:
+            add_user_option("--home-dir", "home")
+
+            if "system" in flags:
+                args.append("--system")
+            if "no-create-home" in flags:
+                args.append("--no-create-home")
+            if "create-home" in flags:
+                args.append("--create-home")
+
+        if exists:
+            if args:
+                bb.process.run([*chroot, "/usr/sbin/usermod", *args, entry])
+        else:
+            bb.process.run([*chroot, "/usr/sbin/useradd", *args, entry])
+
+        command = [*chroot, "/usr/sbin/chpasswd"]
+        password = d.getVarFlag(user_entry, "password") or ""
+        if password or "allow-empty-password" in flags:
+            if "clear-text-password" in flags:
+
                 # chpasswd adds a random salt when running against a clear-text password.
                 # For reproducible images, we manually generate the password and use the
                 # SOURCE_DATE_EPOCH to generate the salt in a deterministic way.
-                if [ -z "${SOURCE_DATE_EPOCH}" ]; then
-                    chpasswd_args=""
-                else
-                    salt="$(echo "${SOURCE_DATE_EPOCH}" | sha256sum -z | cut -c 1-15)"
-                    password="$(openssl passwd -6 -salt $salt "$password")"
-                fi
-            fi
-            printf '%s:%s' "$name" "$password" | sudo chroot '${ROOTFSDIR}' \
-                /usr/sbin/chpasswd $chpasswd_args
-        fi
-        if [ "${flags}" != "${flags%*,force-passwd-change,*}" ]; then
-            echo "Execute passwd to force password change on first boot for \"$name\""
-            sudo -E chroot '${ROOTFSDIR}' \
-                /usr/bin/passwd --expire "$name"
-        fi
-    done
+                source_date_epoch = d.getVar("SOURCE_DATE_EPOCH") or ""
+                if source_date_epoch:
+                    command.append("-e")
+                    salt = hashlib.sha256("{}\n".format(source_date_epoch).encode()).hexdigest()[0:15]
+                    password = crypt.crypt(password, "$6${}".format(salt))
+
+            else:
+                command.append("-e")
+
+            bb.process.run(command, "{}:{}".format(entry, password).encode())
+
+        if "force-passwd-change" in flags:
+            bb.process.run([*chroot, "/usr/sbin/passwd", "--expire", entry])
+
+
+ROOTFS_POSTPROCESS_COMMAND += "image_postprocess_accounts"
+python image_postprocess_accounts() {
+    image_create_groups(d)
+    image_create_users(d)
 }
-- 
2.34.1