Bug#1019929: podman: Subordinate UID/GID ranges not fetched from libsubid

Sam Morris

Sep 16, 2022, 7:20:03 AM
Package: podman
Version: 4.2.0+ds1-3
Severity: normal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I've not got anything in /etc/subuid or /etc/subgid because subordinate
id range info is stored in LDAP.

$ grep ^subid: /etc/nsswitch.conf
subid: sss

This is transparent to clients using libsubid:

$ getsubids sam
0: sam 2147483648 65536

... but it looks like podman doesn't use this library yet:

$ podman system info
ERRO[0000] cannot find UID/GID for user sam: no subuid ranges found for user "sam" in /etc/subuid - check rootless mode in man pages.
WARN[0000] Using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids if not using a network user
[...]
idMappings:
  gidmap:
  - container_id: 0
    host_id: 1000
    size: 1
  uidmap:
  - container_id: 0
    host_id: 1000
    size: 1
[...]

- -- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (530, 'testing'), (520, 'unstable'), (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-1-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages podman depends on:
ii conmon 2.1.3+ds1-1
ii crun 1.5+dfsg-1+b1
ii golang-github-containers-common 0.48.0+ds1-1
ii libc6 2.34-7
ii libdevmapper1.02.1 2:1.02.185-1
ii libgpgme11 1.17.1-4.1
ii libseccomp2 2.5.4-1+b1
ii systemd [systemd-tmpfiles] 251.4-3

Versions of packages podman recommends:
ii buildah 1.26.1+ds1-1
ii catatonit 0.1.7-1
ii dbus-user-session 1.14.0-2
ii fuse-overlayfs 1.9-1
ii slirp4netns 1.2.0-1
ii uidmap 1:4.11.1+dfsg1-2

Versions of packages podman suggests:
ii containers-storage 1.37.2+ds1-1+b2
pn docker-compose <none>
ii iptables 1.8.8-1

- -- no debconf information

-----BEGIN PGP SIGNATURE-----

iIgEARYIADAWIQTWOGqGn6HETecdzqZOEaKLhlAYigUCYyRZrhIcc2FtQHJvYm90
cy5vcmcudWsACgkQThGii4ZQGIra+wEA9cSULDer04xzpg1djBcsaxdK78eH6avT
szoQ8hl2ERMA/08sN17EOvYQOLB8WwleW1kPCQZdDztMiapcY5Ep7CYI
=DI3R
-----END PGP SIGNATURE-----
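
A check for the condition reported above, added here as an example and not part of the original report or of podman or shadow: it classifies whether a user's subordinate ID ranges are visible to a tool that only parses /etc/subuid, or only through an NSS source named on the `subid:` line. The function names and result strings are hypothetical, the sample files are constructed, and the fallback to `files` when no `subid:` line exists is an assumption about libsubid's default.

```shell
#!/bin/sh
# Added example: where can a user's subordinate ID ranges come from?
# Function names and result strings are hypothetical.

# Print the sources on the "subid:" line of an nsswitch.conf-style file.
# Assumption: with no such line, libsubid uses the local files.
subid_sources() {
    src=$(awk '$1 == "subid:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1")
    echo "${src:-files}"
}

# Print "start count" for each name:start:count entry belonging to USER.
file_ranges() {
    [ -r "$2" ] || return 0
    awk -F: -v u="$1" '$1 == u && $3 > 0 { print $2, $3 }' "$2"
}

# files-ok     : a reader that only parses the subuid file finds a range
# nss-only:SRC : ranges can only come from NSS source SRC (the case reported)
# none         : no local entry and no non-files source configured
diagnose() {
    user=$1 nss=$2 subuid=$3
    if [ -n "$(file_ranges "$user" "$subuid")" ]; then
        echo "files-ok"
        return 0
    fi
    for s in $(subid_sources "$nss"); do
        if [ "$s" != "files" ]; then
            echo "nss-only:$s"
            return 0
        fi
    done
    echo "none"
}

# Constructed sample data mirroring the report: subid served by sss and an
# empty subuid file, plus a second file holding a local entry for comparison.
demo_dir=$(mktemp -d)
printf 'passwd: files sss\nsubid: sss\n' > "$demo_dir/nsswitch.conf"
: > "$demo_dir/subuid"
printf 'alice:100000:65536\n' > "$demo_dir/subuid.local"

diagnose sam "$demo_dir/nsswitch.conf" "$demo_dir/subuid"
diagnose alice "$demo_dir/nsswitch.conf" "$demo_dir/subuid.local"
```

On a real host, `diagnose "$(id -un)" /etc/nsswitch.conf /etc/subuid` gives the same classification; an `nss-only` result together with a working `getsubids` is the combination in which a files-only reader drops to the single-ID mapping shown in the `podman system info` output.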

Sam Morris

Sep 30, 2022, 7:30:04 AM
Control: tag -1 + patch

On Fri, Sep 16, 2022 at 12:10:43PM +0100, Sam Morris wrote:
> ... but it looks like podman doesn't use this library yet:

I've prepared a patch that builds libpod against libsubid:

<https://salsa.debian.org/debian/libpod/-/merge_requests/6>

Regards,

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9