Enable subid for service users #1742

Open
quentin9696 opened this issue May 29, 2024 · 6 comments

@quentin9696

Describe the bug

There is no subid associated with service users. This prevents using service users to run containers on FCOS.

Reproduction steps

  1. Create a service user: useradd -r -m foo
  2. Switch to that user: sudo su foo
  3. Try to run a container: podman run docker.io/library/hello-world

Expected behavior

Should work correctly

Actual behavior

Got that error message:

ERRO[0000] cannot find UID/GID for user foo: no subuid ranges found for user "foo" in /etc/subuid - check rootless mode in man pages.

System details

Run on AWS

State: idle
AutomaticUpdatesDriver: Zincati
  DriverState: active; periodically polling for updates (last checked Wed 2024-05-29 22:13:46 UTC)
BootedDeployment:
● fedora:fedora/x86_64/coreos/stable
                  Version: 40.20240504.3.0 (2024-05-20T18:00:04Z)
                   Commit: 72cf2f80ba1496d478e110d03e1199d9d21382840e96ffeddf4303eb040fbb55
             GPGSignature: Valid signature by 115DF9AEF857853EE8445D0A0727707EA15B79CC

Butane or Ignition config

variant: fcos
version: 1.5.0
passwd:
  groups:
    - name: foo
      system: false

Additional information

There is an option of the useradd command to set up the subids (flag -F, --add-subids-for-system: "add entries to sub[ud]id even when adding a system user"). This works correctly if I create my user at runtime with that -F flag.

@travier
Member

travier commented May 30, 2024

Why not create the user via Ignition? It should create the user with subuid/gid allocations.

@travier
Member

travier commented May 30, 2024

Maybe it's coreos/butane#494?

@quentin9696
Author

@travier I tried to create it with Ignition, but that's my point: service users are not created with the subids.

Maybe it's a good feature request for the Butane (or Ignition) project?

@travier
Member

travier commented May 30, 2024

Your Butane config above does not create the user via Ignition. If you can provide a Butane config that shows the error, then we can move that as an enhancement for Butane or Ignition.

In the meantime you can likely add a service unit that "fixes" your user via usermod.
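
The usermod workaround suggested above, as an added example that is not part of the original thread and not the project's own code: a script that a oneshot service unit could run as root to give the system user subuid/subgid ranges that do not overlap ranges already allocated to other users (overlapping ranges would map different users' containers onto the same host IDs). The 100000 floor, the 65536 width and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue thread): give a system user subordinate
# ID ranges without overlapping ranges already allocated to other users.
# Assumption: ranges are 65536 wide and start at 100000 or above, matching
# the common SUB_UID_MIN / SUB_UID_COUNT defaults in /etc/login.defs.
SUBID_MIN=100000
SUBID_COUNT=65536

# has_subid USER FILE: succeeds if USER already has a "user:start:count" line.
has_subid() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
}

# next_free_start FILE: print the first ID above every existing range.
next_free_start() {
    awk -F: -v min="$SUBID_MIN" '
        NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            end = $2 + $3
            if (end > min) min = end
        }
        END { print min }' "$1"
}

# ensure_subids USER: add missing subuid/subgid ranges via usermod.
ensure_subids() {
    user=$1
    if ! has_subid "$user" /etc/subuid; then
        start=$(next_free_start /etc/subuid)
        usermod --add-subuids "$start-$((start + SUBID_COUNT - 1))" "$user"
    fi
    if ! has_subid "$user" /etc/subgid; then
        start=$(next_free_start /etc/subgid)
        usermod --add-subgids "$start-$((start + SUBID_COUNT - 1))" "$user"
    fi
}

# Run as root, e.g. from a oneshot systemd unit: ./ensure-subids.sh foo
# (ensure-subids.sh is a hypothetical file name.)
[ $# -eq 0 ] || ensure_subids "$1"
```

Because the script skips users that already have an entry, it is safe to run on every boot before the unit that starts the container.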

@quentin9696
Author

@travier, to be clear:

Here is how I create my user with butane:

variant: fcos
version: 1.5.0
passwd:
  users:
    - name: foo
      system: true

The fact is, there is no option in Butane to specify that the user must be created with the -F flag of the useradd command, which results in a service user without subids, and that makes podman fail.

@lukasbestle

I'm having the same issue. Users defined as system: true in Butane don't get subuids or subgids during the Ignition run.
