[rootlesskit:parent] error: failed to setup UID/GID map: failed to compute uid map: no matching entries in passwd file #48

Closed
jaredbancroft opened this issue Mar 1, 2019 · 11 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@jaredbancroft
Contributor

jaredbancroft commented Mar 1, 2019

Command producing the error was ./bin/dockerd-rootless.sh --experimental --storage-driver vfs

Trying to get this working on RHEL 7.6 kernel 3.10.0-957.1.3.el7.x86_64. We use NIS and SSSD so local /etc/passwd and /etc/group do not contain any network user specific information. ypcat passwd would be able to match uid.

@AkihiroSuda AkihiroSuda added enhancement New feature or request help wanted Extra attention is needed labels Mar 1, 2019
@AkihiroSuda
Member

Thanks for the report.

> We use NIS and SSSD so local /etc/passwd and /etc/group do not contain any network user specific information.

How do you configure subuid/subgid?
If you don't have subuid/subgid, most images won't work even if we fix dependency on /etc/passwd.

@jaredbancroft
Contributor Author

jaredbancroft commented Mar 1, 2019

Manually editing it for my account. Without doing that first the install script throws errors like:

Could not find records for the current user jaredb from /etc/subuid . Please make sure valid subuid range is set there.
For example:
echo "jaredb:100000:65536" >> /etc/subuid

@jaredbancroft
Contributor Author

jaredbancroft commented Mar 4, 2019

This issue, moby/moby#20191, seems to deal with external auth for user namespaces, and the PR here, moby/moby#27599, seems to fix it. I can manage maps for /etc/subuid and /etc/subgid via configuration management. Just need lookups to work.

@jaredbancroft
Contributor Author

jaredbancroft commented Mar 20, 2019

I hacked this together using idtools to get the user and subid mappings in newuidmapArgs/newgidmapArgs.

master...jaredbancroft:jb_idtools

rootlesskit runs and dockerd-rootless.sh --experimental starts but attempting to run any container blows up in the following manner.

$ docker run alpine echo Hello rootless!
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
8e402f1a9c57: Extracting [==================================================>]  2.755MB/2.755MB
INFO[2019-03-20T04:23:33.169055267Z] Attempting next endpoint for pull after error: failed to register layer: ApplyLayer exit status 1 stdout:  stderr: lchown /etc/shadow: invalid argument 
docker: failed to register layer: ApplyLayer exit status 1 stdout:  stderr: lchown /etc/shadow: invalid argument.
See 'docker run --help'.

@AkihiroSuda
Member

Looks like number of subuid is insufficient.

cat /proc/DOCKERD_PID/uid_map?

@jaredbancroft
Contributor Author

$ cat /proc/341149/uid_map
         0      10932         1
         1     231072      66537

My uid appears mapped to root and the rest seems sufficient, typos and all (was supposed to be 65537 for a full range of 65536 since count is the upper limit of an exclusive interval).

@AkihiroSuda
Member

also gid_map please?

@jaredbancroft
Contributor Author

jaredbancroft commented Mar 21, 2019

$ cat /proc/405469/gid_map
         0       1015          1
         1     231072      66537
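
The check behind the uid_map and gid_map requests above, as an added example that is not part of the thread or of rootlesskit's code: it parses a map file and reports whether every ID an image may chown to has a host mapping, since the kernel rejects chown to an unmapped ID with EINVAL ("invalid argument"). The names `IDMap`, `ParseIDMap`, `ToHost` and `FirstUnmapped` are hypothetical, and the 65536 limit is an assumption matching the range size used in the thread.

```go
package main

import (
	"fmt"
	"strings"
)

// IDMap is one uid_map/gid_map line: Count IDs from Inside (namespace) map to Outside (host).
type IDMap struct{ Inside, Outside, Count int64 }

// ParseIDMap parses the text of a /proc/PID/uid_map or gid_map file.
func ParseIDMap(text string) ([]IDMap, error) {
	var maps []IDMap
	for _, line := range strings.Split(text, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var m IDMap
		if _, err := fmt.Sscan(line, &m.Inside, &m.Outside, &m.Count); err != nil {
			return nil, fmt.Errorf("bad map line %q: %w", line, err)
		}
		maps = append(maps, m)
	}
	return maps, nil
}

// ToHost translates an in-namespace ID to its host ID; ok is false when unmapped.
func ToHost(maps []IDMap, id int64) (host int64, ok bool) {
	for _, m := range maps {
		if id >= m.Inside && id < m.Inside+m.Count {
			return m.Outside + id - m.Inside, true
		}
	}
	return 0, false
}

// FirstUnmapped returns the lowest ID in [0, limit) that has no mapping, or -1.
func FirstUnmapped(maps []IDMap, limit int64) int64 {
	for id := int64(0); id < limit; id++ {
		if _, ok := ToHost(maps, id); !ok {
			return id
		}
	}
	return -1
}

func main() {
	m, err := ParseIDMap("0 10932 1\n1 231072 66537\n") // uid_map values posted in the thread
	fmt.Println(m, err, FirstUnmapped(m, 65536))
}
```

A map holding only the single self-mapping line (no subuid range) makes `FirstUnmapped` return 1, which is the situation in which layer extraction fails on the first file not owned by root.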

@jaredbancroft
Contributor Author

jaredbancroft commented Mar 22, 2019

Deleted my entire XDG_RUNTIME_DIR and --data-root dir and started up from scratch and everything is working now. Must have been some crufty artifacts from earlier attempts causing the issue.

$ docker run -it alpine
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # 

@AkihiroSuda
Member

👍 Could you open a PR for idtools?

@jaredbancroft
Contributor Author

#53 opened
