coreos/fedora-coreos-tracker

Enable subid for service users

quentin9696 opened this issue · 6 comments

Describe the bug

There is no associated subid with the service user. This prevents using service users to run containers on FCOS.

Reproduction steps

  1. Create a service user: useradd -r -m foo
  2. Switch to that user: sudo su foo
  3. Try to run a container: podman run docker.io/library/hello-world

Expected behavior

Should work correctly.

Actual behavior

Got that error message:

ERRO[0000] cannot find UID/GID for user foo: no subuid ranges found for user "foo" in /etc/subuid - check rootless mode in man pages.

System details

Run on AWS

State: idle
AutomaticUpdatesDriver: Zincati
  DriverState: active; periodically polling for updates (last checked Wed 2024-05-29 22:13:46 UTC)
BootedDeployment:
● fedora:fedora/x86_64/coreos/stable
                  Version: 40.20240504.3.0 (2024-05-20T18:00:04Z)
                   Commit: 72cf2f80ba1496d478e110d03e1199d9d21382840e96ffeddf4303eb040fbb55
             GPGSignature: Valid signature by 115DF9AEF857853EE8445D0A0727707EA15B79CC

Butane or Ignition config

variant: fcos
version: 1.5.0
passwd:
  groups:
    - name: foo
      system: false

Additional information

There is an option in the useradd command to set up the subids (flag -F, --add-subids-for-system: add entries to sub[ud]id even when adding a system user). This works correctly if I create my user at runtime with that -F flag.

Why not create the user via Ignition? It should create the user with subuid/gid allocations.

@travier I tried to create it with Ignition, but that's my point: service users are not created with the subids.

Maybe it's a good feature request for the Butane (or Ignition) project?

Your Butane config above does not create the user via Ignition. If you can provide a Butane config that shows the error, then we can move that as an enhancement for Butane or Ignition.

In the meantime you can likely add a service unit that "fixes" your user via usermod.

@travier, to be clear:

Here is how I create my user with butane:

variant: fcos
version: 1.5.0
passwd:
  users:
    - name: foo
      system: true

The fact is, there is no option in Butane to specify that the user must be created with the -F flag of the useradd command, which results in a service user without subids, which makes podman fail.
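The usermod-based workaround travier suggests, combined with the Butane config from the comment above, written out as an added example (it is not from this issue or from the FCOS project): Ignition creates the system user, and a oneshot unit allocates subuid/subgid ranges only if the user still has none, picking a range above every existing allocation so nothing overlaps. The helper path /usr/local/bin/ensure-subids, the unit name and the range size of 65536 are assumptions.

```yaml
variant: fcos
version: 1.5.0
passwd:
  users:
    - name: foo
      system: true
storage:
  files:
    - path: /usr/local/bin/ensure-subids
      mode: 0755
      contents:
        inline: |
          #!/bin/bash
          # Hypothetical helper: give a service user subuid/subgid ranges if it has none.
          set -euo pipefail
          user="$1"
          # Already allocated (for example by useradd -F): nothing to do, stays idempotent.
          if grep -q "^${user}:" /etc/subuid && grep -q "^${user}:" /etc/subgid; then
            exit 0
          fi
          # First id above every existing range in both files (both exist on FCOS),
          # never below 100000, so the new range cannot overlap an existing one.
          start=$(awk -F: 'BEGIN { m = 100000 } ($2 + $3) > m { m = $2 + $3 } END { print m }' \
                  /etc/subuid /etc/subgid)
          end=$((start + 65535))
          usermod --add-subuids "${start}-${end}" --add-subgids "${start}-${end}" "$user"
systemd:
  units:
    - name: ensure-subids-foo.service
      enabled: true
      contents: |
        [Unit]
        Description=Allocate subuid/subgid ranges for service user foo
        # The user already exists at this point: Ignition created it in the initramfs.
        After=systemd-sysusers.service

        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=/usr/local/bin/ensure-subids foo

        [Install]
        WantedBy=multi-user.target
```

If podman was already run as foo before the ranges existed, run podman system migrate as that user once so its stored user-namespace configuration is refreshed.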