Enable subid for service users
quentin9696 opened this issue · 6 comments
Describe the bug
There is no associated subid with a service user. This prevents using service users to run containers on FCOS.
Reproduction steps
- Create a service user
useradd -r -m foo
- Switch to that user
sudo su foo
- Try to run a container
podman run docker.io/library/hello-world
Expected behavior
Should work correctly.
Actual behavior
Got this error message:
ERRO[0000] cannot find UID/GID for user foo: no subuid ranges found for user "foo" in /etc/subuid - check rootless mode in man pages.
System details
Run on AWS
State: idle
AutomaticUpdatesDriver: Zincati
DriverState: active; periodically polling for updates (last checked Wed 2024-05-29 22:13:46 UTC)
BootedDeployment:
● fedora:fedora/x86_64/coreos/stable
Version: 40.20240504.3.0 (2024-05-20T18:00:04Z)
Commit: 72cf2f80ba1496d478e110d03e1199d9d21382840e96ffeddf4303eb040fbb55
GPGSignature: Valid signature by 115DF9AEF857853EE8445D0A0727707EA15B79CC
Butane or Ignition config
variant: fcos
version: 1.5.0
passwd:
groups:
- name: foo
system: false
Additional information
There is an option of the useradd command to set up the subids (flag -F, --add-subids-for-system: add entries to sub[ud]id even when adding a system user). This works correctly if I create my user at runtime with that -F flag.
Why not create the user via Ignition? It should create the user with subuid/gid allocations.
Maybe it's coreos/butane#494?
@travier I tried to create it with Ignition, but that is my point: service users are not created with the subids.
Maybe it's a good feature request for the Butane (or Ignition) project?
Your Butane config above does not create the user via Ignition. If you can provide a Butane config that shows the error, then we can move that as an enhancement for Butane or Ignition.
In the meantime you can likely add a service unit that "fixes" your user via usermod.
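As an added illustration of the usermod workaround suggested above (this is example code, not from the issue author or the Fedora CoreOS project), the shell functions below detect the exact failure mode podman reports, a user with no entry in /etc/subuid, and compute a non-overlapping range to hand to `usermod --add-subuids`/`--add-subgids` (both flags are part of shadow-utils' usermod). The /etc/subuid content is constructed inline so the logic runs without root; a service unit would instead read the real /etc/subuid and /etc/subgid and execute the printed command. The SUB_ID_MIN/SUB_ID_COUNT values mirror the usual login.defs defaults and are assumptions, and the example assumes the same range can be used for both subuids and subgids.

```shell
#!/bin/sh
# Added example (not part of the issue or the FCOS project): check whether a user
# has subordinate ID ranges and compute a free range to add with usermod.

SUB_ID_MIN=100000   # assumed default SUB_UID_MIN/SUB_GID_MIN from /etc/login.defs
SUB_ID_COUNT=65536  # assumed default SUB_UID_COUNT/SUB_GID_COUNT

# Constructed /etc/subuid content for the demo: two users with ranges, the
# service user "foo" (created with useradd -r, no -F) has none.
SAMPLE_SUBUID='core:100000:65536
builder:165536:65536'

# subid_ranges CONTENT USER -> prints "start:count" for each entry of USER
subid_ranges() {
    printf '%s\n' "$1" | awk -F: -v u="$2" 'NF >= 3 && $1 == u { print $2 ":" $3 }'
}

# has_subid CONTENT USER -> exit status 0 if USER owns at least one range
has_subid() {
    [ -n "$(subid_ranges "$1" "$2")" ]
}

# next_free_range CONTENT -> prints "FIRST-LAST" for a block of SUB_ID_COUNT ids
# placed after the highest id already allocated (never below SUB_ID_MIN), so it
# cannot overlap an existing user's range.
next_free_range() {
    printf '%s\n' "$1" | awk -F: -v min="$SUB_ID_MIN" -v count="$SUB_ID_COUNT" '
        BEGIN { max = 0 }
        NF >= 3 { end = $2 + $3; if (end > max) max = end }
        END { first = (max > min) ? max : min; printf "%d-%d\n", first, first + count - 1 }'
}

# ensure_subids USER CONTENT -> prints the usermod command that would give USER
# a subuid and a subgid range, or a note if it already has one. It prints rather
# than executes so the logic is testable without root; a real unit would run it.
ensure_subids() {
    user=$1
    content=$2
    if has_subid "$content" "$user"; then
        echo "user $user already has subuid range(s): $(subid_ranges "$content" "$user" | tr '\n' ' ')"
        return 0
    fi
    range=$(next_free_range "$content")
    echo "usermod --add-subuids $range --add-subgids $range $user"
}

# Usage: for the service user from the bug report this prints the usermod
# invocation that unblocks rootless podman.
ensure_subids foo "$SAMPLE_SUBUID"
```

On a live host the same check is `grep "^foo:" /etc/subuid /etc/subgid`; after running the printed usermod, `podman system migrate` (or a fresh login) lets podman pick up the new ranges.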
@travier, to be clear:
Here is how I create my user with butane:
variant: fcos
version: 1.5.0
passwd:
users:
- name: foo
system: true
The fact is, there is no option in Butane to specify that the user must be created with the -F flag of the useradd command, which results in a service user without subids, which makes podman fail.