How do I use rootless podman with an LDAP user?

[dylanmtaylor]

Hello,

My organization lets me have an LDAP-joined Amazon Workspace running Ubuntu 22.04. This workspace authenticates me with an LDAP/AD joined user, taylord. There is no local user. I do have sudo rights, so I can do sudo [podman command], but I'd like to not have to enter my password every time I run a container, and it's much saner to not run everything as root. Short of creating a local user and doing su to become them for running containers, how can I configure this? I did notice these warnings when attempting to run containers:

ERRO[0000] cannot find UID/GID for user taylord@[my org's domain here]: No subuid ranges found for user "taylord@[my org's domain here]" in /etc/subuid - check rootless mode in man pages.
WARN[0000] using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids

I also see this error when trying to pull an image, in this case alpine.
➜ ~ podman pull alpine
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob 9d16cba9fb96 done
Error: writing blob: adding layer with blob "sha256:9d16cba9fb961d1aafec9542f2bf7cb64acfc55245f9e4eb5abecd4cdc38d749": Error processing tar file(exit status 1): potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/shadow): Check /etc/subuid and /etc/subgid: lchown /etc/shadow: invalid argument

Interestingly, the podman socket appears to be owned by the 'domain users' group.

➜ ~ ls -lah /run/user/1757820988/podman/podman.sock

srw------- 1 taylord domain users 0 Oct 21 03:12 /run/user/1757820988/podman/podman.sock

I'd appreciate any help. I'd hate to have to just run all my containers as root as a workaround.

[dylanmtaylor]

I tried editing these files, and this did not work:

➜ ~ cat /etc/subuid
taylord:100000:65536
➜ ~ cat /etc/subgid
taylord:100000:65536

[mheon]

Are the newuidmap and newgidmap binaries installed, and do they have the appropriate file permissions (usually cap_setuid=ep)?

[dylanmtaylor]

I'm not sure about the cap_setuid=ep

➜ ~ which newuidmap
/usr/bin/newuidmap
➜ ~ which newgidmap
/usr/bin/newgidmap
➜ ~ ls -lah /usr/bin/newuidmap
-rwsr-xr-x 1 root root 28K Mar 14 2022 /usr/bin/newuidmap
➜ ~ ls -lah /usr/bin/newgidmap
-rwsr-xr-x 1 root root 28K Mar 14 2022 /usr/bin/newgidmap

[rhatdan]

They would work, but the issue is you do not have ntries in /etc/subuid and /etc/subgid for your user. These need to be populated.

[rhatdan]

You could squash your containers down to a single UID and run them. But this would not allow you to build images.

[debarshiray]

the issue is you do not have ntries in /etc/subuid and /etc/subgid for your user

It seems like he already tried adding those entries. See above.

[debarshiray]

This discussion jumped out at me, because @mhjacks recently made Toolbx work on enterprise FreeIPA set-ups.

It was a matter of using libsubid.so to check the subordinate ID ranges, instead of directly looking at /etc/subgid and /etc/subuid. On an enterprise FreeIPA set-up, the subordinate IDs are provided by SSSD's sss plugin for the GNU Name Service Switch (or NSS) functionality of the GNU C Library. libsubid.so picks those up, in addition to the files in /etc on non-enterprise set-ups.

I don't have access to an Active Directory set-up, so I am totally guessing here, but I won't be surprised if it somehow doesn't work if the subordinate IDs are listed in /etc/subgid and /etc/subuid, and instead requires a NSS plug-in.

Here we have someone complaining that Toolbx isn't working with Active Directory, but it seems that they have managed to proceed quite a bit. eg., they were able to create a container, which means podman pull and podman create worked for them.

[Steve973]

How does podman use sss and libsubid.so? My organization has a portable version of podman, but it won't look at the subordinate IDs that FreeIPA provides in our RHEL 8 enterprise servers. I'd like to see if I can figure out how to add that into their portable distribution for them.

[tooji]

when you say portable do you mean statically linked? I assume that a statically linked binary will not be able to leverage the system's libsubid.so and hence will ignore nsswitch conf

[mhjacks]

On Sat, 2023-04-22 at 15:33 -0700, Steve Storck wrote: How does podman use sss and libsubid.so? My organization has a portable version of podman, but it won't look at the subordinate IDs that FreeIPA provides in our RHEL 8 enterprise servers. I'd like to see if I can figure out how to add that into their portable distribution for them.

The line subid: sss in /etc/nsswitch.conf will make the system use ipa-provided subids. Podman works well with them (I have been using them for a while). HOWEVER, because of oddities in shadow-utils, podman must either use IPA provided subids or file-based ones, it cannot use both at the same time. (There's no fallback mechanism for subids as there are for most nss-provided data types). Thanks,

…

-- Martin Jackson ***@***.***>

[Steve973]

Thanks. We have a stand-alone podman installation running, and it does not seem to be checking /etc/nsswitch.conf. I am looking for ways to force it to either look at that file, so that it can use the system-configured namespace, or force it to use subuid and subgid files in some other location. If you have any suggestions, I'd be grateful.

[Allethrium]

Hello,
Was this issue ever resolved? I'm running a local domain + user, and still running into the same issue using Podman 5.2.4