[Podman] Re: SubUID limitations?

On 4/21/20 02:02, Gordon Messmer wrote: > Is there a limit on the size of UID ranges usable for subuid? > > I'm trying to run a rootless container, and in that container use sssd > user info from Active Directory.  sssd produces very large UID and GID > values, which I think is the problem that's being reported. > > First of all, the host system can resolve information for a user named > build: > > [gitlab-runner@dvpackerbld03 ~]$ id build > uid=1985001175(build) gid=1985001156(development) > groups=1985001156(development),987(docker) > > And I can run the container that I've created, and resolve information > for that user there, too: > > [gitlab-runner@dvpackerbld03 ~]$ podman run -it \ > >   --volume=/var/lib/sss/pipes/:/var/lib/sss/pipes/:rw \ > >   --volume=/etc/sssd/:/etc/sssd/:ro \ > >   --volume=/etc/krb5.conf:/etc/krb5.conf:ro \ > >   --volume=/etc/ipa/ca.crt:/etc/ipa/ca.crt:ro \ > >   --volume=/etc/nsswitch.conf:/etc/nsswitch.conf:ro \ > >  e1f5919f1888 id build > uid=1985001175(build) gid=1985001156(development) > groups=1985001156(development),996(docker) > > But if I try to run "su build" within that container, I get an error: > > [gitlab-runner@dvpackerbld03 ~]$ podman run -it \ >   --volume=/var/lib/sss/pipes/:/var/lib/sss/pipes/:rw \ >   --volume=/etc/sssd/:/etc/sssd/:ro \ >   --volume=/etc/krb5.conf:/etc/krb5.conf:ro \ >   --volume=/etc/ipa/ca.crt:/etc/ipa/ca.crt:ro \ >   --volume=/etc/nsswitch.conf:/etc/nsswitch.conf:ro \ >  e1f5919f1888 su build -c ls > su: cannot set groups: Invalid argument > This looks like su is complaining about something. cat /proc/self/uid_map Inside of your container. I think we would need to know what part of su is blowing up?  Any ideas Giueseppe?