On 4/21/20 02:02, Gordon Messmer wrote:
> Is there a limit on the size of UID ranges usable for subuid?
> I'm trying to run a rootless container, and in that container use sssd
> user info from Active Directory. sssd produces very large UID and GID
> values, which I think is the problem that's being reported.
> First of all, the host system can resolve information for a user named
> build:
> [gitlab-runner@dvpackerbld03 ~]$ id build
> uid=1985001175(build) gid=1985001156(development)
> groups=1985001156(development),987(docker)
> And I can run the container that I've created, and resolve information
> for that user there, too:
> [gitlab-runner@dvpackerbld03 ~]$ podman run -it \
> > --volume=/var/lib/sss/pipes/:/var/lib/sss/pipes/:rw \
> > --volume=/etc/sssd/:/etc/sssd/:ro \
> > --volume=/etc/krb5.conf:/etc/krb5.conf:ro \
> > --volume=/etc/ipa/ca.crt:/etc/ipa/ca.crt:ro \
> > --volume=/etc/nsswitch.conf:/etc/nsswitch.conf:ro \
> > e1f5919f1888 id build
> uid=1985001175(build) gid=1985001156(development)
> groups=1985001156(development),996(docker)
> But if I try to run "su build" within that container, I get an error:
> [gitlab-runner@dvpackerbld03 ~]$ podman run -it \
> > --volume=/var/lib/sss/pipes/:/var/lib/sss/pipes/:rw \
> > --volume=/etc/sssd/:/etc/sssd/:ro \
> > --volume=/etc/krb5.conf:/etc/krb5.conf:ro \
> > --volume=/etc/ipa/ca.crt:/etc/ipa/ca.crt:ro \
> > --volume=/etc/nsswitch.conf:/etc/nsswitch.conf:ro \
> > e1f5919f1888 su build -c ls
> su: cannot set groups: Invalid argument
This looks like su is complaining about something.
cat /proc/self/uid_map inside of your container.
I think we would need to know what part of su is blowing up. Any ideas,
Giuseppe?
> subuid and subgid are set up as:
> [gitlab-runner@dvpackerbld03 ~]$ cat /etc/subuid
> gitlab-runner:110000:3000000000
> [gitlab-runner@dvpackerbld03 ~]$ cat /etc/subgid
> gitlab-runner:110000:3000000000
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io
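The reply above asks for /proc/self/uid_map from inside the container. The script below is an added example (not code from the thread, from podman, or from any of the participants) that does the check a practitioner would do next: parse the `<inside_id> <outside_id> <count>` lines of a uid_map/gid_map and verify that every id printed by `id build` inside the container falls inside some mapped range, since setresuid()/setgroups() on an id that is not mapped in the user namespace fail with EINVAL ("Invalid argument"). The sample maps are constructed; their layout (container id 0 mapped to the invoking user's own host id, ids 1.. mapped onto the subuid/subgid range from the thread) is an assumption about what rootless podman produces, and `map_id`, `check_ids` and `subuid_range_fits` are hypothetical helper names. It also answers the opening question about range size as far as the kernel is concerned: uid_t/gid_t are 32-bit on Linux, so a start plus count that reaches 4294967295 ((uid_t)-1) cannot be used.

```shell
#!/bin/sh
# Added example, not from the thread or from podman: check whether the ids
# that `id build` reports inside the container are covered by the user
# namespace mapping (/proc/self/uid_map, /proc/self/gid_map).
#
# Map file format, one range per line:  <inside_id> <outside_id> <count>
# A container-side id X is usable only if some line satisfies
#   inside_id <= X < inside_id + count
# setresuid()/setgroups() on an unmapped id fail with EINVAL.

# Constructed sample maps (assumed layout, not copied from a real host):
# rootless podman maps container id 0 to the invoking user's own host id
# (1000 here) and ids 1.. onto the subuid/subgid range, so the thread's
# "gitlab-runner:110000:3000000000" entry would show up as:
SAMPLE_MAP='         0       1000          1
         1     110000 3000000000'

# A map with no subuid/subgid range at all (only id 0 -> 1000):
TINY_MAP='         0       1000          1'

# map_id MAP ID: print the host-side id for container-side ID; exit 1 if no
# range in MAP covers ID.  Subshell body so `exit` only leaves the function.
map_id() (
    while read -r inside outside count; do
        [ -n "$inside" ] || continue
        if [ "$2" -ge "$inside" ] && [ "$2" -lt $((inside + count)) ]; then
            echo $((outside + $2 - inside))
            exit 0
        fi
    done <<EOF
$1
EOF
    exit 1
)

# check_ids UID_MAP GID_MAP ID_OUTPUT: parse one line of `id` output, e.g.
#   uid=1985001175(build) gid=1985001156(development) groups=1985001156(development),996(docker)
# and resolve each id through the matching map.  Returns 1 if any is unmapped.
check_ids() {
    rc=0
    for tok in $(printf '%s' "$3" | tr ',' ' '); do
        case $tok in
            uid=*) map=$1 ;;     # uid is checked against uid_map
            *)     map=$2 ;;     # gid= and every groups= entry against gid_map
        esac
        id=${tok#*=}             # strip "uid=", "gid=", "groups="
        id=${id%%(*}             # strip "(name)"
        if host=$(map_id "$map" "$id"); then
            echo "$tok -> host id $host"
        else
            echo "$tok -> NOT MAPPED in this namespace (setgroups/setuid -> EINVAL)"
            rc=1
        fi
    done
    return $rc
}

# subuid_range_fits START COUNT: 0 if every id in [START, START+COUNT) is a
# valid 32-bit Linux uid_t/gid_t.  4294967295 is (uid_t)-1 and never usable.
subuid_range_fits() {
    [ $(($1 + $2 - 1)) -lt 4294967295 ]
}

# Demo with the ids the thread's container reported for "build".
ID_OUTPUT='uid=1985001175(build) gid=1985001156(development) groups=1985001156(development),996(docker)'
echo "--- with the 110000:3000000000 subuid/subgid range:"
check_ids "$SAMPLE_MAP" "$SAMPLE_MAP" "$ID_OUTPUT"
echo "--- with no subuid/subgid range:"
check_ids "$TINY_MAP" "$TINY_MAP" "$ID_OUTPUT" || echo "su would fail here with EINVAL"
subuid_range_fits 110000 3000000000 && echo "110000:3000000000 fits in a 32-bit uid_t"
```

On a real host, feed it the maps the container actually sees, e.g. the output of `podman run ... e1f5919f1888 cat /proc/self/uid_map` and `... /proc/self/gid_map`, together with the `id build` line from inside the container; an id that resolves through NSS but is reported as NOT MAPPED is exactly the kind of id setgroups() will reject.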