
Comments (6)

Steve973 commented on May 30, 2024

Note that I am trying to avoid bringing pods/containers up separately in order to provide separate command-line user/group ID mappings. My goal is to use podman kube play to bring up a stack of services at once, and let the namespace apply to each pod/container that I bring up. If we could either entirely bypass the way the system is configured in nsswitch.conf to use sss, and use whatever we set up in /etc/subuid and /etc/subgid, or let static podman use the subordinate ID mappings that are set up with FreeIPA, that would be ideal.

from podman-static.

mgoltzsche commented on May 30, 2024

Hi @Steve973, thanks for creating the issue and sorry for my late response.
I am not sure how FreeIPA sets things up.
It would be great if you could provide a small reproducible example to illustrate your use-case.
Generally, you could mount a custom /etc/subuid and /etc/subgid.
Fwiw I changed the podman-static image recently to use a smaller id range when aligning it with the official, fedora based podman container image.


Steve973 commented on May 30, 2024

I am not sure how I could create an example. Our system admins (at my workplace) manage our servers, and I don't have the knowledge/experience to readily know how to set up an IdM server, FreeIPA, etc., with a container, and I do not know if that is feasible or possible. However, I can point you to some Red Hat reference material. This link describes using sssd with nss:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/Configuring_Services#Configuration_Options-NSS_Configuration_Options

You can also set "subid sss" in nsswitch.conf, though you cannot specify both "files" and "sss" for subids.

Perhaps a similar issue with toolbox would be helpful, as well: containers/toolbox#1074

Of a recent-historical note, I found a ticket for SSSD where they discuss adding support for subid resources with IPA back in June of 2020: SSSD/sssd#5197 and the first comment includes a link to the corresponding ticket in the FreeIPA issue tracker.

While those links are more use-case driven, perhaps the most comprehensive documentation that I can find on how FreeIPA manages subordinate IDs is here: https://freeipa.readthedocs.io/en/latest/designs/subordinate-ids.html

I apologize for virtually smothering you in documentation, since system administration is not my specialty, and I am only a "devops-as-needed-when-nobody-else-will-do-it" variety of dangerous. However, if there is anything that I can test for you, I would be glad to do it. Speaking of that, are you suggesting that I mount /etc/subuid and /etc/subgid in containers that I am launching? Presently, I am going to assume that this is your meaning, so I can try that. If that works, particularly on systems that use FreeIPA, then this issue would be moot, and I would feel comfortable in closing it. I will give it a try, and if that serves as a workaround for my subordinate ID issue, then perhaps the documentation could include that information.

Please let me know if you would like me to try anything else in the meantime, and I will comment further if the subid files have the intended effect.

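To make the bind-mount workaround from the previous comment concrete, and to show the effect of the "subid: sss" line discussed above, here is an added example (not code from this thread or from the podman-static project): it reports which NSS source nsswitch.conf selects for subids and sanity-checks a subuid/subgid file before it is mounted into the container. All file contents are constructed for the demo; the assumption that shadow-utils falls back to "files" when no subid line is present is the author's, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the podman-static project: sanity-check a
# subuid/subgid file before bind-mounting it into a podman-static container
# and show which NSS source nsswitch.conf selects for "subid".
# All file contents below are constructed for the demo.

# subid_source NSSWITCH_FILE: print the first source listed on the "subid:"
# line ("files", "sss", ...), or "none" when the line is absent (assumed to
# mean shadow-utils uses the files).
subid_source() {
    src=$(awk '$1 == "subid:" { print $2; exit }' "$1")
    printf '%s\n' "${src:-none}"
}

# subid_range_ok FILE USER MINCOUNT: succeed only if USER has exactly one
# well-formed "user:start:count" entry with count >= MINCOUNT (rootless
# podman wants at least 65536 subordinate ids per user).
subid_range_ok() {
    awk -F: -v u="$2" -v min="$3" '
        $1 == u { n++; if ($2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $3+0 < min+0) bad = 1 }
        END { exit ((n == 1 && !bad) ? 0 : 1) }' "$1"
}

# subid_no_overlap FILE: succeed only if no two entries hand out overlapping
# ranges; overlapping ranges would let two users share a container uid space.
subid_no_overlap() {
    sort -t: -k2,2n "$1" | awk -F: '
        NR > 1 && $2+0 < prev_end { overlap = 1 }
        { end = $2 + $3; if (end > prev_end) prev_end = end }
        END { exit (overlap ? 1 : 0) }'
}

# Constructed sample inputs: an nsswitch.conf that routes subids to sssd
# (so /etc/subuid is ignored), a good subuid file and a bad one.
demo_dir=$(mktemp -d)
printf 'passwd: sss files\nsubid:  sss\n' > "$demo_dir/nsswitch.conf"
printf 'steve:100000:65536\nci:200000:65536\n' > "$demo_dir/subuid"
printf 'steve:100000:65536\nci:150000:65536\n' > "$demo_dir/subuid.bad"

subid_source "$demo_dir/nsswitch.conf"        # prints: sss
subid_range_ok "$demo_dir/subuid" steve 65536 && echo "steve: range ok"
subid_no_overlap "$demo_dir/subuid" && echo "subuid: no overlap"
subid_no_overlap "$demo_dir/subuid.bad" || echo "subuid.bad: overlapping ranges"
# Once the checks pass, the files can be mounted over the image's copies, e.g.:
#   podman run -v "$demo_dir/subuid:/etc/subuid:ro" -v "$demo_dir/subgid:/etc/subgid:ro" ...
```

Note that when nsswitch.conf selects "sss" for subid, libsubid does not consult the mounted files at all, which is why the source check comes first.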

mgoltzsche commented on May 30, 2024

Sorry, but I don't find the time to dig into that currently. I hope you solved it already - good luck otherwise.

If you need to make changes to podman-static, we can discuss them here and I'd be happy to review a PR if any. Anyway, if you find a solution to your problem, please let us know.


Steve973 commented on May 30, 2024

That sounds like you are not interested in fixing this. It would be extremely useful, but that is up to you. If you are not going to fix this (very thoroughly detailed issue) then feel free to close this ticket if you want.


mgoltzsche commented on May 30, 2024

To be clear, the issue is not thoroughly detailed because it does not fully explain what the problem is, how to reproduce it and what needs to be changed to fix it. It looks like you didn't even try mounting the configuration files with your changes as I suggested. I am sharing this repo as part of a solution to a problem I had once. To solve your specific integration problem, you'd have to spend a bit more time investigating and fixing it.

In case anybody else has the same problem, please feel free to reopen the issue.
Though, I guess changing the default configuration would be more of a discussion within the upstream podman repo anyway since the configuration shipped by this repo is supposed to be aligned with the upstream config/image.
