RHEL-26594

buildah can't be used rootless by FreeIPA users because it is not linked with libsubid

    • Bug
    • Resolution: Done-Errata
    • Major
    • rhel-8.10
    • CentOS Stream 8
    • buildah
    • Moderate
    • rhel-sst-container-tools
    • Red Hat Enterprise Linux
    • RUN 252
    • x86_64

      What were you trying to do that didn't work?

      Using rootless buildah as a user from a FreeIPA directory, with subuids/subgids allocated to the user in the directory.

      It appears buildah is only consulting /etc/subuid and /etc/subgid rather than looking up subuid/subgid information via sssd. ldd /usr/bin/buildah indicates that buildah is not linked with libsubid.

      On Fedora, where buildah works, it is linked with libsubid.

      Please provide the package NVR for which bug is seen:

      buildah-1.33.5-1.module_el8+885+7da147f3.x86_64
      buildah-1.31.3-3.module+el8.9.0+21243+a586538b.x86_64
      buildah-1.33.5-1.el9.x86_64

      How reproducible:

      Very

      Steps to reproduce

      1. Create a FreeIPA user
      2. Assign a subid range to the user: ipa subid-generate --owner=$USER
      3. Join the FreeIPA domain using ipa-client-install --subid (/etc/nsswitch.conf should have a line subid: sss)
      4. Confirm that libsubid consults sssd when fetching subuid/subgid information (getsubid $USER should return a subuid range)
      5. As the user, run buildah from registry.access.redhat.com/ubi9/ubi

      Expected results

      buildah container should be created

      Actual results

      buildah can't pull the image:

      $ buildah from registry.access.redhat.com/ubi9/ubi:latest
      WARN[0000] Reading allowed ID mappings: reading subuid mappings for user "sam" and subgid mappings for group "sam": no subuid ranges found for user "sam" in /etc/subuid 
      WARN[0000] Found no UID ranges set aside for user "sam" in /etc/subuid. 
      WARN[0000] Found no GID ranges set aside for user "sam" in /etc/subgid. 
      Trying to pull registry.access.redhat.com/ubi9/ubi:latest...
      Getting image source signatures
      Checking if image destination supports signatures
      Copying blob 1bd75c368cb5 done  
      Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:1bd75c368cb585e77e0b3234a750db4235fa64ff8b5b9ca8da8bf7a34ec9ecaa": processing tar file(potentially insufficient UIDs or GIDs available in user namespace (requested 0:5 for /usr/bin/write): Check /etc/subuid and /etc/subgid if configured locally and run "podman system migrate": lchown /usr/bin/write: invalid argument): exit status 1
      
      $ buildah unshare cat /proc/self/uid_map
      WARN[0000] Reading allowed ID mappings: reading subuid mappings for user "sam" and subgid mappings for group "sam": no subuid ranges found for user "sam" in /etc/subuid 
      WARN[0000] Found no UID ranges set aside for user "sam" in /etc/subuid. 
      WARN[0000] Found no GID ranges set aside for user "sam" in /etc/subgid. 
               0 1673000001          1
      

      Compare this to podman, which is linked with libsubid and so is able to pull subuid/subgid information from the directory:

      sam@xoanon:~$ podman unshare cat /proc/self/uid_map
               0 1673000001          1
               1 2147483648      65536
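
A triage helper for the symptom reported above, added here as an example and not part of the original report or of buildah: it combines the three checks the report relies on (the `subid:` line in nsswitch.conf, `ldd` output, and the uid_map seen inside the user namespace). The function names are hypothetical, and falling back to `files` when no `subid:` line exists is an assumption about libsubid's default.

```shell
#!/bin/sh
# Added example: classify a rootless ID-mapping failure from saved command output.
# All function names are hypothetical helpers, not part of buildah or shadow-utils.

# subid_source FILE: print the sources on the "subid:" line of an nsswitch.conf
# style file, or "files" when the line is absent (assumed libsubid default).
subid_source() {
    src=$(sed -n 's/^[[:space:]]*subid:[[:space:]]*//p' "$1" | head -n 1)
    printf '%s\n' "${src:-files}"
}

# links_libsubid: read `ldd BINARY` output on stdin; succeed if libsubid is listed.
links_libsubid() {
    grep -q 'libsubid\.so'
}

# mapped_ids: read a uid_map or gid_map on stdin and print how many IDs it maps
# (sum of the third column). A value of 1 means only the user's own ID is mapped.
mapped_ids() {
    awk 'NF == 3 { n += $3 } END { print n + 0 }'
}

# diagnose NSSWITCH_FILE LDD_OUTPUT_FILE UID_MAP_FILE
# Returns 0 when subordinate IDs are mapped, 1 otherwise, with a one-line reason.
diagnose() {
    ids=$(mapped_ids < "$3")
    if [ "$ids" -gt 1 ]; then
        echo "ok: $ids IDs mapped in the user namespace"
        return 0
    fi
    if links_libsubid < "$2"; then
        echo "only $ids ID mapped; binary links libsubid, so check the user's subid range"
    else
        echo "only $ids ID mapped; binary not linked with libsubid, subid source '$(subid_source "$1")' is ignored"
    fi
    return 1
}

# Typical use on an affected host:
#   ldd /usr/bin/buildah > ldd.txt
#   buildah unshare cat /proc/self/uid_map > uid_map.txt
#   diagnose /etc/nsswitch.conf ldd.txt uid_map.txt
```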
      

              rhn-support-jnovy Jindrich Novy
              staticyrro7 Sam Morris
              Nalin Dahyabhai (Inactive)