Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-56626

redhat.rhel_system_roles.podman fails to configure and run containers with podman rootless using different username and groupname.

XMLWordPrintable

    • rhel-system-roles-1.88.9-0.1.el9_5
    • No
    • Low
    • 2
    • rhel-sst-system-roles
    • 2
    • Dev ack
    • False
    • Hide

      None

      Show
      None
    • Yes
    • Red Hat Enterprise Linux
    • System Roles Sprint 4, System Roles Sprint 5
    • Approved Blocker
    • Bug Fix
    • Hide
      .The `podman` RHEL system role now correctly searches for `subgid` values

      Subordinate group IDs (`subgid`) is a range of group ID values assigned to non-root users. By using these values, you can run processes with different group IDs inside a container compared to the host system. Previously, the `podman` RHEL system role was incorrectly searching in the `subgid` values using the group name instead of using the user name. Consequently, the difference between the user name and the group name made `podman` fail to look up the `subgid` values. This update fixes `podman` to correctly search for `subgid` values and the problem no longer appears in this scenario.
      Show
      .The `podman` RHEL system role now correctly searches for `subgid` values Subordinate group IDs (`subgid`) is a range of group ID values assigned to non-root users. By using these values, you can run processes with different group IDs inside a container compared to the host system. Previously, the `podman` RHEL system role was incorrectly searching in the `subgid` values using the group name instead of using the user name. Consequently, the difference between the user name and the group name made `podman` fail to look up the `subgid` values. This update fixes `podman` to correctly search for `subgid` values and the problem no longer appears in this scenario.
    • Done
    • None

      What were you trying to do that didn't work?

      • Customer is using redhat.rhel_system_roles version 1.23.0, to configure and run containers with podman rootless, but the podman role fails in the task "Check group with getsubids" because it is passing the group name to the getsubids, instead of the user.
      • According to the subgid (5) man page:
        Each line in /etc/subgid contains a user name and a range of subordinate group ids that user is allowed to use. This is specified with three fields delimited by colons (":"). These fields are: - login name or UID - numerical subordinate group ID - numerical subordinate group ID count.
      • According to the getsubids man page this command expects a USER:
        SYNOPSIS getsubids [options] USERHowever, the podman role is calling the getsubids command with the group name, not the user name: 
      - name: Check group with getsubids
  command: getsubids -g {{ __podman_group_name | quote }}
  changed_when: false

      Please provide the package NVR for which bug is seen:

      Steps to reproduce

      1. Create a playbook as below
      ---
- name: Despliegue de contenedor con podman quadlet
  hosts: all
  gather_facts: yes
  become: false
  vars:
    podman_activate_systemd_unit: false
    podman_quadlet_specs:
      - name: "{{ _contenedores_service_name }}"
        type: container
        run_as_user: "{{ _contenedores_run_as_user }}"
        run_as_group: "{{ _contenedores_run_as_group }}"
        pull_image: false
        activate_systemd_unit: true
        file_content: "{{ _contenedores_file_content }}"
  tasks:
    - name: Ejecucion de rol podman
      ansible.builtin.include_role:
        name: redhat.rhel_system_roles.podman
      1.  Pass the variable to playbook as below with different username and groupname.
      "_contenedores_service_name": "lnx_httpd",
  "_contenedores_run_as_user": "vplnx",
  "_contenedores_run_as_group": "gplnx",
  "_contenedores_file_content": "[Unit]\nDescription=Linux httpd server\nAfter=sss-proxy.service\n\n[Container]\nImage=localhost/ubi9:latest\nExec=sleep 1000\n\n[Service]\nRestart=always\n\n[Install]\nWantedBy=multi-user.target default.target"
      1. Run the playbook and below error is observed.
      TASK [redhat.rhel_system_roles.podman : Check group with getsubids] ************
fatal: [hostname]: FAILED! => {"changed": false, "cmd": ["getsubids", "-g", "gplnx"], "delta": "0:00:00.005115", "end": "2024-08-27 13:24:54.995264", "msg": "non-zero return code", "rc": 1, "start": "2024-08-27 13:24:54.990149", "stderr": "Error fetching ranges", "stderr_lines": ["Error fetching ranges"], "stdout": "", "stdout_lines": []}

      Expected results:

      Playbook job should complete without any error and should not check for groupname and need to verify the username as per man page.

      Actual results:

      Playbook fails with below error.

      TASK [redhat.rhel_system_roles.podman : Check group with getsubids] ************ fatal: [hostname]: FAILED! => {"changed": false, "cmd": ["getsubids", "-g", "gplnx"], "delta": "0:00:00.005115", "end": "2024-08-27 13:24:54.995264", "msg": "non-zero return code", "rc": 1, "start": "2024-08-27 13:24:54.990149", "stderr": "Error fetching ranges", "stderr_lines": ["Error fetching ranges"], "stdout": "", "stdout_lines": []}

       

      WORKAROUND:

      • Customer mentioned that manually specifying the groupname in /etc/subgid helps to overcome above error.
      # echo "gplnx:296608:65536" >> /etc/subgid
# getsubids -g gplnx
0: gplnx 296608 65536

              rmeggins@redhat.com Richard Megginson
              rhn-support-yyadav Yogendra Yadav (Inactive)
              Richard Megginson Richard Megginson
              David Jez David Jez
              Jaroslav Klech Jaroslav Klech
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

                Created:
                Updated:
                Resolved: