subid: test with podman #6095

Closed
wants to merge 5 commits into from

Conversation

@fcami fcami (Contributor) commented Nov 18, 2021

podman can leverage FreeIPA-managed subids provided:

  • nsswitch.conf contains "subid: sss"
  • a real session is opened for that user (not su)

podman also provides a way to test whether subids can be retrieved:
$ podman unshare cat /proc/self/uid_map
$ podman unshare cat /proc/self/gid_map

Fixes: TBD
Signed-off-by: François Cami <fcami@redhat.com>

@fcami fcami added WIP Work in progress - not ready yet for review ipa-4-9 Mark for backport to ipa 4.9 labels Nov 18, 2021
@freeipa-pr-ci freeipa-pr-ci added the needs rebase Pull Request cannot be automatically merged - needs to be rebased label Nov 20, 2021
@fcami fcami added the re-run Trigger a new run of PR-CI label Nov 20, 2021
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Nov 20, 2021
@fcami fcami added the re-run Trigger a new run of PR-CI label Nov 23, 2021
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Nov 23, 2021
@stale stale bot commented Jan 22, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale Stale PR [Bot] label Jan 22, 2022
@stale stale bot commented Feb 6, 2022

This issue has been automatically closed as stale because it has not had recent activity.

@stale stale bot closed this Feb 6, 2022
@StarkZarn commented

It looks like this functionality still doesn't exist for podman in a FreeIPA managed environment. Is that correct? I opened an issue in Silverblue a while back with this same problem. See: fedora-silverblue/issue-tracker#263

Now, I'm attempting the same thing on an AlmaLinux client that's joined to my FreeIPA domain, and has the subid: sss in /etc/authselect/user-nsswitch.conf.

See below output:

[poddy@almact ~]$ podman run -it alpine sh
WARN[0000] The cgroupv2 manager is set to systemd but there is no systemd user session available 
WARN[0000] For using systemd, you may need to login using an user session 
WARN[0000] Alternatively, you can enable lingering with: `loginctl enable-linger 845500501` (possibly as root) 
WARN[0000] Falling back to --cgroup-manager=cgroupfs    
WARN[0000] The cgroupv2 manager is set to systemd but there is no systemd user session available 
WARN[0000] For using systemd, you may need to login using an user session 
WARN[0000] Alternatively, you can enable lingering with: `loginctl enable-linger 845500501` (possibly as root) 
WARN[0000] Falling back to --cgroup-manager=cgroupfs    
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob c158987b0551 done  
Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715": processing tar file(potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/shadow): Check /etc/subuid and /etc/subgid if configured locally and run podman-system-migrate: lchown /etc/shadow: invalid argument): exit status 1

@abbra abbra (Contributor) commented Dec 23, 2022

Can you explain what you did to enable the use of subids in FreeIPA?

The documentation is here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/assembly_managing-subid-ranges-manually_configuring-and-managing-idm and upstream design page is here: https://freeipa.readthedocs.io/en/latest/designs/subordinate-ids.html

I have subid support enabled:

$ sudo authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir
- with-sudo
- with-gssapi
- with-mdns4
- with-subid

$ whoami
abokovoy

$ ipa subid-generate --owner abokovoy
-----------------------------------------------------------
Added subordinate id "ad0dad02-99bf-43ef-8594-d8cd20be882b"
-----------------------------------------------------------
[... skip output ...]

$ sudo systemctl restart sssd

$ getsubids abokovoy
0: abokovoy 2147483648 65536

$ podman run -it alpine sh
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob c158987b0551 done  
Copying config 49176f190c done  
Writing manifest to image destination
Storing signatures
/ # ps
PID   USER     TIME  COMMAND
    1 root      0:00 sh
    2 root      0:00 ps
/ # 

in a different terminal:

$ podman ps
CONTAINER ID  IMAGE                            COMMAND     CREATED        STATUS            PORTS       NAMES
bb2c728b6dc6  docker.io/library/alpine:latest  sh          3 minutes ago  Up 3 minutes ago              musing_swartz

$ podman inspect musing_swartz| jq '.[0].State.CgroupPath'
"/user.slice/user-1000.slice/user@1000.service/user.slice/libpod-bb2c728b6dc69ef6b516da13136191016d009dbf5a577a9f2d3d9e0a6d5077ff.scope"

@StarkZarn commented

Hey thanks for the response!

I verified that a subID exists in the FreeIPA webUI. I didn't have to do anything to manually generate it though.

I do have with-subid enabled in my authselect.

sh-5.1$ sudo authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir
- with-sudo
- with-subid

sh-5.1$ getsubids poddy
0: poddy 2147614720 65536

This is no change from the setup that I had when I responded in this thread.

[poddy@almact ~]$ podman run -it alpine sh
Resolved "alpine" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/alpine:latest...
Getting image source signatures
Copying blob c158987b0551 done  
Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715": processing tar file(potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/shadow): Check /etc/subuid and /etc/subgid if configured locally and run podman-system-migrate: lchown /etc/shadow: invalid argument): exit status 1
[poddy@almact ~]$ exit

Same error.

It seems like I have everything set up properly, but I'm suspect of my configuration, as I started this FreeIPA environment prior to the support for subIDs managed centrally. Maybe something didn't get covered with the IPA upgrades. I did spin up this Alma VM today and join it to the domain, as I thought maybe I was experiencing this issue on one of my other machines because it was old (although up to date, on Fedora). No luck though.

@StarkZarn commented

Hmmm, the issue unfolds further. If I run a rootless container as my user account for maintenance and server ops, with sudo roles, etc., everything works fine...

On the poddy account, I removed it from the ipausers group and added a HBAC rule to allow login to this specific alma server. I don't see how that would affect this though.

@StarkZarn commented

PEBKAC error here. I apologize. After running podman system migrate from the poddy account, everything is working.

I appreciate you hitting the think tank with me. Happy holidays!
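
As an added example (not code from this PR, podman or FreeIPA), a POSIX sh diagnostic that checks the three preconditions this thread turns on: the "subid: sss" nsswitch source and the podman unshare uid_map test from the PR description, the getsubids range from abbra's walkthrough, and the user-namespace mapping that podman system migrate repaired in the last comment. The script name subid-check.sh and the helper function names are assumptions; the parsers read stdin so they can be run on captured text offline.

```shell
#!/bin/sh
# Added diagnostic (not part of the FreeIPA PR) for rootless podman with
# SSSD-managed subids. Checks: (1) nsswitch.conf routes "subid" to sss,
# (2) getsubids lists a range for the user (65536 ids in the thread),
# (3) "podman unshare" maps that range into /proc/self/uid_map; a map that
# holds only the caller's own uid is what yields the thread's
# "lchown /etc/shadow: invalid argument", fixed by "podman system migrate".

# Succeeds when a non-comment "subid:" line lists "sss" among its sources.
nsswitch_subid_has_sss() {
    awk '/^[[:space:]]*#/ { next }
         $1 == "subid:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
         END { exit found ? 0 : 1 }'
}

# getsubids prints "0: <user> <start> <count>"; print "<start> <count>" for
# the named user, fail when no range is listed for them.
getsubids_range() {
    awk -v u="$1" '$2 == u && $4 + 0 > 0 { print $3, $4; found = 1 }
                   END { exit found ? 0 : 1 }'
}

# /proc/self/uid_map inside podman unshare should map a range of more than
# one id (e.g. "1 2147614720 65536") beside the "0 <uid> 1" identity line.
uid_map_has_subrange() {
    awk '$1 + 0 != 0 && $3 + 0 > 1 { n++ } END { exit n > 0 ? 0 : 1 }'
}

# Live checks against the current host; run with: sh subid-check.sh --live
run_live_checks() {
    me=$(id -un)
    if nsswitch_subid_has_sss < /etc/nsswitch.conf; then
        echo "ok: nsswitch.conf sends subid lookups to sss"
    else
        echo "FAIL: no 'subid: sss' in nsswitch.conf (authselect feature with-subid)"
    fi
    if range=$(getsubids "$me" | getsubids_range "$me"); then
        echo "ok: subid range for $me: $range"
    else
        echo "FAIL: getsubids shows no range for $me (ipa subid-generate, then restart sssd)"
    fi
    if podman unshare cat /proc/self/uid_map | uid_map_has_subrange; then
        echo "ok: podman user namespace maps the subid range"
    else
        echo "FAIL: uid_map lacks the range; run 'podman system migrate' as $me"
    fi
}

if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```

Run it from a real login session for the user in question, since the thread notes that su and sessions without a systemd user instance behave differently.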
