-
Notifications
You must be signed in to change notification settings - Fork 238
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
subid ranges sourced from the network store #154
Comments
I think there should be a way where we split the 32 bits uid/gid, so that a UID gets the additional UIDs/GIDs where the high 16 bits are equal the the UID itself. i.e. |
shadow shouldn't enforce any such policy decision like that when it comes to id space segmentation. it can make best practice recommendations, but that's it. i'm not sure we can utilize nsswitch w/out coordinating with glibc. but if glibc did add support for new keywords (like "subuid" and "subgid"), then that seems like a design that would work. |
The broader question is one about APIs. The existing glibc APIs that manage UIDs/GIDs trigger the NSS infrastructure to load and parse /etc/nsswitch.conf, this in turn loads plugins to respond to service requests in an authoritative fashion e.g. LDAP NSS module. There are no APIs that deal with subuid, subgid, or the concept of newuidmap and newgidmap setup for the guest namespace. The existing infrastructure would require changes like this:
Is that what everyone is thinking about? |
Yes this is exactly what I was thinking. |
I should note that when I said "new API for managing" I meant only that we provide functions that allow you to query the existing data, but not modify that data. We don't need dyanmic assignment to be baked into glibc, that has deeper policy implications, and shadow-utils and admins can do that themselves. Likewise the LDAP admin can setup the ranges as they wish without any need to have an API that does the assignment. |
this is very interesting to academic environments as well, which use RH-based distros (CERN Scientific Linux 6 / CERN Centos 7) and have shared clusters to which users can login |
I have been talking about something like this with @poettering just a short while ago. On the @lxc side we allow for isolated idmaps, i.e. we have a way to give each container an idmap that is isolated from all other containers. For LXD it's easy to keep track what maps it has given away and how many it has left but it obviously becomes a problem when another container manager is using the same map. Having a central registry where we can - in a race free manner - record something along the lines of:
would be quite helpful. I actually think we'd want something even better such that we can query:
|
This should see input from all active people who co-maintain @shadow-maint with @hallyn and myself. Would also good to hear what @stgraber thinks. |
Lets not confuse two different things though. We have the UID's allocated to users to for their user namespace. Then we have UID Ranges allocated for root running services that want to use User Namespace for separation. This Issue is more about the UID's allocated for Users. |
The two are conceptually identical only their permissions differ. If you use new{g,u}idmap for both user and root services than sub{g,i}id decides what you are allowed to map independent of whether you're root or not |
Well I am not suggesting we use newuidmap for both. No reason to use this for a root running container engine. |
We should have a central way for all container engines to register their id allocations. If it works for unpriv users it works for root as well so there's no additional work associated with this. |
I must say I am not particularly convinced that /etc/subuid and /etc/subgid is such a great idea in the first place. Storing these registrations in /etc as if they were system configuration sounds wrong to me, we shouldn't do that anymore. Unless something is being reconfigured /etc should really be considered read-only, and range registration in /etc is something diametrically opposed to that, as it stores runtime information among the configuration in /etc. In systemd we allocate user IDs dynamically at various places, including in nspawn's userns support and for DynamicUser=1 support for system services. But we never ever write this to /etc, as that's really not suitable for dynamically changing registrations. However, we do supply glibc NSS modules that make sure that whatever we register (regardless if individual uids or ranges of uids) shows up in the system's user database. And I think that's a general approach to follow when allocating user ranges: use NSS as registration database: make sure that the user and all other apps see that you own a range by making sure your users show up in NSS. This reuses existing concepts for maintaining registered ranges (as libc getpwuid() and getpwnam() will just report our entries), and is also friendly towards users, as for example "ps" will show all processes of a userns-using container as owned by your package. It also makes sure that classic user mgmt tools such as "adduser" automatically respect your uid range registrations, since they already check NSS before picking a UID anyway. hence, from the systemd PoV: I am very sure we'll never begin using /etc/subuid and /etc/subgid, I think at this time we really shouldn't add any more static databases in /etc that need to be dynamically managed. Instead, we just pick a UID we consider suitable, check against NSS, and only use it if its not listed there yet (if it is, we pick a different UID). At the same time we make the UID we now took possession show up in NSS so that everybody else knows. Or in other words: instead of trying to get everybody on board with sharing a new set of database files in /etc/, and then extending it for the network, just make everybody use the same (already existing) API instead (i.e. glibc NSS), and leave it up to the packages to register their ranges with it. Standardize on existing APIs rather than new files. The packages can then decide on their own how they manage their assignments and replicate them across the network. (In case you wonder: yes, it's very easy to write an NSS module that returns for a UID x from some range a fixed user name "foobar-x", and vice versa) |
Well that is exactly what this issue is about. Adding NSS support to newuidmap and newgidmap. |
I think you misunderstand these files. No one intends to use them as databases and they aren't used as such now. They are config files that statically tell you what ids a user can use. |
No. I say: don't bother with uidmap/gidmap. Just use the regular NSS user/group db, and fill it through your own NSS module. I would advise podman to simply not bother with uidmap/gidmap, but just provide an NSS module that exposes the ranges it took possession of. |
so they are an extension of the usual user database. And I argue that the usual user database should not be considered configuration. I mean, there's a good reason while all those new OS approaches (such as Atomic and stuff) try hard to find alternatives to having to write every user into /etc. |
That's not orthogonal though, as you suggest. The idea is that you would want a way to allow a specific set of ids to be delegated to an unpriv user and these delegatable ranges are recorded in a central place: subid files. That's not opposing the db. |
That's not possible without regressing the ability of unprivileged users to create complex id mappings that have been delegated to them by the system administrator. This has also worked independently of systemd and on other systems so I wouldn't want to make this systemd's job too. |
Well, i mean, you can always keep the db if you really really like to, but what I am saying is: the db that everybody should check is the existing NSS user/group database, and not subuid/subgid. I mean, if you want to use newuidmap/newgidmap as your SUID binary of choice to configure your /proc/$PID/uid_map then by all means, go ahead, but also: everything else is fine too, and I'd not bother with telling people the they have to reg there ranges there. Instead, just let people use any tool they want, as long as they reg the ranges in the NSS user/group databases. or in other words, I'd suggest buildah/podman to just ship their own tool to acquire a uid range (possibly with a suid binary of their own, or through ipc-based privileged separation), and make sure to register what they acquire in NSS, instead of pushing everything down to /etc/subuid + /etc/subgid, which means you can never use buildah/podman in an environment with read-only /etc... |
I think I am repeating myself here: I am proposing to use the glibc NSS user/group db as place to make registrations show up, and as place to guarantee that every package uses its own range. Nothing systemd specific in that at all. glibc is not a systemd project, and by doing that you create a solution working on all general purpose Linux systems that support NSS, and there's nothing systemd-specific about that. |
You're not really suggesting that we start shipping custom |
Now you're dancing around the problem: We currently have a mechanism to delegate id ranges to unpriv users. The db registration is about registering ranges and that proposal is fine. But we still need a way to delegate ranges. |
Well, if you use a suid binary that's up to you. Major distros have the goal to minimize the number of suid binaries, and in that context it might be a much better idea to use something that uses some ipc priv separation instead. But the point I am making is this: secondary databases that noone but the tool owning it check are excercises in making UID collisions happen. The problem of dynamic UID registration is not specific to userns, and the tool newuidmap with another db in /etc might not be the ultimate solution to even the userns case. |
do we though? why do you want static delegation of ranges at all? i mean, podman could have a tiny ipc service (or suid binary if you want) that has one operation: "pick a free uid range that is currently not defined in the NSS user database, register it there, then chown these files with them and initialize uid_map of that process with them". and there you go: everything is properly registered, fully dynamic, without collisions, without maintaining a static database, without writing to /etc... Why maintain a static database (and propagate them through the network) when you don't have to? |
I'm not opposing switching to something better. If we have a decent proposal I'm not nacking it but we need to make sure to not regress current use cases. So the subid stuff in /etc will need to stick around anyway.
…On February 22, 2019 4:39:52 PM GMT+01:00, Lennart Poettering ***@***.***> wrote:
> You're not really suggesting that we start shipping custom `suid`
idmap binaries alongside every runtime when we have `newidmap` to avoid
just that?
Well, if you use a suid binary that's up to you. Major distros have the
goal to minimize the number of suid binaries, and in that context it
might be a much better idea to use something that uses some ipc priv
separation instead. But the point I am making is this: secondary
databases that noone but the tool owning it check are excercises in
making UID collisions happen. The problem of dynamic UID registration
is not specific to userns, and the tool newuidmap with another db in
/etc might not be the ultimate solution to even the userns case.
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
#154 (comment)
|
Yes we do. It's a use-case right now. There are tons of examples. Random one: imagine scenarios when you only want to use a use namespace and want to make sure that an unprivileged user can only request a specific mapping to make sure they can't get access to files that would be exposed as writable if they were free to request an arbitrary mapping.
You want IDs to be arbitrary and I sympatize with that but they are baked into Linux and into filesystems and so long as they are we have use cases where *what* mapping is used matters.
…On February 22, 2019 4:44:01 PM GMT+01:00, Lennart Poettering ***@***.***> wrote:
> Now you're dancing around the problem: We currently have a mechanism
to delegate id ranges to unpriv users. The db registration is about
registering ranges and that proposal is fine. But we still need a way
to delegate ranges.
do we though? why do you want static delegation of ranges at all? i
mean, podman could have a tiny ipc service (or suid binary if you want)
that has one operation: "pick a free uid range that is currently not
defined in the NSS user database, register it there, then chown these
files with them and initialize uid_map of that process with them". and
there you go: everything is properly registered, fully dynamic, without
collisions, without maintaining a static database, without writing to
/etc...
Why maintain a static database (and propagate them through the network)
when you don't have to?
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
#154 (comment)
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
|
So what we could do is
I'll refrain from commenting on the argument between adding functionality to existing baroque privileged programs versus adding small focused standalone privileged helpers. |
The problem with dynamic mapping is that you could end up with unowned files on disk if the mapping does not persist, but the on-disk file do persist. Is there a distinction to be made between a "dynamic" mapping and an "ephemeral" mapping? |
Don't we have this issue now? There is no tool like dwalsh:100000:65536 This should be no different if this file is distributed from LDAP or ActiveDirectory or ... |
Yeah, but
Ok I'll go ahead and separate them.
I will make those final changes, actually read the whole patch and do some more cleanups, squash the commits, and put up a new pr. |
Why not show each of the uids? If it turns out that a file belongs to a subid delegated to >1 user, it'd be good to know. |
I'm ok dropping it. @rhatdan , what do you think? |
Ok, lets keep reverse lookup in API. |
I think we should keep it. Unless there is some other way for coretutils to figure out what users own a specified file UID. |
Hi @hallyn,
Do you need any help with it? |
#321 should be ready for comments. |
Awesome job @hallyn thanks a lot. |
@hallyn any idea when you will release a new version of shadow-utils, with this feature? |
I've been meaning to do that for awhile... I'll plan on doing a release tomorrow afternoon (central time). |
@hallyn Still waiting... |
Yes, I know. There was a regression in the translations which breaks
'make dist', and I've not yet been able to fix it or find someone who could.
(I also don't have my yubikey so can't log in to reply, so hopefully
reply by email is working)
…On Tue, Jul 20, 2021 at 02:00:47AM -0700, Daniel J Walsh wrote:
@hallyn Still waiting...
--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
#154 (comment)
|
Thanks |
:feature: Basic support of user's 'subuid and subgid ranges' for IPA provider and corresponding plugin for shadow-utils were introduced. Limitations: - single subid interval pair (subuid+subgid) per user - idviews aren't supported - only forward lookup (user -> subid ranges) Take a note, this is MVP of experimental feature. Significant changes might be required later, after initial feedback. Corresponding support in shadow-utils was merged upstream, but since there is no upstream release available yet, SSSD feature isn't built by default. Build can be enabled with `--with-subid` configure option. Plugin's install path can be configured with `--with-subid-lib-path=` ("${libdir}" by default) For additional details about support in shadow-utils please see discussion in shadow-maint/shadow#154 and in related PRs. :config: New IPA provider's option `ipa_subid_ranges_search_base` allows configuration of search base for user's subid ranges. Default: `cn=subids,%basedn` Resolves: SSSD#5197
:feature: Basic support of user's 'subuid and subgid ranges' for IPA provider and corresponding plugin for shadow-utils were introduced. Limitations: - single subid interval pair (subuid+subgid) per user - idviews aren't supported - only forward lookup (user -> subid ranges) Take a note, this is MVP of experimental feature. Significant changes might be required later, after initial feedback. Corresponding support in shadow-utils was merged upstream, but since there is no upstream release available yet, SSSD feature isn't built by default. Build can be enabled with `--with-subid` configure option. Plugin's install path can be configured with `--with-subid-lib-path=` ("${libdir}" by default) For additional details about support in shadow-utils please see discussion in shadow-maint/shadow#154 and in related PRs. :config: New IPA provider's option `ipa_subid_ranges_search_base` allows configuration of search base for user's subid ranges. Default: `cn=subids,%basedn` Resolves: #5197 Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
On enterprise FreeIPA set-ups, the subordinate user and group IDs are provided by SSSD's sss plugin for the GNU Name Service Switch (or NSS) functionality of the GNU C Library. They are not listed in /etc/subuid and /etc/subgid. Therefore, its necessary to use libsubid.so to check the subordinate ID ranges. The CGO interaction with libsubid.so is loosely based on 'readSubid' in github.com/containers/storage/pkg/idtools [1]. However, unlike 'readSubid', this code considers the absence of any range (ie., nRanges == 0) to be an error as well. More importantly, this code uses dlopen(3) and friends to dynamically load the symbols from libsubid.so, instead of linking to libsubid.so at build-time and having the dependency noted in the /usr/bin/toolbox binary. This is done because libsubid.so itself depends on several other shared libraries, and indirect dependencies can't be influenced by the RUNPATH [2] embedded in the /usr/bin/toolbox binary [3]. Hence, when the binary is used inside Toolbx containers (eg., as the entry point), those indirect dependencies won't be picked from the host's runtime against which the binary was built. This can render the binary useless due to ABI compatibility issues. Using dlopen(3) avoids this problem, especially because libsubid.so is only used when running on the host. Care was taken to not load and link libsubid.so twice to separately validate the subordinate ID ranges for the user and the group. Note that libsubid_init() must be passed a FILE pointer for logging. Otherwise, it will create it's own for logging, and there's no way to close it during dlclose(3). Version 4 of the libsubid.so API/ABI [4] was released in Shadow 4.10, which is newer than the versions shipped on RHEL 8 and Debian 10 [5], and even that newer version had some problems [6]. Therefore, support for older versions, with the relevant workarounds, is necessary. Fortunately, the oldest that needs to be support is Shadow 4.9 because that's when libsubid.so was introduced [7]. Note that SUBID_ABI_VERSION was only introduced with version 4 of the libsubid.so API/ABI released in Shadow 4.10 [8]. The first release of libsubid.so in Shadow 4.9 already had an ABI version of 3.0.0 [9], since it was bumped a few times during development, so that's what's assumed when SUBID_ABI_VERSION is absent. This code doesn't set the public variables Prog and shadow_logfd that older Shadow versions used to expect for logging, because from Shadow 4.9 onwards there's a separate function [4,10] to specify these. This can be changed if there are libsubid.so versions in the wild that really do need those public variables to be set. Finally, ISO C99 is required because of the use of <stdbool.h> in the libsubid.so API. Some changes by Debarshi Ray. [1] https://github.com/containers/storage/blob/main/pkg/idtools/idtools_supported.go [2] https://man7.org/linux/man-pages/man8/ld.so.8.html [3] Commit 6063eb2 containers#821 [4] Shadow commit 32f641b207f6ddff shadow-maint/shadow@32f641b207f6ddff shadow-maint/shadow#443 [5] https://packages.debian.org/source/buster/shadow [6] Shadow commit 79157cbad87f42cd shadow-maint/shadow@79157cbad87f42cd shadow-maint/shadow#465 [7] Shadow commit 0a7888b1fad613a0 shadow-maint/shadow@0a7888b1fad613a0 shadow-maint/shadow#154 [8] Shadow commit 0c9f64140852e8d5 shadow-maint/shadow@0c9f64140852e8d5 shadow-maint/shadow#449 [9] Shadow commit 3d670ba7ed58f910 shadow-maint/shadow@3d670ba7ed58f910 shadow-maint/shadow#339 [10] Shadow commit 2b22a6909dba60d shadow-maint/shadow@2b22a6909dba60d shadow-maint/shadow#325 containers#1074 Signed-off-by: Martin Jackson <martjack@redhat.com>
The previous commit broke the golangci-lint test [1] because the GitHub Action runs on Ubuntu 22.04, which only has Shadow 4.8 [2], whereas libsubid.so was introduced in Shadow 4.9 [3]. However, that's not a big deal because 'go vet' was earlier added to the set of tests run by 'meson test' [4], and 'go vet' is one of the linters run by golangci-lint [5]. So, while it's not a proper replacement, it's good enough. [1] Commit ca8007c containers#1180 [2] https://packages.ubuntu.com/source/jammy/shadow https://packages.ubuntu.com/source/jammy-updates/shadow [3] Shadow commit 0a7888b1fad613a0 shadow-maint/shadow@0a7888b1fad613a0 shadow-maint/shadow#154 [4] Commit f695012 containers#1186 [5] https://golangci-lint.run/usage/linters/ https://golangci-lint.run/usage/linters/#govet This reverts commit 7c86f30.
The previous commit broke the golangci-lint test [1] because the GitHub Action runs on Ubuntu 22.04, which only has Shadow 4.8 [2], whereas libsubid.so was introduced in Shadow 4.9 [3]. However, that's not a big deal because 'go vet' was earlier added to the set of tests run by 'meson test' [4], and 'go vet' is one of the linters run by golangci-lint [5]. So, while it's not a proper replacement, it's good enough. [1] Commit ca8007c containers#1180 [2] https://packages.ubuntu.com/source/jammy/shadow https://packages.ubuntu.com/source/jammy-updates/shadow [3] Shadow commit 0a7888b1fad613a0 shadow-maint/shadow@0a7888b1fad613a0 shadow-maint/shadow#154 [4] Commit f695012 containers#1186 [5] https://golangci-lint.run/usage/linters/ https://golangci-lint.run/usage/linters/#govet This reverts commit 7c86f30. containers#1221
Now that Toolbx offers built-in support for Ubuntu containers [1], it makes sense to test that it works well on Ubuntu hosts. Ubuntu 22.04 is the latest long term support (or LTS) release [2] from Ubuntu, and GitHub provides runners for GitHub workflows [3]. Ubuntu 22.04 only has Bats 1.2.1 [4], while Toolbx requires 1.7.0 [5]; and Shadow 4.8 [6], while libsubid.so was introduced in Shadow 4.9 [7]. Hence, newer versions of these dependencies need to be built to run the tests. Note that a separate sub-directory inside $GITHUB_WORKSPACE [8] is used for Toolbx itself to prevent codespell from getting triggered by problems in the dependencies themselves [9]. [1] Commit a84a358 containers#483 containers#1284 [2] https://wiki.ubuntu.com/Releases [3] https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners [4] https://packages.ubuntu.com/jammy/bats [5] Commit e22a82f containers#1273 [6] https://packages.ubuntu.com/source/jammy/shadow https://packages.ubuntu.com/source/jammy-updates/shadow [7] Shadow commit 0a7888b1fad613a0 shadow-maint/shadow@0a7888b1fad613a0 shadow-maint/shadow#154 [8] https://docs.github.com/en/actions/learn-github-actions/variables [9] bats-core/bats-core#743 containers#1319
Now that Toolbx offers built-in support for Ubuntu containers [1], adding an Ubuntu host to the upstream CI will help ensure that Toolbx continues to work well on Ubuntu. Ubuntu 22.04 is the latest long term support (or LTS) release [2] from Ubuntu, and GitHub provides runners for GitHub workflows [3]. Ubuntu 22.04 only has Bats 1.2.1 [4], while Toolbx requires 1.7.0 [5]; and Shadow 4.8 [6], while libsubid.so was introduced in Shadow 4.9 [7]. Hence, newer versions of these dependencies need to be built to run the tests. Note that a separate sub-directory inside $GITHUB_WORKSPACE [8] is used for Toolbx itself to prevent codespell from getting triggered by problems in the dependencies themselves [9]. [1] Commit a84a358 containers#483 containers#1284 [2] https://wiki.ubuntu.com/Releases [3] https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners [4] https://packages.ubuntu.com/jammy/bats [5] Commit e22a82f containers#1273 [6] https://packages.ubuntu.com/source/jammy/shadow https://packages.ubuntu.com/source/jammy-updates/shadow [7] Shadow commit 0a7888b1fad613a0 shadow-maint/shadow@0a7888b1fad613a0 shadow-maint/shadow#154 [8] https://docs.github.com/en/actions/learn-github-actions/variables [9] bats-core/bats-core#743 containers#1319
Now that Toolbx offers built-in support for Ubuntu containers [1], adding an Ubuntu host to the upstream CI will help ensure that Toolbx continues to work well on Ubuntu. Ubuntu 22.04 is the latest long term support (or LTS) release [2] from Ubuntu, and GitHub provides runners for GitHub workflows [3]. Ubuntu 22.04 only has Bats 1.2.1 [4], while Toolbx requires 1.7.0 [5]; and Shadow 4.8 [6], while libsubid.so was introduced in Shadow 4.9 [7]. Hence, newer versions of these dependencies need to be built to run the tests. Note that a separate sub-directory inside $GITHUB_WORKSPACE [8] is used for Toolbx itself to prevent codespell from getting triggered by problems in the dependencies themselves [9]. [1] Commit a84a358 containers#483 containers#1284 [2] https://wiki.ubuntu.com/Releases [3] https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners [4] https://packages.ubuntu.com/jammy/bats [5] Commit e22a82f containers#1273 [6] https://packages.ubuntu.com/source/jammy/shadow https://packages.ubuntu.com/source/jammy-updates/shadow [7] Shadow commit 0a7888b1fad613a0 shadow-maint/shadow@0a7888b1fad613a0 shadow-maint/shadow#154 [8] https://docs.github.com/en/actions/learn-github-actions/variables [9] bats-core/bats-core#743 containers#1319
Now that Toolbx offers built-in support for Ubuntu containers [1], adding an Ubuntu host to the upstream CI will help ensure that Toolbx continues to work well on Ubuntu. Ubuntu 22.04 is the latest long term support (or LTS) release [2] from Ubuntu, and GitHub provides runners for GitHub workflows [3]. Ubuntu 22.04 only has Bats 1.2.1 [4], while Toolbx requires 1.7.0 [5]; and Shadow 4.8 [6], while libsubid.so was introduced in Shadow 4.9 [7]. Hence, newer versions of these dependencies need to be built to run the tests. Note that a separate sub-directory inside $GITHUB_WORKSPACE [8] is used for Toolbx itself to prevent codespell from getting triggered by problems in the dependencies themselves [9]. [1] Commit a84a358 containers#483 containers#1284 [2] https://wiki.ubuntu.com/Releases [3] https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners [4] https://packages.ubuntu.com/jammy/bats [5] Commit e22a82f containers#1273 [6] https://packages.ubuntu.com/source/jammy/shadow https://packages.ubuntu.com/source/jammy-updates/shadow [7] Shadow commit 0a7888b1fad613a0 shadow-maint/shadow@0a7888b1fad613a0 shadow-maint/shadow#154 [8] https://docs.github.com/en/actions/learn-github-actions/variables [9] bats-core/bats-core#743 containers#1319
Now that Toolbx offers built-in support for Ubuntu containers [1], adding an Ubuntu host to the upstream CI will help ensure that Toolbx continues to work well on Ubuntu. Ubuntu 22.04 is the latest long term support (or LTS) release [2] from Ubuntu, and is the latest Ubuntu version that GitHub provides runners for [3]. Ubuntu 22.04 only has Bats 1.2.1 [4], while Toolbx requires 1.7.0 [5]; and Shadow 4.8 [6], while Toolbx requires 4.9 because it needs libsubid.so [7,8]. Hence, newer versions of these dependencies need to be built to run the tests. The build flags for Shadow were taken from the Debian package [9]. A separate sub-directory inside $GITHUB_WORKSPACE [10] is used for Toolbx itself to prevent codespell from getting triggered by spelling mistakes in these dependencies themselves [11]. Unfortunately, the SHELL environment variable goes mysteriously missing from the runtime environment of the GitHub Actions workflow [12]. This breaks the 'create' and 'enter' commands, and therefore tests involving them can't be run until this is resolved. Meanwhile, running the CI on Ubuntu with a subset of the tests, is still better than not running the CI on Ubuntu at all. [1] Commit a84a358 containers#483 containers#1284 [2] https://wiki.ubuntu.com/Releases [3] https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners [4] https://packages.ubuntu.com/jammy/bats [5] Commit e22a82f containers#1273 [6] https://packages.ubuntu.com/source/jammy/shadow https://packages.ubuntu.com/source/jammy-updates/shadow [7] Shadow commit 0a7888b1fad613a0 shadow-maint/shadow@0a7888b1fad613a0 shadow-maint/shadow#154 [8] Commit ca8007c containers#1074 [9] https://salsa.debian.org/debian/shadow/ [10] https://docs.github.com/en/actions/learn-github-actions/variables [11] bats-core/bats-core#743 [12] https://github.com/orgs/community/discussions/59413 containers#1319
We are seeing a lot of excitement on the podman front running containers as not root.
We are taking advantage of User Namespace and specifically shadow-utils with /etc/subuid, /etc/subgid nad newuidmap and newgidmap.
But we are now being contacted by "enterprise" customers who use large databases of users and they want these files and UIDMap information to be handled via ldap or FreeIPA.
Has there been any thought into making this info available via nsswitch?
The text was updated successfully, but these errors were encountered: