Check if uid is not higher than maxuid and gid is not higher than maxgid, otherwise exit with message. #4838
userns=keep-id

Fails when uid = maxUID.

This sounds a bit like #4047. I see that your UID is 70000. What does your

My subordinate user ID count is 65536 (the default.) When a user with a uid or gid >= max subordinate user or group id (65536 by default) tries to run toolbox, they receive an error which is very difficult to fault find.

Could you please give an example

Currently not at my Fedora box. Will provide examples and the output of the following.

Easy to make a mistake with enterprise logins.
This leaves the user with the difficult job of resolving:
Run my previous script as the user you will get:
Using this information we can fix the problem:
Toolbox now has enough uid's and gid's in the container to run as the user. Helpful to message the user with a description of the problem.

In the meantime toolbox could tell the user if his or her subuid/uid is not in the proper range; one user spent months trying to figure out why toolbox was not working with an obscure error message.

I had the same problem on plain Fedora 31 (not Silverblue) and a simple "podman pull centos:8" using an enterprise login with a high uid (ADS w/ sssd, uid and gid both > 22201000).

Let's fix this in Podman itself.

when creating a keep-id namespace, we split the original user namespace in:

    inner ns | outer ns | size
    0        | 1        | ID
    ID       | 0        | 1
    ID+1     | ID+1     | availableIds - ID

When the user ID is bigger than the number of available subuids/subgids we fail to create the user namespace because the first slice is bigger than the available number of IDs and the third one has a negative size.

Fix it by not using more than the available number of IDs in the first slice and creating the third one only if there are other IDs left.

When the user ID is bigger than the number of additional IDs, there will be a gap between the two mappings so the IDs between the maximum additional ID and the user ID won't be present inside of the namespace.

Closes: containers#4838

Signed-off-by: Giuseppe Scrivano <[email protected]>
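
The slice arithmetic from the commit message above, as an added Go example that is not Podman's code and not part of the thread: it builds the three mappings as tabulated and again with the described clamping, so the uid = maxUID and uid > maxUID cases can be compared. The type and function names, the `usable` check and the sample values (65536 available IDs; UIDs 1000, 65536 and 70000) are assumptions built around the numbers quoted in the thread.

```go
package main

import "fmt"

// IDMap is one slice: Size IDs from Inner (new namespace) map to Size IDs from Outer.
type IDMap struct{ Inner, Outer, Size int }

// keepIDNaive builds the three slices exactly as tabulated, with no bounds checks.
func keepIDNaive(id, available int) []IDMap {
	return []IDMap{{0, 1, id}, {id, 0, 1}, {id + 1, id + 1, available - id}}
}

// keepIDClamped follows the described fix: cap the first slice at the number
// of available IDs and emit the third slice only when IDs are left over.
func keepIDClamped(id, available int) []IDMap {
	first := id
	if first > available {
		first = available
	}
	var maps []IDMap
	if first > 0 {
		maps = append(maps, IDMap{0, 1, first})
	}
	maps = append(maps, IDMap{id, 0, 1})
	if available > id {
		maps = append(maps, IDMap{id + 1, id + 1, available - id})
	}
	return maps
}

// usable reports whether every slice has a positive size and stays within
// outer IDs 0..available (assumed layout: own ID at 0, additional IDs after it).
func usable(maps []IDMap, available int) bool {
	for _, m := range maps {
		if m.Size <= 0 || m.Outer+m.Size > available+1 {
			return false
		}
	}
	return true
}

func main() {
	const available = 65536 // constructed sample: the default count quoted in the thread
	for _, id := range []int{1000, 65536, 70000} {
		n, c := keepIDNaive(id, available), keepIDClamped(id, available)
		fmt.Printf("id=%d naive=%v usable=%v | clamped=%v usable=%v\n",
			id, n, usable(n, available), c, usable(c, available))
	}
}
```

For UID 70000 the clamped result has only two slices, so inner IDs 65536 through 69999 are the gap the commit message describes.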
Error is non descriptive
My guess is this is caused by:
--userns=keep-id
Which requires uid not to be greater than maxUID and gid not to be greater than maxGID.
With maxUID being the third field in subuid and maxGID being the third field in subgid.