Bug 1498628 (rhel77-crypto-shadow-utils)
| Field | Value |
|---|---|
| Summary | shadow-utils: Update to get newuidmap and newgidmap binaries |
| Product | Red Hat Enterprise Linux 7 |
| Component | shadow-utils |
| Version | 7.5 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | high |
| Reporter | Vivek Goyal <vgoyal> |
| Assignee | Tomas Mraz <tmraz> |
| QA Contact | Dalibor Pospíšil <dapospis> |
| Docs Contact | Mirek Jahoda <mjahoda> |
| CC | afox, ajia, aparsons, baptiste.agasse, bbreard, bene, christoffer.sawicki, cmilsted, cww, dapospis, dominik.mierzejewski, dornelas, dwalsh, ebiederm, fedoraproject, gscrivan, jaster, jchristi, jcoscia, johannespfau, jowood, junw99, kwalker, mharri, mhernon, mschwabe, mthacker, ngompa13, nmavrogi, pasik, pvrabec, rbeyel, rbuzatu, rcernich, rob.verduijn, santiago, sauchter, sfroemer, sjayapra, smarland, smccarty, spanjikk, ssbarnea, steve.traylen, subhat, thomas.oulevey, tmraz, vbatts, vgoyal, zkosic |
| Target Milestone | rc |
| Target Release | --- |
| Keywords | FutureFeature, Rebase |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | shadow-utils-4.6-1.el7 |
| Doc Type | Enhancement |
| Doc Text | `shadow-utils` rebased to version 4.6. The `shadow-utils` packages have been upgraded to upstream version 4.6, which provides a number of bug fixes and enhancements over the previous version, most notably the `newuidmap` and `newgidmap` commands for manipulating the UID and GID namespace mapping. |
| Story Points | --- |
| Last Closed | 2019-08-06 12:47:34 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1186913, 1594286, 1640527, 1648377, 1654329, 1657167, 1688348, 1718378 |

Description
Vivek Goyal
2017-10-04 19:41:31 UTC
Yes, we are having issues with this now. Could we just back port these tools to the current shadow-utils, and update useradd and groupadd to do the /etc/subgid and /etc/subuid editing?

The exact issue is in usermod. dockerd, in usergroupadd_linux.go, is exec'ing usermod with -v and -w options to create subuid and subgid entries respectively. These options seem to be new in shadowutils-2.4.2. See bug 1546870. HTH.

Latest versions of runc also use newuidmap/newgidmap to set up additional mappings for unprivileged userNS.

This is required for unprivileged userNS support in Buildah/podman.

We are seeing a lot of interest in using buildah and podman as non root; without newgidmap and newuidmap on RHEL, those users will not be able to use this feature. I think we should reconsider not at least adding these two executables.

*** Bug 1657167 has been marked as a duplicate of this bug. ***

*** Bug 1651450 has been marked as a duplicate of this bug. ***

*** Bug 1610211 has been marked as a duplicate of this bug. ***

Tomas Mraz 2019-01-22 10:56:25 UTC
> External Bug ID: Red Hat Knowledge Base (Solution) 3732441
What does that article have to do with missing newuidmap/newgidmap binaries?
Nothing.

What is the status of this bug? Red Hat advertises Buildah as a way to do rootless container builds but yet it isn't even supported on RHEL 7 because of this issue. What gives?

I was also asked by a customer regarding this. I guess running containers without root is pretty appealing.

Steffen, can you just pull this package and let your customer test with it? I know Vincent Batts has a shadow-utils package that was built externally for RHEL7 users to play with.

(In reply to Daniel Walsh from comment #85)
> Steffen can you just pull this package and let your customer test with it?
> I know Vincent Batts has a shadow-utils package that was built externally
> for RHEL7 users to play with.

I just followed [1] and ran into two issues:
1) unable to pull image due to no access to registry.key (fixed with chmod 644 /etc/docker/certs.d/registry.access.redhat.com/*.key)
2) unable to perform yum-action inside non-root container

What issue do we have here?

I followed the instructions and I was able to pull an image as non-root. But when trying to run a container I faced:
Error: error checking slirp4netns binary /usr/bin/slirp4netns: exit status 1
No other output. Any ideas?

Do you have slirp4netns installed? If you run with --net=host does the container work?

Well, slirp4netns is supposed to allow us to set up a different network from the --net=host. This blog outlines the steps necessary to get rootless working on RHEL 7.6:
https://www.redhat.com/en/blog/preview-running-containers-without-root-rhel-76
When we get the slirp4netns and newuidmap stuff into RHEL 7.7, this should work out of the box similar to RHEL 8.X.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2019:2102
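
A preflight check for the prerequisites discussed in this thread (the `newuidmap`/`newgidmap` helpers and the user's `/etc/subuid` and `/etc/subgid` entries), added here as an example; it is not code from the bug report, shadow-utils or any Red Hat tool. The function names and sample entries are constructed for illustration, and the overlap check goes one step beyond the thread: it flags subordinate ranges of different users that share host IDs.

```shell
#!/usr/bin/env bash
# Added example, not from the bug report. Paths are parameters so the checks
# can run against constructed sample files instead of the live /etc.

# Print "start count" for each range USER owns in a subid FILE
# (one "name:start:count" entry per line).
subid_ranges() {
    awk -F: -v u="$1" '$1 == u && NF == 3 { print $2, $3 }' "$2" 2>/dev/null
}

# Print pairs of ranges owned by different names that share host IDs.
subid_overlaps() {
    awk -F: 'NF == 3 && $1 !~ /^#/ {
        n++; who[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1
    }
    END {
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (who[i] != who[j] && lo[i] <= hi[j] && lo[j] <= hi[i])
                    print who[i] ":" lo[i] "-" hi[i], who[j] ":" lo[j] "-" hi[j]
    }' "$1"
}

# Succeed only if both helpers exist in BINDIR and USER has a range in
# ETC/subuid and ETC/subgid; print each missing prerequisite.
rootless_ready() {
    local user=$1 etc=$2 bindir=$3 rc=0 name
    for name in newuidmap newgidmap; do
        [ -x "$bindir/$name" ] || { echo "missing $bindir/$name"; rc=1; }
    done
    for name in subuid subgid; do
        [ -n "$(subid_ranges "$user" "$etc/$name")" ] ||
            { echo "no $name range for $user"; rc=1; }
    done
    return $rc
}

# Constructed sample: bob's subuid range starts inside alice's.
make_sample() {
    printf 'alice:100000:65536\nbob:165000:65536\n' > "$1/subuid"
    printf 'alice:100000:65536\nbob:165536:65536\n' > "$1/subgid"
}

demo=$(mktemp -d)
make_sample "$demo"
subid_overlaps "$demo/subuid"                        # alice/bob overlap reported
rootless_ready alice "$demo" /usr/bin || echo "alice is not ready on this host"
rm -rf "$demo"
```

Against a live host, call `rootless_ready "$USER" /etc /usr/bin` and `subid_overlaps /etc/subuid`.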