Bug 1765469

Summary: rootless buildah does not work with UID in /etc/subuid
Product: Red Hat Enterprise Linux 7
Reporter: Christoph Karl <christoph.karl>
Component: buildah
Assignee: Giuseppe Scrivano <gscrivan>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: low
Docs Contact:
Priority: medium
Version: 7.7
CC: ahogbin, ajia, ddarrah, dornelas, dwalsh, gscrivan, jnovy, lsm5, nalin, pthomas, tsweeney, umohnani, ypu
Target Milestone: rc
Keywords: Extras
Target Release: 7.8
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: buildah-1.11.3-1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-01 00:26:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1186913, 1744505

Description Christoph Karl 2019-10-25 07:46:24 UTC
Description of problem:
The (rootless) command buildah does not work,
if the file /etc/subuid contains the UID.
(or the file /etc/subgid)


Version-Release number of selected component (if applicable):
>buildah --version
buildah version 1.9.0 (image-spec 1.0.0, runtime-spec 1.0.0)

How reproducible:


Steps to Reproduce:
1. Standard setup RHEL 7.7 all updates till 25.10.2019 installed.
2. cat /etc/subuid
1005:100000:65536
(using UID here!)


Actual results:
>buildah from ubi8
error creating container: error creating read-write layer with ID "eededba083ceca7b37fd0ac058fd8cd2e41da81ddddabf123b0bfdd58cddfe29": there might not be enough IDs available in the namespace (requested 0:65534 for /home/karlch/.local/share/containers/storage/vfs/dir/eededba083ceca7b37fd0ac058fd8cd2e41da81ddddabf123b0bfdd58cddfe29/usr/bin/write): lchown /home/karlch/.local/share/containers/storage/vfs/dir/eededba083ceca7b37fd0ac058fd8cd2e41da81ddddabf123b0bfdd58cddfe29/usr/bin/write: 

Expected results:
>buildah from ubi8
ubi8-working-container


Additional info:
It works if:
>cat /etc/subuid
karlch:100000:65536
(login name)

Same for /etc/subgid

Comment 2 Tom Sweeney 2019-10-25 14:35:20 UTC
Christoph, thanks for the BZ.  As you surmised, we're currently only supporting a username/groupname in those files and not UID/GID.  We'll take a look at fixing that.

Comment 3 Daniel Walsh 2019-10-25 14:37:14 UTC
Works in upstream

$ buildah version
Version:         1.11.3
Go Version:      go1.13
Image Spec:      1.0.1-dev
Runtime Spec:    1.0.1-dev
CNI Spec:        0.4.0
libcni Version:  
Git Commit:      
Built:           Wed Dec 31 19:00:00 1969
OS/Arch:         linux/amd64


cat /etc/subuid
3267:100000:65536
ashleycui:200000:65536
containers:2147483646:2147483648
test1:165536:4000

$ buildah unshare cat /proc/self/uid_map
         0       3267          1
         1     100000      65536

Fixed in Buildah 1.11.3

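The behaviour discussed in the report and in Comment 3 (an /etc/subuid entry keyed by numeric UID rather than login name, and the resulting uid_map) can be checked offline with the following script. This is an added example, not buildah's or shadow-utils' own code: it parses /etc/subuid-style text, resolves the current user's ranges by login name or by numeric UID the way buildah 1.11.3 and later do, builds the mapping that `buildah unshare cat /proc/self/uid_map` would print, and tells you whether a given in-container ID (65534, the `nobody` ID the error in the description complains about) is actually mapped. The subuid contents are constructed from the values quoted in Comment 3, and the login name `user3267` is a placeholder, since the report never names that user.

```python
"""Resolve rootless subordinate-ID ranges and check the resulting uid_map.

Added example (not buildah's code). Constructed input based on the
/etc/subuid shown in Comment 3 of the bug report.
"""
from dataclasses import dataclass
from typing import List, Tuple

UID_MAX = 2**32 - 2  # 4294967295 is the kernel's "invalid" id, so it can never be mapped


@dataclass(frozen=True)
class SubIdRange:
    start: int   # first host-side subordinate id
    count: int   # number of ids in the range


def parse_subid(text: str) -> List[Tuple[str, SubIdRange]]:
    """Parse subuid/subgid text into (owner, range) pairs.

    The owner field is kept verbatim: it may be a login name or a decimal
    UID/GID. Blank lines and '#' comments are skipped; malformed lines and
    ranges that overflow the 32-bit id space raise ValueError.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected owner:start:count, got {raw!r}")
        owner, start, count = fields
        try:
            rng = SubIdRange(int(start), int(count))
        except ValueError:
            raise ValueError(f"line {lineno}: start and count must be integers") from None
        if rng.count <= 0 or rng.start < 0 or rng.start + rng.count - 1 > UID_MAX:
            raise ValueError(f"line {lineno}: range {start}:{count} is outside 0..{UID_MAX}")
        entries.append((owner, rng))
    return entries


def ranges_for(entries, username: str, uid: int) -> List[SubIdRange]:
    """Ranges granted to a user, matched by login name OR numeric UID.

    buildah 1.9.0 matched only the login name, which is the bug reported here.
    """
    return [rng for owner, rng in entries
            if owner == username or (owner.isdigit() and int(owner) == uid)]


def build_uid_map(uid: int, ranges) -> List[Tuple[int, int, int]]:
    """Build /proc/self/uid_map triples (container_id, host_id, length).

    Container id 0 maps to the user's own UID; container ids 1.. are then
    filled from the subordinate ranges in file order.
    """
    uid_map = [(0, uid, 1)]
    next_id = 1
    for rng in ranges:
        uid_map.append((next_id, rng.start, rng.count))
        next_id += rng.count
    return uid_map


def is_mapped(uid_map, container_id: int) -> bool:
    """True if container_id lies inside some mapping.

    An lchown to an unmapped id fails with EINVAL inside the user namespace,
    which containers/storage surfaces as "there might not be enough IDs
    available in the namespace (requested 0:65534 ...)".
    """
    return any(lo <= container_id < lo + n for lo, _, n in uid_map)


# Constructed from the /etc/subuid quoted in Comment 3.
SUBUID_TEXT = """\
3267:100000:65536
ashleycui:200000:65536
containers:2147483646:2147483648
test1:165536:4000
"""

if __name__ == "__main__":
    entries = parse_subid(SUBUID_TEXT)
    # (login name, uid): "user3267" is a placeholder; only the UID entry exists for it.
    for name, uid in (("user3267", 3267), ("ashleycui", 5000), ("test1", 4242), ("nobody-here", 9999)):
        uid_map = build_uid_map(uid, ranges_for(entries, name, uid))
        print(f"== {name} (uid {uid})")
        for row in uid_map:
            print("%10d %10d %10d" % row)
        print(f"   container id 65534 mapped: {is_mapped(uid_map, 65534)}")
```

Two points worth noting from running it: the `test1` user has an entry but only 4000 subordinate ids, so container id 65534 is still unmapped and `buildah from ubi8` would fail with the same "not enough IDs" error even though /etc/subuid looks populated; and the `containers` range, which Comment 5 asks about, ends at 4294967293, just inside the 32-bit id space, so the parser accepts it, whereas a range that would reach 4294967295 is rejected.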
Comment 5 Tom Sweeney 2020-02-17 18:43:27 UTC
Dan or Giuseppe, can you handle the namespace value limits?  I think those are higher than we handle, but I'm not sure.

Comment 13 Alex Jia 2020-03-03 02:33:52 UTC
Verified in buildah-1.11.6-6.el7_8.x86_64.

[ajia@kvm-08-guest07 ~]$ id
uid=1001(ajia) gid=1001(ajia) groups=1001(ajia) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[ajia@kvm-08-guest07 ~]$ buildah unshare cat /proc/self/uid_map 
         0       1001          1
         1     165536      65536

[ajia@kvm-08-guest07 ~]$ cat /etc/subuid
test:100000:65536
ajia:165536:65536

[ajia@kvm-08-guest07 ~]$ buildah from ubi8
Getting image source signatures
Copying blob eae5d284042d done
Copying blob ff6f434a470a done
Copying config fd73e6738a done
Writing manifest to image destination
Storing signatures
ubi8-working-container

[ajia@kvm-08-guest07 ~]$ buildah images|grep ubi8
registry.access.redhat.com/ubi8   latest   fd73e6738a95   4 weeks ago    239 MB

[ajia@kvm-08-guest07 ~]$ buildah containers
CONTAINER ID  BUILDER  IMAGE ID     IMAGE NAME                       CONTAINER NAME
182b99ea0005     *     fd73e6738a95 registry.access.redhat.com/ub... ubi8-working-container

[ajia@kvm-08-guest07 ~]$ buildah run ubi8-working-container ls
bin  boot  dev	etc  home  lib	lib64  lost+found  media  mnt  opt  proc  root	run  sbin  srv	sys  tmp  usr  var

[ajia@kvm-08-guest07 ~]$ buildah version
Version:         1.11.6
Go Version:      go1.12.12
Image Spec:      1.0.1-dev
Runtime Spec:    1.0.1-dev
CNI Spec:        0.4.0
libcni Version:  
image Version:   5.0.0
Git Commit:      
Built:           Wed Dec 31 19:00:00 1969
OS/Arch:         linux/amd64

[ajia@kvm-08-guest07 ~]$ buildah info
{
    "host": {
        "CgroupVersion": "v1",
        "Distribution": {
            "distribution": "\"rhel\"",
            "version": "7.8"
        },
        "MemTotal": 3973427200,
        "MenFree": 1819844608,
        "OCIRuntime": "runc",
        "SwapFree": 4049514496,
        "SwapTotal": 4160745472,
        "arch": "amd64",
        "cpus": 2,
        "hostname": "xxx.redhat.com",
        "kernel": "3.10.0-1127.el7.x86_64",
        "os": "linux",
        "rootless": true,
        "uptime": "120h 10m 9.49s (Approximately 5.00 days)"
    },
    "store": {
        "ContainerStore": {
            "number": 1
        },
        "GraphDriverName": "overlay",
        "GraphOptions": [
            "overlay.mount_program=/usr/bin/fuse-overlayfs"
        ],
        "GraphRoot": "/home/ajia/.local/share/containers/storage",
        "GraphStatus": {
            "Backing Filesystem": "xfs",
            "Native Overlay Diff": "false",
            "Supports d_type": "true",
            "Using metacopy": "false"
        },
        "ImageStore": {
            "number": 4
        },
        "RunRoot": "/run/user/1001"
    }
}

Comment 15 errata-xmlrpc 2020-04-01 00:26:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1231