Bug 1990653

Summary: new shadow-utils 4.9 breaks rootless podman containers
Product: [Fedora] Fedora
Reporter: Dusty Mabe <dustymabe>
Component: shadow-utils
Assignee: Iker Pedrosa <ipedrosa>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 35
CC: atikhono, ipedrosa, mpitt, pvrabec, santiago, tm
Target Milestone: ---
Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira review
Last Closed: 2021-08-12 14:19:59 UTC
Type: Bug
Bug Blocks: 1989556    

Description Dusty Mabe 2021-08-05 20:41:16 UTC
Description of problem:

Disclaimer: I don't know if the bug is in shadow-utils or podman. If it's podman, simply re-assign the bug.

With the new version of shadow-utils we can no longer start rootless podman containers in Fedora rawhide.

```
[core@cosa-devsh ~]$ toolbox create --assumeyes
Error: failed to get the Podman version
```

```
[core@cosa-devsh ~]$ podman info
Error: cannot setup namespace using newuidmap: exit status 1
```


Version-Release number of selected component (if applicable):

```
[core@cosa-devsh ~]$ rpm -q shadow-utils podman kernel
shadow-utils-4.9-1.fc35.x86_64
podman-3.3.0-0.26.rc1.fc35.x86_64
kernel-5.14.0-0.rc4.20210804gitd5ad8ec3cfb5.36.fc35.x86_64
```

How reproducible:

Always


Steps to Reproduce:
1. Boot system, run podman info as normal user.

Actual results:

Error


Expected results:

No error


Additional info:

This was found in the Fedora CoreOS CI system. Fedora CoreOS is rpm-ostree based (not dnf) so there may be complications because of that.

Comment 1 Ed Santiago 2021-08-05 21:01:28 UTC
FWIW I've just spun up a rawhide VM, installed podman (3.3.0-0.26.rc1.fc35), dnf-upgraded to shadow-utils-4.9-1.fc35, and:

    # loginctl enable-linger fedora
    # su - fedora
    $ podman info
    [works fine]
    $ podman run alpine date
    [also works fine]

There is a long history of rootless podman problems that are caused by a broken shadow-utils install. Is it possible to respin the rpm-ostree?

Comment 2 Ed Santiago 2021-08-05 21:12:16 UTC
Uh, then again:

    # adduser testuser2
    # loginctl enable-linger testuser2
    # su - testuser2
    $ podman info
    Error: cannot setup namespace using newuidmap: exit status 1

    # cat /etc/subuid
    fedora:100000:65536
    testuser2:0:0

Comment 3 Iker Pedrosa 2021-08-06 08:38:49 UTC
This is also happening with Fedora rawhide so I think we can rule out rpm-ostree.

Can you try removing "testuser2:0:0" or the equivalent from /etc/subuid? I don't know why this line is there and when I removed it "podman info" was working.

Comment 4 Dusty Mabe 2021-08-06 13:05:21 UTC
For me (Fedora CoreOS) here are the contents of /etc/subuid:

```
[core@cosa-devsh ~]$ cat /etc/subuid
core:0:0
```

Comment 5 Dusty Mabe 2021-08-06 13:08:57 UTC
If I replace /etc/subuid and /etc/subgid with `core:100000:65536` instead of what is in there (`core:0:0`) then things start working.

Comment 6 Dusty Mabe 2021-08-06 13:09:39 UTC
For context, `core` is the default username on Fedora CoreOS.

Comment 7 Dusty Mabe 2021-08-06 13:14:14 UTC
(In reply to Iker Pedrosa from comment #3)
> This is also happening with Fedora rawhide so I think we can rule out
> rpm-ostree.
> 
> Can you try removing "testuser2:0:0" or the equivalent from /etc/subuid? I
> don't know why this line is there and when I removed it "podman info" was
> working.

`testuser2:0:0` in /etc/subuid was probably created when he called `adduser testuser2`
(see comment #2). Maybe a bug in `adduser`?

Comment 8 Iker Pedrosa 2021-08-06 13:57:00 UTC
*** Bug 1990734 has been marked as a duplicate of this bug. ***

Comment 9 Iker Pedrosa 2021-08-09 13:44:56 UTC
I think I have the solution. Can you try it? https://copr.fedorainfracloud.org/coprs/ipedrosa/useradd_breaks_podman/

Comment 10 Dusty Mabe 2021-08-09 16:04:18 UTC
Seems to work for me:

```
[core@cosa-devsh ~]$ rpm -q shadow-utils
shadow-utils-4.9-2debug.fc35.x86_64
[core@cosa-devsh ~]$ cat /etc/subuid
core:100000:65536
```
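
A check for the condition diagnosed in this thread, as an added example that is not part of the original report or of shadow-utils: it scans a subordinate-ID file for entries such as `core:0:0`, whose count is zero, and also flags malformed lines, low start values and ranges shared between users. The function name `check_subid`, the default threshold of 100000 (the start value of the working entries above) and the sample file are assumptions of this example.

```shell
#!/bin/sh
# check_subid FILE [MIN_START]
# Prints one line per problem found in a subuid/subgid file and returns 1 if
# any were found. MIN_START (default 100000, an assumption of this example)
# is the lowest start value accepted without a warning.
check_subid() {
    awk -F: -v min="${2:-100000}" '
        BEGIN { bad = 0; n = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            printf "%d: malformed entry: %s\n", NR, $0; bad = 1; next
        }
        $3 == 0 {
            # The case from this bug: newuidmap has no IDs to map.
            printf "%d: %s has an empty range (%s:%s)\n", NR, $1, $2, $3
            bad = 1; next
        }
        $2 < min {
            printf "%d: %s range starts at %s, below %d\n", NR, $1, $2, min
            bad = 1
        }
        {
            # Ranges that belong to different users must not overlap.
            for (i = 1; i <= n; i++)
                if (owner[i] != $1 && $2 < lo[i] + len[i] && lo[i] < $2 + $3) {
                    printf "%d: %s overlaps %s\n", NR, $1, owner[i]; bad = 1
                }
            n++; owner[n] = $1; lo[n] = $2 + 0; len[n] = $3 + 0
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: the broken and the working entry quoted in this thread.
sample=$(mktemp)
printf '%s\n' 'testuser2:0:0' 'fedora:100000:65536' > "$sample"
check_subid "$sample" || echo "problems found in $sample"
rm -f "$sample"
```

`/etc/subuid` and `/etc/subgid` share this format, so the same function can be run against both.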

Comment 13 Iker Pedrosa 2021-08-10 07:52:10 UTC
Upstream PR: https://github.com/shadow-maint/shadow/pull/399

Comment 14 Ben Cotton 2021-08-10 13:35:38 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle.
Changing version to 35.