Bug 1990734

Summary: user podman does not work any more: Error: cannot setup namespace using newuidmap: exit status 1 (broken /etc/sub[ug]id)
Product: [Fedora] Fedora Reporter: Martin Pitt <mpitt>
Component: shadow-utilsAssignee: Iker Pedrosa <ipedrosa>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: rawhideCC: acui, bbaude, container-sig, debarshir, dwalsh, ipedrosa, jnovy, lsm5, mheon, patrick, pehunt, pvrabec, rh.container.bot, santiago, tm
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-06 13:57:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Pitt 2021-08-06 05:42:06 UTC 
Description of problem: cockpit-podman's rawhide packit tests started to regress [1] very early in the setup when it tries to initialize user podman.

Version-Release number of selected component (if applicable):

podman-3.3.0-0.26.rc1.fc35.x86_64
crun-0.20.1.9-0.18.git60de767.fc35.x86_64
containers-common-1-24.fc35.noarch
kernel-core-5.14.0-0.rc4.20210804gitd5ad8ec3cfb5.36.fc35.x86_64
setup-2.13.9.1-2.fc35.noarch


How reproducible: Always


Steps to Reproduce:
1. Start a rawhide cloud image. E.g. like this:

IMG=$(curl -s -L https://download.fedoraproject.org/pub/fedora/linux/development/rawhide/Cloud/x86_64/images/ | grep -o 'Fedora-Cloud-Base-Rawhide[^"]*qcow2' | head -n1)
curl -L -o rawhide.qcow2 https://download.fedoraproject.org/pub/fedora/linux/development/rawhide/Cloud/x86_64/images/$IMG

# nothing fancy, just admin:foobar and root:foobar users
curl -L -O https://github.com/cockpit-project/bots/raw/main/machine/cloud-init.iso

# run VM with SSH port redirection
qemu-system-x86_64 -cpu host -enable-kvm -nographic -m 2048 -drive file=rawhide.qcow2,if=virtio -snapshot -cdrom cloud-init.iso -net nic,model=virtio -net user,hostfwd=tcp::2201-:22

# comfortable login (password "foobar")
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no -p 2201 root@localhost


2. Try to use podman as "fedora" user (standard user on cloud images):

loginctl enable-linger fedora
su - -c 'podman info' fedora


Actual results:

  Error: cannot setup namespace using newuidmap: exit status 1


Expected results:

  host:
    arch: amd64
  [...]
  (succeeds)


Additional info:

This is not related to the lingering setup or using `su`. You can `passwd fedora` and log into the serial console to get a "proper" login session, and it fails the same way.

The root cause is that /etc/sub[ug]id are broken. On fedora 34:

# cat /etc/subuid
admin:100000:65536
fedora:165536:65536

On rawhide:

# cat /etc/subuid
admin:0:0
fedora:0:0

When fixing both files, user podman works fine.

I don't know what exactly creates these sub[ug]id entries on user creation, so please assign to the correct package. Thank you!

[1] http://artifacts.dev.testing-farm.io/3354ff10-0faf-4951-a3e7-5f91339b30fb/
Comment 1 Matthew Heon 2021-08-06 13:19:49 UTC 
Reassigning to shadow-utils, given Podman does not manage these files.
Comment 2 Iker Pedrosa 2021-08-06 13:57:00 UTC 
Closing it as a duplicate of #1990653

*** This bug has been marked as a duplicate of bug 1990653 ***