Bug 2038827

Summary: should add user containers in /etc/subuid and /etc/subgid to support run pods in user namespaces
Product: OpenShift Container Platform Reporter: MinLi <minmli>
Component: NodeAssignee: Peter Hunt <pehunt>
Node sub component: CRI-O QA Contact: MinLi <minmli>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: aos-bugs, gscrivan, pehunt
Version: 4.10Flags: pehunt: needinfo-
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: 1.23.0-105.rhaos4.10.gita975152 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-10 16:38:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description MinLi 2022-01-10 09:21:16 UTC 
Description of problem:
We should add user containers in /etc/subuid and /etc/subgid to support run pods in user namespaces.
Now /etc/subuid and /etc/subgid only show: core:100000:65536
If we want to run pod in user namespaces, we have to add user containers via a MachineConfig. We should add "containers" entry in /etc/subuid and /etc/subgid by default, for example:
containers:200000:268435456

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2022-01-05-181126

How reproducible:
always

Steps to Reproduce:
1.create a ocp cluster 

2.$ oc debug node/minmli410010601-22jvg-worker-northcentralus-trjkk

3.
sh-4.4# chroot /host 
sh-4.4# cat /etc/subgid
core:100000:65536
sh-4.4# cat /etc/subuid
core:100000:65536

Actual results:
3 /etc/sub[u,g]id file only include core:100000:65536

Expected results:
3 /etc/sub[u,g]id file should include entry "containers"

Additional info:
please refer to the comment in https://issues.redhat.com/browse/OCPNODE-683
Comment 1 Peter Hunt 2022-01-10 20:26:45 UTC 
great point! I opened a PR to fix
Comment 9 MinLi 2022-02-08 05:17:25 UTC 
not fixed, there are duplicate lines including "containers"

$ oc get clusterversion 
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-02-07-162517   True        False         9m25s   Cluster version is 4.10.0-0.nightly-2022-02-07-162517

$ oc debug node/ip-10-0-145-70.us-east-2.compute.internal
Starting pod/ip-10-0-145-70us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.145.70
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host 
sh-4.4# cat /etc/subuid 
core:100000:65536
containers:165536:65536
containers:200000:16000000
sh-4.4#   
sh-4.4# cat /etc/subgid
core:100000:65536
containers:165536:65536
containers:200000:16000000
Comment 10 Peter Hunt 2022-02-08 14:35:26 UTC 
that is expected, the key is that at least the line containers:200000:16000000 is present. any extra are a bonus
Comment 11 MinLi 2022-02-09 02:15:38 UTC 
Hi, Peter
Can you confirm the crio will pick the line containers:200000:16000000 but not the line containers:165536:65536 when running pods in usernamespace? 
And the duplicate line won't lead to any conflict or consistency issue in some scenario? (Though I'm not sure the specific scenario)
Comment 12 Giuseppe Scrivano 2022-02-09 14:52:30 UTC 
when multiple lines are found, they are merged.

So the additional IDs assigned to "containers" should be 165536:65536 and 200000:16000000
Comment 13 MinLi 2022-02-10 03:29:18 UTC 
according to  Comment 12 , the bug is fixed!
Comment 15 errata-xmlrpc 2022-03-10 16:38:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056