Description of problem:
I need to make use of newuidmap and newgidmap to make use of user namespaces in RHEL. I have shadow-utils-4.1.5.1-24.el7.x86_64 and it does not ship newuidmap and newgidmap. I am assuming it is old, that's why. Please update it to a newer version.

Version-Release number of selected component (if applicable): shadow-utils-4.1.5.1-24.el7.x86_64

How reproducible:
Steps to Reproduce: 1. 2. 3.
Actual results:
Expected results:
Additional info:
Yes, we are having issues with this now. Could we just backport these tools to the current shadow-utils, and update useradd and groupadd to do the /etc/subgid and /etc/subuid editing?
The exact issue is in usermod. dockerd, in usergroupadd_linux.go, is exec'ing usermod with -v and -w options to create subuid and subgid entries respectively. These options seem to be new in shadowutils-2.4.2. See bug 1546870. HTH.
Latest versions of runc also use newuidmap/newgidmap to set up additional mappings for unprivileged userNS. This is required for unprivileged userNS support in Buildah/podman.
We are seeing a lot of interest in using buildah and podman as non-root. Without newgidmap and newuidmap on RHEL, those users will not be able to use this feature. I think we should reconsider not at least adding these two executables.
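A prerequisite check for the rootless setup discussed in the comments above, as an added example that is not part of the original thread or of any project named in it. It assumes the standard `name:start:count` line format of /etc/subuid and /etc/subgid; the function names and the `SUBUID_FILE`/`SUBGID_FILE` override variables are hypothetical.

```shell
#!/bin/sh
# Added example: report which rootless user-namespace prerequisites are absent.
# SUBUID_FILE / SUBGID_FILE (hypothetical names) can be overridden so the check
# can be pointed at constructed files; the defaults are the real paths.
SUBUID_FILE=${SUBUID_FILE:-/etc/subuid}
SUBGID_FILE=${SUBGID_FILE:-/etc/subgid}

# Print "start count" for every range assigned to user $2 in file $1.
# Line format: name:start:count. Malformed or zero-length entries are skipped.
# Returns non-zero when the file is unreadable or the user has no valid range.
subid_ranges() {
    [ -r "$1" ] || return 1
    awk -F: -v u="$2" '
        $1 == u && NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $3 > 0 {
            print $2, $3
            found = 1
        }
        END { exit !found }' "$1"
}

# Check one user: both mapping helpers must be on PATH and the user needs a
# range in both files. Prints each missing piece, returns how many are missing.
rootless_prereqs() {
    user=$1
    missing=0
    for tool in newuidmap newgidmap; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing binary: $tool"
            missing=$((missing + 1))
        fi
    done
    for f in "$SUBUID_FILE" "$SUBGID_FILE"; do
        if ! subid_ranges "$f" "$user" >/dev/null; then
            echo "no subordinate ID range for $user in $f"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: rootless_prereqs "$(id -un)"
```
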
*** Bug 1657167 has been marked as a duplicate of this bug. ***
*** Bug 1651450 has been marked as a duplicate of this bug. ***
*** Bug 1610211 has been marked as a duplicate of this bug. ***
Tomas Mraz 2019-01-22 10:56:25 UTC
> External Bug ID: Red Hat Knowledge Base (Solution) 3732441

What does that article have to do with missing newuidmap/newgidmap binaries?
Nothing.
What is the status of this bug? Red Hat advertises Buildah as a way to do rootless container builds but yet it isn't even supported on RHEL 7 because of this issue. What gives?
I was also asked by a customer regarding this. I guess running containers without root is pretty appealing.
Steffen can you just pull this package and let your customer test with it? I know Vincent Batts has a shadow-utils package that was built externally for RHEL7 users to play with.
(In reply to Daniel Walsh from comment #85)
> Steffen can you just pull this package and let your customer test with it?
> I know Vincent Batts has a shadow-utils package that was built externally
> for RHEL7 users to play with.

I just followed [1] and ran into two issues:
1) unable to pull image due to no access to registry.key (fixed with chmod 644 /etc/docker/certs.d/registry.access.redhat.com/*.key)
2) unable to perform yum-action inside non-root container

What issue do we have here?
I followed the instructions and I was able to pull an image as non-root. But when trying to run a container I faced:
Error: error checking slirp4netns binary /usr/bin/slirp4netns: exit status 1
No other output. Any ideas?
Do you have slirp4netns installed? If you run with --net=host does the container work?
Well, slirp4netns is supposed to allow us to set up a different network from the --net=host.
This blog outlines the steps necessary to get rootless working on RHEL 7.6 https://www.redhat.com/en/blog/preview-running-containers-without-root-rhel-76 When we get the slirp4netns and newuidmap stuff into RHEL 7.7, this should work out of the box similar to RHEL 8.X.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2102