Bug 1498628 (rhel77-crypto-shadow-utils) - shadow-utils: Update to get newuidmap and newgidmap binaries
Summary: shadow-utils: Update to get newuidmap and newgidmap binaries
Keywords:
Status: CLOSED ERRATA
Alias: rhel77-crypto-shadow-utils
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: shadow-utils
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Tomas Mraz
QA Contact: Dalibor Pospíšil
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Duplicates: 1610211 1657167
Depends On:
Blocks: 1186913 1594286 1640527 1648377 1654329 1657167 1688348 1718378
Reported: 2017-10-04 19:41 UTC by Vivek Goyal
Modified: 2023-03-24 13:52 UTC

Fixed In Version: shadow-utils-4.6-1.el7
Doc Type: Enhancement
Doc Text:
.`shadow-utils` rebased to version 4.6
The `shadow-utils` packages have been upgraded to upstream version 4.6, which provides a number of bug fixes and enhancements over the previous version, most notably the `newuidmap` and `newgidmap` commands for manipulating the UID and GID namespace mapping.
Clone Of:
Environment:
Last Closed: 2019-08-06 12:47:34 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4159321 0 Configure None Are non-root users unable to use podman in Red Hat Enterprise Linux 7.6 or lower? 2019-05-21 22:45:09 UTC
Red Hat Product Errata RHBA-2019:2102 0 None None None 2019-08-06 12:47:46 UTC

Description Vivek Goyal 2017-10-04 19:41:31 UTC
Description of problem:

I need to make use of newuidmap and newgidmap to make use of user namespaces in rhel. I have shadow-utils-4.1.5.1-24.el7.x86_64 and it does not ship newuidmap and newgidmap.

I am assuming it is old, that's why. Please update it to a newer version.

Version-Release number of selected component (if applicable):

shadow-utils-4.1.5.1-24.el7.x86_64


Comment 8 Daniel Walsh 2018-03-13 19:45:03 UTC
Yes we are having issues with this now.  Could we just back port these tools to the current shadow-utils, and update useradd and groupadd to do the /etc/subgid and /etc/subuid editing?

Comment 9 Ed Santiago 2018-03-14 03:11:38 UTC
The exact issue is in usermod. dockerd, in usergroupadd_linux.go, is exec'ing usermod with -v and -w options to create subuid and subgid entries respectively. These options seem to be new in shadowutils-2.4.2. See bug 1546870. HTH.

Comment 19 Giuseppe Scrivano 2018-07-07 10:45:59 UTC
Latest versions of runc also use newuidmap/newgidmap to set up additional mappings for unprivileged userNS.  This is required for unprivileged userNS support in Buildah/podman.
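
Added example, not part of the bug report and not code from shadow-utils, dockerd or runc: a pre-flight audit for the two pieces the comments above say rootless containers depend on, the `/etc/subuid` / `/etc/subgid` entries and privileged `newuidmap` / `newgidmap` helpers. The `owner:first_id:count` layout follows subuid(5); the sample entries, the function names and the overlap check are assumptions of this example.

```python
import os
import shutil
import stat

# Constructed sample in subuid(5) layout (owner:first_id:count); not taken from the bug.
SAMPLE_SUBUID = "alice:100000:65536\nbob:165536:65536\ncarol:200000:65536\nnot-a-valid-entry\n"

def parse_subid(text):
    """Return (entries, bad_lines); each entry is (owner, first_id, last_id)."""
    entries, bad_lines = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split(":")
        if fields == [""]:
            continue  # blank line
        ok = len(fields) == 3 and all(f.isdecimal() for f in fields[1:])
        if ok and int(fields[2]) > 0:
            first = int(fields[1])
            entries.append((fields[0], first, first + int(fields[2]) - 1))
        else:
            bad_lines.append(lineno)
    return entries, bad_lines

def find_overlaps(entries):
    """Owner pairs whose ranges intersect, so one user's namespace can map IDs of the other's."""
    ordered = sorted(entries, key=lambda e: e[1])
    overlaps = []
    for i, (owner_a, _, last_a) in enumerate(ordered):
        for owner_b, first_b, _ in ordered[i + 1:]:
            if first_b > last_a:
                break  # sorted by first_id, so nothing later can intersect
            if owner_a != owner_b:
                overlaps.append((owner_a, owner_b))
    return overlaps

def helper_status(name):
    """'missing', 'unprivileged' or 'ok' for newuidmap / newgidmap."""
    path = shutil.which(name)
    if path is None:
        return "missing"
    try:
        # The helper must be setuid root or carry file capabilities (xattr is Linux-only).
        privileged = bool(os.stat(path).st_mode & stat.S_ISUID) or \
            bool(os.getxattr(path, "security.capability"))
    except OSError:
        privileged = False
    return "ok" if privileged else "unprivileged"

if __name__ == "__main__":
    entries, bad = parse_subid(SAMPLE_SUBUID)
    print(find_overlaps(entries), bad, helper_status("newuidmap"), helper_status("newgidmap"))
```

On a real host, pass the contents of `/etc/subuid` and `/etc/subgid` to `parse_subid` instead of the constructed sample.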

Comment 23 Daniel Walsh 2018-08-14 11:10:42 UTC
We are seeing a lot of interest in using buildah and podman as non root, without the newgidmap and newuidmap on RHEL, those users will not be able to use this feature.  I think we should reconsider not at least adding these two executables.

Comment 60 Daniel Walsh 2018-12-07 14:36:32 UTC
*** Bug 1657167 has been marked as a duplicate of this bug. ***

Comment 64 Tomas Mraz 2019-01-22 10:56:25 UTC
*** Bug 1651450 has been marked as a duplicate of this bug. ***

Comment 73 Tomas Mraz 2019-02-11 16:42:09 UTC
*** Bug 1610211 has been marked as a duplicate of this bug. ***

Comment 74 Dominik Mierzejewski 2019-02-26 16:15:34 UTC
Tomas Mraz 2019-01-22 10:56:25 UTC
> External Bug ID: Red Hat Knowledge Base (Solution) 3732441

What does that article have to do with missing newuidmap/newgidmap binaries?

Comment 75 Tomas Mraz 2019-02-26 16:26:16 UTC
Nothing.

Comment 76 Jeremy Christian 2019-03-20 20:22:15 UTC
What is the status of this bug? Red Hat advertises Buildah as a way to do rootless container builds but yet it isn't even supported on RHEL 7 because of this issue. What gives?

Comment 80 Remus Buzatu 2019-03-23 21:12:29 UTC
I was also asked by a customer regarding this. I guess running containers without root is pretty appealing.

Comment 85 Daniel Walsh 2019-03-26 11:59:43 UTC
Steffen can you just pull this package and let your customer test with it?  I know Vincent Batts has a shadow-utils package that was built externally for RHEL7 users to play with.

Comment 86 Steffen Froemer 2019-03-27 15:00:57 UTC
(In reply to Daniel Walsh from comment #85)
> Steffen can you just pull this package and let your customer test with it? 
> I know Vincent Batts has a shadow-utils package that was built externally
> for RHEL7 users to play with.

I just followed [1] and ran into two issues:
  1) unable to pull image due to no access to registry.key 
     (fixed with chmod 644 /etc/docker/certs.d/registry.access.redhat.com/*.key)
  2) unable to perform yum-action inside non-root container

What issue do we have here?

Comment 91 Sorin Sbarnea 2019-05-29 15:51:46 UTC
I followed the instructions and I was able to pull an image as non-root. But when trying to run a container I faced:

Error: error checking slirp4netns binary /usr/bin/slirp4netns: exit status 1

No other output. Any ideas?

Comment 92 Daniel Walsh 2019-05-29 18:02:11 UTC
Do you have slirp4netns installed?

If you run with --net=host does the container work?

Comment 94 Daniel Walsh 2019-05-29 20:59:13 UTC
Well, slirp4netns is supposed to allow us to set up a different network from the --net=host.

Comment 95 Scott McCarty 2019-05-30 17:16:04 UTC
This blog outlines the steps necessary to get rootless working on RHEL 7.6

https://www.redhat.com/en/blog/preview-running-containers-without-root-rhel-76

When we get the slirp4netns and newuidmap stuff into RHEL 7.7, this should work out of the box similar to RHEL 8.X.

Comment 98 errata-xmlrpc 2019-08-06 12:47:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2102

