Bug 1498628 (rhel77-crypto-shadow-utils) - shadow-utils: Update to get newuidmap and newgidmap binaries
Keywords:
Status: CLOSED ERRATA
Alias: rhel77-crypto-shadow-utils
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: shadow-utils
Version: 7.5
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: rc
: ---
Assignee: Tomas Mraz
QA Contact: Dalibor Pospíšil
Mirek Jahoda
URL:
Whiteboard:
Duplicates: 1610211 1657167
Depends On:
Blocks: 1186913 1594286 1648377 1688348 1718378 1640527 1654329 1657167
Reported: 2017-10-04 19:41 UTC by Vivek Goyal
Modified: 2020-02-14 07:21 UTC (History)

Fixed In Version: shadow-utils-4.6-1.el7
Doc Type: Enhancement
Doc Text:
.`shadow-utils` rebased to version 4.6
The `shadow-utils` packages have been upgraded to upstream version 4.6, which provides a number of bug fixes and enhancements over the previous version, most notably the `newuidmap` and `newgidmap` commands for manipulating the UID and GID namespace mapping.
Clone Of:
Environment:
Last Closed: 2019-08-06 12:47:34 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4159321 Configure None Are non-root users unable to use podman in Red Hat Enterprise Linux 7.6 or lower? 2019-05-21 22:45:09 UTC
Red Hat Product Errata RHBA-2019:2102 None None None 2019-08-06 12:47:46 UTC

Description Vivek Goyal 2017-10-04 19:41:31 UTC
Description of problem:

I need to make use of newuidmap and newgidmap to make use of user namespaces in rhel. I have shadow-utils-4.1.5.1-24.el7.x86_64 and it does not ship newuidmap and newgidmap.

I am assuming it is old, that's why. Please update it to a newer version.

Version-Release number of selected component (if applicable):

shadow-utils-4.1.5.1-24.el7.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 8 Daniel Walsh 2018-03-13 19:45:03 UTC
Yes, we are having issues with this now. Could we just back port these tools to the current shadow-utils, and update useradd and groupadd to do the /etc/subgid and /etc/subuid editing?

Comment 9 Ed Santiago 2018-03-14 03:11:38 UTC
The exact issue is in usermod. dockerd, in usergroupadd_linux.go, is exec'ing usermod with -v and -w options to create subuid and subgid entries respectively. These options seem to be new in shadowutils-2.4.2. See bug 1546870. HTH.

Comment 19 Giuseppe Scrivano 2018-07-07 10:45:59 UTC
Latest versions of runc also use newuidmap/newgidmap to set up additional mappings for unprivileged userNS. This is required for unprivileged userNS support in Buildah/podman.
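
Added illustration, not part of the bug thread and not shadow-utils code: the subuid/subgid entries that comment 9 says usermod creates, and that newuidmap/newgidmap consult before writing a mapping, are lines of the form `owner:first_id:count`. The Python below audits such a file for a missing, undersized or overlapping range; the sample data, the function names and the 65536 threshold are assumptions.

```python
import re
from itertools import combinations
from typing import NamedTuple
# Constructed sample in /etc/subuid format (owner:first_id:count); not from the bug report.
SAMPLE_SUBUID = """\
alice:100000:65536
bob:165536:65536
carol:200000:65536
dave:300000:1000
broken:abc:10
"""

_ENTRY = re.compile(r"([^:\s]+):([0-9]+):([0-9]+)")

class SubRange(NamedTuple):
    owner: str
    start: int
    count: int

def parse_subid(text):
    """Parse owner:first_id:count lines into (ranges, findings)."""
    ranges, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = _ENTRY.fullmatch(raw.strip())
        if m is None or int(m.group(3)) == 0:
            findings.append(("MALFORMED", lineno))
            continue
        ranges.append(SubRange(m.group(1), int(m.group(2)), int(m.group(3))))
    return ranges, findings

def audit(text, user, min_count=65536):  # min_count: assumed policy threshold
    """Flag a missing or undersized range for `user` and ranges shared by two owners."""
    ranges, findings = parse_subid(text)
    owned = sum(r.count for r in ranges if r.owner == user)
    if owned == 0:
        findings.append(("NO_RANGE", user))
    elif owned < min_count:
        findings.append(("SMALL_RANGE", user))
    for a, b in combinations(ranges, 2):
        # Half-open intervals [start, start + count) intersect.
        if a.owner != b.owner and a.start < b.start + b.count and b.start < a.start + a.count:
            findings.append(("OVERLAP", a.owner, b.owner))
    return findings

if __name__ == "__main__":
    for who in ("alice", "dave", "erin"):
        print(who, audit(SAMPLE_SUBUID, who))
```

An `OVERLAP` finding means two accounts can map the same host IDs into their namespaces, so files created by one user's container are owned by IDs the other user's container can also assume.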

Comment 23 Daniel Walsh 2018-08-14 11:10:42 UTC
We are seeing a lot of interest in using buildah and podman as non root; without the newgidmap and newuidmap on RHEL, those users will not be able to use this feature. I think we should reconsider not at least adding these two executables.

Comment 60 Daniel Walsh 2018-12-07 14:36:32 UTC
*** Bug 1657167 has been marked as a duplicate of this bug. ***

Comment 64 Tomas Mraz 2019-01-22 10:56:25 UTC
*** Bug 1651450 has been marked as a duplicate of this bug. ***

Comment 73 Tomas Mraz 2019-02-11 16:42:09 UTC
*** Bug 1610211 has been marked as a duplicate of this bug. ***

Comment 74 Dominik Mierzejewski 2019-02-26 16:15:34 UTC
Tomas Mraz 2019-01-22 10:56:25 UTC
> External Bug ID: Red Hat Knowledge Base (Solution) 3732441

What does that article have to do with missing newuidmap/newgidmap binaries?

Comment 75 Tomas Mraz 2019-02-26 16:26:16 UTC
Nothing.

Comment 76 Jeremy Christian 2019-03-20 20:22:15 UTC
What is the status of this bug? Red Hat advertises Buildah as a way to do rootless container builds but yet it isn't even supported on RHEL 7 because of this issue. What gives?

Comment 80 Remus Buzatu 2019-03-23 21:12:29 UTC
I was also asked by a customer regarding this. I guess running containers without root is pretty appealing.

Comment 85 Daniel Walsh 2019-03-26 11:59:43 UTC
Steffen, can you just pull this package and let your customer test with it? I know Vincent Batts has a shadow-utils package that was built externally for RHEL7 users to play with.

Comment 86 Steffen Froemer 2019-03-27 15:00:57 UTC
(In reply to Daniel Walsh from comment #85)
> Steffen can you just pull this package and let your customer test with it? 
> I know Vincent Batts has a shadow-utils package that was built externally
> for RHEL7 users to play with.

I just followed [1] and ran into two issues:
  1) unable to pull image due to no access to registry.key
     (fixed with chmod 644 /etc/docker/certs.d/registry.access.redhat.com/*.key)
  2) unable to perform yum-action inside non-root container

What issue do we have here?

Comment 91 Sorin Sbarnea 2019-05-29 15:51:46 UTC
I followed the instructions and I was able to pull an image as non-root. But when trying to run a container I faced:

Error: error checking slirp4netns binary /usr/bin/slirp4netns: exit status 1

No other output. Any ideas?

Comment 92 Daniel Walsh 2019-05-29 18:02:11 UTC
Do you have slirp4netns installed?

If you run with --net=host does the container work?

Comment 94 Daniel Walsh 2019-05-29 20:59:13 UTC
Well, slirp4netns is supposed to allow us to set up a different network from the --net=host.

Comment 95 Scott McCarty 2019-05-30 17:16:04 UTC
This blog outlines the steps necessary to get rootless working on RHEL 7.6

https://www.redhat.com/en/blog/preview-running-containers-without-root-rhel-76

When we get the slirp4netns and newuidmap stuff into RHEL 7.7, this should work out of the box similar to RHEL 8.X.

Comment 98 errata-xmlrpc 2019-08-06 12:47:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2102

