Bug 1990653 - new shadow-utils 4.9 breaks rootless podman containers
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: shadow-utils
Version: 35
Hardware: Unspecified
OS: Unspecified
Assignee: Iker Pedrosa
QA Contact: Fedora Extras Quality Assurance
Whiteboard: sync-to-jira review
Duplicates: 1990734
Blocks: 1989556
Reported: 2021-08-05 20:41 UTC by Dusty Mabe
Modified: 2021-08-12 14:19 UTC (History)
Last Closed: 2021-08-12 14:19:59 UTC
Type: Bug

Description Dusty Mabe 2021-08-05 20:41:16 UTC
Description of problem:

disclaimer: I don't know if the bug is in shadow-utils or podman. If it's podman simply re-assign the bug

With the new version of shadow-utils we can no longer start rootless podman containers in Fedora rawhide.

```
[core@cosa-devsh ~]$ toolbox create --assumeyes
Error: failed to get the Podman version
```

```
[core@cosa-devsh ~]$ podman info
Error: cannot setup namespace using newuidmap: exit status 1
```


Version-Release number of selected component (if applicable):

```
[core@cosa-devsh ~]$ rpm -q shadow-utils podman kernel
shadow-utils-4.9-1.fc35.x86_64
podman-3.3.0-0.26.rc1.fc35.x86_64
kernel-5.14.0-0.rc4.20210804gitd5ad8ec3cfb5.36.fc35.x86_64
```

How reproducible:

Always


Steps to Reproduce:
1. Boot system, run podman info as normal user.

Actual results:

Error


Expected results:

No error


Additional info:

This was found in the Fedora CoreOS CI system. Fedora CoreOS is rpm-ostree based (not dnf) so there may be complications because of that.

Comment 1 Ed Santiago 2021-08-05 21:01:28 UTC
FWIW I've just spun up a rawhide VM, installed podman (3.3.0-0.26.rc1.fc35), dnf-upgraded to shadow-utils-4.9-1.fc35, and:

    # loginctl enable-linger fedora
    # su - fedora
    $ podman info
    [works fine]
    $ podman run alpine date
    [also works fine]

There is a long history of rootless podman problems that are caused by a broken shadow-utils install. Is it possible to respin the rpm-ostree?

Comment 2 Ed Santiago 2021-08-05 21:12:16 UTC
Uh, then again:

    # adduser testuser2
    # loginctl enable-linger testuser2
    # su - testuser2
    $ podman info
    Error: cannot setup namespace using newuidmap: exit status 1

    # cat /etc/subuid
    fedora:100000:65536
    testuser2:0:0

Comment 3 Iker Pedrosa 2021-08-06 08:38:49 UTC
This is also happening with Fedora rawhide so I think we can rule out rpm-ostree.

Can you try removing "testuser2:0:0" or the equivalent from /etc/subuid? I don't know why this line is there and when I removed it "podman info" was working.

Comment 4 Dusty Mabe 2021-08-06 13:05:21 UTC
For me (Fedora CoreOS) here are the contents of /etc/subuid:

```
[core@cosa-devsh ~]$ cat /etc/subuid
core:0:0
```

Comment 5 Dusty Mabe 2021-08-06 13:08:57 UTC
If I replace /etc/subuid and /etc/subgid with `core:100000:65536` instead of what is in there (`core:0:0`) then things start working.

Comment 6 Dusty Mabe 2021-08-06 13:09:39 UTC
For context, `core` is the default username on Fedora CoreOS.

Comment 7 Dusty Mabe 2021-08-06 13:14:14 UTC
(In reply to Iker Pedrosa from comment #3)
> This is also happening with Fedora rawhide so I think we can rule out
> rpm-ostree.
> 
> Can you try removing "testuser2:0:0" or the equivalent from /etc/subuid? I
> don't know why this line is there and when I removed it "podman info" was
> working.

`testuser2:0:0` in /etc/subuid was probably created when he called `adduser testuser2`
(see comment#2). Maybe a bug in `adduser`?

Comment 8 Iker Pedrosa 2021-08-06 13:57:00 UTC
*** Bug 1990734 has been marked as a duplicate of this bug. ***

Comment 9 Iker Pedrosa 2021-08-09 13:44:56 UTC
I think I have the solution. Can you try it? https://copr.fedorainfracloud.org/coprs/ipedrosa/useradd_breaks_podman/

Comment 10 Dusty Mabe 2021-08-09 16:04:18 UTC
Seems to work for me:

```
[core@cosa-devsh ~]$ rpm -q shadow-utils
shadow-utils-4.9-2debug.fc35.x86_64
[core@cosa-devsh ~]$ cat /etc/subuid
core:100000:65536
```

Comment 13 Iker Pedrosa 2021-08-10 07:52:10 UTC
Upstream PR: https://github.com/shadow-maint/shadow/pull/399

Comment 14 Ben Cotton 2021-08-10 13:35:38 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle.
Changing version to 35.
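
An added example, not part of the bug thread and not code from shadow-utils or podman: a shell audit of a `name:start:count` subordinate-ID file for entries like the `core:0:0` and `testuser2:0:0` lines quoted above. The function names, the constructed sample file, and the `MIN_START` threshold (taken from the 100000 start of the working entries on this page) are assumptions.

```shell
#!/bin/sh
# Added example: audit a subordinate-ID file (/etc/subuid or /etc/subgid,
# one name:start:count entry per line) for unusable or suspicious ranges.
# MIN_START is an assumption, matching the working entries in this report.
MIN_START=${MIN_START:-100000}

# check_subid_file FILE
# Prints one finding per problem line; returns 0 if clean, 1 otherwise.
check_subid_file() {
    awk -F: -v min="$MIN_START" '
        /^[ \t]*$/ { next }                              # skip blank lines
        NF != 3 || $1 == "" || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            printf "%d: malformed entry: %s\n", NR, $0; bad = 1; next
        }
        $3 + 0 == 0 {                                    # the 0:0 case from this bug
            printf "%d: %s has an empty range (count 0)\n", NR, $1; bad = 1; next
        }
        $2 + 0 < min {                                   # range overlaps low host IDs
            printf "%d: %s range starts at %s, below %d\n", NR, $1, $2, min; bad = 1
        }
        END { exit bad }
    ' "$1"
}

# has_usable_range FILE USER
# Returns 0 only if USER has at least one entry with a non-zero count.
has_usable_range() {
    awk -F: -v u="$2" '
        $1 == u && $3 ~ /^[0-9]+$/ && $3 + 0 > 0 { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# Constructed sample mirroring the /etc/subuid contents quoted in comment 2.
sample=$(mktemp)
printf '%s\n' 'fedora:100000:65536' 'testuser2:0:0' > "$sample"
check_subid_file "$sample" || echo "findings above: fix before running rootless podman"
has_usable_range "$sample" testuser2 || echo "testuser2 has no usable subordinate range"
rm -f "$sample"
```

Run `check_subid_file /etc/subuid` and `check_subid_file /etc/subgid` after creating users with an affected shadow-utils build; both files need a non-empty range for the user.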