Description of problem:
We should add user containers to /etc/subuid and /etc/subgid to support running pods in user namespaces. Now /etc/subuid and /etc/subgid only show:
core:100000:65536
If we want to run pods in user namespaces, we have to add user containers via a MachineConfig. We should add a "containers" entry to /etc/subuid and /etc/subgid by default, for example:
containers:200000:268435456

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2022-01-05-181126

How reproducible:
always

Steps to Reproduce:
1. Create an OCP cluster
2. $ oc debug node/minmli410010601-22jvg-worker-northcentralus-trjkk
3. sh-4.4# chroot /host
   sh-4.4# cat /etc/subgid
   core:100000:65536
   sh-4.4# cat /etc/subuid
   core:100000:65536

Actual results:
3. The /etc/sub[u,g]id files only include core:100000:65536

Expected results:
3. The /etc/sub[u,g]id files should include a "containers" entry

Additional info:
Please refer to the comment in https://issues.redhat.com/browse/OCPNODE-683
Great point! I opened a PR to fix it.
Not fixed; there are duplicate lines including "containers":

$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-02-07-162517   True        False         9m25s   Cluster version is 4.10.0-0.nightly-2022-02-07-162517

$ oc debug node/ip-10-0-145-70.us-east-2.compute.internal
Starting pod/ip-10-0-145-70us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.145.70
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-4.4# cat /etc/subuid
core:100000:65536
containers:165536:65536
containers:200000:16000000
sh-4.4#
sh-4.4# cat /etc/subgid
core:100000:65536
containers:165536:65536
containers:200000:16000000
That is expected; the key is that at least the line containers:200000:16000000 is present. Any extra are a bonus.
Hi Peter, can you confirm that CRI-O will pick the line containers:200000:16000000 and not the line containers:165536:65536 when running pods in a user namespace? And the duplicate lines won't lead to any conflict or consistency issue in some scenario? (Though I'm not sure of the specific scenario.)
When multiple lines are found, they are merged. So the additional IDs assigned to "containers" should be 165536:65536 and 200000:16000000.
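The following is an added example, not code from this bug report, OpenShift or CRI-O. It parses /etc/subuid-style content, merges every range a user has across duplicate lines in the way the comment above describes, checks that the range the maintainer calls required (containers:200000:16000000) is covered, and reports ranges that overlap between different users, which is the kind of conflict the question in this thread is about. The sample file contents are constructed from the output pasted in Comment 12; the conflicting sample and the node-name placeholder in the usage comment are assumptions for illustration only.

```python
# Added example (not code from the bug report, OpenShift or CRI-O): a checker
# for /etc/subuid and /etc/subgid content that keeps every line for a user,
# merges one user's ranges the way the comment above says happens when several
# lines are found, verifies that a required range is present, and flags ranges
# that overlap between different users.
from dataclasses import dataclass
from itertools import combinations

# Constructed sample: the /etc/subuid content shown in Comment 12 of this bug.
SAMPLE_SUBUID = """\
core:100000:65536
containers:165536:65536
containers:200000:16000000
"""

# Constructed sample with a real conflict: a second user's range lands inside
# core's range. This does NOT appear in the bug; it only exercises the check.
CONFLICTING_SUBUID = """\
core:100000:65536
containers:150000:1000
"""

REQUIRED_USER = "containers"
REQUIRED_START = 200000      # the entry the maintainer says must be present
REQUIRED_COUNT = 16000000


@dataclass(frozen=True)
class SubIdRange:
    start: int
    count: int

    @property
    def end(self):
        """First ID *after* the range (half-open interval [start, end))."""
        return self.start + self.count


def parse_subid(text):
    """Parse user:start:count lines into {user: [ranges...]}, keeping duplicates.

    Blank lines and '#' comments are skipped; anything else malformed raises,
    because a typo in these files silently breaks user-namespace pods.
    """
    ranges = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected user:start:count, got {raw!r}")
        user, start, count = parts
        start_i, count_i = int(start), int(count)
        if start_i < 0 or count_i <= 0:
            raise ValueError(f"line {lineno}: start must be >= 0 and count > 0")
        ranges.setdefault(user, []).append(SubIdRange(start_i, count_i))
    return ranges


def merge_ranges(ranges):
    """Coalesce overlapping or touching ranges of one user into a sorted union."""
    merged = []
    for r in sorted(ranges, key=lambda r: r.start):
        if merged and r.start <= merged[-1].end:
            last = merged[-1]
            merged[-1] = SubIdRange(last.start, max(last.end, r.end) - last.start)
        else:
            merged.append(r)
    return merged


def distinct_id_count(ranges):
    """How many distinct IDs the user really gets once its lines are merged."""
    return sum(r.count for r in merge_ranges(ranges))


def range_covered(parsed, user, start, count):
    """True if [start, start+count) lies inside the user's merged allocation."""
    end = start + count
    return any(m.start <= start and end <= m.end
               for m in merge_ranges(parsed.get(user, [])))


def cross_user_overlaps(parsed):
    """Sorted pairs of different users whose ranges share at least one ID."""
    found = set()
    for (ua, ra), (ub, rb) in combinations(parsed.items(), 2):
        if any(a.start < b.end and b.start < a.end for a in ra for b in rb):
            found.add(tuple(sorted((ua, ub))))
    return sorted(found)


def check_node(text):
    """Summarise one node's /etc/subuid (or /etc/subgid) content."""
    parsed = parse_subid(text)
    return {
        "required_present": range_covered(parsed, REQUIRED_USER, REQUIRED_START, REQUIRED_COUNT),
        "containers_distinct_ids": distinct_id_count(parsed.get(REQUIRED_USER, [])),
        "cross_user_overlaps": cross_user_overlaps(parsed),
    }


if __name__ == "__main__":
    # On a cluster, feed this the output of (node name is a placeholder):
    #   oc debug node/<node-name> -- chroot /host cat /etc/subuid
    print(check_node(SAMPLE_SUBUID))
    print(check_node(CONFLICTING_SUBUID))
```

Run against the Comment 12 content, the checker reports the required range as present, no cross-user overlap, and 16034464 distinct IDs for "containers" (the two lines overlap, so the union is smaller than the sum of the counts). Duplicate lines for the same user are therefore harmless; the case worth alerting on is two different users sharing an ID, which the constructed conflicting sample triggers.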
According to Comment 12, the bug is fixed!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056