Hello everyone,
today we have a short but hopefully useful post.
At work I am currently using a Lenovo L15 with Fedora Workstation 44. The system is part of the local Active Directory, which means I log into my laptop with a domain user.
Very straightforward so far. Why am I mentioning it? Well, I am trying to use podman for several different containers, since I don’t want to install potentially useless applications on my system. Podman lets me sandbox an application and test it at the same time, keeping my system clean and somewhat safe.
The issue is that the AD user is not included in the ‘/etc/subuid’ and ‘/etc/subgid’ files, which define (if I understand it correctly) the subordinate UID/GID ranges used for user namespace mapping in rootless containers.
This means I cannot use podman with my current work user. I get the following error message when executing a ‘podman pull’ or ‘podman build’ command.
ERRO[0000] cannot find UID/GID for user username@domain.local: no subuid ranges found for user "username@domain.local" in /etc/subuid - check rootless mode in man pages.
WARN[0000] Using rootless single mapping into the namespace. This might break some images. Check /etc/subuid and /etc/subgid for adding sub*ids if not using a network user
Alright. Let’s solve this issue.
Getting User ID
First things first: we need the AD user's ID. This is simple enough, just run the following to get it. I did try to use the username for the ID mapping, but it did not work.
$ id -u
304430964
You can also use the following command to see which user ID podman is using. Look for the paths under /run/user/; the number in them is the ID, 304430964 in my case.
$ podman system info | grep user
userPercent: 6.3
rundir: /run/user/304430964/crun
path: /run/user/304430964/podman/podman.sock
configFile: /home/user/.config/containers/storage.conf
graphRoot: /home/user/.local/share/containers/storage
runRoot: /run/user/304430964/containers
volumePath: /home/user/.local/share/containers/storage/volumes
Add user ID to subuid and subgid
Manual way
Now that we have the ID, we can either insert it into the ‘/etc/subuid’ and ‘/etc/subgid’ files by hand or use the usermod command.
Here is the manual way. Add the following line to each file, replacing the placeholder with the ID you have on your system.
$ sudo vim /etc/subuid
...
<your-user-id>:100000:165536
...
Same for the subgid.
$ sudo vim /etc/subgid
...
<your-user-id>:100000:165536
...
The entry format is start:count, i.e. the first subordinate ID followed by the number of consecutive IDs. If you check the file and find a user whose range would overlap with 100000:165536, use a higher starting number (something over 165536).
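Before adding a line by hand it is worth checking the proposed range against what the file already contains, since two users sharing subordinate IDs defeats the isolation the mapping is meant to give. The script below is an added example, not part of the original post: it works on a constructed sample file standing in for /etc/subuid, and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example: check a proposed subordinate ID range against an
# /etc/subuid or /etc/subgid style file before adding it by hand.
# Each entry is  name-or-uid:start:count  and covers the IDs
# start .. start+count-1 (the 165536 in the post is a count, not an end).

# Print every existing entry whose range overlaps [START, START+COUNT).
# Exit status 0 if at least one overlap was found, 1 if the range is free.
subid_overlaps() {
    awk -F: -v s="$2" -v c="$3" '
        NF >= 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            lo = $2 + 0; hi = lo + $3           # existing range [lo, hi)
            if (lo < s + c && s < hi) { print; found = 1 }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the lowest start >= FLOOR (default 100000) such that
# [start, start+COUNT) overlaps nothing already in FILE.
subid_next_free() {
    awk -F: -v c="$2" -v f="${3:-100000}" '
        BEGIN { n = 0 }
        NF >= 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            lo[n] = $2 + 0; hi[n] = $2 + $3; n++
        }
        END {
            s = f + 0
            # Bump the candidate past every range it collides with until
            # a full pass finds no collision.
            do {
                moved = 0
                for (i = 0; i < n; i++)
                    if (lo[i] < s + c && s < hi[i]) { s = hi[i]; moved = 1 }
            } while (moved)
            print s
        }
    ' "$1"
}

# Constructed sample file standing in for /etc/subuid (not from a real system).
SAMPLE_SUBUID=$(mktemp)
trap 'rm -f "$SAMPLE_SUBUID"' EXIT
printf '%s\n' 'alice:100000:65536' 'bob:165536:65536' > "$SAMPLE_SUBUID"

# Does the range from the post, 100000:165536, collide with anything?
if subid_overlaps "$SAMPLE_SUBUID" 100000 165536; then
    echo "100000:165536 overlaps the entries above; lowest free start for 65536 IDs:" \
         "$(subid_next_free "$SAMPLE_SUBUID" 65536)"
else
    echo "100000:165536 is free"
fi
# Real use: subid_overlaps /etc/subuid <start> <count>
#           subid_next_free /etc/subuid <count>
```

On the sample file the first call prints both existing entries (the post's range would swallow alice and bob entirely) and the second call answers 231072, the first start that clears both. Run the same two functions against the real /etc/subuid and /etc/subgid before writing the new line.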
Usermod way
Here is the usermod way, which should handle a potential UID conflict automatically.
sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $(id -u)
Migrate podman
Once that's done, run the podman system migration. This updates existing containers to use the new user namespace mapping.
$ podman system migrate
(Update) The authselect way
I just figured out that there is an SSSD option to handle this issue. I could not test it yet (will try tomorrow), but apparently we can also use the following command to set the IDs.
Keep in mind that you need a valid SSSD configuration and the sssd-ad module installed on your system. If you joined your system using realmd, this should already be the case. Also, if the current profile is not sssd, do not use this, since it could break your configuration if you are using a different profile.
# First. Get the current profile.
$ sudo authselect current
Profile ID: sssd
Enabled features:
- with-silent-lastlog
- with-fingerprint
- with-mdns4
# If its sssd, enable the subid feature.
$ sudo authselect enable-feature with-subid
# Now check the config again
$ sudo authselect current
Profile ID: sssd
Enabled features:
- with-silent-lastlog
- with-fingerprint
- with-mdns4
- with-subid
After this, run the podman system migrate command again.
That’s it. Now you should be able to execute podman commands with your AD user.
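Whether the migration (after either the manual/usermod entry or the authselect feature) took effect can be read off the mapping the rootless namespace actually reports, rather than inferred from the absence of the warning. The script below is an added example, not part of the original post: the function names, the sample subuid file and the two constructed uid_map snippets are assumptions of the example, and the live command in the final comment assumes podman is installed.

```shell
#!/bin/sh
# Added example: confirm that the range configured in /etc/subuid is the one
# the rootless user namespace really uses. 'podman unshare cat /proc/self/uid_map'
# prints one line per mapping: "inside outside count". With only the fallback
# mapping there is a single line ("0 <uid> 1"); with subids a second line maps
# inside ID 1 onto the configured start and count.

# Print "start count" for USER's first entry in FILE, or nothing if absent.
subid_entry() {
    awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1"
}

# Print how many IDs MAP_TEXT maps in total (1 for the fallback mapping).
uidmap_total() {
    printf '%s\n' "$1" | awk 'NF == 3 { t += $3 } END { print t + 0 }'
}

# Return 0 if MAP_TEXT carries a line mapping inside ID 1 to exactly the
# start/count recorded for USER in FILE; 1 otherwise.
uidmap_matches_subid() {
    map=$3
    set -- $(subid_entry "$1" "$2")
    [ $# -eq 2 ] || return 1               # user has no subid entry at all
    printf '%s\n' "$map" | awk -v s="$1" -v c="$2" '
        NF == 3 && $1 == 1 && $2 == s && $3 == c { ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# Constructed samples (not captured from a real machine). The post keys the
# subuid entry by numeric UID, so the sample does the same.
SAMPLE_SUBUID=$(mktemp)
trap 'rm -f "$SAMPLE_SUBUID"' EXIT
printf '%s\n' 'alice:100000:65536' '304430964:165536:165536' > "$SAMPLE_SUBUID"
FALLBACK_MAP='         0  304430964          1'
FULL_MAP='         0  304430964          1
         1     165536     165536'

for m in "$FALLBACK_MAP" "$FULL_MAP"; do
    if uidmap_matches_subid "$SAMPLE_SUBUID" 304430964 "$m"; then
        echo "map covers $(uidmap_total "$m") IDs: subid range is active"
    else
        echo "map covers $(uidmap_total "$m") IDs: single mapping, run 'podman system migrate'"
    fi
done
# Live check (assumes podman is installed and the subuid entry is keyed by UID):
#   uidmap_matches_subid /etc/subuid "$(id -u)" "$(podman unshare cat /proc/self/uid_map)"
```

The fallback map totals 1 ID and fails the check; the full map totals 165537 IDs and passes because its second line reproduces the start and count from the file. If /etc/subuid keys the entry by login name instead of UID, pass that name as the second argument of the live check.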
Till next time.