Open paolope opened 4 years ago
/cc @bgilbert
I'm honestly not exactly sure whether this way of renumbering OS-provided users is expected to work, or if it just happens to be almost working by chance for the `core` user specifically.
If it is using `useradd`, then the subids are not automatically generated for IDs < 1000 or > 60000.

> if it is using `useradd`,

Yes, it looks like Ignition is using `useradd`.

> then the subids are not automatically generated for IDs < 1000 or > 60000.

I see. `useradd` assumes anything < 1000 is a system user.

@paolope maybe you can modify this with a later run `usermod --add-subuids` and `usermod --add-subgids` invocation.
I saw similar things. I wanted to create a non-root / non-`core` user for running containers via podman. If you create a user with `system: true` set, it would not add the correct entries to `/etc/subuid` or `/etc/subgid` and the user cannot be used with rootless podman. If you set `system: false` it creates the entries for the user just fine.
```
$ ssh core@192.168.122.246
Warning: Permanently added '192.168.122.246' (ECDSA) to the list of known hosts.
Fedora CoreOS 32.20200601.1.1
Tracker: https://github.com/coreos/fedora-coreos-tracker
Discuss: https://discussion.fedoraproject.org/c/server/coreos/
[core@localhost ~]$ sudo cat /etc/subuid
core:100000:65536
[core@localhost ~]$ sudo cat /etc/subgid
core:100000:65536
[core@localhost ~]$ systemctl status mycoolpod.service
● mycoolpod.service - Podman mycoolpod.service
Loaded: loaded (/etc/systemd/system/mycoolpod.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2020-06-10 16:45:17 UTC; 3min 25s ago
Process: 1148 ExecStartPre=/usr/bin/podman pod create --name mycoolpod -p 443:443 -p 80:80 (code=exited, status=0/SUCCESS)
Process: 1833 ExecStart=/usr/bin/podman pod start mycoolpod (code=exited, status=0/SUCCESS)
Tasks: 22 (limit: 9458)
Memory: 135.4M
CGroup: /system.slice/mycoolpod.service
├─1240 /usr/bin/podman
├─1887 /usr/bin/fuse-overlayfs -o lowerdir=/var/home/mycooluser/.local/share/containers/storage/overlay/l/VJZ4FD4YOVDG427VPAQQQ7HAZ7,upperdir=/var/home/mycooluser/.local/share/contain>
├─1892 /usr/bin/slirp4netns --disable-host-loopback --mtu 65520 --enable-sandbox --enable-seccomp -c -e 3 -r 4 --netns-type=path /tmp/run-992/netns/cni-d5725ee3-0c64-f4db-0ea1-d74005e>
├─1904 containers-rootlessport
├─1930 containers-rootlessport-child
├─1975 /usr/bin/conmon --api-version 1 -c 54008b65921badacead68f1e0aa4af12397fd7ec1d935c1d20d2baf178f7fc80 -u 54008b65921badacead68f1e0aa4af12397fd7ec1d935c1d20d2baf178f7fc80 -r /usr/>
└─1994 /pause
Jun 10 16:45:15 localhost systemd[1]: Starting Podman mycoolpod.service...
Jun 10 16:45:15 localhost podman[1148]: time="2020-06-10T16:45:15Z" level=error msg="cannot find mappings for user mycooluser: No subuid ranges found for user \"mycooluser\" in /etc/subuid"
Jun 10 16:45:15 localhost podman[1238]: time="2020-06-10T16:45:15Z" level=error msg="cannot find mappings for user mycooluser: No subuid ranges found for user \"mycooluser\" in /etc/subuid"
Jun 10 16:45:16 localhost podman[1238]: c96dc3f45fa3c9432126c3c91efad1e8c3edd1fc79d1394a41d0ce5b178f39ec
Jun 10 16:45:16 localhost systemd[1]: mycoolpod.service: Found left-over process 1240 (podman pause) in control group while starting unit. Ignoring.
Jun 10 16:45:16 localhost systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Jun 10 16:45:16 localhost podman[1854]: time="2020-06-10T16:45:16Z" level=error msg="cannot find mappings for user mycooluser: No subuid ranges found for user \"mycooluser\" in /etc/subuid"
Jun 10 16:45:17 localhost podman[1854]: c96dc3f45fa3c9432126c3c91efad1e8c3edd1fc79d1394a41d0ce5b178f39ec
Jun 10 16:45:17 localhost systemd[1]: Started Podman mycoolpod.service.
```
```yaml
variant: fcos
version: 1.0.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-ed25519 ...
    - name: mycooluser
      system: true
storage:
  files:
    - path: /etc/sysctl.d/90-ip-unprivileged-port-start.conf
      mode: 0644
      contents:
        inline: |
          net.ipv4.ip_unprivileged_port_start = 0
systemd:
  units:
    - name: mycoolpod.service
      enabled: true
      contents: |
        [Unit]
        Description=Podman mycoolpod.service
        Wants=network.target
        After=network-online.target
        [Service]
        User=mycooluser
        Group=mycooluser
        Environment=PODMAN_SYSTEMD_UNIT=%n
        Restart=on-failure
        ExecStartPre=-/usr/bin/podman pod create --name mycoolpod -p 443:443 -p 80:80
        ExecStart=/usr/bin/podman pod start mycoolpod
        ExecStop=/usr/bin/podman pod stop -t 10 mycoolpod
        KillMode=none
        Type=forking
        [Install]
        WantedBy=multi-user.target default.target
```
I used Fedora CoreOS Config Transpiler v0.6.0-2-g6e27296 to create my IGN file from the yaml above.
I also set the UID to something below 1000 and the result was the same as the @paolope
```yaml
variant: fcos
version: 1.0.0
passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPekWj19MJiQ0iZLS9ed6Fq7TI52FcNWmmdP3fHgf679 joe@solidadmin.com
    - name: mycooluser
      uid: 500
      system: false
```
```
$ ssh core@192.168.122.141
Warning: Permanently added '192.168.122.141' (ECDSA) to the list of known hosts.
Fedora CoreOS 32.20200601.1.1
Tracker: https://github.com/coreos/fedora-coreos-tracker
Discuss: https://discussion.fedoraproject.org/c/server/coreos/
[core@localhost ~]$ cat /etc/subuid
core:100000:65536
[core@localhost ~]$ cat /etc/subgid
core:100000:65536
[core@localhost ~]$ id mycooluser
uid=500(mycooluser) gid=1001(mycooluser) groups=1001(mycooluser)
```

I noticed that the GID for this user was 1001, so I tried to add the group for `mycooluser` with the 501 gid
```yaml
variant: fcos
version: 1.0.0
passwd:
  groups:
    - name: mycooluser
      gid: 501
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-ed25519 snip joe@mycooluser.com
    - name: mycooluser
      uid: 501
      groups: ["mycooluser"]
      system: false
```
and fedora-coreos-32.20200601.1.1-qemu-next refuses to boot.
> I also set the UID to something below 1000 and the result was the same as the @paolope

Right. So I think we're back to `usermod --add-subuids` and `usermod --add-subgids`, or simply appending the appropriate values to a file using an Ignition snippet would work.
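As an added example (not code from this thread or from Fedora CoreOS), a POSIX shell helper for the manual step suggested above: it computes the next free range in a subuid/subgid file the way the login.defs defaults would (start at 100000, 65536 ids per user, ceiling 600100000) and appends an entry for a user that `useradd` skipped. The file path is a parameter and the sample content in the test is constructed, so it can be tried on a copy before touching `/etc/subuid` or `/etc/subgid`.

```shell
#!/bin/sh
# Added example, not part of the issue thread. Mirrors the shadow-utils
# login.defs defaults SUB_UID_MIN / SUB_UID_COUNT / SUB_UID_MAX; the same
# values apply to /etc/subgid.
SUB_MIN=100000
SUB_COUNT=65536
SUB_MAX=600100000

# Print the first start value that does not overlap any existing range.
# Each valid line has the form name:start:count; malformed lines are skipped.
next_subid_start() {
    awk -F: -v min="$SUB_MIN" '
        NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            end = $2 + $3
            if (end > min) min = end
        }
        END { print min }' "$1"
}

# Succeed (exit 0) only if the user already has an entry in the file.
has_subid_entry() {
    awk -F: -v u="$2" 'NF == 3 && $1 == u { found = 1 } END { exit !found }' "$1"
}

# Append "user:start:count" unless the user already has a range, and print
# the line that now covers the user. Fails if the pool is exhausted.
add_subid_entry() {
    file=$1; user=$2
    if has_subid_entry "$file" "$user"; then
        grep "^${user}:" "$file"
        return 0
    fi
    start=$(next_subid_start "$file")
    if [ $((start + SUB_COUNT)) -gt "$SUB_MAX" ]; then
        echo "no free subid range below $SUB_MAX in $file" >&2
        return 1
    fi
    printf '%s:%s:%s\n' "$user" "$start" "$SUB_COUNT" >> "$file"
    printf '%s:%s:%s\n' "$user" "$start" "$SUB_COUNT"
}
```

The line it produces is exactly what an Ignition `storage.files` entry for `/etc/subuid` (and another for `/etc/subgid`) would need to append; `usermod --add-subuids` / `usermod --add-subgids` is the alternative that lets shadow-utils do the same bookkeeping.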
I haven't gotten to change subuid/subgid manually yet. Assuming it works, would it be worth writing up some docs for the benefit of users trying to transition from CL who (like me) happened to rely on user numbering?
On Wed, 10 Jun 2020, 19:47 Dusty Mabe, notifications@github.com wrote:

> > I also set the UID to something below 1000 and the result was the same as the @paolope https://github.com/paolope
>
> right. so I think we're back to usermod --add-subuids and usermod --add-subgids or simply appending the appropriate values to a file using an ignition snippet would work.
> I haven't gotten to change subuid/subgid manually yet. Assuming it works, would it be worth writing up some docs for the benefit of users trying to transition from CL and (like me) happened to rely on user numbering?
I think that could be worthwhile, thanks! Our docs repo is here: https://github.com/coreos/fedora-coreos-docs
As a side note, I would be interested to know why this is a difference between CL and FCOS since they're both using Ignition. Maybe useradd behaves differently in Gentoo vs Fedora?

The `core` user in CL pre-existed and was uid 500, gid 500.
Using the following ignition configuration to replicate CL's default of having core with UID/GID 500:

/etc/subgid and /etc/subuid are empty. I'm not sure what's the best way to add `core` to them. Immediate effect of this is I can't run `toolbox` as `core`. EDIT: doesn't change if `system` is set to `false`. Using FCOS 31.20200407.3.0.