Closed Samahu closed 3 years ago
I'm not able to reproduce without rootless:
/ # gosu 2147483647:2147483647 id
uid=2147483647 gid=2147483647
I'm guessing the third field in your user's `/etc/subuid` designation is set to `65536`, which is the upper limit on the range of remapped user IDs that gets created (https://docs.docker.com/engine/security/rootless/).
Indeed, the third field of `/etc/subuid` is set to 65536. I will check if increasing the value would fix the problem.
I increased the value of the third field to 15665550 but now docker won't start. I don't fully understand how to pick the range for the user namespace such that it would work with rootless docker and still work with gosu. Does anyone have an idea?
Note that the value of
Thanks!
I got some feedback from docker maintainers, hinting at editing `/etc/logins.def`. Do you know how this affects `gosu`?
Do you think that merely increasing SUB_UID_COUNT to 15665550 would fix the issue?
I don't understand how you were able to run `gosu 2147483647:2147483647 id` on your end without hitting the default limit of SUB_UID_COUNT=65536. Unless you have these limits adjusted in `/etc/logins.def`?
We use strictly controlled machines and any adjustments to be made to system files require a privileged user intervention. So I'd rather understand the issue before I open a ticket. Thanks!
I don't think that increasing SUB_UID_COUNT to 15665550 is a good approach. If I understood correctly this controls the number of sub user ids assigned to each user on the system.
Yeah, that makes sense, but I'm not sure I understand how/why it's related to `gosu` now? For example, `sudo -u '#2147483647' id` would definitely suffer from the same symptoms since these are (intentional) kernel limitations, not userspace.
(In other words, I'd suggest further discussion should probably go to a dedicated support forum, such as the Docker Community Forums, the Docker Community Slack, or Stack Overflow, since there doesn't appear to be anything here `gosu` should or even can do differently.)
(I'm able to run the commands successfully because I'm not running rootless.)
I don't have a working solution to this issue but going to close it anyway for now. If you or anyone got to try out gosu with rootless docker mode please update this ticket.
I am using gosu within a docker container that is going to be run within a rootless docker mode. The rootless mode is required.
I am trying to use `gosu` when launching the container to maintain the file permissions and ownership to the host user for files generated during a docker session.
The problem is whenever I try to invoke gosu to switch to the newly added user within docker (that matches the host user), I get the following error:
I looked around and found that this might be the most related issue: #64. However, when I try what the developer who asked the question was struggling with, I didn't have a problem executing the command:
That being the case, I did several tests and found out that there seems to be an upper limit on the user id that `gosu` accepts:
Unfortunately, my user id has a value larger than 65536. Can someone explain why this is a problem and whether there is a way around this limitation?
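The limit discussed in this thread can be checked from inside the container before calling `gosu`. The following is an added example, not part of the thread and not gosu or Docker code: it tests whether a target ID falls inside a range listed in `/proc/self/uid_map`, since the kernel refuses to switch to an ID with no mapping. The function names and the sample map (host UID 1001, a subuid range starting at 100000 with count 65536) are constructed assumptions.

```shell
#!/bin/sh
# uid_is_mapped ID [MAPFILE]
# Returns 0 if ID lies inside a range of a uid_map/gid_map style file,
# 1 if it does not, 2 if ID is not a non-negative integer.
# Each map line is: <first id inside ns> <first id outside ns> <length>
uid_is_mapped() {
    id=$1
    map=${2:-/proc/self/uid_map}
    case $id in ''|*[!0-9]*) return 2 ;; esac
    while read -r inside outside length; do
        [ -n "$length" ] || continue            # skip blank or short lines
        if [ "$id" -ge "$inside" ] && [ "$id" -lt $((inside + length)) ]; then
            return 0
        fi
    done < "$map"
    return 1
}

# Constructed sample: a rootless-style map where container root is the host
# user (UID 1001, assumed) and IDs 1..65536 come from an /etc/subuid entry
# whose third field is 65536.
write_sample_map() {
    printf '%s\n' '0 1001 1' '1 100000 65536' > "$1"
}

demo() {
    sample=$(mktemp)
    write_sample_map "$sample"
    for candidate in 0 1000 65536 65537 2147483647; do
        if uid_is_mapped "$candidate" "$sample"; then
            echo "$candidate: mapped, switching to it can succeed"
        else
            echo "$candidate: not mapped, the kernel will refuse it"
        fi
    done
    rm -f "$sample"
}
demo
```

Called with a single argument inside a running container, `uid_is_mapped` reads the live `/proc/self/uid_map`; pass `/proc/self/gid_map` as the second argument to check a group ID.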