GOSU fails to switch when provided user_id is larger than 65536?!!

[Samahu]

I am using gosu within a docker container that is going to be run within a rootless docker mode. The rootless mode is required.

I am trying to use gosu when launching the container to maintain the file permissions and ownership to the host user for files generated during a docker session.

The problem is whenever I try to invoke gosu to switch to the newly added user within docker (that matches the host user), I get the following errro:

error: failed switching to "some_user": invalid argument

I looked around and found that this might the most related issue: #64 However, when I try what was the developer who asked the question struggling with, I didn't have a problem executing the command:

gosu 1000 id # or gosu 1000:1000 id 

That being the case I did several tests and found out that there seems to be an upper limit on the user id that gosu accepts:

$ gosu 65536 id
uid=65536 gid=0(root) groups=0(root)
$ gosu 65537 id
error: failed switching to "65537": invalid argument

Unfortunately, my user id has a value larger than 65536. Can some one explain why is this a problem and whether there is a way around this limitation.

$ gosu --version
gosu version: 1.10 (go1.10.4 on linux/amd64; gc)
     license: GPL-3 (full text at https://github.com/tianon/gosu)

[tianon]

I'm not able to reproduce without rootless:

/ # gosu 2147483647:2147483647 id
uid=2147483647 gid=2147483647

I'm guessing the third field in your user's /etc/subuid designation is set to 65536, which is the upper limit on the range of remapped user IDs that gets created (https://docs.docker.com/engine/security/rootless/).

[Samahu]

Indeed, the third field of /etc/subuid is set to 65536. I will check if increasing the value would fix the problem.

[Samahu]

I increased the value of third field to 15665550 but now docker won't start. I don't fully understand how to pick the range for the user name space such that it would work with rootless docker and still work gosu, does anyone have an idea?

Note that the value of :100000:65536 is not something that I came up with but rather it is what the rootless docker installation script emits: https://github.com/moby/moby/blob/master/contrib/dockerd-rootless-setuptool.sh

Thanks!

[Samahu]

I got some feedback from docker maintainers, hinting at editing /etc/logins.def. Do you know how this affects gosu? Do you think that merely increasing SUB_UID_COUNT to 15665550 would fix the issue?

I don't understand how you were able to run gosu 2147483647:2147483647 id on your end without hitting the default limit of SUB_UID_COUNT=65536. Unless you have these limits adjusted in '/etc/logins.def`?

We use strictly controlled machines and any adjustments to be made to system files require a privileged user intervention. So I'd rather understand the issue before I open a ticket. Thanks!

[Samahu]

I got some feedback from docker maintainers, hinting at editing /etc/logins.def. Do you know how this affects gosu? Do you think that merely increasing SUB_UID_COUNT to 15665550 would fix the issue?

I don't understand how you were able to run gosu 2147483647:2147483647 id on your end without hitting the default limit of SUB_UID_COUNT=65536. Unless you have these limits adjusted in '/etc/logins.def`?

We use strictly controlled machines and any adjustments to be made to system files require a privileged user intervention. So I'd rather understand the issue before I open a ticket. Thanks!

I don't think that increasing SUB_UID_COUNT to 15665550 is a good approach. If I understood correctly this controls the number of sub user ids assigned to each user on the system.

[tianon]

Yeah, that makes sense, but I'm not sure I understand how/why it's related to gosu now? For example, sudo -u '#2147483647' id would definitely suffer from the same symptoms since these are (intentional) kernel limitations, not userspace.

(In other words, I'd suggest further discussion should probably go to a dedicated support forum, such as the Docker Community Forums, the Docker Community Slack, or Stack Overflow, since there doesn't appear to be anything here gosu should or even can do differently.)

[tianon]

(I'm able to run the commands successfully because I'm not running rootless.)

[Samahu]

I don't have a working solution to this issue but going to close it anyway for now. If you or anyone got to try out gosu with rootless docker mode please update this ticket.