improve "open /etc/subuid: no such file or directory" error message #1755

Closed
vrothberg opened this issue Nov 4, 2018 · 13 comments
@vrothberg
Member

Existing openSUSE deployments will run into the issue that /etc/sub{g,u}id are not present as no (base) package added those; useradd and usermod don't create those files. I've fixed this via the shadow package now adding those files so that new installs and new users have proper entries but that doesn't solve the issue for existing users.

In other words, existing users don't have this file and will always run into Podman failing with "open /etc/subuid: no such file or directory". I think Podman should catch those errors and guide the user a bit more, maybe even printing the corresponding section from podman(1).

@rhatdan
Member

rhatdan commented Nov 5, 2018

Yes, we should give an error that tells the user that those files need to be created and then tell them to read the man page.

@giuseppe
Member

giuseppe commented Nov 7, 2018

Should we move this issue to containers/storage? The logic for handling /etc/sub{g,u}id is there.

@rhatdan
Member

rhatdan commented Nov 7, 2018

SGTM

@vrothberg
Member Author

I opened containers/storage#231. I suggest keeping the issue here open until containers/storage#231 is merged and vendored.

@rhatdan
Member

rhatdan commented Nov 7, 2018

I don't think we should do it at that low of a level. What do you think about something like:

diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index 5c45f269..e97bbf05 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -196,6 +196,9 @@ func BecomeRootInUserNS() (bool, int, error) {
        mappings, err := idtools.NewIDMappings(username, username)
        if os.Getenv("PODMAN_ALLOW_SINGLE_ID_MAPPING_IN_USERNS") == "" {
                if err != nil {
+                       if os.NotExist(err) {
+                               return false, 0, errors.Wrapf(err, "/etc/subuid or /etc/subgid does not exist, refer to subuid/subgid man pages for use of these files")
+                       }
                        return false, -1, err
                }
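
Review bot: `os.NotExist(err)` on the first added line is not a function in Go's os package, so this will not compile; the predicate is `os.IsNotExist(err)`. It will also only match if idtools.NewIDMappings hands back the underlying path error unwrapped, so if that call wraps its errors, test `errors.Cause(err)` instead. The new branch returns `false, 0, ...` while the existing error return directly below it returns `false, -1, err`; use -1 in both unless the difference is intended. The message passed to errors.Wrapf has no format arguments, so errors.Wrap is enough, and since the wrapped error already names the file that failed to open, the text could point the user at subuid(5) and subgid(5) by name rather than "subuid/subgid man pages".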

@giuseppe
Member

giuseppe commented Nov 8, 2018

@rhatdan SGTM

@vrothberg
Member Author

I am okay with both solutions 👍

@afbjorklund
Contributor

afbjorklund commented Nov 11, 2018

This is an issue with a Busybox installation as well. I can add the newuidmap and newgidmap programs (from shadow-4.6), but there are some other requirements missing that are not fulfilled for this to be fully useful:

tc@box:~$ useradd
-sh: useradd: not found
tc@box:~$ man
-sh: man: not found

So maybe I will just replace it with some text like "permission denied", rather than adding rootless support... There's some extra stuff that needs to be in place first as well, such as slirp4netns and fuse-overlayfs.

Support for "subordinate ids" needs to go here: https://git.busybox.net/busybox/tree/loginutils

Before all that is in place in boot2podman, users would just have to know to run sudo podman instead. Since everything is running inside a VM anyway, it is not a big deal. Just slightly confusing for newcomers.

i.e. maybe it's more like alias docker='sudo podman' right now ? (cf. usermod -aG docker)

@rhatdan
Member

rhatdan commented Nov 11, 2018

I think we need more documentation for different platforms as they evolve. RHEL and CentOS also do not fully support podman as non-root yet.

@rhatdan
Member

rhatdan commented Dec 22, 2018

@vrothberg @TomSweeneyRedHat Any movement on this? Better documentation in man pages?

@vrothberg
Member Author

@rhatdan, for me #1795 solved the issue. I am not sure if we could improve the situation besides making that clear in the RHEL docs.

@rhatdan
Member

rhatdan commented Dec 23, 2018

Ok closing.

@rhatdan rhatdan closed this as completed Dec 23, 2018
@afbjorklund
Contributor

I didn't bother with fixing adduser in busybox, so just hacked /etc/subuid and /etc/subgid.
Only added newuidmap and newgidmap binaries (from shadow), but it seems to be enough...

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 24, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2023