[pkg-go] Bug#1032990: podman: user containers are completely broken with sssd: insufficient UIDs or GIDs available in user namespace

Martin Pitt mpitt at debian.org
Tue Apr 4 19:55:55 BST 2023


Control: reassign -1 sssd-common 2.8.2-3
Control: affects -1 podman
Control: retitle -1 sssd-common: subids nsswitch.conf entry breaks user sub[ug]ids
Control: severity -1 serious

Matej Marusak [2023-04-03 14:00 +0000]:
> This is easily reproducible by:
> - Download newest image, e.g. https://cloud.debian.org/images/cloud/bullseye/daily/20230403-1339/debian-11-genericcloud-amd64-daily-20230403-1339.qcow2
> - Install podman and sssd-tools and sssd-dbus. It works fine without sssd
> - Login as 'admin' user
> - podman pull debian
>
> This command fails with:
> ERRO[0004] While applying layer: ApplyLayer stdout:  stderr: potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/gshadow): Check /etc/subuid and /etc/subgid if configured locally and run podman-system-migrate: lchown /etc/gshadow: invalid argument exit status 1
> Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:3e440a7045683e27f8e2fa04000e0e078d8dfac0c971358ae0f8c65c13321c8e": ApplyLayer stdout:  stderr: potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/gshadow): Check /etc/subuid and /etc/subgid if configured locally and run podman-system-migrate: lchown /etc/gshadow: invalid argument exit status 1

Indeed this is a regression in sssd-common. Its postinst now does

| # Automatically added by dh_installnss/1.7
| if [ "$1" = "configure" ] && [ -f "${DPKG_ROOT}/etc/nsswitch.conf.nss.${DPKG_MAINTSCRIPT_PACKAGE}-will-install" ] && [ -e "${DPKG_ROOT}/etc/nsswitch.conf" ] ; then
|         if ! grep -q -E  -e '^subid:[^#]*\s(sss)(\s|#|$)' "${DPKG_ROOT}/etc/nsswitch.conf" ; then
|                 # Installing subid/sss from sssd-common in position last
|                 sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^subid:\s[^#]*$/ s/$/ sss/' -e '/^subid:\s.*#/ s/#/ sss #/'
|         fi
|         rm "${DPKG_ROOT}/etc/nsswitch.conf.nss.${DPKG_MAINTSCRIPT_PACKAGE}-will-install"
| fi

Which the previous version didn't do. This causes this entry in
/etc/nsswitch.conf:

   subid:  sss

... which is broken:

   # getsubids admin
   Error fetching ranges

It works with "subid: files sss" or with dropping that line altogether, so
that it goes back to reading /etc/sub[ug]id:

   # getsubids admin
   0: admin 100000 65536

Either this postinst snippet forgets to add "files" or it forgets to systemctl
enable whichever service is supposed to respond to the "sss" service for
"subid".

Raising to RC, as this breaks unrelated software, and this change happened
during freeze already.

Thanks,

Martin
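A small audit-and-repair helper for the misconfiguration described in this report, added here as an example; it is not part of the bug report, of sssd's packaging, or of dh_installnss. It takes the path of an nsswitch.conf (a copy, for the demonstration) and checks whether the "subid:" line still lists "files" next to "sss", mirroring the "subid: files sss" form the report says works; the repair step is the same kind of sed edit the quoted postinst performs, just inserting "files" instead of appending "sss".

```shell
#!/bin/sh
# Added example, not from the bug report or the sssd package. Inspects and
# repairs the "subid:" database line of an nsswitch.conf given as argument.

# subid_sources FILE -> prints the source list of the "subid:" line with any
# trailing "# comment" removed, or nothing when the line is absent.
subid_sources() {
    sed -n -E 's/^subid:[[:space:]]*//p' "$1" | sed 's/#.*$//'
}

# check_subid FILE -> one of:
#   absent        : no subid line; libsubid reads /etc/subuid and /etc/subgid
#   ok            : "files" is listed, so local ranges still resolve
#   missing-files : the line exists but lacks "files" (the "subid: sss" case
#                   from this bug, where getsubids fails unless sssd answers)
check_subid() {
    # split the source list into positional parameters
    set -- $(subid_sources "$1")
    [ "$#" -eq 0 ] && { echo absent; return 0; }
    for src in "$@"; do
        [ "$src" = files ] && { echo ok; return 0; }
    done
    echo missing-files
}

# fix_subid FILE -> when the line lacks "files", prepend it so that
# "subid:  sss" becomes "subid: files sss". Returns 0 if the file was changed,
# 1 if nothing needed doing. Writes via a temp file to stay portable
# (no reliance on GNU "sed -i").
fix_subid() {
    [ "$(check_subid "$1")" = missing-files ] || return 1
    sed -E 's/^subid:[[:space:]]*/subid: files /' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Demonstration on a constructed copy; the real file is /etc/nsswitch.conf.
demo_nsswitch=$(mktemp)
printf 'passwd:         files sss\nsubid:  sss\n' > "$demo_nsswitch"
echo "before: $(check_subid "$demo_nsswitch")"   # missing-files
fix_subid "$demo_nsswitch"
echo "after:  $(check_subid "$demo_nsswitch")"   # ok
grep '^subid:' "$demo_nsswitch"                  # subid: files sss
rm -f "$demo_nsswitch"
```

Running `check_subid /etc/nsswitch.conf` on an affected host reports `missing-files`; a configuration-management or CI check can fail on that value, which catches the regression before anything runs `getsubids` or a rootless `podman pull`.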