Add troubleshooting information about running a rootless containers.

Add a problem statement about shadow-utils and missing entries from
/etc/subuid and /etc/subgid.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh 2019-02-07 05:59:52 -07:00
parent c86e8f180c
commit 62c8ba527e
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
3 changed files with 121 additions and 13 deletions

View File

@ -657,18 +657,21 @@ The followings examples are all valid:
Without this argument the command will be run as root in the container.
**--userns**=""
**--userns**=host
**--userns**=ns:my_namespace
Set the usernamespace mode for the container. The use of userns is disabled by default.
Set the user namespace mode for the container. The use of userns is disabled by default.
**host**: use the host usernamespace and enable all privileged options (e.g., `pid=host` or `--privileged`).
**ns**: specify the usernamespace to use.
- `host`: run in the user namespace of the caller. This is the default if no user namespace options are set. The processes running in the container will have the same privileges on the host as any other process launched by the calling user.
- `ns`: run the container in the given existing user namespace.
This option is incompatible with --gidmap, --uidmap, --subuid and --subgid
**--uts**=*host*
Set the UTS mode for the container
**host**: use the host's UTS namespace inside the container.
**ns**: specify the usernamespace to use.
**ns**: specify the user namespace to use.
Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.
**--volume**, **-v**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*]
@ -782,8 +785,8 @@ can override the working directory by using the **-w** option.
### Set UID/GID mapping in a new user namespace
If you want to run the container in a new user namespace and define the mapping of
the uid and gid from the host.
Running a container in a new user namespace requires a mapping of
the uids and gids from the host.
```
$ podman create --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello
@ -804,13 +807,27 @@ KillMode=process
WantedBy=multi-user.target
```
### Rootless Containers
Podman runs as a non root user on most systems. This feature requires that a new enough version of shadow-utils
be installed. The shadow-utils package must include the newuidmap and newgidmap executables.
Note: RHEL7 and Centos 7 will not have this feature until RHEL7.7 is released.
In order for users to run rootless, there must be an entry for their username in /etc/subuid and /etc/subgid which lists the UIDs for their user namespace.
Rootless podman works better if the fuse-overlayfs and slirp4netns packages are installed.
The fuse-overlay package provides a userspace overlay storage driver, otherwise users need to use
the vfs storage driver, which is diskspace expensive and does not perform well. slirp4netns is
required for VPN, without it containers need to be run with the --net=host flag.
## FILES
**/etc/subuid**
**/etc/subgid**
## SEE ALSO
subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8)
subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8), slirp4netns(1), fuse-overlayfs(1)
## HISTORY
October 2017, converted from Docker documentation to podman by Dan Walsh for podman <dwalsh@redhat.com>

View File

@ -663,7 +663,7 @@ Without this argument the command will be run as root in the container.
**--userns**=host
**--userns**=ns:my_namespace
Set the user namespace for the container.
Set the user namespace mode for the container. The use of userns is disabled by default.
- `host`: run in the user namespace of the caller. This is the default if no user namespace options are set. The processes running in the container will have the same privileges on the host as any other process launched by the calling user.
- `ns`: run the container in the given existing user namespace.
@ -675,7 +675,7 @@ This option is incompatible with --gidmap, --uidmap, --subuid and --subgid
Set the UTS mode for the container
`host`: use the host's UTS namespace inside the container.
`ns`: specify the usernamespace to use.
`ns`: specify the user namespace to use.
**NOTE**: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.
@ -709,6 +709,20 @@ Current supported mount TYPES are bind, and tmpfs.
· tmpfs-mode: File mode of the tmpfs in octal. (e.g. 700 or 0700.) Defaults to 1777 in Linux.
**--userns**=""
Set the user namespace mode for the container. The use of userns is disabled by default.
**host**: use the host user namespace and enable all privileged options (e.g., `pid=host` or `--privileged`).
**ns**: specify the user namespace to use.
**--uts**=*host*
Set the UTS mode for the container
**host**: use the host's UTS namespace inside the container.
**ns**: specify the user namespace to use.
Note: the host mode gives the container access to changing the host's hostname and is therefore considered insecure.
**--volume**, **-v**[=*[HOST-DIR:CONTAINER-DIR[:OPTIONS]]*]
Create a bind mount. If you specify, ` -v /HOST-DIR:/CONTAINER-DIR`, podman
@ -1074,8 +1088,8 @@ supported sysctls.
### Set UID/GID mapping in a new user namespace
If you want to run the container in a new user namespace and define the mapping of
the uid and gid from the host.
Running a container in a new user namespace requires a mapping of
the uids and gids from the host.
```
$ podman run --uidmap 0:30000:7000 --gidmap 0:30000:7000 fedora echo hello
@ -1096,13 +1110,27 @@ KillMode=process
WantedBy=multi-user.target
```
### Rootless Containers
Podman runs as a non root user on most systems. This feature requires that a new enough version of shadow-utils
be installed. The shadow-utils package must include the newuidmap and newgidmap executables.
Note: RHEL7 and Centos 7 will not have this feature until RHEL7.7 is released.
In order for users to run rootless, there must be an entry for their username in /etc/subuid and /etc/subgid which lists the UIDs for their user namespace.
Rootless podman works better if the fuse-overlayfs and slirp4netns packages are installed.
The fuse-overlay package provides a userspace overlay storage driver, otherwise users need to use
the vfs storage driver, which is diskspace expensive and does not perform well. slirp4netns is
required for VPN, without it containers need to be run with the --net=host flag.
## FILES
**/etc/subuid**
**/etc/subgid**
## SEE ALSO
subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8)
subgid(5), subuid(5), libpod.conf(5), systemd.unit(5), setsebool(8), slirp4netns(1), fuse-overlayfs(1)
## HISTORY
September 2018, updated by Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>

View File

@ -191,3 +191,66 @@ SELinux provides a boolean `container_manage_cgroup`, which allows container
processes to write to the cgroup file system. Turn on this boolean, on SELinux separated systems, to allow systemd to run properly in the container.
`setsebool -P container_manage_cgroup true`
### 9) Newuidmap missing when running rootless Podman commands
Rootless podman requires the newuidmap and newgidmap programs to be installed.
#### Symptom
If you are running podman or buildah as a not root user, you get an error complaining about
a missing newuidmap executable.
```
podman run -ti fedora sh
cannot find newuidmap: exec: "newuidmap": executable file not found in $PATH
```
#### Solution
Install a version of shadow-utils that includes these executables. Note RHEL7 and Centos 7 will not have support for this until RHEL7.7 is released.
### 10) podman fails to run in user namespace because /etc/subuid is not properly populated.
Rootless podman requires the user running it to have a range of UIDs listed in /etc/subuid and /etc/subgid.
#### Symptom
If you are running podman or buildah as a user, you get an error complaining about
a missing subuid ranges in /etc/subuid.
```
podman run -ti fedora sh
No subuid ranges found for user "johndoe" in /etc/subuid
```
#### Solution
Update the /etc/subuid and /etc/subgid with fields for users that look like:
```
cat /etc/subuid
johndoe:100000:65536
test:165536:65536
```
The format of this file is USERNAME:UID:RANGE
* username as listed in /etc/passwd or getpwent.
* The initial uid allocated for the user.
* The size of the range of UIDs allocated for the user.
This means johndoe is allocated UIDS 100000-165535 as well as his standard UID in the
/etc/passwd file.
You should ensure that each user has a unique range of uids, because overlapping UIDs,
would potentially allow one user to attack another user.
You could also use the usermod program to assign UIDs to a user.
```
usermod --add-subuids 200000-201000 --add-subgids 200000-201000 johndoe
grep johndoe /etc/subuid /etc/subgid
/etc/subuid:johndoe:200000:1001
/etc/subgid:johndoe:200000:1001
```