This repository was archived by the owner on May 2, 2024. It is now read-only.
Issue: podman with "--userns=keep-id" fails. #399
Open
Labels: bug (Something isn't working)
Description
Is there an existing issue for this?
- I have searched the existing issues and found none that matched mine
Describe the issue
Seems like the ownership of the filesystem gets spoofed when using podman with "--userns=keep-id".
In the logfile I get:
aad_auth[7954]: nss_aad: database error: invalid ownership for /var/lib/aad/cache/passwd.db, expected 0:0 but got 65534:65534
where "7954" is the PID of podman (non-root).
I can fix this by doing the following changes to nss/src/cache/mod.rs (line 369):
```rust
        // Skip the ownership check if the file is detected as owned by nobody.
        if stat.uid() != 65534 {
            // Checks ownership
            if stat.uid() != file.expected_uid || stat.gid() != file.expected_gid {
                return Err(CacheError::DatabaseError(format!(
                    "invalid ownership for {}, expected {}:{} but got {}:{}",
                    file.path.to_str().unwrap(),
                    file.expected_uid,
                    file.expected_gid,
                    stat.uid(),
                    stat.gid()
                )));
            }
        }
```
Steps to reproduce it
- Make sure you have a subuid and subgid range added for the Entra ID user in /etc/subuid and /etc/subgid.
  Example: [email protected]:165536:65536
- Log in with the Entra ID user.
- Run, for example:
  podman run --rm -it --userns=keep-id ubuntu:latest bash
  You will get the error:
  Error: error creating temporary passwd file for container {CONTAINERID}: failed to get current user: user: unknown userid {USERID}
Ubuntu users: System information and logs
journalctl -f | grep "_aad"
aad_auth[7954]: nss_aad: database error: invalid ownership for /var/lib/aad/cache/passwd.db, expected 0:0 but got 65534:65534
Non Ubuntu users: System information and logs
I'm using Ubuntu.
Relevant information
No response
Double check your logs
- I have redacted any sensitive information from the logs
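The behaviour above is what a process sees when it runs inside a user namespace in which the file's real owner (host uid 0) has no mapping: the kernel reports the overflow id (65534 by default, configurable via /proc/sys/kernel/overflowuid) instead. Waiving the check whenever the owner shows up as 65534 would also accept a database genuinely owned by `nobody`. The example below is an added illustration, not code from this issue or from the aad-auth project; it checks ownership only when the expected owner is actually mapped in the current user namespace (by parsing the /proc/self/uid_map and /proc/self/gid_map format) and accepts the overflow id only in the unmapped case. The function and type names, the constructed id maps, and the default overflow ids are assumptions made for the example.

```rust
use std::fs;

/// One line of /proc/self/uid_map or gid_map: ids `inside..inside+count` in
/// this namespace correspond to `outside..outside+count` in the parent.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct IdMapEntry {
    pub inside: u32,
    pub outside: u32,
    pub count: u32,
}

/// Parse the three-column text format of /proc/self/{uid,gid}_map.
/// Malformed lines are skipped rather than treated as mappings.
pub fn parse_id_map(contents: &str) -> Vec<IdMapEntry> {
    contents
        .lines()
        .filter_map(|line| {
            let mut cols = line.split_whitespace().map(|c| c.parse::<u32>().ok());
            match (cols.next(), cols.next(), cols.next()) {
                (Some(Some(inside)), Some(Some(outside)), Some(Some(count))) => {
                    Some(IdMapEntry { inside, outside, count })
                }
                _ => None,
            }
        })
        .collect()
}

/// True when the parent-namespace (host) id `outside_id` is visible in this
/// namespace. An unmapped owner is reported by stat() as the overflow id.
pub fn is_outside_id_mapped(map: &[IdMapEntry], outside_id: u32) -> bool {
    map.iter().any(|e| {
        // u64 arithmetic: the identity map uses count 4294967295.
        let start = u64::from(e.outside);
        let end = start + u64::from(e.count);
        let id = u64::from(outside_id);
        id >= start && id < end
    })
}

#[derive(Debug, PartialEq, Eq)]
pub enum OwnershipError {
    Mismatch { expected: (u32, u32), got: (u32, u32) },
}

/// Ownership check that tolerates the overflow id only when the expected
/// owner has no mapping in the current user namespace (the keep-id case in
/// this issue), and still rejects any other owner, including a real
/// `nobody`-owned file when root is mapped.
pub fn check_ownership(
    stat_uid: u32,
    stat_gid: u32,
    expected_uid: u32,
    expected_gid: u32,
    uid_map: &[IdMapEntry],
    gid_map: &[IdMapEntry],
    overflow_uid: u32,
    overflow_gid: u32,
) -> Result<(), OwnershipError> {
    let uid_ok = stat_uid == expected_uid
        || (stat_uid == overflow_uid && !is_outside_id_mapped(uid_map, expected_uid));
    let gid_ok = stat_gid == expected_gid
        || (stat_gid == overflow_gid && !is_outside_id_mapped(gid_map, expected_gid));
    if uid_ok && gid_ok {
        Ok(())
    } else {
        Err(OwnershipError::Mismatch {
            expected: (expected_uid, expected_gid),
            got: (stat_uid, stat_gid),
        })
    }
}

/// Read a kernel overflow id, falling back to the kernel default of 65534.
fn read_overflow_id(path: &str) -> u32 {
    fs::read_to_string(path)
        .ok()
        .and_then(|s| s.trim().parse().ok())
        .unwrap_or(65534)
}

fn main() {
    // Live maps of this process (Linux only); constructed maps are used in the test.
    let uid_map = parse_id_map(&fs::read_to_string("/proc/self/uid_map").unwrap_or_default());
    let gid_map = parse_id_map(&fs::read_to_string("/proc/self/gid_map").unwrap_or_default());
    let overflow_uid = read_overflow_id("/proc/sys/kernel/overflowuid");
    let overflow_gid = read_overflow_id("/proc/sys/kernel/overflowgid");
    // Simulate the stat result from the issue: owner reported as 65534:65534, expected 0:0.
    let result = check_ownership(65534, 65534, 0, 0, &uid_map, &gid_map, overflow_uid, overflow_gid);
    println!("host root mapped here: {}", is_outside_id_mapped(&uid_map, 0));
    println!("ownership check for 65534:65534 vs 0:0 -> {:?}", result);
}
```

The constructed keep-id map in the test mirrors the subuid range from the reproduction (165536:65536, user id 1000): container ids 0..999 map to host 165536.., id 1000 maps to itself, and host uid 0 is absent, so the overflow id is the only thing stat() can report for a root-owned file.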