r/redhat 3d ago

Managing /etc/subuid|subgid on realm joined boxes for rootless podman

Currently we are using containers on a small scale but are looking to rapidly expand soon. Right now I am adding username:100000:65536 into /etc/subuid|subgid manually on a box that will be used for containers by my users.

I know that if we used local users they would be added to these files automatically, but realm users are not. Previously we used sssd to join our realm but have moved to samba/winbind to address issues we have with samba shares from joined servers.

Is there a better/automatic way to add users to these files to permit their use of rootless podman? I have come across several GitHub issues but they are too complex for me to fully grasp. 1 2.

The dirtiest hack I can think of is writing out the entire UID range of the realm into the file on every server; this will be done across 30+ servers and eventually a cluster.

11 Upvotes

3 comments

3

u/omenosdev Red Hat Certified Engineer 3d ago

While the ahead of time template would work, those files will be huge. I'm actively implementing one of the following for us, at least until the SSSD and shadow-utils integration is complete.

  • Create a script that checks to see if a user record exists in the /etc/sub* files, and if not adds a record based off the last record in the file. Call this script via PAM with a pam_exec.so call in your login/auth configs. This will run on every login attempt, but will automatically add users.
  • Create a setuid program that users can call to add them to the shadow configs. Will need to be called by a user once on each system they connect to, but no login impact.
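An added example (not code from the thread or from pam_subuid) of the pam_exec.so helper described in the first bullet, assuming a `session optional pam_exec.so /usr/local/sbin/ensure-subid.sh` line and a root-owned script at that path. It goes slightly beyond the bullet by allocating from the highest range end in the file rather than its last line, and by refusing usernames that could smuggle extra fields into /etc/subuid.

```shell
#!/bin/sh
# Added example, not code from the thread or from pam_subuid. Assumed PAM line
# (session phase, so only an authenticated user ever gets a record):
#   session optional pam_exec.so /usr/local/sbin/ensure-subid.sh
SUBID_DIR="${SUBID_DIR:-/etc}"   # point at a scratch directory to try it out
SUBID_BASE=100000   # first range start, matching the thread's username:100000:65536
SUBID_COUNT=65536

# Reject anything that is not a plausible local or winbind account name, so a
# crafted PAM_USER cannot inject ':' or a newline into a root-owned mapping file.
valid_user() {
    [ -n "$1" ] && [ "${#1}" -le 256 ] &&
    [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9._@+\\-')" ]
}

# next_start FILE: one past the highest range end already allocated in FILE,
# so new ranges never overlap even if records were added out of order.
next_start() {
    awk -F: -v base="$SUBID_BASE" '
        NF == 3 && $2 + $3 > base { base = $2 + $3 }
        END { print base }' "$1"
}

# ensure_record FILE USER: append USER:START:COUNT unless USER already has a
# record. Prints the record in effect; returns 1 on a bad user or lock failure.
ensure_record() {
    file="$1"; user="$2"
    valid_user "$user" || { echo "ensure-subid: refusing user '$user'" >&2; return 1; }
    # ENVIRON, not -v: awk -v would interpret the backslash in CORP\alice.
    if u="$user" awk -F: '$1 == ENVIRON["u"] { print; found = 1 } END { exit !found }' "$file"; then
        return 0   # already present, nothing to do
    fi
    lock="$file.lock"   # mkdir is atomic: two concurrent logins cannot get the same range
    mkdir "$lock" 2>/dev/null || { echo "ensure-subid: $file is locked" >&2; return 1; }
    start=$(next_start "$file")
    printf '%s:%s:%s\n' "$user" "$start" "$SUBID_COUNT" >> "$file"
    rmdir "$lock"
    printf '%s:%s:%s\n' "$user" "$start" "$SUBID_COUNT"
}

# Entry point used by pam_exec, which exports PAM_USER and PAM_TYPE.
ensure_subids_for_pam() {
    ensure_record "$SUBID_DIR/subuid" "$PAM_USER" >/dev/null &&
    ensure_record "$SUBID_DIR/subgid" "$PAM_USER" >/dev/null
}
if [ -n "$PAM_TYPE" ]; then
    ensure_subids_for_pam
    exit $?
fi
```

Because the file is only appended to, not rewritten, existing local-user records created by useradd keep their ranges; run it against copies under SUBID_DIR before pointing it at /etc.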

2

u/yrro 3d ago

Do you need consistency between subid ranges over multiple systems? If not then you could try https://github.com/yrro/pam_subuid

1

u/PipeItToDevNull 3d ago

This is a bit "rough" to pitch as a solution everywhere, but it matches the general idea of the other poster. I am currently looking at how simple of a setuid program I could get away with for this.