Issue

What were you trying to do that didn't work? Using rootless buildah as a user from a FreeIPA directory, with subuids/subgids allocated to the user in the directory. It appears buildah is only consulting /etc/subuid//etc/subgid rather than looking up subuid/subgid information via sssd. ldd /usr/bin/buildah indicates that buildah is not linked with libsubid. On Fedora, where buildah works, it is linked with libsubid. Please provide the package NVR for which bug is seen: buildah-1.33.5-1.module_el8+885+7da147f3.x86_64 buildah-1.31.3-3.module+el8.9.0+21243+a586538b.x86_64 buildah-1.33.5-1.el9.x86_64 How reproducible: Very Steps to reproduce Create a FreeIPA user Assign a subid range to the user: ipa subid-generate --owner=$USER Join the FreeIPA domain using ipa-client-install --subid (/etc/nsswitch.conf should have a line subid: sss) Confirm that libsubid consults sssd when fetching subuid/subgid information (getsubid $USER should return a subuid range) As the user, run buildah from registry.access.redhat.com/ubi9/ubi Expected results buildah container should be created Actual results buildah can't pull the image: $ buildah from registry.access.redhat.com/ubi9/ubi:latest WARN[0000] Reading allowed ID mappings: reading subuid mappings for user "sam" and subgid mappings for group "sam": no subuid ranges found for user "sam" in /etc/subuid WARN[0000] Found no UID ranges set aside for user "sam" in /etc/subuid. WARN[0000] Found no GID ranges set aside for user "sam" in /etc/subgid. Trying to pull registry.access.redhat.com/ubi9/ubi:latest... Getting image source signatures Checking if image destination supports signatures Copying blob 1bd75c368cb5 done Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:1bd75c368cb585e77e0b3234a750db4235fa64ff8b5b9ca8da8bf7a34ec9ecaa": processing tar file(potentially insufficient UIDs or GIDs available in user namespace (requested 0:5 for /usr/bin/write): Check /etc/subuid and /etc/subgid if configured locally and run "podman system migrate": lchown /usr/bin/write: invalid argument): exit status 1 $ buildah unshare cat /proc/self/uid_map WARN[0000] Reading allowed ID mappings: reading subuid mappings for user "sam" and subgid mappings for group "sam": no subuid ranges found for user "sam" in /etc/subuid WARN[0000] Found no UID ranges set aside for user "sam" in /etc/subuid. WARN[0000] Found no GID ranges set aside for user "sam" in /etc/subgid. 0 1673000001 1 Compare this to podman, which is linked with libsubid and so is able to pull subuid/subgid information from the directory: sam@xoanon:~$ podman unshare cat /proc/self/uid_map 0 1673000001 1 1 2147483648 65536

Release Notes

No. of Comments

Resolution

Done-Errata