[CentOS] What is /etc/subuid ?

Wed Oct 9 20:44:11 UTC 2019
Valeri Galtsev <galtsev at kicp.uchicago.edu>


On 2019-10-09 15:39, Stephen John Smoogen wrote:
> On Wed, 9 Oct 2019 at 16:34, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>>
>>
>>
>> On 2019-10-09 14:58, Jonathan Billings wrote:
>>> On Wed, Oct 09, 2019 at 02:47:19PM -0500, Valeri Galtsev wrote:
>>>> Could someone enlighten me about the following file:
>>>>
>>>> /etc/subuid
>>>>
>>>> ? This file appears to be owned by the "setup" package. This is a CentOS 7
>>>> system, and until now these files, if they existed, were never changed.
>>>> Today I added a user in quite a routine way, by doing
>>>>
>>>> /usr/sbin/groupadd -g 4500 [username]
>>>> /usr/sbin/useradd -g [username] -u 4500 -c "User Name, email at domain" [username]
>>>>
>>>> And the file /etc/subuid changed and the user was added to it:
>>>>
>>>> [username]:100000:65536
>>>
>>> I'm not sure what else it's used for, but /etc/subuid and /etc/subgid
>>> are used by podman for rootless containers (i.e. you can run a
>>> container without any root permissions).  subuid/subgid is used to map
>>> a range of UID/GIDs to the process namespace inside the kernel.
>>>
>>> Some details here:
>>>
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html-single/managing_containers/index#set_up_for_rootless_containers
>>>
>>> It's actually pretty cool.
>>>
>>> So, now when accounts are created with useradd, subuids are assigned
>>> to that new user.
>>>
>>> Unfortunately, this doesn't really work in an enterprise environment
>>> when users are defined via LDAP, since no subuid/subgid entries are
>>> created, but I've heard that there's an effort to make that happen in
>>> the NSS layer in the future.
>>>
>>
>> Thank you, Michael and Jonathan for your answers.
>>
>> I have one more question (which I probably will just answer myself by
>> kickstart installing fresh new system...):
>>
>> Did something change, so that now by default the useradd command adds the
>> user to that file (by default, without me using an extra flag etc.)? In other
>> words, is it just me, or did the command we have used since forever indeed
>> suddenly change its behavior?
>>
> 
> I believe it is a new behavior (by about a year). This file was not in
> earlier versions of RHEL because my systems only seem to have it
> showing up after 2018-10

Thanks, you made me feel better.

I create users on Linux machines routinely; I created the previous user
two or three weeks ago, and the useradd command didn't behave like that.

Valeri

> 
>> Thanks again for your insights everybody.
>>
>> Valeri
>>
>>>
>>
>> --
>> ++++++++++++++++++++++++++++++++++++++++
>> Valeri Galtsev
>> Sr System Administrator
>> Department of Astronomy and Astrophysics
>> Kavli Institute for Cosmological Physics
>> University of Chicago
>> Phone: 773-702-4247
>> ++++++++++++++++++++++++++++++++++++++++

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
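
Added example (not part of the original thread, and not code from shadow-utils or podman): a small audit of a file in the name:start:count format shown above. It flags subordinate ranges shared by different owners, real account UIDs that fall inside someone's subordinate range, and accounts with no entry at all (the LDAP case mentioned in the thread). The function names, the sample entries and the sample accounts are constructed for illustration, and owners are assumed to be listed by login name.

```python
# Added example: audit a file in /etc/subuid format (name:start:count).
from itertools import combinations

def parse_subid(text):
    """Return [(name, first_id, last_id)] for each 'name:start:count' line."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3 or not (fields[1].isdigit() and fields[2].isdigit()):
            raise ValueError(f"line {lineno}: expected name:start:count")
        start, count = int(fields[1]), int(fields[2])
        if count > 0:                      # a zero-length range grants nothing
            ranges.append((fields[0], start, start + count - 1))
    return ranges

def audit(subid_text, accounts):
    """accounts maps login name -> real UID (e.g. taken from `getent passwd`).
    Returns (overlaps, collisions, missing):
      overlaps   - pairs of different owners whose ranges share an ID
      collisions - (account, owner) where a real UID lies in owner's range
      missing    - accounts with no range (no rootless containers for them)
    """
    ranges = parse_subid(subid_text)
    overlaps = sorted({tuple(sorted((a[0], b[0])))
                       for a, b in combinations(ranges, 2)
                       if a[0] != b[0] and a[1] <= b[2] and b[1] <= a[2]})
    collisions = sorted((acct, owner) for acct, uid in accounts.items()
                        for owner, lo, hi in ranges if lo <= uid <= hi)
    owners = {r[0] for r in ranges}
    missing = sorted(a for a in accounts if a not in owners)
    return overlaps, collisions, missing

# Constructed sample data; the first entry mirrors the format seen in the thread.
SAMPLE_SUBUID = """\
alice:100000:65536
bob:165536:65536
carol:200000:65536
"""
SAMPLE_ACCOUNTS = {"alice": 4500, "bob": 4501, "carol": 4502,
                   "ldapuser": 20001, "svc": 170000}

if __name__ == "__main__":
    overlaps, collisions, missing = audit(SAMPLE_SUBUID, SAMPLE_ACCOUNTS)
    print("overlapping ranges:", overlaps)
    print("real UID inside a subordinate range:", collisions)
    print("no subordinate range:", missing)
```

The same functions work on /etc/subgid, since it uses the same three-field layout.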