On 2019-10-09 14:58, Jonathan Billings wrote:
> On Wed, Oct 09, 2019 at 02:47:19PM -0500, Valeri Galtsev wrote:
>> Could someone enlighten me about the following file:
>>
>> /etc/subuid
>>
>> ? This file appears to be owned by the "setup" package. This is a CentOS 7 system,
>> and until now these files, if they existed, were never changed. Today I added
>> a user in quite a routine way, by doing
>>
>> /usr/sbin/groupadd -g 4500 [username]
>> /usr/sbin/useradd -g [username] -u 4500 -c "User Name, email at domain" [username]
>>
>> And the file /etc/subuid changed and the user was added to it:
>>
>> [username]:100000:65536
>
> I'm not sure what else it's used for, but /etc/subuid and /etc/subgid
> are used by podman for rootless containers (i.e. you can run a
> container without any root permissions). subuid/subgid is used to map
> a range of UID/GIDs to the process namespace inside the kernel.
>
> Some details here:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html-single/managing_containers/index#set_up_for_rootless_containers
>
> It's actually pretty cool.
>
> So, now when accounts are created with useradd, subuids are assigned
> to that new user.
>
> Unfortunately, this doesn't really work in an enterprise environment
> when users are defined via LDAP, since no subuid/subgid entries are
> created, but I've heard that there's an effort to make that happen in
> the NSS layer in the future.
>

Thank you, Michael and Jonathan, for your answers.

I have one more question (which I will probably just answer myself by
kickstart-installing a fresh new system...):

Did something change and now by default the useradd command adds the user to
that file (by default, without me using an extra flag etc.)? In other words,
is it just me, or did the command we have used since forever indeed suddenly
change its behavior?

Thanks again for your insights everybody.

Valeri

--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

On Wed, 9 Oct 2019 at 16:34, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> On 2019-10-09 14:58, Jonathan Billings wrote:
> > On Wed, Oct 09, 2019 at 02:47:19PM -0500, Valeri Galtsev wrote:
> >> Could someone enlighten me about the following file:
> >>
> >> /etc/subuid
> >>
> >> ? This file appears to be owned by the "setup" package. This is a CentOS 7 system,
> >> and until now these files, if they existed, were never changed. Today I added
> >> a user in quite a routine way, by doing
> >>
> >> /usr/sbin/groupadd -g 4500 [username]
> >> /usr/sbin/useradd -g [username] -u 4500 -c "User Name, email at domain" [username]
> >>
> >> And the file /etc/subuid changed and the user was added to it:
> >>
> >> [username]:100000:65536
> >
> > I'm not sure what else it's used for, but /etc/subuid and /etc/subgid
> > are used by podman for rootless containers (i.e. you can run a
> > container without any root permissions). subuid/subgid is used to map
> > a range of UID/GIDs to the process namespace inside the kernel.
> >
> > Some details here:
> >
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html-single/managing_containers/index#set_up_for_rootless_containers
> >
> > It's actually pretty cool.
> >
> > So, now when accounts are created with useradd, subuids are assigned
> > to that new user.
> >
> > Unfortunately, this doesn't really work in an enterprise environment
> > when users are defined via LDAP, since no subuid/subgid entries are
> > created, but I've heard that there's an effort to make that happen in
> > the NSS layer in the future.
> >
>
> Thank you, Michael and Jonathan, for your answers.
>
> I have one more question (which I will probably just answer myself by
> kickstart-installing a fresh new system...):
>
> Did something change and now by default the useradd command adds the user to
> that file (by default, without me using an extra flag etc.)? In other words,
> is it just me, or did the command we have used since forever indeed suddenly
> change its behavior?
>

I believe it is a new behavior (by about a year). This file was not in
earlier versions of RHEL because my systems only seem to have it
showing up after 2018-10.

> Thanks again for your insights everybody.
>
> Valeri

--
Stephen J Smoogen.

On 2019-10-09 15:39, Stephen John Smoogen wrote:
> On Wed, 9 Oct 2019 at 16:34, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>>
>> On 2019-10-09 14:58, Jonathan Billings wrote:
>>> On Wed, Oct 09, 2019 at 02:47:19PM -0500, Valeri Galtsev wrote:
>>>> Could someone enlighten me about the following file:
>>>>
>>>> /etc/subuid
>>>>
>>>> ? This file appears to be owned by the "setup" package. This is a CentOS 7 system,
>>>> and until now these files, if they existed, were never changed. Today I added
>>>> a user in quite a routine way, by doing
>>>>
>>>> /usr/sbin/groupadd -g 4500 [username]
>>>> /usr/sbin/useradd -g [username] -u 4500 -c "User Name, email at domain" [username]
>>>>
>>>> And the file /etc/subuid changed and the user was added to it:
>>>>
>>>> [username]:100000:65536
>>>
>>> I'm not sure what else it's used for, but /etc/subuid and /etc/subgid
>>> are used by podman for rootless containers (i.e. you can run a
>>> container without any root permissions). subuid/subgid is used to map
>>> a range of UID/GIDs to the process namespace inside the kernel.
>>>
>>> Some details here:
>>>
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html-single/managing_containers/index#set_up_for_rootless_containers
>>>
>>> It's actually pretty cool.
>>>
>>> So, now when accounts are created with useradd, subuids are assigned
>>> to that new user.
>>>
>>> Unfortunately, this doesn't really work in an enterprise environment
>>> when users are defined via LDAP, since no subuid/subgid entries are
>>> created, but I've heard that there's an effort to make that happen in
>>> the NSS layer in the future.
>>>
>>
>> Thank you, Michael and Jonathan, for your answers.
>>
>> I have one more question (which I will probably just answer myself by
>> kickstart-installing a fresh new system...):
>>
>> Did something change and now by default the useradd command adds the user to
>> that file (by default, without me using an extra flag etc.)? In other words,
>> is it just me, or did the command we have used since forever indeed suddenly
>> change its behavior?
>>
>
> I believe it is a new behavior (by about a year). This file was not in
> earlier versions of RHEL because my systems only seem to have it
> showing up after 2018-10.

Thanks, you made me feel better. I create users on Linux machines
routinely; I created the previous user two or three weeks ago, and the
useradd command didn't behave like that.

Valeri

>
>> Thanks again for your insights everybody.
>>
>> Valeri

On 09.10.19 at 22:39, Stephen John Smoogen wrote:
> On Wed, 9 Oct 2019 at 16:34, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>>
>> On 2019-10-09 14:58, Jonathan Billings wrote:
>>> On Wed, Oct 09, 2019 at 02:47:19PM -0500, Valeri Galtsev wrote:
>>>> Could someone enlighten me about the following file:
>>>>
>>>> /etc/subuid
>>>>
>>>> ? This file appears to be owned by the "setup" package. This is a CentOS 7 system,
>>>> and until now these files, if they existed, were never changed. Today I added
>>>> a user in quite a routine way, by doing
>>>>
>>>> /usr/sbin/groupadd -g 4500 [username]
>>>> /usr/sbin/useradd -g [username] -u 4500 -c "User Name, email at domain" [username]
>>>>
>>>> And the file /etc/subuid changed and the user was added to it:
>>>>
>>>> [username]:100000:65536
>>>
>>> I'm not sure what else it's used for, but /etc/subuid and /etc/subgid
>>> are used by podman for rootless containers (i.e. you can run a
>>> container without any root permissions). subuid/subgid is used to map
>>> a range of UID/GIDs to the process namespace inside the kernel.
>>>
>>> Some details here:
>>>
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html-single/managing_containers/index#set_up_for_rootless_containers
>>>
>>> It's actually pretty cool.
>>>
>>> So, now when accounts are created with useradd, subuids are assigned
>>> to that new user.
>>>
>>> Unfortunately, this doesn't really work in an enterprise environment
>>> when users are defined via LDAP, since no subuid/subgid entries are
>>> created, but I've heard that there's an effort to make that happen in
>>> the NSS layer in the future.
>>>
>>
>> Thank you, Michael and Jonathan, for your answers.
>>
>> I have one more question (which I will probably just answer myself by
>> kickstart-installing a fresh new system...):
>>
>> Did something change and now by default the useradd command adds the user to
>> that file (by default, without me using an extra flag etc.)? In other words,
>> is it just me, or did the command we have used since forever indeed suddenly
>> change its behavior?
>>
>
> I believe it is a new behavior (by about a year). This file was not in
> earlier versions of RHEL because my systems only seem to have it
> showing up after 2018-10.
>

Seems C7 has no changelog entry but C8 gives:

$ rpm -q --changelog shadow-utils |grep -C 1 subo
* Mi Nov 26 2014 Tomáš Mráz <tmraz at redhat.com> - 2:4.2.1-1
- new upstream release with support for subordinate uids and gids

--
Leon
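
An added example, not part of the thread: a short Python audit of the `owner:start:count` format shown above. It flags malformed lines, overlapping subordinate ranges, ranges that contain a real account's UID, and accounts with no range at all (the LDAP case Jonathan mentions). The function names, the sample file and the sample accounts are constructed for illustration.

```python
from collections import namedtuple

SubId = namedtuple("SubId", "owner start count")

# Constructed sample data, not taken from the thread.
SAMPLE_SUBUID = """\
alice:100000:65536
bob:165536:65536
dave:200000:65536
broken-line-without-fields
"""
# {login: uid}; carol stands in for an LDAP-only account with a high UID.
SAMPLE_ACCOUNTS = {"alice": 4500, "bob": 4501, "dave": 4503, "carol": 100200}


def parse_subid(text):
    """Parse 'owner:start:count' lines; return (entries, bad line numbers)."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.strip().split(":")
        if len(parts) != 3 or not (parts[1].isdecimal() and parts[2].isdecimal()):
            malformed.append(lineno)
            continue
        entries.append(SubId(parts[0], int(parts[1]), int(parts[2])))
    return entries, malformed


def audit(text, accounts):
    """Check subuid/subgid text against a {login: uid} map of real accounts."""
    entries, malformed = parse_subid(text)
    overlaps, widest = [], None
    # Walk ranges by start, remembering the one that reaches furthest so far.
    for e in sorted(entries, key=lambda e: e.start):
        if widest and e.start < widest.start + widest.count:
            overlaps.append((widest.owner, e.owner))
        if widest is None or e.start + e.count > widest.start + widest.count:
            widest = e
    # A real UID inside a subordinate range is reachable from that owner's namespace.
    collisions = sorted((e.owner, login) for e in entries
                        for login, uid in accounts.items()
                        if e.start <= uid < e.start + e.count)
    owners = {e.owner for e in entries}  # owner may be a login name or a UID
    missing = sorted(login for login, uid in accounts.items()
                     if login not in owners and str(uid) not in owners)
    return {"malformed": malformed, "overlaps": overlaps,
            "uid_collisions": collisions, "no_range": missing}


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_SUBUID, SAMPLE_ACCOUNTS).items():
        print(finding, items)
```

On a real host, pass the contents of /etc/subuid (or /etc/subgid) and a login-to-UID map built from `getent passwd`, so that directory-backed accounts are included.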