Re: What is /etc/subuid ?




On Wed, Oct 09, 2019 at 02:47:19PM -0500, Valeri Galtsev wrote:
> Could someone enlighten me about the following file:
> 
> /etc/subuid
> 
> ? This file appears to be owned by the "setup" package. This is a CentOS 7
> system, and until now these files, if they existed, were never changed.
> Today I added a user in quite a routine way, by doing
> 
> /usr/sbin/groupadd -g 4500 [username]
> /usr/sbin/useradd -g [username] -u 4500 -c "User Name, email@domain" [username]
> 
> And the file /etc/subuid changed and the user was added to it:
> 
> [username]:100000:65536

I'm not sure what else it's used for, but /etc/subuid and /etc/subgid
are used by podman for rootless containers (i.e. you can run a
container without any root permissions).  subuid/subgid is used to map
a range of UID/GIDs to the process namespace inside the kernel.

Some details here:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html-single/managing_containers/index#set_up_for_rootless_containers

It's actually pretty cool.

So, now when accounts are created with useradd, subuids are assigned
to that new user.

Unfortunately, this doesn't really work in an enterprise environment
when users are defined via LDAP, since no subuid/subgid entries are
created, but I've heard that there's an effort to make that happen in
the NSS layer in the future.


-- 
Jonathan Billings <billings@xxxxxxxxxx>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
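
An added example, not part of the original message: a small audit of the owner:start:count entries discussed above. It flags subordinate ranges of different owners that share IDs, real account UIDs that fall inside someone's subordinate range, and accounts with no entry at all (the LDAP case mentioned in the reply). The function names and the sample accounts (alice, bob, carol, dave) are assumptions made for illustration.

```python
from typing import NamedTuple

class SubRange(NamedTuple):
    owner: str  # field 1: login name
    start: int  # field 2: first subordinate ID
    count: int  # field 3: how many IDs the range holds

    @property
    def end(self) -> int:
        return self.start + self.count - 1  # last ID, inclusive

def parse_subid(text):
    """Parse owner:start:count lines as in /etc/subuid; reject malformed ones."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.strip().split(":")
        if len(fields) != 3 or not fields[0]:
            raise ValueError(f"line {lineno}: expected owner:start:count")
        start, count = int(fields[1]), int(fields[2])  # ValueError if non-numeric
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: bad range {start}:{count}")
        ranges.append(SubRange(fields[0], start, count))
    return ranges

def audit(subid_text, real_ids):
    """Return (kind, detail) findings; real_ids maps account name -> real UID."""
    ranges = sorted(parse_subid(subid_text), key=lambda r: r.start)
    findings, widest = [], None
    for r in ranges:  # ranges of different owners must not share IDs
        if widest and r.start <= widest.end and r.owner != widest.owner:
            findings.append(("overlap", f"{widest.owner}/{r.owner}"))
        if widest is None or r.end > widest.end:
            widest = r
    owners = {r.owner for r in ranges}
    for name, uid in sorted(real_ids.items()):
        for r in ranges:  # a real account's ID inside someone's subordinate range
            if r.start <= uid <= r.end:
                findings.append(("real-id-in-range", f"{name} in {r.owner}"))
        if name not in owners:  # e.g. an account that useradd never created
            findings.append(("no-entry", name))
    return findings

# Constructed sample data, not taken from the thread.
SAMPLE_SUBUID = "alice:100000:65536\nbob:165536:65536\ncarol:200000:65536\n"
SAMPLE_UIDS = {"alice": 4500, "bob": 4501, "carol": 4502, "dave": 150000}

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_SUBUID, SAMPLE_UIDS):
        print(kind, detail)
```

On a real host the text would come from /etc/subuid (or /etc/subgid with GIDs) and the account map from the password database.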


