Issue
What were you trying to do that didn't work?
Using rootless buildah as a user from a FreeIPA directory, with subuids/subgids allocated to the user in the directory.
It appears buildah is only consulting /etc/subuid and /etc/subgid rather than looking up subuid/subgid information via sssd. ldd /usr/bin/buildah indicates that buildah is not linked with libsubid.
On Fedora, where buildah works, it is linked with libsubid.
Please provide the package NVR for which the bug is seen:
buildah-1.33.5-1.module_el8+885+7da147f3.x86_64
buildah-1.31.3-3.module+el8.9.0+21243+a586538b.x86_64
buildah-1.33.5-1.el9.x86_64
How reproducible:
Very
Steps to reproduce
Create a FreeIPA user
Assign a subid range to the user: ipa subid-generate --owner=$USER
Join the FreeIPA domain using ipa-client-install --subid (/etc/nsswitch.conf should have a line subid: sss)
Confirm that libsubid consults sssd when fetching subuid/subgid information (getsubid $USER should return a subuid range)
As the user, run buildah from registry.access.redhat.com/ubi9/ubi
Expected results
buildah container should be created
Actual results
buildah can't pull the image:
$ buildah from registry.access.redhat.com/ubi9/ubi:latest
WARN[0000] Reading allowed ID mappings: reading subuid mappings for user "sam" and subgid mappings for group "sam": no subuid ranges found for user "sam" in /etc/subuid
WARN[0000] Found no UID ranges set aside for user "sam" in /etc/subuid.
WARN[0000] Found no GID ranges set aside for user "sam" in /etc/subgid.
Trying to pull registry.access.redhat.com/ubi9/ubi:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 1bd75c368cb5 done
Error: copying system image from manifest list: writing blob: adding layer with blob "sha256:1bd75c368cb585e77e0b3234a750db4235fa64ff8b5b9ca8da8bf7a34ec9ecaa": processing tar file(potentially insufficient UIDs or GIDs available in user namespace (requested 0:5 for /usr/bin/write): Check /etc/subuid and /etc/subgid if configured locally and run "podman system migrate": lchown /usr/bin/write: invalid argument): exit status 1
$ buildah unshare cat /proc/self/uid_map
WARN[0000] Reading allowed ID mappings: reading subuid mappings for user "sam" and subgid mappings for group "sam": no subuid ranges found for user "sam" in /etc/subuid
WARN[0000] Found no UID ranges set aside for user "sam" in /etc/subuid.
WARN[0000] Found no GID ranges set aside for user "sam" in /etc/subgid.
0 1673000001 1
Compare this to podman, which is linked with libsubid and so is able to pull subuid/subgid information from the directory:
sam@xoanon:~$ podman unshare cat /proc/self/uid_map
0 1673000001 1
1 2147483648 65536
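
The following is an added example, not part of the original report or of buildah's code. It parses the two uid_map outputs shown above and checks whether the IDs named in the error (0:5 for /usr/bin/write) can be represented in each namespace. The function names are hypothetical, and it assumes gid_map has the same shape as the uid_map shown, since the report prints only uid_map.

```python
"""Added example: why a one-entry ID map makes lchown fail with EINVAL."""
from typing import List, NamedTuple, Optional


class Extent(NamedTuple):
    inside: int   # first ID as seen inside the user namespace
    outside: int  # first ID on the host
    count: int    # number of consecutive IDs covered


def parse_id_map(text: str) -> List[Extent]:
    """Parse the contents of /proc/<pid>/uid_map or gid_map."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed map line: {line!r}")
        extents.append(Extent(*(int(f) for f in fields)))
    return extents


def to_host_id(extents: List[Extent], inside_id: int) -> Optional[int]:
    """Translate a namespace ID to a host ID, or None if it is unmapped."""
    for e in extents:
        if e.inside <= inside_id < e.inside + e.count:
            return e.outside + (inside_id - e.inside)
    return None


def unmapped(extents: List[Extent], wanted: List[int]) -> List[int]:
    """IDs an image layer needs that the namespace cannot represent."""
    return [i for i in wanted if to_host_id(extents, i) is None]


# Map contents as reported for "buildah unshare" and "podman unshare".
BUILDAH_MAP = "0 1673000001 1\n"
PODMAN_MAP = "0 1673000001 1\n1 2147483648 65536\n"

if __name__ == "__main__":
    # /usr/bin/write is requested as 0:5 in the layer. Assumption: gid_map has
    # the same shape as the uid_map shown (subuid and subgid lookups both failed).
    for name, raw in (("buildah", BUILDAH_MAP), ("podman", PODMAN_MAP)):
        ids = parse_id_map(raw)
        print(name, "unmapped:", unmapped(ids, [0, 5]),
              "id 5 on host:", to_host_id(ids, 5))
```

With only the single-entry map, ID 5 has no host counterpart, which is why the kernel rejects the lchown with "invalid argument"; with the 65536-entry range from the directory it maps into the user's subordinate range.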