refactor: use getsubids to check subuid and subgid #86

Merged
merged 1 commit into from
Jul 27, 2023


richm
Contributor

@richm richm commented Jul 26, 2023

Use the command getsubids to check the subuid and subgid if
available. This allows the use of identity management to provide
the subuid and subgid.

Signed-off-by: Rich Megginson [email protected]

@richm
Contributor Author

richm commented Jul 26, 2023

[citest]

Member

@vrothberg vrothberg left a comment

LGTM

I did not know this command before

@richm
Contributor Author

richm commented Jul 26, 2023

[citest]

@mhjacks

mhjacks commented Jul 26, 2023

OK, I've been able to do some testing with this. It works fine on the happy path (i.e. on a RHEL/Fedora host with the shadow-utils-subid package available AND nsswitch.conf configured to use it properly).

On the less-than-happy path:

  • Debian (bookworm, just released, and trixie, which just started as "testing") at least put getsubids in the "uidmap" package.
  • Ubuntu 22.04 has a uidmap package, but it does not contain getsubids
  • OpenSUSE 15.5 has shadow 4.8 and includes podman 4.4 but does not ship a getsubids binary

This creates some rather unfortunate edge cases with the uidmap or shadow package as appropriate in hopes that it contains getsubids, or doesn't, and that situation may change over time.

Maybe rather than trying to handle all the getsubids edge cases we could conditionalize the installation of shadow-utils-subid to Fedora/RHEL and allow the logic for other Linux distros to proceed as before? (I think it would be an equivalent experience for where they are now.) That is - we know that Fedora/RHEL use shadow-utils-subid to provide getsubids, so we try to install that package where we know it will be, but the role allows other distros to "fall through" at this point. PRs welcome but this seems like a thorny thing (getsubids in uidmap for Bookworm/Trixie, but not for Jammy); if I were an operator in such an environment I would not think it would be a huge deal to include the necessary package in a separate role if I knew I needed it and I don't know how many of these kinds of environments will.

What do you think?

@richm
Contributor Author

richm commented Jul 26, 2023

The role as it currently stands does not support any platform other than os_family RedHat (other than "accidentally") - are you willing to contribute vars/Ubuntu*, vars/Debian*, vars/OpenSUSE* etc. as necessary? If so, I'll provide the necessary vars files for RedHat support.

@mhjacks

mhjacks commented Jul 26, 2023

I could do that. Would you agree it would be reasonable to skip the package installation task for unknown distro combinations? (That is, we populate where to get getsubids from for releases we know, and the task skips for, say, really old Debian/Ubuntu/Suse/etc). In that case, maybe we should split the tasks for podman and shadow-utils?

Use the command `getsubids` to check the subuid and subgid if
available.  This allows the use of identity management to provide
the subuid and subgid.

Signed-off-by: Rich Megginson <[email protected]>
@richm
Contributor Author

richm commented Jul 26, 2023

@mhjacks how's the latest commit?

@richm
Contributor Author

richm commented Jul 26, 2023

[citest]

@mhjacks

mhjacks commented Jul 27, 2023

Looks good to me. It does reasonable things for non redhat systems. I can subsequently PR in vars for os's that provide getsubids. Thanks! This will be an enormous help; I really dig the quadlet support features too

@richm
Contributor Author

richm commented Jul 27, 2023

> Looks good to me. It does reasonable things for non redhat systems. I can subsequently PR in vars for os's that provide getsubids. Thanks! This will be an enormous help; I really dig the quadlet support features too

Thanks for your help!

@richm richm merged commit ee039f9 into linux-system-roles:main Jul 27, 2023
6 checks passed
@richm richm deleted the getsubids branch July 27, 2023 12:35
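
The check discussed in this thread (use `getsubids` where the binary exists, otherwise proceed as before) can be illustrated with the following shell example. It is added here and is not the role's own code; it assumes the pre-existing fallback is reading `/etc/subuid` and `/etc/subgid`, and `GETSUBIDS_CMD` and `SUBID_DIR` are hypothetical hooks used only to exercise both paths.

```shell
#!/bin/sh
# Added example, not the role's code. Prints "START COUNT" for each
# subordinate ID range of a user.  $1 = user name, $2 = uid | gid
# Hypothetical hooks: GETSUBIDS_CMD (command name), SUBID_DIR (default /etc)
subid_ranges() {
    user=$1 kind=$2
    cmd=${GETSUBIDS_CMD:-getsubids}
    case $kind in
        uid) flag='' ;;
        gid) flag='-g' ;;
        *) echo "kind must be uid or gid" >&2; return 2 ;;
    esac
    if command -v "$cmd" >/dev/null 2>&1; then
        # getsubids prints lines such as "0: alice 100000 65536" and, per the
        # PR description, also reports ranges served by identity management.
        "$cmd" $flag "$user" 2>/dev/null |
            awk '$1 ~ /^[0-9]+:$/ && NF == 4 { print $3, $4 }'
    else
        # Fallback: local file only. Its first field may be a name or a UID.
        file=${SUBID_DIR:-/etc}/sub$kind
        [ -r "$file" ] || return 0
        num=$(id -u "$user" 2>/dev/null || true)
        awk -F: -v u="$user" -v n="$num" '
            ($1 == u || (n != "" && $1 == n)) &&
            $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { print $2, $3 }' "$file"
    fi
}

# True only when the user has at least one subuid AND one subgid range.
has_subids() {
    [ -n "$(subid_ranges "$1" uid)" ] && [ -n "$(subid_ranges "$1" gid)" ]
}

# Demo on constructed data, forcing the fallback path with a missing command.
demo() {
    d=$(mktemp -d)
    printf 'alice:100000:65536\nbob:165536:65536\n' > "$d/subuid"
    printf 'alice:100000:65536\n' > "$d/subgid"
    GETSUBIDS_CMD=no-such-getsubids SUBID_DIR=$d
    for u in alice bob; do
        if has_subids "$u"; then echo "$u: ok"
        else echo "$u: missing subuid or subgid"; fi
    done
    unset GETSUBIDS_CMD SUBID_DIR
    rm -rf "$d"
}
demo
```

On a host where the file fallback is taken, ranges that exist only in identity management are not seen, so a user can look unconfigured there while `getsubids` on a RHEL/Fedora host would report them.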