refactor: use getsubids to check subuid and subgid #86
[citest]
LGTM
I did not know this command before
[citest]
OK, I've been able to do some testing with this. It works fine on the happy path (i.e. on a RHEL/Fedora host with the shadow-utils-subid package available AND nsswitch.conf configured to use it properly). On the less-than-happy path:
This creates some rather unfortunate edge cases with the uidmap or shadow package as appropriate in hopes that it contains getsubids, or doesn't, and that situation may change over time. Maybe rather than trying to handle all the getsubids edge cases we could conditionalize the installation of shadow-utils-subid to Fedora/RHEL and allow the logic for other Linux distros to proceed as before? (I think it would be an equivalent experience for where they are now.) That is - we know that Fedora/RHEL use shadow-utils-subid to provide getsubids, so we try to install that package where we know it will be, but the role allows other distros to "fall through" at this point. PRs welcome but this seems like a thorny thing (getsubids in uidmap for Bookworm/Trixie, but not for Jammy); if I were an operator in such an environment I would not think it would be a huge deal to include the necessary package in a separate role if I knew I needed it and I don't know how many of these kinds of environments will. What do you think?
The role as it currently stands does not support any platform other than os_family RedHat (other than "accidentally") - are you willing to contribute
I could do that. Would you agree it would be reasonable to skip the package installation task for unknown distro combinations? (That is, we populate where to get setsubids from for releases we know, and the task skips for, say, really old Debian/Ubuntu/Suse/etc). In that case, maybe we should split the tasks for podman and shadow-utils?
Use the command `getsubids` to check the subuid and subgid if available. This allows the use of identity management to provide the subuid and subgid. Signed-off-by: Rich Megginson <[email protected]>
@mhjacks how's the latest commit?
[citest]
Looks good to me. It does reasonable things for non redhat systems. I can subsequently PR in vars for os's that provide getsubids. Thanks! This will be an enormous help; I really dig the quadlet support features too
Thanks for your help!
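The check this PR describes, sketched as a stand-alone shell function (an added example, not the role's own tasks): prefer `getsubids` when it is installed, so ranges supplied through identity management are seen, and fall back to the flat `/etc/subuid` or `/etc/subgid` file otherwise. The function names and the `GETSUBIDS` override variable are hypothetical, and the `getsubids` output format (`0: alice 100000 65536`) is an assumption about shadow-utils.

```shell
#!/bin/sh
# Added example. GETSUBIDS is a hypothetical override so the lookup
# command can be swapped out; by default the real getsubids is used.
: "${GETSUBIDS:=getsubids}"

# Read getsubids output on stdin, print "start count" per range.
# Assumed line format: "<index>: <owner> <start> <count>".
parse_getsubids() {
    awk '$1 ~ /^[0-9]+:$/ && NF == 4 { print $3, $4 }'
}

# parse_subid_file USER FILE: print "start count" for USER's entries
# in an /etc/subuid-style file (owner:start:count).
parse_subid_file() {
    awk -F: -v u="$1" '$1 == u && NF == 3 { print $2, $3 }' "$2"
}

# subid_ranges USER KIND [FILE]: KIND is "uid" or "gid".
# Uses getsubids when available (it resolves through nsswitch, so
# ranges that are not in the local file are still reported);
# otherwise reads FILE, which defaults to /etc/subuid or /etc/subgid.
subid_ranges() {
    user=$1 kind=$2
    file=${3:-/etc/sub$kind}
    if command -v "$GETSUBIDS" >/dev/null 2>&1; then
        if [ "$kind" = gid ]; then
            "$GETSUBIDS" -g "$user" 2>/dev/null | parse_getsubids
        else
            "$GETSUBIDS" "$user" 2>/dev/null | parse_getsubids
        fi
    elif [ -r "$file" ]; then
        parse_subid_file "$user" "$file"
    fi
}

# has_subids USER KIND [FILE]: succeed only if at least one range exists.
has_subids() {
    [ -n "$(subid_ranges "$@")" ]
}
```

A caller would run `has_subids "$user" uid && has_subids "$user" gid` before starting rootless containers for that user.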