DevHeads.net

What is /etc/subuid ?

Dear Experts,

Could someone enlighten me about the following file:

/etc/subuid

? This file appears to be owned by the "setup" package. This is a CentOS 7
system, and until now these files, if they existed, were never changed. Today I
added a user in quite a routine way, by doing

/usr/sbin/groupadd -g 4500 [username]
/usr/sbin/useradd -g [username] -u 4500 -c "User Name, email@domain" [username]

And the file /etc/subuid changed and the user was added into it:

[username]:100000:65536

Nothing like that was happening before. This is the first time I have created
an account after the update done on Oct 3, 2019. I checked several CentOS 7
machines, basically doing this:

# grep subuid /usr/sbin/useradd
Binary file /usr/sbin/useradd matches

And CentOS 7 machines indeed may have that file name in the useradd
binary. None of the CentOS 6 machines has that.

I tried to do a FreeBSD-ism:

man /etc/subuid

It came up empty, and I realized that I'm doing a FreeBSD-ism.

I tried to do a search on the web (did not "google", I use duckduckgo...
so I "did search"), and came up pretty much empty.

Is it just me, or has something in CentOS 7 indeed changed? And what
is it?

Another question on the same note: how do we find out what a file is
about and is used for in Linux, apart from searching on the web? (When
there are surprises like the one I had today, one does like to know what
this particular file is used for.)

Thanks in advance for your answers.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

Comments

Re: What is /etc/subuid ?

By Jonathan Billings at 10/09/2019 - 15:58

On Wed, Oct 09, 2019 at 02:47:19PM -0500, Valeri Galtsev wrote:
I'm not sure what else it's used for, but /etc/subuid and /etc/subgid
are used by podman for rootless containers (i.e. you can run a
container without any root permissions). subuid/subgid is used to map
a range of UID/GIDs to the process namespace inside the kernel.

Some details here:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html-single/managing_containers/index#set_up_for_rootless_containers

It's actually pretty cool.

So, now when accounts are created with useradd, subuids are assigned
to that new user.

Unfortunately, this doesn't really work in an enterprise environment
when users are defined via LDAP, since no subuid/subgid entries are
created, but I've heard that there's an effort to make that happen in
the NSS layer in the future.
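
An added example, not part of the original thread: a Python sketch that parses the owner:start:count lines of /etc/subuid (the format shown in the question and documented in subuid(5)) and reports overlapping ranges, ranges that cover a real account's UID, and accounts with no range at all, as with the LDAP users mentioned above. The sample file contents, the account names and the `audit` helper are constructed for illustration.

```python
from itertools import combinations
from typing import NamedTuple

class SubRange(NamedTuple):
    owner: str   # login name or numeric UID (first field)
    start: int   # first subordinate ID
    count: int   # how many IDs the owner may use

    @property
    def last(self):
        return self.start + self.count - 1

def parse_subid(text):
    """Parse owner:start:count lines; raise ValueError on a malformed line."""
    ranges = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.strip().split(":")
        if len(fields) != 3 or not (fields[1].isdigit() and fields[2].isdigit()):
            raise ValueError(f"line {n}: expected owner:start:count: {line!r}")
        ranges.append(SubRange(fields[0], int(fields[1]), int(fields[2])))
    return ranges

def audit(ranges, accounts):
    """accounts maps login name -> UID (constructed here; normally from passwd/LDAP)."""
    findings = []
    # Ranges of two different owners that intersect map onto the same host IDs.
    for a, b in combinations(ranges, 2):
        if a.owner != b.owner and a.start <= b.last and b.start <= a.last:
            findings.append(("overlap", a.owner, b.owner))
    # A subordinate range should not contain the UID of a real account.
    for r in ranges:
        for name, uid in accounts.items():
            if r.start <= uid <= r.last:
                findings.append(("covers-real-id", r.owner, name))
    # Accounts with no entry (by name or by UID) have no subordinate IDs to map.
    owners = {r.owner for r in ranges}
    for name, uid in accounts.items():
        if name not in owners and str(uid) not in owners:
            findings.append(("no-range", name, None))
    return findings

# Constructed sample data, not taken from the thread.
SAMPLE_SUBUID = "alice:100000:65536\nbob:165536:65536\ncarol:200000:65536\n"
SAMPLE_ACCOUNTS = {"alice": 4500, "bob": 4501, "carol": 4502, "dave": 4503}

if __name__ == "__main__":
    for finding in audit(parse_subid(SAMPLE_SUBUID), SAMPLE_ACCOUNTS):
        print(finding)
```

The same parser works for /etc/subgid, which uses the identical three-field layout.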

Re: What is /etc/subuid ?

By Valeri Galtsev at 10/09/2019 - 16:33

On 2019-10-09 14:58, Jonathan Billings wrote:
Thank you, Michael and Jonathan for your answers.

I have one more question (which I probably will just answer myself by
kickstart installing fresh new system...):

Did something change, and now by default the useradd command adds the user to
that file (by default, without me using an extra flag etc.)? In other words,
is it just me, or indeed the command we used since forever suddenly
changed its behavior?

Thanks again for your insights everybody.

Valeri

Re: What is /etc/subuid ?

By Stephen John Smoogen at 10/09/2019 - 16:39

On Wed, 9 Oct 2019 at 16:34, Valeri Galtsev < ... at kicp dot uchicago.edu> wrote:
I believe it is a new behavior (by about a year). This file was not in
earlier versions of RHEL because my systems only seem to have it
showing up after 2018-10.

Re: What is /etc/subuid ?

By Mike Burger at 10/09/2019 - 15:56

On 2019-10-09 15:47, Valeri Galtsev wrote:
A quick google search:

https://lmgtfy.com/?qtype=search&q=%2Fetc%2Fsubuid

yielded this as the first link:

http://man7.org/linux/man-pages/man5/subuid.5.html