How do I use LDAP / Active Directory users with rootless Podman, Buildah or Skopeo?

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9

Issue

  • I have a system which uses LDAP or Active Directory for user management and authentication.
  • How do we ensure users can use rootless podman and other container-tools even when they are not local users?

Resolution

Root Cause

  • The container-tools utilities such as podman, buildah, or skopeo rely on the newuidmap and newgidmap binaries provided by the shadow-utils package in order to allocate user namespace ranges for rootless users.
  • Currently, the shadow-utils package does not add or update sub-UID or sub-GID ranges automatically for non-local users. When a local user is created with adduser or useradd, the ranges are updated automatically; no equivalent process exists for remote users.
  • A GitHub Request for Feature Enhancement against Podman discusses allowing podman to grant remote users access to user namespaces automatically; it was noted there that the shadow-utils package must first accommodate any utilities that want this automation.
  • A GitHub issue against the shadow-maint project discusses the problem in more detail, specifically how the new libsubid library will let utilities such as newuidmap and newgidmap map ranges of user IDs without requiring the files to be configured manually.
  • libsubid was added to shadow-maint in this GitHub commit.
  • A new release of shadow-utils with the above libsubid addition is necessary upstream first, and when that is completed, the core containers/storage package that podman, skopeo, and buildah rely on can take advantage of libsubid via this Github discussion.
  • Effectively, automatic allocation of user namespace ID ranges for remote users can only be delivered when:
    • A new version of shadow-utils is shipped upstream with libsubid support.
    • The container library containers/storage adopts the usage of libsubid.
    • Red Hat has ample time to QA and test the above additions prior to releasing them into a version of container tooling that is available to customers.
  • This article will be updated with upstream developments as the feature nears release.
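Until libsubid support lands, an administrator has to give each directory user a sub-UID and sub-GID range by hand. The following script is an added example written for this article, not Red Hat's or the podman project's code: it looks up a user's existing range, computes the next free start value after every range already present (ranges are contiguous, start..start+count-1), and appends a new entry only when the user has none. The files are passed as parameters so the functions can be exercised against constructed sample files; in production they are /etc/subuid and /etc/subgid, which newuidmap and newgidmap read. The user name jdoe, the sample entries for alice and bob, and the SUBID_MIN/SUBID_COUNT defaults (the login.defs SUB_UID_MIN and SUB_UID_COUNT values useradd uses for local users) are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the article): pre-allocate sub-UID/sub-GID ranges
# for a directory (LDAP/AD) user, which shadow-utils does not do automatically.

# Size of each range; 65536 matches SUB_UID_COUNT in /etc/login.defs (assumed default).
SUBID_COUNT=${SUBID_COUNT:-65536}
# Lowest start value considered for a new range; SUB_UID_MIN default (assumed).
SUBID_MIN=${SUBID_MIN:-100000}

# Print "start:count" for the user's existing entry in the given file, or nothing.
subid_lookup() {  # usage: subid_lookup <user> <file>
    awk -F: -v u="$1" '$1 == u { print $2 ":" $3 }' "$2"
}

# Compute the first start value at or above SUBID_MIN that lies after every
# range already recorded in the file, so the new range overlaps none of them.
subid_next_start() {  # usage: subid_next_start <file>
    awk -F: -v min="$SUBID_MIN" '
        NF >= 3 && ($2 + $3) > min { min = $2 + $3 }
        END { print min }' "$1"
}

# Append a range for the user unless one already exists; print the range in use.
# Idempotent, so it is safe to run from a login hook or a periodic job.
subid_allocate() {  # usage: subid_allocate <user> <file>
    local user=$1 file=$2 existing start
    existing=$(subid_lookup "$user" "$file")
    if [ -n "$existing" ]; then
        echo "$existing"
        return 0
    fi
    start=$(subid_next_start "$file")
    printf '%s:%s:%s\n' "$user" "$start" "$SUBID_COUNT" >> "$file"
    echo "$start:$SUBID_COUNT"
}

# Demonstration on constructed files so the script runs without root.
# The two local users alice and bob already hold the first two ranges.
demo_dir=$(mktemp -d)
cat > "$demo_dir/subuid" <<'EOF'
alice:100000:65536
bob:165536:65536
EOF
cp "$demo_dir/subuid" "$demo_dir/subgid"

# jdoe stands in for a directory user with no local passwd entry.
subid_allocate jdoe "$demo_dir/subuid"   # -> 231072:65536
subid_allocate jdoe "$demo_dir/subgid"   # -> 231072:65536
```

Run the allocation as root against the real files before the user first invokes podman; if the user has already run podman once, `podman system migrate` as that user makes podman re-read the new ranges, and `podman unshare cat /proc/self/uid_map` confirms the mapping is in effect.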
