Hi,

Quoting Dima Kogan (2023-03-15 07:49:51)
> Hi Josch. Thanks for replying. Notes inline

thank you!

> - My laptop (amd64, sid, mmdebstrap=1.3.3-6.1; same as the workstation).
> Does NOT work fine:
> 
>     dima@shorty:~$ mmdebstrap bookworm /tmp/tst.tar.gz http://deb.debian.org/debian
> 
>     I: automatically chosen mode: unshare
>     I: chroot architecture amd64 is equal to the host's architecture
>     I: finding correct signed-by value...
>     done
>     I: automatically chosen format: tar
>     I: using /tmp/mmdebstrap.VLwVKQsx19 as tempdir
>     W: no entry in /etc/subuid for dima
>     E: invalid idmap
> 
>   The user id situation is different:
> 
>     dima@shorty:~$ id
>     uid=1000(dima) gid=1000(dima) groups=1000(dima),4(adm),5(tty),6(disk),7(lp),12(man),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),44(video),50(staff),100(users),107(netdev),111(nvram),112(fuse),120(stapdev),125(postgres),129(davfs2),132(motion),137(systemd-journal),140(sbuild),145(input)
> 
>     dima@shorty:~$ cat /etc/subuid
>     bitlbee:100000:65536
>     stunnel4:165536:65536
>     sbuild:231072:65536
>     iodine:296608:65536
>     systemd-timesync:362144:65536
>     systemd-network:427680:65536
>     systemd-resolve:493216:65536
>     pulse:624288:65536
>     AAA:689824:65536
>     debian-tor:755360:65536
>     _apt:820896:65536
>     pub:886432:65536
>     BBB:558752:65536

As the warning in the mmdebstrap output points out, there is no entry for your
user in /etc/subuid. The bug here is that, even though that is the case,
mmdebstrap still chooses the unshare mode.

> - The server (amd64, Ubuntu 20.04, mmdebstrap=0.4.1-6). Also does not
>   work fine:
> 
>     kogan@cadredev:~$ mmdebstrap bookworm /tmp/tst.tar.gz http://deb.debian.org/debian
> 
>     I: automatically chosen mode: unshare
>     I: chroot architecture amd64 is equal to the host's architecture
>     I: using /tmp/mmdebstrap.42KXYMZJtF as tempdir
>     newuidmap: uid range [1-2) -> [100000-100001) not allowed
>     E: newuidmap 2086656  0 60017 1 1 100000 1 failed: 
>     E: child had a non-zero exit status: 1
>     E: chown failed
> 
>     kogan@cadredev:~$ id
>     uid=60017(kogan) gid=1000(AAA) groups=1000(AAA),10773(perf),22373(BBB)
> 
>     kogan@cadredev:~$ cat /etc/subuid
>     ssa:100000:65536

Same as above.

> In all cases the "unshare" mode was selected. I'm guessing I need to add
> an entry for my user to /etc/subuid? How is this managed? I've never
> heard of this file before today, and I've certainly never added anything
> to it. Why am I listed in it on one machine, but not on the other two?

If you are not using LDAP or similar mechanisms to manage your users, then
adduser and useradd are used on Debian. Those tools automatically add an entry
for you to /etc/subuid and /etc/subgid.

I recently (with version 1.3.2) extended the documentation for unshare mode in
the mmdebstrap manual page to also cover these two files:

https://gitlab.mister-muffin.de/josch/mmdebstrap/commit/46fc269b549abe89d99e63addba0813bcbc938ac

Does this answer some of the questions you had or do you think I should add
more?

> > This is not a problem of mmdebstrap but a problem with unsharing the user
> > namespace and the involved permissions. Try running this on both machines
> > with and without "strace -f" in front (the -f is very important):
> >
> > unshare --user --map-auto whoami
> >
> > It should print "nobody" without "strace -f" in front.
> 
> Sorta.
> 
> On the workstation (sid; mmdebstrap works):
> 
>   dima@fatty:~$ unshare --user --map-auto whoami                       
>   nobody
> 
>   dima@fatty:~$ strace -f -o /dev/null unshare --user --map-auto whoami
>   newuidmap: write to uid_map failed: Operation not permitted
> 
> On the laptop (sid; mmdebstrap doesn't work):
> 
>   dima@shorty:~$ unshare --user --map-auto whoami                       
>   unshare: no line matching user "dima" in /etc/subuid: Success
> 
>   dima@shorty:~$ strace -f -o /dev/null unshare --user --map-auto whoami      
>   unshare: no line matching user "dima" in /etc/subuid: Success
> 
> On the old Ubuntu LDAP-enabled server it doesn't work at all:
> 
>   unshare: unrecognized option '--map-auto'
> 
> 
> This suggests once again that I should add an entry to /etc/subuid for
> my user. Yes?

Yes, that is correct. There are two problems:

 1) mmdebstrap chooses unshare mode even though your user doesn't have an entry
    in /etc/subuid and /etc/subgid (I can fix this)

 2) whatever method you use to create new users does not create these entries

> > Now the problem is twofold:
> >
> >  1) improve the check that mmdebstrap does to make sure that unshare
> >  mode works before automatically choosing it
> >
> >  2) figure out why the newuidmap call fails on your machine
> >
> > Figuring out 2) will produce a better solution for 1).
> >
> > As explained above, you can run "unshare --user --map-auto" to test this
> > issue without mmdebstrap in the loop. The unshare command will also run
> > newuidmap and should fail in the same way as when newuidmap is called by
> > mmdebstrap.
> >
> > If you don't mind installing or already have lxc installed, there is a bit
> > more sophisticated lxc-usernsexec command in the mmdebstrap man page that
> > you could also try because it also calls newuidmap and should fail in the
> > same way.
> 
> Tell me what specific experiments to run, and I'll run them.

I have a patch for you that should fix this problem in the sense that
mmdebstrap should not choose the unshare mode anymore. If you like, apply the
following to mmdebstrap from unstable:

https://mister-muffin.de/p/ZwXV.diff

Thanks!

cheers, josch
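Added example, not part of this mail and not mmdebstrap's own code: a small POSIX sh script that performs the check discussed above before unshare mode is chosen. It parses /etc/subuid and /etc/subgid for an entry keyed by the user's name or numeric uid, and only then runs the "unshare --user --map-auto" experiment from the thread as a live test. The function names has_subid_entry and unshare_mode_ok, and the minimum range size MIN_IDS=65536 (enough to map ids 0..65535 of a full chroot), are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not mmdebstrap's own code: check up front whether unshare
# mode can work for the current user, instead of finding out from a failed
# newuidmap call. Function names and MIN_IDS are this example's assumptions.

# A full chroot needs ids 0..65535 mapped, so at least 65536 subordinate ids
# are required (assumption; lower it if your use case needs fewer).
MIN_IDS=65536

# has_subid_entry FILE NAME UID
# Returns 0 when FILE, in /etc/subuid or /etc/subgid syntax ("name:start:count",
# where the first field may also be a numeric uid), holds an entry for NAME or
# UID with a count of at least MIN_IDS. Comments and blank lines are ignored.
has_subid_entry() {
    file=$1 name=$2 id=$3
    [ -r "$file" ] || return 1
    awk -F: -v name="$name" -v id="$id" -v min="$MIN_IDS" '
        NF == 0 || $1 ~ /^[ \t]*#/ { next }
        ($1 == name || $1 == id) && ($3 + 0) >= min { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# unshare_mode_ok [NAME] [UID]
# Both /etc/subuid and /etc/subgid are keyed by the calling user's name or uid,
# so the same NAME/UID pair is looked up in each file. If both pass, run the
# "unshare --user --map-auto" experiment from the mail as the live test: it
# calls newuidmap/newgidmap the same way mmdebstrap would.
unshare_mode_ok() {
    name=${1:-$(id -un)} uid=${2:-$(id -u)}
    has_subid_entry /etc/subuid "$name" "$uid" ||
        { echo "W: no usable entry in /etc/subuid for $name" >&2; return 1; }
    has_subid_entry /etc/subgid "$name" "$uid" ||
        { echo "W: no usable entry in /etc/subgid for $name" >&2; return 1; }
    unshare --user --map-auto true 2>/dev/null ||
        { echo "W: unshare --user --map-auto failed (old util-linux, or newuidmap/newgidmap not working)" >&2; return 1; }
    return 0
}

# Stand-alone use: sh check-unshare.sh --check
if [ "${1:-}" = "--check" ]; then
    if unshare_mode_ok; then
        echo "I: unshare mode should work"
    else
        echo "E: unshare mode will not work; pick another mmdebstrap mode or fix /etc/subuid and /etc/subgid"
        exit 1
    fi
fi
```

On the laptop from the thread this prints the subuid warning and exits non-zero without ever touching newuidmap; on the Ubuntu 20.04 server the file check passes only if a range for the user exists, and the final unshare call catches a util-linux too old to know --map-auto.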
