linux-announce AT lists.psi.ch
Subject: Linux Mailing List
- From: "Konrad Bucheli (PSI)" <konrad.bucheli AT psi.ch>
- To: linux-announce AT lists.psi.ch
- Subject: [Linux-announce] subuid/subgid management (e.g. for Podman)
- Date: Mon, 17 Nov 2025 17:24:37 +0100
Dear Linux Admins
Read on if you ever had to deal with /etc/subuid, else just be assured that podman will soon (~10 days) work out of the box.
Maybe you remember we introduced some time ago a central database API where you could register your users and would get the respective entry in /etc/subuid and /etc/subgid which then would be reserved PSI wide for 2 years.
Now we would like to introduce a new tool subid-registrator[1] which will automatically manage /etc/subuid and /etc/subgid by adding all interactive users and, configurable, other required users. As this is very handy and allows an "out-of-the-box working" experience with rootless podman containers, we want to enable this everywhere on the Puppet managed RHEL systems (except RHEL7) by default.
If you currently manage your subids in another way, you should act. You can opt out and disable this feature in Hiera with
aaa::subid::automatic: false
else your /etc/subuid and /etc/subgid will then be overwritten with what the tool thinks is right.
If you already used the central database API, e.g. with curl, then you ideally configure these users in Hiera:
aaa::subid:
- 'svcusr-lx_test'
- 'lx_test'
Note that this feature of registering a static user list is already implemented and rolled out in prod.
The subid-registrator feature is planned to be put into preprod Tue 18.11.2025 afternoon and shall reach prod a week later on Tue 25.11.2025.
If you want to test it now, please run as user root
puppet agent -t --environment automatic_subid_registration
and if that fails after tomorrow afternoon
puppet agent -t --environment preprod
For the full documentation please check out [2].
Feel free to speak up if you have questions or concerns.
[1] https://gitea.psi.ch/linux/subid-registrator
[2] https://linux.psi.ch/documentation/admin-guide/container.html#subuids-and-subgids
Kind regards
Konrad
--
Paul Scherrer Institut
Konrad Bucheli
Linux Systems Engineer
Core Linux Research Services
Science IT Infrastructure and Services department (AWI)
OBBA/230
Forschungstrasse 111
5232 Villigen PSI
Switzerland
Phone: +41 56 310 27 24
konrad.bucheli AT psi.ch
www.psi.ch
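
Added example, not part of the original message and not code from subid-registrator: a small Python audit you can run against the current /etc/subuid or /etc/subgid before the automatic management overwrites it. It flags malformed lines, ranges of different users that overlap (which would let one user's rootless containers map onto another user's IDs), and users from your intended Hiera list that have no entry yet. The `owner:start:count` format is that of subuid(5); the sample ranges and the user `alice` are constructed, and the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Audit a subuid/subgid file: malformed lines, overlapping ranges, missing users."""
import sys
from typing import NamedTuple

class SubidRange(NamedTuple):
    owner: str
    start: int
    count: int

# Constructed sample: user names from the Hiera example above, ranges invented.
SAMPLE = """\
svcusr-lx_test:100000:65536
lx_test:165536:65536
alice:200000:65536
broken-line:abc
"""

def parse_subid(text):
    """Parse 'owner:start:count' lines (subuid(5)); return (ranges, bad_lines)."""
    ranges, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split(":")
        if fields == [""]:
            continue  # blank line
        if (len(fields) != 3 or not fields[0] or not fields[1].isdecimal()
                or not fields[2].isdecimal() or int(fields[2]) == 0):
            bad.append((lineno, line.strip()))
            continue
        ranges.append(SubidRange(fields[0], int(fields[1]), int(fields[2])))
    return ranges, bad

def find_overlaps(ranges):
    """Pairs of ranges with different owners that share at least one ID."""
    ordered = sorted(ranges, key=lambda r: r.start)
    hits = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start >= a.start + a.count:
                break  # sorted by start: nothing later can reach into a
            if a.owner != b.owner:
                hits.append((a, b))
    return hits

def missing_owners(ranges, wanted):
    """Users from `wanted` (e.g. your Hiera list) that have no entry."""
    return sorted(set(wanted) - {r.owner for r in ranges})

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/subuid"
    ranges, bad = parse_subid(open(path).read())
    for lineno, line in bad:
        print(f"{path}:{lineno}: malformed: {line}")
    for a, b in find_overlaps(ranges):
        print(f"{path}: overlap: {a.owner} {a.start}+{a.count} / {b.owner} {b.start}+{b.count}")
```

Run it once with `/etc/subuid` and once with `/etc/subgid` as the argument, and keep a copy of both files if you want to compare them after the Puppet run.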