mhjacks commented on June 30, 2024

Awesome! I'm glad that fixed it for you.

The current dance with shadow-utils and subids is the gnarly thing I referred to before. I've long been a fan of IPA, and I was really excited when they decided they would start providing subid support in it. But quite a lot of userland utilities assume that the only way that can be implemented is through /etc/sub{g,u}id files. I've spent a lot of my "spare" time in software development trying to help patch that kind of thing out.

Unfortunately, some of the "normal" benefits of nss* utilities are not available with subids, for reasons that I don't fully understand (libc internals?). This makes it (as I understand) currently impossible to "switch" subid providers - it either must be files or it must be sss.

It gets a little sticky to start parsing the host files, and there may come a point at which some of this stuff isn't as...icky...as it is right now.

FWIW, we are working upstream on better solutions in shadow-utils. Progress is not as rapid on all fronts as one might wish for, though.

praiskup commented on June 30, 2024

Thank you for the report. Is this related to https://bugzilla.redhat.com/show_bug.cgi?id=2242018 ?
If yes, please consider using the use_host_shadow_utils contributed by @mhjacks in #1283.

yrro commented on June 30, 2024

It seems like it might be related, but after setting use_host_shadow_utils to True in /etc/mock/site-defaults.cfg the userdel command still fails with the same message (userdel: cannot remove entry 1673000001 from /var/lib/mock/rhel-8-x86_64/root//etc/subuid) which causes the subsequent groupdel and groupadd commands to fail.

Full output of mock -v -r rhel-8-x86_64 --shell:

mock-shell-with-host-shadow-utils-2.txt

mhjacks commented on June 30, 2024

What do your root/etc/sub{u,g}id files have (inside the mock chroot)?

yrro commented on June 30, 2024

They're both empty:

$ ls -l /var/lib/mock/rhel-8-x86_64/root/etc/sub*
-rw-r--r--. 1 root root 0 Sep 10  2018 /var/lib/mock/rhel-8-x86_64/root/etc/subgid
-rw-r--r--. 1 root root 0 Sep 10  2018 /var/lib/mock/rhel-8-x86_64/root/etc/subuid

mhjacks commented on June 30, 2024

Thanks for the further clarification.

I ran into something very much like your initial reporting of the case that led to me contributing the feature Pavel referenced. (It's the groupadd mock call failing). What's not clear here (to me at least) is why userdel is looking for a 1673000001 entry at all in the chroot. I was thinking one might have snuck into the sub* files somehow.

Now, to be clear, on my IPA-joined systems that I run mock on, I have this in /etc/mock/site-defaults.cfg:

config_opts['use_host_shadow_utils'] = False

If you have that, the other thing I might check would be root/etc/nsswitch.conf, to see if the subid: line snuck in there.

It might also matter that I do my builds via sudo mock .... I also have not used mock to build RHEL-8 packages, though I have used my config to build other EL8 packages, so I wouldn't think it's a problem with software versions in the chroot.

There's a gnarly history of subids and shadow-utils, but the whole point of this feature is to make it so you can use them with mock.

yrro commented on June 30, 2024

Aha! I just realised that I was supposed to set use_host_shadow_utils to False. And now I see you've just added a comment saying the same thing. :)

Having configured that, mock --shell works so I think that fixes my problem, thanks!

It might be worth adding some logic to try to detect a 'broken' or at least undesirable host configuration, for instance if subid in /etc/nsswitch.conf is present and set to anything other than files, and display a warning message pointing the user to the use_host_shadow_utils setting.


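The host-configuration check suggested in the comment above, as an added Python example that is not part of the thread and not mock's own code. The function names `subid_sources` and `host_subid_warning` are hypothetical, and the nsswitch.conf samples are constructed.

```python
import re

def subid_sources(nsswitch_text):
    """Return the sources listed on the 'subid:' line, or [] if there is none."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        database, sep, rest = line.partition(":")
        if sep and database.strip() == "subid":
            # Ignore action items such as [NOTFOUND=return].
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def host_subid_warning(nsswitch_text, use_host_shadow_utils):
    """Hypothetical helper: warning text for the combination reported
    in this thread, or None when nothing needs flagging."""
    other = [s for s in subid_sources(nsswitch_text) if s != "files"]
    if other and use_host_shadow_utils:
        return ("host nsswitch.conf has 'subid: %s'; subordinate ID ranges "
                "do not come from /etc/subuid and /etc/subgid, so consider "
                "config_opts['use_host_shadow_utils'] = False in "
                "/etc/mock/site-defaults.cfg" % " ".join(other))
    return None

# Constructed samples, not taken from any real host.
IPA_HOST = "passwd: files sss\ngroup: files sss\nsubid: sss  # FreeIPA ranges\n"
PLAIN_HOST = "passwd: files\n# subid: sss\nsubid: files\n"

if __name__ == "__main__":
    for name, text in (("ipa", IPA_HOST), ("plain", PLAIN_HOST)):
        print(name, host_subid_warning(text, use_host_shadow_utils=True))
```

The same `subid_sources` call can be pointed at the chroot's `root/etc/nsswitch.conf` to see whether a `subid:` line ended up there.
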
yrro commented on June 30, 2024

> What's not clear here (to me at least) is why userdel is looking for a 1673000001 entry at all in the chroot

I guess userdel uses libsubid to find out what entries my user has, which returns the values from FreeIPA. userdel then tries to remove those entries from /etc/subuid and /etc/subgid.

Maybe userdel shouldn't fail if the entry it wants to remove from /etc/subuid or /etc/subgid is not present... or maybe there needs to be a way for userdel to find out from libsubid that the range it looked up isn't from those files, so therefore userdel shouldn't even try to remove the range from those files...
