I’m trying to set up our server (which uses Kerberos for user login) to be able to use docker in rootless mode. But trying to run the dockerd-rootless-setuptool.sh script gives no output and does nothing.
I tracked it down, and it fails at the lines
# Excerpt from dockerd-rootless-setuptool.sh; USERNAME and USERNAME_ESCAPED are set earlier in the script
if command -v "getsubids" > /dev/null 2>&1; then
    # Newer shadow-utils: ask getsubids for the user's subordinate IDs, by name or by numeric UID
    getsubids "$USERNAME" > /dev/null 2>&1 || getsubids "$(id -u)" > /dev/null 2>&1
else
    # Fallback: look for a line keyed by the username or the numeric UID in /etc/subuid
    grep -q "^$USERNAME_ESCAPED:\|^$(id -u):" /etc/subuid 2> /dev/null
fi
I’m assuming this is because /etc/subuid is essentially empty (there is just a single local user in there).
So how do I set up rootless mode for users who are logged in via Kerberos?
If the subuid file is wrong, you need to correct it.
/etc/subuid and /etc/subgid should contain at least 65,536 subordinate UIDs/GIDs for the user. In the following example, the user testuser has 65,536 subordinate UIDs/GIDs (231072-296607).
The syntax is:
username:<FIRST_UID>:<NUMBER_OF_IDS>
And <FIRST_UID> will be the ID of the container’s root user on the host.
But I never tried rootless docker with kerberos, so if it is not supported, I’m not aware of it.
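An added check (not part of this thread and not Docker's own tooling) that applies the rule above to a file in /etc/subuid format: it reads the entry for a user, computes the range, and fails if the entry is missing or grants fewer than 65,536 IDs. The sample file and the user names in it are constructed.

```shell
#!/bin/sh
# Added example: validate that a user has a usable subordinate-ID entry in a
# subuid/subgid-format file, as rootless Docker requires.
# Usage: check_subids <file> <username-or-uid>
# Returns 0 and prints the range if the entry grants >= 65536 IDs,
# 1 if no entry exists, 2 if the entry is too small.
check_subids() {
    file="$1"
    who="$2"
    # Entries may be keyed by username or by numeric UID; take the first match
    entry=$(awk -F: -v u="$who" '$1 == u { print; exit }' "$file" 2>/dev/null)
    if [ -z "$entry" ]; then
        echo "no subordinate ID entry for '$who' in $file" >&2
        return 1
    fi
    first=$(printf '%s\n' "$entry" | cut -d: -f2)
    count=$(printf '%s\n' "$entry" | cut -d: -f3)
    last=$((first + count - 1))
    if [ "$count" -lt 65536 ]; then
        echo "entry for '$who' grants only $count IDs ($first-$last); need >= 65536" >&2
        return 2
    fi
    echo "$who: $count IDs, range $first-$last (container root maps to host UID $first)"
    return 0
}

# Constructed sample standing in for /etc/subuid: one full-size entry,
# one entry that is too small, and no entry at all for the user "kuser".
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
testuser:231072:65536
smalluser:300000:1000
EOF

check_subids "$SAMPLE" testuser
check_subids "$SAMPLE" smalluser || echo "exit status $?"
check_subids "$SAMPLE" kuser || echo "exit status $?"
rm -f "$SAMPLE"
```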
I tried adding the corresponding line by hand to /etc/subuid and /etc/subgid, but that does not help. I checked with a script and it turns out that the “rootlesskit” command fails (with an error newuidmap: write to uid_map failed: Invalid argument).
Based on the information I found it doesn’t seem possible to run rootlesskit with Active Directory/Kerberos.