The error
$ podman pull docker.io/library/postgres:14
Error: writing blob: adding layer with blob "sha256:2d429b9e73a6cf90a5bb85105c8118b30a1b2deedeae3ea9587055ffcb80eb45": Error processing tar file(exit status 1):
potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/gshadow):
Check /etc/subuid and /etc/subgid: lchown /etc/gshadow: invalid argument
The podman configuration (shortened - only relevant parts):
$ podman info
idMappings:
gidmap:
- container_id: 0
host_id: 1691400513
size: 1
uidmap:
- container_id: 0
host_id: 1691408836
size: 1
About remapping and subordinate user and group IDs:
- Taken from
docker:- https://docs.docker.com/engine/security/userns-remap/
- Handled by two files:
/etc/subuidand/etc/subgid.
$ cat /etc/subuid
linuxadministrator:100000:65536
$ cat /etc/subgid
linuxadministrator:100000:65536
This is a corporate laptop and it came pre-configured that way.
linuxadministratoris an admin user.- My user is
user(in this example) and is configured by Active Directory as far as I know.- This user has a strangely high ID:
bash $ id -u 1691408836 - Note: I can only guess that
user's ID is related to whatpodman infodisplays forhost_idafter the first call - see above.
- This user has a strangely high ID:
The point is, user is missing in /etc/subuid and /etc/subgid.
The solution
usermodcan directly interact with/etc/subuidand/etc/subgid.
$ sudo usermod --add-subuids 200000-265536 --add-subgids 200000-265536 $(whoami)
$ cat /etc/subuid
linuxadministrator:100000:65536
user:200000:65537
$ cat /etc/subgid
linuxadministrator:100000:65536
user:200000:65537
Make podman aware of the changes:
$ podman system reset
$ podman info
idMappings:
gidmap:
- container_id: 0
host_id: 1691400513
size: 1
- container_id: 1
host_id: 200000
size: 65537
uidmap:
- container_id: 0
host_id: 1691408836
size: 1
- container_id: 1
host_id: 200000
size: 65537
Now the podman command works:
$ podman pull docker.io/library/postgres:14