podman - pull

potentially insufficient UIDs or GIDs available in user namespace

December 12, 2024

The error

$ podman pull docker.io/library/postgres:14
Error: writing blob: adding layer with blob "sha256:2d429b9e73a6cf90a5bb85105c8118b30a1b2deedeae3ea9587055ffcb80eb45": Error processing tar file(exit status 1):
potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/gshadow):
Check /etc/subuid and /etc/subgid: lchown /etc/gshadow: invalid argument

The podman configuration (shortened - only relevant parts):

$ podman info

idMappings:
    gidmap:
    - container_id: 0
      host_id: 1691400513
      size: 1
    uidmap:
    - container_id: 0
      host_id: 1691408836
      size: 1

About remapping and subordinate user and group IDs:

Taken from docker:
- https://docs.docker.com/engine/security/userns-remap/
Handled by two files: /etc/subuid and /etc/subgid.

$ cat /etc/subuid
linuxadministrator:100000:65536
$ cat /etc/subgid
linuxadministrator:100000:65536

This is a corporate laptop and it came pre-configured that way.

linuxadministrator is an admin user.
My user is user (in this example) and is configured by Active Directory as far as I know.
- This user has a strangely high ID: bash $ id -u 1691408836
- Note: I can only guess that user's ID is related to what podman info displays for host_id after the first call - see above.

The point is, user is missing in /etc/subuid and /etc/subgid.

The solution

usermod can directly interact with /etc/subuid and /etc/subgid.

$ sudo usermod --add-subuids 200000-265536 --add-subgids 200000-265536 $(whoami)

$ cat /etc/subuid
linuxadministrator:100000:65536
user:200000:65537
$ cat /etc/subgid
linuxadministrator:100000:65536
user:200000:65537

Make podman aware of the changes:

$ podman system reset
$ podman info

idMappings:
    gidmap:
    - container_id: 0
      host_id: 1691400513
      size: 1
    - container_id: 1
      host_id: 200000
      size: 65537
    uidmap:
    - container_id: 0
      host_id: 1691408836
      size: 1
    - container_id: 1
      host_id: 200000
      size: 65537

Now the podman command works:

$ podman pull docker.io/library/postgres:14