github.com/rootless-containers/rootlesskit/v2@v2.3.4/docs/subid.md

github.com/rootless-containers/rootlesskit/v2@v2.3.4/docs/subid.md (about)

     1  # subid sources
     2  
     3  The subid sources can be specified via the `--subid-source=(auto|dynamic|static)` flag.
     4  
     5  The `auto` source is the default since RootlessKit v1.1.0.
     6  Prior to v1.1.0, only the `static` source was supported.
     7  
     8  ## Auto
     9  The `auto` source (`--subid-source=auto`) tries the `dynamic` source and fall backs to the `static` source on an error.
    10  
    11  ## Dynamic
    12  The `dynamic` source (`--subid-source=dynamic`) executes the `/usr/bin/getsubids` binary to get the subids.
    13  
    14  The `getsubids` binary is known to be available for the following distributions:
    15  - Fedora, since 35 (`dnf install shadow-utils-subid`)
    16  - Alpine, since 3.16 (`apkg install shadow-subids`)
    17  - Ubuntu, since 22.10 (`apt-get install uidmap`)
    18  
    19  The `getsubids` binary typically reads subids from `/etc/subuid` and `/etc/subgid` as in the static mode,
    20  but it can be also configured to use SSSD by specifying `subid: sss` in `/etc/nsswitch.conf`.
    21  
    22  See also https://manpages.debian.org/testing/uidmap/getsubids.1.en.html .
    23  
    24  ## Static
    25  The `static` source (`--subid-source=static`) reads subids from `/etc/subuid` and `/etc/subgid`.
    26  
    27  `/etc/subuid` and `/etc/subgid` should contain more than 65536 sub-IDs. e.g. `penguin:231072:65536`. These files are automatically configured on most distributions.
    28  
    29  ```console
    30  $ id -u
    31  1001
    32  $ whoami
    33  penguin
    34  $ grep "^$(whoami):" /etc/subuid
    35  penguin:231072:65536
    36  $ grep "^$(whoami):" /etc/subgid
    37  penguin:231072:65536
    38  ```
    39  
    40  See also https://rootlesscontaine.rs/getting-started/common/subuid/