fail to start on openshift

[shakenfr]

hello, I try dind-rootless because I have openshift security contains

the result is fail 👍
last log file is

Signature ok
subject=CN = docker:dind client

Getting CA Private Key
/certs/client/cert.pem: OK
find: /run/secrets/rhsm: Permission denied
error: attempting to run rootless dockerd but missing necessary entries in /etc/subuid and/or /etc/subgid for 1000690000

Any idea ?

regards
bruno

[wglambert]

OpenShift runs as a random non-root UID https://cookbook.openshift.org/users-and-role-based-access-control/why-do-my-applications-run-as-a-random-user-id.html

For Debian based Docker images nss_wrapper can be used to "fake" /etc/passwd contents, see docker-library/postgres#448 docker-library/postgres#359

But the Docker-in-Docker container images are exclusively Alpine Linux which doesn't have the nss_wrapper package https://gitlab.alpinelinux.org/alpine/aports/-/issues/6710

[yosifkit]

I don't think an /etc/passwd entry is necessary, but when running as a random user, entries in /etc/subuid and /etc/subgid are necessary for the user (by ID or name).

Also note that --privileged is still necessary for rootless dind.

[wglambert]

Because you're getting errors about /etc/subuid and /etc/subgid I think this is Podman-specific. I came cross this blogpost that goes into some nuance about how Podman does user mappings and those files https://www.redhat.com/en/blog/understanding-root-inside-and-outside-container

The /etc/subuid file is what’s used to map the user inside the container to a user outside of the container, but the user must be defined in the container image or Podman can’t start the container: