Fix: Rootless Podman-in-Podman on WSL

closes: #27411

Adjust SUB_UID and SUB_GID ranges to support running rootless Podman inside a rootless run Podman container.
Also add a test to verify the change and prevent regression.

By default, a new user is assigned the following sub-ID ranges:
  SUB_UID_MIN=100000, SUB_GID_MIN=100000, SUB_UID_COUNT=65536, SUB_GID_COUNT=65536
This means the user’s sub-UID and sub-GID ranges are 100000–165535.

When the container is run rootless with the user defined below, ID mappings occur as follows:
- Container ID 0 (root) maps to user ID 1000 on the host (which is the user created below).
- Container IDs 1–65536 map to IDs 100000–165535 on host (the subid range previously mentioned).

If a new user is created inside this container (to build containers for example), it will
attempt to use the default sub-ID range (100000–165535). However, this exceeds the container’s
available ID mapping, since only IDs up to 65536 are mapped. This causes nested rootless Podman
to fail.

To enable container-in-container builds, the sub-ID ranges for the user must be large enough
to provide at least 65536 usable IDs. A minimum SUB_UID_COUNT and SUB_GID_COUNT of 165536 is
required, but 1,000,000 is used here to provide additional margin.

1,000,000 matches the subid range other machines are using, defined in [ignition.go](https://github.com/containers/podman/blob/69b397af49acd595b8d5b36971988d49951c043a/pkg/machine/ignition/ignition.go#L284-L289).
The script of other machines modify the subid files directly for 1 user, the `sed` command used in
this fix mimics that.

The test is added as en extension to the 'simple init with username' test case, to prevent having
to create a new VM.

Signed-off-by: dvorst <[email protected]>

Author: dvorst

pkg/machine/e2e/init_test.go

@@ -257,6 +257,30 @@ var _ = Describe("podman machine init", func() {
 		Expect(err).ToNot(HaveOccurred())
 		Expect(sshSession).To(Exit(0))
 		Expect(sshSession.outputToString()).To(ContainSubstring("yes"))
+
+		/* Validate that subid count is sufficiently large.
+		 * The subid and subgid files contain a line for each user with subid start and count,
+		 * separated by a double colon, for example: 'user:100000:65536'. Only the count is of
+		 * interest here, it should be sufficiently large to accommodate nested namespaces which is
+		 * required to run rootless Podman in Podman. The check assumes there is only 1 user.
+		 */
+		count_min := 1000000
+		for _, file := range []string{"/etc/subuid", "/etc/subgid"} {
+			cmd := fmt.Sprintf(`awk -F: 'NR==1 {print $NF}' %s`, file)
+			sshSession, err := mb.setName(mb.name).setCmd(ssh.withSSHCommand([]string{cmd})).run()
+			Expect(err).ToNot(HaveOccurred())
+			Expect(sshSession).To(Exit(0))
+
+			subid_count_str := sshSession.outputToString()
+			Expect(subid_count_str).ToNot(BeEmpty(), "No subid count found in %s", file)
+
+			subid_count, err := strconv.Atoi(subid_count_str)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(subid_count).To(BeNumerically(">=", count_min),
+				"Expected subid count %d to be >= %d in %s",
+				subid_count, count_min, file,
+			)
+		}
 	})
 
 	It("machine init with cpus, disk size, memory, timezone", func() {

pkg/machine/wsl/declares.go

@@ -34,6 +34,8 @@ ln -fs /dev/null /etc/systemd/system/systemd-oomd.socket
 mkdir -p /etc/systemd/system/systemd-sysusers.service.d/
 echo CREATE_MAIL_SPOOL=no >> /etc/default/useradd
 adduser -m [USER] -G wheel
+sed -ir 's/65536/1000000/' /etc/subuid
+sed -ir 's/65536/1000000/' /etc/subgid
 mkdir -p /home/[USER]/.config/systemd/[USER]/
 chown [USER]:[USER] /home/[USER]/.config
 `