Use getsubids tool for subid validation if possible

[stevapple]

- What I did
Use getsubids tool instead of parsing /etc/subuid and /etc/subgid for subid ownership validation.

- How I did it
getsubids tool is includes within uidmap package that is required for running rootless Docker. It supports NSS module in addition to /etc/subuid and /etc/subgid files. As the latter is a default, existing users that pass the test shouldn't be affected.

- How to verify it
Use an NSS-based or traditional file-based subid backend and run dockerd-rootless-setuptools.sh install. It would no longer fail for the NSS case.

- Description for the changelog

Fix rootless Docker setup with `subid` backed by NSS modules

- A picture of a cute animal (not mandatory but encouraged)

[stevapple]

@AkihiroSuda I would like to hear your point about the change? 👀 If you have time)

[stevapple]

@AkihiroSuda Can you provide any insight on the CI failure? I feel like it was some random network issue that is unrelated to the PR.

[thaJeztah]

I restarted CI; I suspect it may have been an issue on GitHub's side (either rate limiting, or some temporary outage of their caching service)

[stevapple]

@thaJeztah Thanks for the help! Do you think there's anything left to make this merged?

[stevapple]

Ping for review/merge……?

[thaJeztah]

Left some suggestions (not blocking, really nits)

I'm slightly wondering now though;

It supports NSS module in addition to /etc/subuid and /etc/subgid files. As the latter is a default, existing users that pass the test shouldn't be affected.

So this PR introduces a utility to read the existing mappings, but our instructions still use manual modifying / creating /etc/subuid and /etc/subgid;

# Add subuid entry for ${USERNAME}
echo "${USERNAME}:100000:65536" >> /etc/subuid

And now I wonder if that's correct - would that mean we'd be mixing/mashing different ways to configure this? Should the instructions also use the same (e.g. usermod --add-subuids)?

However, I know that the daemon code itself does not use those, as it unconditionally looks for /etc/subuid and /etc/subgid to parse;

moby/pkg/idtools/idtools.go

Lines 31 to 34 in a72026a

	const (
	subuidFileName = "/etc/subuid"
	subgidFileName = "/etc/subgid"
	)

Not sure if that's relevant to this situation, but wondering if there's s potentially other cases where those mappings are defined through other ways than those files (i.e., getsubids is aware of existing mapping not handled through those files, but dockerd is not)?

@AkihiroSuda any ideas?

[thaJeztah]

This would be really a nit, but wondering if it's clearer to swap the condition; i.e., "if getsubids is available , then we use it, otherwise we fall back to parsing it ourselves manually with grep"

i.e. (not tested);

# instructions: validate subuid for current user
if command -v "getsubids" > /dev/null 2>&1; then
	getsubids "$USERNAME" > /dev/null 2>&1 || getsubids "$(id -u)" > /dev/null 2>&1
else
	grep -q "^$USERNAME_ESCAPED:\|^$(id -u):" /etc/subuid 2> /dev/null
fi

[thaJeztah]

Same here;

# instructions: validate subgid for current user
if command -v "getsubids" > /dev/null 2>&1; then
	getsubids -g "$USERNAME" > /dev/null 2>&1 || getsubids -g "$(id -u)" > /dev/null 2>&1
else
	grep -q "^$USERNAME_ESCAPED:\|^$(id -u):" /etc/subgid 2> /dev/null
fi

[AkihiroSuda]

pkg/idtools

This is for userns-remap, not for rootless

[thaJeztah]

Oh! You're right; I guess I was wondering if any of that code would still be using these in rootless, but I guess not

[thaJeztah]

Or; more to the point; wondering if for userns mode it should be aware of other ways to configure these besides those files, but I guess that would be a separate "enhancement" to make?

[thaJeztah]

Did a quick rebase to get a fresh run of CI, and applied my suggestions from #49036 (comment)

[thaJeztah]

Thanks for review, and sorry for the delay

let me add my LGTM as well; we can merge once CI finishes 🎉