These files are installed as part of the shadow-utils package. Newer versions are not installed as setuid programs but using file capabilities. Without these capabilities, it won't be possible to configure an unprivileged user namespace inside of a container based on the Fedora image.
The current workaround is to reinstall the package: "dnf reinstall shadow-utils"
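A check for the condition described in the report above, as an added example that is not part of the original ticket or of shadow-utils: it decodes the `security.capability` xattr and reports whether each helper is setuid, carries the needed file capability, or has neither. The function names, the `/usr/bin/newgidmap` entry with `cap_setgid`, and the sample xattr bytes are assumptions or constructed values; the ticket itself only shows `/usr/bin/newuidmap = cap_setuid+ep`.

```python
import os
import stat
import struct

CAP_SETGID, CAP_SETUID = 6, 7  # capability numbers from linux/capability.h
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# Number of 32-bit (permitted, inheritable) pairs stored by each xattr revision.
PAIRS_BY_REVISION = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}
# Assumption: the newgidmap entry is not shown in the ticket, only newuidmap.
HELPERS = {"/usr/bin/newuidmap": CAP_SETUID, "/usr/bin/newgidmap": CAP_SETGID}
# Constructed sample: revision-2 xattr equivalent to "cap_setuid+ep".
SAMPLE_SETUID_EP = struct.pack("<5I", 0x02000001, 1 << CAP_SETUID, 0, 0, 0)


def decode_file_caps(raw):
    """Return (permitted_mask, effective_flag) from a security.capability xattr."""
    magic = int.from_bytes(raw[:4], "little")
    pairs = PAIRS_BY_REVISION.get(magic & 0xFF000000)
    if pairs is None or len(raw) < 4 + 8 * pairs:
        raise ValueError("unrecognised security.capability value")
    permitted = 0
    for i in range(pairs):  # low word at offset 4, high word at offset 12
        permitted |= struct.unpack_from("<I", raw, 4 + 8 * i)[0] << (32 * i)
    return permitted, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def classify_helper(mode, cap_xattr, needed_cap):
    """Return 'setuid', 'filecap' or 'unprivileged' for one helper binary."""
    if mode & stat.S_ISUID:  # older packaging; assumes the file is root-owned
        return "setuid"
    if cap_xattr:
        permitted, effective = decode_file_caps(cap_xattr)
        if effective and permitted & (1 << needed_cap):  # the "+ep" form
            return "filecap"
    return "unprivileged"  # the state of the affected image


def audit(root="/"):
    """Classify each helper under root, e.g. an unpacked image rootfs (Linux only)."""
    results = {}
    for path, cap in HELPERS.items():
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            results[path] = "missing"
            continue
        try:
            xattr = os.getxattr(full, "security.capability")
        except OSError:  # ENODATA: the xattr was never set or was dropped
            xattr = None
        results[path] = classify_helper(os.stat(full).st_mode, xattr, cap)
    return results
```

Running `audit()` inside the container, or `audit("/path/to/rootfs")` against an unpacked image, reports `unprivileged` for a helper in the state this ticket describes.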
I can reproduce, this is the image:
$ podman inspect fedora:29
[
    {
        "Id": "d7372e6c93c6c7b925600981b655c94829515a37cf876ff9e6d0287ff2b739d9",
        "Digest": "sha256:fd9495d446af9a5a6f97a7a575c5266ec54c1f5df5a9cf8e571ec4418659fc9b",
        "RepoTags": [
            "docker.io/library/fedora:29"
        ],
        "RepoDigests": [
            "docker.io/library/fedora@sha256:fd9495d446af9a5a6f97a7a575c5266ec54c1f5df5a9cf8e571ec4418659fc9b"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2019-02-19T22:22:01.743148613Z",
More dates:
"History": [
    {
        "created": "2019-01-16T21:21:55.569693599Z",
        "created_by": "/bin/sh -c #(nop) LABEL maintainer=Clement Verna <cverna@fedoraproject.org>",
        "empty_layer": true
    },
    {
        "created": "2019-01-16T21:24:29.77301892Z",
        "created_by": "/bin/sh -c #(nop) ENV DISTTAG=f29container FGC=f29 FBR=f29",
        "empty_layer": true
    },
    {
        "created": "2019-02-19T22:22:01.113967122Z",
        "created_by": "/bin/sh -c #(nop) ADD file:d90cbf2d94552fb4eb599ba59ef36399b626bd23da60944e75ac1cee6bb9c9a6 in / "
    },
    {
        "created": "2019-02-19T22:22:01.743148613Z",
        "created_by": "/bin/sh -c #(nop) CMD [\"/bin/bash\"]",
        "empty_layer": true
    }
]
The caps are indeed not present:
$ podman run --rm -ti fedora:29 bash
[root@c7e54f9f18a0 /]# getcap /usr/bin/newuidmap
[root@c7e54f9f18a0 /]# exit
My laptop:
$ getcap /usr/bin/newuidmap
/usr/bin/newuidmap = cap_setuid+ep
The image in our registry is even older:
"History": [
    {
        "created": "2019-01-09T06:48:29Z",
        "comment": "Created by Image Factory"
    }
]
Sadly, can't update it since registry seems to be down:
dial tcp: lookup registry.fedoproject.org on 10.38.5.26:53: no such host
Without digging into this I suspect this is something in the process where we extract a tarball from Anaconda in ImageFactory - xattrs aren't really standardized and those programs are Python, different from the golang in other parts of the ecosystem.
https://bugzilla.redhat.com/show_bug.cgi?id=1665043
This is fixed now
Metadata Update from @cverna: - Issue status updated to: Closed (was: Open)