Newuidmap / Newgidmap binary disadvantageous?

We also have the known warnings in the log:

newuidmap binary is missing
newgidmap binary is missing

After googling, I found some replies saying that if they exist, they are used, and that they are purposefully not included so the setup is more compatible with more distros.

If I got this right, it would be disadvantageous to install these binaries, because then they are used and Incus might be less compatible with our distro?

If that is the case and I understood everything correctly, can we silence this warning?

If your distro doesn’t ship them, then yeah, no real need to install them.

Basically, what those two binaries do is enforce the uid/gid delegations set out in /etc/subuid and /etc/subgid. This mechanism was designed to have multiple container managers, even fully unprivileged ones, be able to run on the same system and not step on each other’s feet or accidentally use user-owned uids/gids for their own containers.

When that mechanism isn’t configured, then unprivileged users can’t access additional uids/gids and container managers running as root (like Incus or LXC running as root) can use anything they want on the system.
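The delegation check described in the reply above, sketched as an added example (not part of the original thread and not Incus, LXC or shadow code). It assumes the `name:first_id:count` line format of /etc/subuid and /etc/subgid, uses constructed sample entries, and models only the range check, not everything the real binaries do.

```python
from typing import NamedTuple

# Constructed sample in /etc/subuid format (name:first_id:count); not from a real host.
SAMPLE_SUBUID = """\
# constructed sample
alice:100000:65536
bob:165536:65536
root:1000000:1000000000
carol:150000:1000
"""

class Delegation(NamedTuple):
    owner: str
    start: int
    count: int

    @property
    def end(self) -> int:
        """Exclusive upper bound of the delegated range."""
        return self.start + self.count

def parse_subid(text: str) -> list[Delegation]:
    """Parse subuid/subgid content, skipping blanks, comments and malformed lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not parts[1].isdigit() or not parts[2].isdigit():
            continue
        out.append(Delegation(parts[0], int(parts[1]), int(parts[2])))
    return out

def is_delegated(delegs, owner: str, host_start: int, count: int) -> bool:
    """True if [host_start, host_start+count) lies inside one range delegated to owner."""
    return any(d.owner == owner and d.start <= host_start
               and host_start + count <= d.end for d in delegs)

def overlaps(delegs):
    """Pairs of delegations for different owners whose ranges intersect."""
    s = sorted(delegs, key=lambda d: d.start)
    return [(a, b) for i, a in enumerate(s) for b in s[i + 1:]
            if b.start < a.end and a.owner != b.owner]
```

Running `overlaps(parse_subid(open("/etc/subuid").read()))` on a host lists delegations that would let two users' containers share host uids.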

Thank you for the detailed explanation, that makes a lot of sense!

Can we silence the warning so the log stays clean for real warnings?

I’ve sent “Reduce logging for newuidmap/newgidmap” (Pull Request #4463, lxc/lxc on GitHub) to have those be moved to INFO where they make more sense I think.

That’s great, thank you very much!