Bug 1212118

Summary: [crun] "run.oci.keep_original_groups=1" causes "cannot find name for group ID" error
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Grabben D <grabbend>
Component: Containers
Assignee: Containers Team <containers-bugowner>
Status: NEW ---
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
Version: Current
Target Milestone: ---
Hardware: All
OS: All
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Grabben D 2023-06-07 20:43:47 UTC

Podman's `--group-add keep-groups` flag (`run.oci.keep_original_groups=1`) is useful for inheriting $USER's groups inside the container (see https://www.redhat.com/sysadmin/files-devices-podman). This feature requires the `crun` runtime instead of `runc`, and it works as expected with Tumbleweed when accessing files. However, since the inherited groups don't actually exist in the container, they're mapped to `nobody` in Fedora, while Tumbleweed throws this error:

> $ podman run --group-add keep-groups fedora groups
> root nobody
> 
> $ podman run --group-add keep-groups tumbleweed groups
> root 65534
> groups: cannot find name for group ID 65534

I'm not sure if this behavior is designed this way or if we can improve it somehow :)

Reproducible: Always

Steps to Reproduce:
1. $ zypper install crun podman
2. $ podman run --group-add keep-groups tumbleweed groups
Actual Results:  
root nobody

Expected Results:  
root 65534
groups: cannot find name for group ID 65534

N/A
Comment 1 Grabben D 2023-06-07 20:45:33 UTC
(FYI: mixed up Actual Results with Expected Results)
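
Added example (not part of the bug report and not code from podman, crun or either image): a small shell check for the condition behind the two outputs above, namely whether each GID the process holds has an entry in the container's group file. The function names and the sample group files are constructed for illustration; the files are not copied from the Fedora or Tumbleweed images.

```shell
#!/bin/sh
# unnamed_gids GROUP_FILE GID...
#   Prints every GID that has no entry in GROUP_FILE (name:passwd:gid:members).
#   A GID printed here is one that `groups` cannot turn into a name.
unnamed_gids() {
    group_file=$1
    shift
    for gid in "$@"; do
        case $gid in
            ''|*[!0-9]*) continue ;;   # ignore anything that is not a plain number
        esac
        # Field 3 of each group line is the numeric GID.
        if ! awk -F: -v g="$gid" '$3 == g { found = 1 } END { exit !found }' "$group_file"; then
            printf '%s\n' "$gid"
        fi
    done
}

# overflow_gid: the GID the kernel reports for IDs that have no mapping in the
# current user namespace (65534 unless the sysctl was changed).
overflow_gid() {
    cat /proc/sys/kernel/overflowgid 2>/dev/null || echo 65534
}

# Demo on constructed group files (assumption: one has a 65534 entry, one does not).
demo() {
    dir=$(mktemp -d)
    o=$(overflow_gid)
    printf 'root:x:0:\nnobody:x:65534:\n' > "$dir/with_entry"
    printf 'root:x:0:\nusers:x:100:\n'    > "$dir/without_entry"
    echo "overflow GID:            $o"
    echo "unnamed (with entry):    $(unnamed_gids "$dir/with_entry" 0 "$o" | tr '\n' ' ')"
    echo "unnamed (without entry): $(unnamed_gids "$dir/without_entry" 0 "$o" | tr '\n' ' ')"
    rm -rf "$dir"
}

# Inside a running container, check the live process instead:
#   unnamed_gids /etc/group $(id -G)
demo
```

The check reads the group file directly, so it does not see groups supplied by other NSS sources.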