First prepare some directories
$ mkdir ~/containers
$ mkdir ~/src
$ emacs ~/src/Dockerfile
$ cat ~/src/Dockerfile
FROM docker.io/ubuntu:focal
RUN groupadd -g 2000 robots
RUN useradd -m -g 2000 -s /bin/bash -u 7200720 bob
USER bob
Build the container image
$ podman \
run \
--privileged \
--rm \
--uidmap=0:0:10000 \
--uidmap=65534:10000:1 \
--uidmap=7200720:10001:1 \
-v ~/src:/src:Z \
-v ~/containers:/var/lib/containers:Z \
quay.io/buildah/stable buildah bud -t img1 /src
STEP 1/4: FROM docker.io/ubuntu:focal
STEP 2/4: RUN groupadd -g 2000 robots
STEP 3/4: RUN useradd -m -g 2000 -s /bin/bash -u 7200720 bob
STEP 4/4: USER bob
COMMIT
Getting image source signatures
Copying blob sha256:b40ed86654e59e1012e1716d5384910f8c3bb58274b7b00fca564a53e9897ba3
Copying blob sha256:aa3803b76948004897e15aa972c246f69c925a79f2e391d7bccf16be7ec1eb30
Copying config sha256:1030dd7b71bb0c678dcdbae83e26ae896ff661297a8cc8f5743e139f4dcd0a72
Writing manifest to image destination
Storing signatures
--> 1030dd7b71b
1030dd7b71bb0c678dcdbae83e26ae896ff661297a8cc8f5743e139f4dcd0a72
Test the container image
$ podman \
run \
--privileged \
--rm \
--uidmap=0:0:10000 \
--uidmap=65534:10000:1 \
--uidmap=7200720:10001:1 \
-v ~/containers:/var/lib/containers:Z \
quay.io/podman/stable \
bash -c "podman run --rm localhost/img1 \
bash -c 'echo hello > /home/bob/file1 \
&& id \
&& ls -l /home/bob/file1'"
uid=7200720(bob) gid=2000(robots) groups=2000(robots)
-rw-r--r--. 1 bob robots 4 Sep 3 10:38 /home/bob/file1
$
Explanation of the --uidmap options
--uidmap=0:0:10000
maps all of the smaller UIDs in the container image. The range size 10000 was chosen rather arbitrarily.
I noticed there are also a few users with a higher UID.
$ podman run --rm -ti docker.io/library/ubuntu:focal grep 65534 /etc/passwd
sync:x:4:65534:sync:/bin:/bin/sync
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
so I added an --uidmap for the UID 65534 too (--uidmap=65534:10000:1).
--uidmap=7200720:10001:1
maps the UID needed for the user bob.
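Added example, not part of the original post: a small POSIX sh helper that derives these --uidmap arguments from an image's /etc/passwd (one contiguous block for the small UIDs, one single-entry mapping per large UID) and checks that the result fits the rootless user's subordinate-UID allocation. The passwd content is a constructed sample, and the 65536 allocation size is an assumption; check your own /etc/subuid.

```shell
#!/bin/sh
# Added example, not from the original post. Derives the --uidmap arguments
# for a rootless run from the UIDs an image's /etc/passwd actually uses:
# one contiguous block for container UIDs below BASE_SIZE, then a single
# --uidmap entry for each larger UID, placed at the next free intermediate ID.

# Constructed sample /etc/passwd content: the focal users shown in the post plus bob.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
bob:x:7200720:2000::/home/bob:/bin/bash'

# uidmaps PASSWD_TEXT BASE_SIZE
# Prints one --uidmap=<container uid>:<intermediate uid>:<count> per line.
uidmaps() {
    printf '%s\n' "--uidmap=0:0:$2"
    printf '%s\n' "$1" \
        | awk -F: -v base="$2" '$3 + 0 >= base { print $3 + 0 }' \
        | sort -n -u \
        | awk -v next_id="$2" '{ printf "--uidmap=%d:%d:1\n", $1, next_id; next_id++ }'
}

# subuids_needed PASSWD_TEXT BASE_SIZE
# Intermediate ID 0 is the rootless user's own UID; every other intermediate
# ID is taken from that user's /etc/subuid range, so subtract one.
subuids_needed() {
    uidmaps "$1" "$2" | awk -F: '{ n += $NF } END { print n - 1 }'
}

# fits_subuid_allocation PASSWD_TEXT BASE_SIZE ALLOCATED
# Succeeds when the mapping fits the subordinate UID count granted in /etc/subuid
# (65536 is a common default; assumption here, so check your own file).
fits_subuid_allocation() {
    [ "$(subuids_needed "$1" "$2")" -le "$3" ]
}

# Example run with the post's range size of 10000: prints the three flags
# used in the podman commands above.
uidmaps "$SAMPLE_PASSWD" 10000
```

Raising BASE_SIZE above the allocation (for example 70000 against 65536 subuids) makes fits_subuid_allocation fail, which is the case where podman would refuse the mapping.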
Reduce the size of the container image
By adding the useradd option --no-log-init, it's possible to reduce the size of the container image from 2.41 GB to 75.2 MB. (I didn't use that option in the examples above).
See also
https://github.com/containers/podman/blob/main/troubleshooting.md#6-build-hangs-when-the-dockerfile-contains-the-useradd-command