Subordinate IDs
Manage subordinate UID and GID ranges for user namespaces in containers. Subordinate IDs enable unprivileged container usage by providing non-overlapping UID/GID ranges for container processes. Features include automatic range assignment, range generation, range statistics, and integration with container runtimes for secure, isolated container deployments without requiring privileged operations.
Manage subordinate user and group ids for users
EXAMPLES
Auto-assign a subordinate id range to current user
ipa subid-generateAuto-assign a subordinate id range to user alice:
ipa subid-generate --owner=aliceFind subordinate ids for user alice:
ipa subid-find --owner=aliceMatch entry by any subordinate uid in range:
ipa subid-match --subuid=2147483649
Commands
Command Description
subid-find Search for subordinate id.
subid-generate Generate and auto-assign subuid and subgid range to user entry
subid-match Match users by any subordinate uid in their range
subid-mod Modify a subordinate id.
subid-show Display information about a subordinate id.
subid-stats Subordinate id statistics
subid-find
Usage: ipa [global-options] subid-find [CRITERIA] [options]
Search for subordinate id.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
Option Description
--id ID Unique ID
--desc DESC Subordinate id description
--owner OWNER Owning user of subordinate id entry
--subuid SUBUID Start value for subordinate user ID (subuid)
range
--subgid SUBGID Start value for subordinate group ID (subgid)
range
--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT Maximum number of entries returned (0 is
unlimited)
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--pkey-only Results should contain primary key attribute only
(“id”)
subid-generate
Usage: ipa [global-options] subid-generate [options]
Generate and auto-assign subuid and subgid range to user entry
Options
Option Description
--owner OWNER Owning user of subordinate id entry
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
subid-match
Usage: ipa [global-options] subid-match [CRITERIA] [options]
Match users by any subordinate uid in their range
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
Option Description
--subuid SUBUID Match value for subordinate user ID
--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT Maximum number of entries returned (0 is
unlimited)
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--pkey-only Results should contain primary key attribute only
(“id”)
subid-mod
Usage: ipa [global-options] subid-mod ID [options]
Modify a subordinate id.
Arguments
Argument Required Description
ID yes Unique ID
Options
Option Description
--desc DESC Subordinate id description
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute
--delattr DELATTR Delete an attribute/value pair. The option will
be evaluated
--rights Display the access rights of this entry (requires
—all). See ipa man page for details.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
subid-show
Usage: ipa [global-options] subid-show ID [options]
Display information about a subordinate id.
Arguments
Argument Required Description
ID yes Unique ID
Options
Option Description
--rights Display the access rights of this entry (requires
—all). See ipa man page for details.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
subid-stats
Usage: ipa [global-options] subid-stats [options]
Subordinate id statistics
Options
Option Description
--all Retrieve and print all attributes from the
server. Affects command output.