Some CI jobs on Fedora Rawhide fail with Podman rootless builds due to
missing subuid/subgid ranges for the zuul-worker user:

    Error: cannot find mappings for user zuul-worker in /etc/subuid

Fedora 42 and other distros already ship default ranges
(e.g., zuul-worker:524288:65536), but Rawhide seems to lack them.

Add pre-tasks to setup-env.yaml to:

- Dump current /etc/subuid and /etc/subgid contents for debug
- Ensure the required ranges exist without overwriting existing configs

Once the Rawhide base image is fixed, this can be reverted.

containers#1688

Some CI jobs on Fedora Rawhide still failed after adding the missing
subuid/subgid ranges for zuul-worker, showing:

potentially insufficient UIDs or GIDs available in user namespace
(requested 0:42 for /etc/shadow): Check /etc/subuid and /etc/subgid
if configured locally and run "podman system migrate"

Add a podman system migrate step right after updating the mappings to
ensure Podman refreshes its user namespace configuration.

This can be reverted once the Rawhide base image ships proper defaults.

containers#1688

The fix was first added to setup-env.yaml but ran too late in the CI job.
Since Podman is invoked early in dependencies-fedora.yaml, the workaround
now runs right after installing shadow-utils-subid-devel.

containers#1688

Some CI jobs on Fedora Rawhide fail with Podman rootless builds due to
missing subuid/subgid ranges for the zuul-worker user:

    Error: cannot find mappings for user zuul-worker in /etc/subuid

Fedora 42 and other distros already ship default ranges
(e.g., zuul-worker:524288:65536), but Rawhide seems to lack them.

Add pre-tasks to setup-env.yaml to:

- Dump current /etc/subuid and /etc/subgid contents for debug
- Ensure the required ranges exist without overwriting existing configs

Once the Rawhide base image is fixed, this can be reverted.

containers#1688

Some CI jobs on Fedora Rawhide still failed after adding the missing
subuid/subgid ranges for zuul-worker, showing:

potentially insufficient UIDs or GIDs available in user namespace
(requested 0:42 for /etc/shadow): Check /etc/subuid and /etc/subgid
if configured locally and run "podman system migrate"

Add a podman system migrate step right after updating the mappings to
ensure Podman refreshes its user namespace configuration.

This can be reverted once the Rawhide base image ships proper defaults.

containers#1688

The fix was first added to setup-env.yaml but ran too late in the CI job.
Since Podman is invoked early in dependencies-fedora.yaml, the workaround
now runs right after installing shadow-utils-subid-devel.

containers#1688

Some CI jobs on Fedora Rawhide fail with Podman rootless builds due to
missing subuid/subgid ranges for the zuul-worker user:

    Error: cannot find mappings for user zuul-worker in /etc/subuid

Fedora 42 and other distros already ship default ranges
(e.g., zuul-worker:524288:65536), but Rawhide seems to lack them.

Add pre-tasks to dependencies-fedora.yaml to ensure the required ranges
exist without overwriting existing configs, and run `podman system migrate`
to refresh user namespace mappings.

Once the Rawhide base image is fixed, this can be reverted.

containers#1688

On Fedora 42 onwards, useradd(8) stopped automatically assigning
subordinate user and group ID ranges [1,2] to address a security concern
marked as CVE-2024-56433 [3].  This breaks rootless Podman and Skopeo,
and therefore Toolbx [4].

Restore the subordinate user and group ID ranges until a different
solution emerges.

[1] Fedora shadow-utils commit e1cfa31731cd68aa
    https://src.fedoraproject.org/rpms/shadow-utils/c/e1cfa31731cd68aa
    https://bugzilla.redhat.com/show_bug.cgi?id=2334168

[2] Fedora shadow-utils commit 4929903292e027ca
    https://src.fedoraproject.org/rpms/shadow-utils/c/4929903292e027ca
    https://bugzilla.redhat.com/show_bug.cgi?id=2334169

[3] shadow-maint/shadow#1157

[4] https://bugzilla.redhat.com/show_bug.cgi?id=2382662

containers#1688