[Freeipa-users] FreeIPA default_ccache_name in systemd-nspawn container
Anthony Joseph Messina
2017-03-18 05:00:18 UTC
I've been running freeipa-server-4.x.x.fc25.x86_64 in systemd-nspawn selinux-wrapped full OS containers for a while.

After upgrading to F25 on the host, systemd disabled access to the KEYRING
ccache type from nspawn containers since the kernel keyring isn't namespaced.
So anything that needs to get a keytab results in something like the
following.

-bash-4.3# kinit
kinit: Invalid UID in persistent keyring name while getting default ccache

dnf upgrades end up failing until I 'export KRB5CCNAME=FILE:/tmp/whatever' and
manually upgrade as if I performed an offline upgrade.

Other than that, no issues to report.

Are there any concerns if I switch the krb5.conf default_ccache_name on the
freeipa systemd-nspawn servers to MEMORY or FILE? Which would be preferred?

Thanks for the advice. -A
--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Alexander Bokovoy
2017-03-18 06:24:13 UTC
Post by Anthony Joseph Messina
I've been running freeipa-server-4.x.x.fc25.x86_64 in systemd-nspawn selinux-wrapped full OS containers for a while.
After upgrading to F25 on the host, systemd disabled access to the KEYRING
ccache type from nspawn containers since the kernel keyring isn't namespaced.
So anything that needs to get a keytab results in something like the
following.
-bash-4.3# kinit
kinit: Invalid UID in persistent keyring name while getting default ccache
dnf upgrades end up failing until I 'export KRB5CCNAME=FILE:/tmp/whatever' and
manually upgrade as if I performed an offline upgrade.
Other than that, no issues to report.
Are there any concerns if I switch the krb5.conf default_ccache_name on the
freeipa systemd-nspawn servers to MEMORY or FILE? Which would be preferred?
No concerns for FILE. KEYRING uses kernel keyring which is *not*
namespaced so you are seeing the same kernel keyring in the container
that a user with the same UID sees outside of it.

Don't use MEMORY ccache type, it is storing credentials in the process
address space. Its purpose is to allow applications to have temporary
ccaches they don't want to back with files.
--
/ Alexander Bokovoy
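Added example, not part of the thread and not FreeIPA or MIT krb5 code: a small POSIX shell check that reads default_ccache_name from a krb5.conf and reports whether the selected ccache type is FILE (fine inside the container), KEYRING (the kernel keyring is shared with the host, so kinit fails as in the first post), or MEMORY (per-process only, the type Alexander advises against as a default). The realm EXAMPLE.TEST, the temporary file paths and the sample configurations are constructed for the example; the fallback value FILE:/tmp/krb5cc_%{uid} is MIT krb5's built-in default when the option is unset.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): report the
# credential-cache type a krb5.conf selects via default_ccache_name, so a
# container image can be checked for KEYRING before kinit fails with
# "Invalid UID in persistent keyring name". Paths, the EXAMPLE.TEST realm
# and the sample configurations below are constructed for this example.

# Print the ccache type prefix (KEYRING, FILE, MEMORY, DIR, ...) of a
# ccache name such as "KEYRING:persistent:%{uid}". A name with no prefix
# is a bare file path, which libkrb5 treats as FILE.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Print the first default_ccache_name value in a krb5.conf file, with
# surrounding whitespace and any trailing '#' comment dropped; print
# nothing when the option is not set.
default_ccache_name() {
    sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

# Exit status encodes the verdict for running inside an nspawn container:
#   0  FILE (or DIR): the cache lives in the container's own filesystem
#   1  KEYRING: kernel keyring, not namespaced, shared with the host's UID
#   2  MEMORY: lives in the process address space, unsuitable as a default
# An unset option falls back to the MIT krb5 built-in FILE default.
check_krb5_conf() {
    name=$(default_ccache_name "$1")
    [ -n "$name" ] || name='FILE:/tmp/krb5cc_%{uid}'
    case "$(ccache_type "$name")" in
        KEYRING) return 1 ;;
        MEMORY)  return 2 ;;
        *)       return 0 ;;
    esac
}

# Write a constructed krb5.conf carrying the given default_ccache_name to a
# temporary file and return check_krb5_conf's verdict for it.
verdict_for() {
    tmp=$(mktemp)
    printf '[libdefaults]\n  default_realm = EXAMPLE.TEST\n  default_ccache_name = %s\n' \
        "$1" > "$tmp"
    check_krb5_conf "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Demo: the value that works in the container, the one that breaks there,
# and the one the reply above advises against.
for n in 'FILE:/tmp/krb5cc_%{uid}' 'KEYRING:persistent:%{uid}' 'MEMORY:'; do
    rc=0
    verdict_for "$n" || rc=$?
    printf '%-28s -> rc=%d\n' "$n" "$rc"
done
```

Run it against the container's real file with `check_krb5_conf /etc/krb5.conf; echo $?`. Note that an exported KRB5CCNAME overrides default_ccache_name, which is why the `export KRB5CCNAME=FILE:/tmp/whatever` workaround in the first post works without editing the file; the check above only covers the file-level default.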
Anthony Joseph Messina
2017-03-18 06:34:12 UTC
Post by Alexander Bokovoy
Post by Anthony Joseph Messina
I've been running freeipa-server-4.x.x.fc25.x86_64 in systemd-nspawn
selinux-wrapped full OS containers for a while.
After upgrading to F25 on the host, systemd disabled access to the KEYRING
ccache type from nspawn containers since the kernel keyring isn't
namespaced. So anything that needs to get a keytab results in something
like the following.
-bash-4.3# kinit
kinit: Invalid UID in persistent keyring name while getting default ccache
dnf upgrades end up failing until I 'export KRB5CCNAME=FILE:/tmp/whatever'
and manually upgrade as if I performed an offline upgrade.
Other than that, no issues to report.
Are there any concerns if I switch the krb5.conf default_ccache_name on the
freeipa systemd-nspawn servers to MEMORY or FILE? Which would be preferred?
No concerns for FILE. KEYRING uses kernel keyring which is *not*
namespaced so you are seeing the same kernel keyring in the container
that a user with the same UID sees outside of it.
Don't use MEMORY ccache type, it is storing credentials in the process
address space. Its purpose is to allow applications to have temporary
ccaches they don't want to back with files.
Thank you Alexander. -A
--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6