I've been running freeipa-server-4.x.x.fc25.x86_64 in systemd-nspawn selinux- wrapped full OS containers for a while.
After upgrading to F25 on the host, systemd disabled access to the KEYRING ccache type from nspawn containers since the kernel keyring isn't namespaced. So anything that needs to get a keytab results in something like the following. -bash-4.3# kinit kinit: Invalid UID in persistent keyring name while getting default ccache dnf upgrades end up failing until I 'export KRB5CCNAME=FILE:/tmp/whatever' and manually upgrade as if I performed an offline upgrade. Other than that, no issues to report. Are there any concerns if I switch the krb5.com default_ccache_name on the freeipa systemd-nspawn servers to MEMORY or FILE? Which would be preferred? Thanks for the advice. -A -- Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6 -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project