On la, 18 maalis 2017, Anthony Joseph Messina wrote:
I've been running freeipa-server-4.x.x.fc25.x86_64 in systemd-nspawn selinux-
wrapped full OS containers for a while.

After upgrading to F25 on the host, systemd disabled access to the KEYRING
ccache type from nspawn containers since the kernel keyring isn't namespaced.
So anything that needs to get a keytab results in something like the
following.

-bash-4.3# kinit
kinit: Invalid UID in persistent keyring name while getting default ccache

dnf upgrades end up failing until I 'export KRB5CCNAME=FILE:/tmp/whatever' and
manually upgrade as if I performed an offline upgrade.

Other than that, no issues to report.

Are there any concerns if I switch the krb5.com default_ccache_name on the
freeipa systemd-nspawn servers to MEMORY or FILE?  Which would be preferred?
No concerns for FILE. KEYRING uses kernel keyring which is *not*
namespaced so you are seeing the same kernel keyring in the container
that a user with the same UID sees outside of it.

Don't use MEMORY ccache type, it is storing credentials in the process
address space. Its purpose is to allow applications to have temporary
ccaches they don't want to back with files.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to