Re: Fedora packager environment in a docker container

2017-04-24 Thread Stephen Gallagher


On 04/24/2017 08:47 AM, Daniel Walsh wrote:
> On 04/24/2017 06:29 AM, Michal Minar wrote:
>> Did anyone successfully set up his fedora packaging environment in a
>> docker container?
>> I didn't get past `kinit mimi...@fedoraproject.org` in a container. It gives me:
>>
>> Invalid UID in persistent keyring name while getting default ccache
>>
>> I'd be very glad for any suggestion or advice. Until then, I'll stick
>> with a VM.
>>
>> Regards,
>
> I think this is conflicting with the kernel keyring for the same UID.
> Attempt to do this without using the kernel keyring, i.e. set up
> Kerberos to use a file-based cache.
>


FYI, there is work ongoing to resolve issues like this without using the
kernel keyring but instead using a Kerberos KCM server inside of SSSD
which should be container-aware:
https://docs.pagure.org/SSSD.sssd/design_pages/kcm.html

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org


Re: Fedora packager environment in a docker container

2017-04-24 Thread Daniel Walsh

On 04/24/2017 08:08 AM, Patrick Uiterwijk wrote:
> Hi,
>
> On Mon, Apr 24, 2017 at 12:29 PM, Michal Minar  wrote:
>> Did anyone successfully set up his fedora packaging environment in a
>> docker container?
>> I didn't get past `kinit mimi...@fedoraproject.org` in a container. It
>> gives me:
>>
>> Invalid UID in persistent keyring name while getting default ccache
>
> This is because Docker installs a default seccomp policy that denies
> access to the kernel keyring, which is not namespaced.
> You can work around this by "export KRB5CCNAME=/tmp/ticket".
>
> Alternatively, you can allow the container access to your host keyring.
> For this, you can start with my policy:
> https://github.com/puiterwijk/development-environments/blob/master/docker/koji/policy.json

SELinux would also block this, and if you have multiple containers
running with the same UID it will not work, even if we took down the SELinux
and seccomp blocks.  The bottom line is there is only one kernel keyring
per UID.  I have asked to make keyrings namespace-aware, but right now
the kernel guys believe user namespaces are the solution to this problem.



Re: Fedora packager environment in a docker container

2017-04-24 Thread Daniel Walsh

On 04/24/2017 06:29 AM, Michal Minar wrote:
> Did anyone successfully set up his fedora packaging environment in a
> docker container?
> I didn't get past `kinit mimi...@fedoraproject.org` in a container. It gives me:
>
> Invalid UID in persistent keyring name while getting default ccache
>
> I'd be very glad for any suggestion or advice. Until then, I'll stick
> with a VM.

I think this is conflicting with the kernel keyring for the same UID.
Attempt to do this without using the kernel keyring, i.e. set up Kerberos
to use a file-based cache.



Re: Fedora packager environment in a docker container

2017-04-24 Thread Patrick Uiterwijk
Hi,

On Mon, Apr 24, 2017 at 12:29 PM, Michal Minar  wrote:

> Did anyone successfully set up his fedora packaging environment in a
> docker container?
> I didn't get past `kinit mimi...@fedoraproject.org` in a container. It
> gives me:
>
> Invalid UID in persistent keyring name while getting default ccache
>

This is because Docker installs a default seccomp policy that denies
access to the kernel keyring, which is not namespaced.
You can work around this by "export KRB5CCNAME=/tmp/ticket".

Alternatively, you can allow the container access to your host keyring.
For this, you can start with my policy:
https://github.com/puiterwijk/development-environments/blob/master/docker/koji/policy.json
This is based on Docker 1.13.
For 1.12 and earlier versions, grab:
https://github.com/puiterwijk/development-environments/blob/ed497fbbd56432eca1b27ce41903ed2c33aaa051/docker/koji/policy.json

Then on the docker run command, add:
--security-opt seccomp=$HOME/Documents/Development/Environments/docker/koji/policy.json

Do note that if you want to do kinit, you will want to add the add_key call
as well (I just do kinit on my workstation, and use the seccomp policy to
allow my koji container access to it).


>
> I'd be very glad for any suggestion or advice. Until then, I'll stick with
> a VM.
>
Regards,
Patrick
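As an added example (not code from this thread or from Patrick's repository), a small Python helper that answers the question worth asking before handing a custom profile to `--security-opt seccomp=`: which of the keyring syscalls kinit depends on (`add_key`, `keyctl`, `request_key`) does this profile actually allow, and what is the minimal rule that adds them? It assumes the Docker seccomp profile layout (a `defaultAction` plus a `syscalls` list whose rules carry `names` in the 1.13 format and a single `name` in 1.12 and earlier); the sample profile is constructed.

```python
import json

# Keyring syscalls kinit needs when the default ccache lives in the kernel
# keyring: add_key stores the ticket, keyctl manages it, request_key looks it up.
KEYRING_SYSCALLS = ("add_key", "keyctl", "request_key")


def _rule_names(rule):
    """Syscall names a rule covers: Docker 1.13 uses "names" (a list),
    1.12 and earlier use a single "name" (assumed profile formats)."""
    if "names" in rule:
        return list(rule["names"])
    return [rule["name"]] if "name" in rule else []


def keyring_syscall_status(profile):
    """Map each keyring syscall to True (allowed) or False (denied).
    An explicit rule wins; otherwise defaultAction decides. Per-argument
    filters are ignored, so this is a coarse audit, not a simulator."""
    default_allow = profile.get("defaultAction") == "SCMP_ACT_ALLOW"
    status = {name: default_allow for name in KEYRING_SYSCALLS}
    for rule in profile.get("syscalls", []):
        allowed = rule.get("action") == "SCMP_ACT_ALLOW"
        for name in _rule_names(rule):
            if name in status:
                status[name] = allowed
    return status


def add_keyring_rule(profile):
    """Return a copy of the profile with one extra rule (1.13 "names" form)
    allowing exactly the three keyring syscalls; the input is not mutated."""
    patched = json.loads(json.dumps(profile))
    patched.setdefault("syscalls", []).append(
        {"names": list(KEYRING_SYSCALLS), "action": "SCMP_ACT_ALLOW", "args": []}
    )
    return patched


# Constructed sample: a trimmed deny-by-default profile in the 1.13 layout
# that allows keyctl but not add_key, so kinit would still fail to store a ticket.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "keyctl"], "action": "SCMP_ACT_ALLOW", "args": []}
  ]
}
""")
```

Running `keyring_syscall_status` on the sample reports `add_key` and `request_key` as denied; after `add_keyring_rule` all three are allowed, which is the narrowest change the thread's workaround needs.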


Fedora packager environment in a docker container

2017-04-24 Thread Michal Minar
Did anyone successfully set up his fedora packaging environment in a docker
container?
I didn't get past `kinit mimi...@fedoraproject.org` in a container. It
gives me:

Invalid UID in persistent keyring name while getting default ccache

I'd be very glad for any suggestion or advice. Until then, I'll stick with
a VM.

Regards,
-- 

MICHAL MINÁŘ

SOFTWARE ENGINEER

Red Hat Czech, s.r.o. 

mimi...@redhat.com
