[Freeipa-users] FreeIPA default_ccache_name in systemd-nspawn container

Alexander Bokovoy abokovoy at redhat.com
Sat Mar 18 06:24:13 UTC 2017


On Sat, 18 Mar 2017, Anthony Joseph Messina wrote:
>I've been running freeipa-server-4.x.x.fc25.x86_64 in systemd-nspawn selinux-
>wrapped full OS containers for a while.
>
>After upgrading to F25 on the host, systemd disabled access to the KEYRING
>ccache type from nspawn containers since the kernel keyring isn't namespaced.
>So anything that needs to get a keytab results in something like the
>following.
>
>-bash-4.3# kinit
>kinit: Invalid UID in persistent keyring name while getting default ccache
>
>dnf upgrades end up failing until I 'export KRB5CCNAME=FILE:/tmp/whatever' and
>manually upgrade as if I performed an offline upgrade.
>
>Other than that, no issues to report.
>
>Are there any concerns if I switch the krb5.conf default_ccache_name on the
>freeipa systemd-nspawn servers to MEMORY or FILE?  Which would be preferred?
No concerns for FILE. KEYRING uses kernel keyring which is *not*
namespaced so you are seeing the same kernel keyring in the container
that a user with the same UID sees outside of it.

Don't use MEMORY ccache type, it is storing credentials in the process
address space. Its purpose is to allow applications to have temporary
ccaches they don't want to back with files.

-- 
/ Alexander Bokovoy
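The exchange above comes down to one line in krb5.conf: a default_ccache_name that starts with KEYRING: fails inside the nspawn container because the kernel keyring is shared with the host, and a FILE: (or DIR:) ccache is the safe replacement. The following is an added example, not code from the thread or from the FreeIPA or MIT Kerberos projects: a POSIX shell check that reads default_ccache_name from the [libdefaults] section of a krb5.conf and flags KEYRING (not namespaced) and MEMORY (process-local only) as unsuitable for a container. The two constructed sample files assume Fedora's shipped value `KEYRING:persistent:%{uid}` and the usual `FILE:/tmp/krb5cc_%{uid}` replacement; the assumption that an unset key behaves like a FILE ccache reflects libkrb5's built-in default.

```shell
#!/bin/sh
# Added example (not from the original thread). Inspects default_ccache_name in a
# krb5.conf and reports whether the ccache type is usable in a systemd-nspawn
# container, where the kernel keyring is shared with the host.

# Print the default_ccache_name value from the [libdefaults] section of file $1.
# Prints nothing if the key is unset.
krb5_default_ccache_name() {
    awk '
        /^[ \t]*\[/ { in_libdefaults = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_libdefaults && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Print the ccache type prefix of a ccache name (KEYRING, FILE, DIR, MEMORY, ...).
# A name with no colon is a bare path, which libkrb5 treats as FILE.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Return 0 if the ccache type configured in krb5.conf $1 works inside an nspawn
# container, 1 otherwise (with a reason on stderr).
check_ccache_for_container() {
    name=$(krb5_default_ccache_name "$1")
    # Assumption: with the key unset, libkrb5 falls back to a FILE ccache.
    [ -n "$name" ] || name="FILE:/tmp/krb5cc_%{uid}"
    case "$(ccache_type "$name")" in
        FILE|DIR) return 0 ;;
        KEYRING)  echo "KEYRING ccache: kernel keyring is not namespaced; use FILE" >&2; return 1 ;;
        MEMORY)   echo "MEMORY ccache: credentials live only in process memory; use FILE" >&2; return 1 ;;
        *)        echo "unknown ccache type in '$name'" >&2; return 1 ;;
    esac
}

# Constructed sample configs: the shipped KEYRING setting and the FILE replacement.
KRB5CONF_KEYRING=$(mktemp)
cat > "$KRB5CONF_KEYRING" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.TEST
 default_ccache_name = KEYRING:persistent:%{uid}
EOF

KRB5CONF_FILE=$(mktemp)
cat > "$KRB5CONF_FILE" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.TEST
 default_ccache_name = FILE:/tmp/krb5cc_%{uid}
EOF

# Usage: report on both samples (the real target would be /etc/krb5.conf).
for f in "$KRB5CONF_KEYRING" "$KRB5CONF_FILE"; do
    if check_ccache_for_container "$f"; then
        echo "$f: ok ($(krb5_default_ccache_name "$f"))"
    else
        echo "$f: change default_ccache_name before running kinit in the container"
    fi
done
```

Run it against /etc/krb5.conf inside the container before an upgrade; a non-zero exit from check_ccache_for_container is the condition under which kinit reports "Invalid UID in persistent keyring name" in the thread.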



