[Freeipa-users] FreeIPA default_ccache_name in systemd-nspawn container

Anthony Joseph Messina amessina at messinet.com
Sat Mar 18 06:34:12 UTC 2017


On Saturday, March 18, 2017 1:24:13 AM CDT Alexander Bokovoy wrote:
> On Sat, 18 Mar 2017, Anthony Joseph Messina wrote:
> >I've been running freeipa-server-4.x.x.fc25.x86_64 in systemd-nspawn
> >selinux-wrapped full OS containers for a while.
> >
> >After upgrading to F25 on the host, systemd disabled access to the KEYRING
> >ccache type from nspawn containers since the kernel keyring isn't
> >namespaced. So anything that needs to get a keytab results in something
> >like the following.
> >
> >-bash-4.3# kinit
> >kinit: Invalid UID in persistent keyring name while getting default ccache
> >
> >dnf upgrades end up failing until I 'export KRB5CCNAME=FILE:/tmp/whatever'
> >and manually upgrade as if I performed an offline upgrade.
> >
> >Other than that, no issues to report.
> >
> >Are there any concerns if I switch the krb5.conf default_ccache_name on the
> >freeipa systemd-nspawn servers to MEMORY or FILE?  Which would be
> >preferred?
> No concerns for FILE. KEYRING uses kernel keyring which is *not*
> namespaced so you are seeing the same kernel keyring in the container
> that a user with the same UID sees outside of it.
> 
> Don't use MEMORY ccache type, it is storing credentials in the process
> address space. Its purpose is to allow applications to have temporary
> ccaches they don't want to back with files.

Thank you Alexander. -A

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
F9B6 560E 68EA 037D 8C3D  D1C9 FF31 3BDB D9D8 99B6
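The advice above boils down to a single setting in the `[libdefaults]` section of krb5.conf: a KEYRING ccache is shared with any host process running under the same UID because the kernel keyring is not namespaced, MEMORY lives only inside one process, and FILE is the safe choice for a container. The following POSIX shell script is an added example and is not from the thread or from the FreeIPA project; it parses `default_ccache_name` out of a krb5.conf file, classifies the ccache type, and exercises itself against two constructed sample configs (the realm name EXAMPLE.TEST and the file paths are made up).

```shell
#!/bin/sh
# Added example: audit default_ccache_name in a krb5.conf for use inside a
# systemd-nspawn container. Not part of the original thread.

# Extract the ccache type prefix ("KEYRING", "FILE", "MEMORY", "DIR", ...)
# from a ccache name such as "KEYRING:persistent:%{uid}". A bare path with
# no "TYPE:" prefix is treated as FILE, which is how libkrb5 interprets it.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Print the default_ccache_name value from the [libdefaults] section of the
# krb5.conf given as $1 (prints nothing if it is not set there). Lines in
# other sections are ignored so a stray setting elsewhere cannot fool us.
default_ccache_name() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/); next }
        in_lib && /^[ \t]*default_ccache_name[ \t]*=/ {
            sub(/^[ \t]*default_ccache_name[ \t]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            print
            exit
        }
    ' "$1"
}

# Classify the configured ccache for a container. Return codes:
#   0  FILE or DIR: private to the container filesystem, fine
#   1  KEYRING: kernel keyring is shared with host processes of the same UID
#   2  MEMORY: process-private, unusable for tools such as dnf that spawn
#      separate processes
#   3  not set in [libdefaults], or an unrecognised type
check_container_ccache() {
    name=$(default_ccache_name "$1")
    [ -n "$name" ] || return 3
    case "$(ccache_type "$name")" in
        FILE|DIR) return 0 ;;
        KEYRING)  return 1 ;;
        MEMORY)   return 2 ;;
        *)        return 3 ;;
    esac
}

# Constructed sample configs (hypothetical realm and paths) for a self-test.
SAMPLE_DIR=$(mktemp -d)

# The keyring-backed default that breaks kinit in an nspawn container.
cat > "$SAMPLE_DIR/keyring.conf" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.TEST
  default_ccache_name = KEYRING:persistent:%{uid}
EOF

# The FILE-backed setting recommended in the thread; the misplaced line under
# [realms] is a deliberate decoy to show that only [libdefaults] is consulted.
cat > "$SAMPLE_DIR/file.conf" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.TEST
  default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
  default_ccache_name = MEMORY:decoy
EOF

# Human-readable report for one config file.
report() {
    rc=0
    check_container_ccache "$1" || rc=$?
    case "$rc" in
        0) printf '%s: OK (%s)\n' "$1" "$(default_ccache_name "$1")" ;;
        1) printf '%s: KEYRING is shared with the host, switch to FILE\n' "$1" ;;
        2) printf '%s: MEMORY is process-private, switch to FILE\n' "$1" ;;
        *) printf '%s: default_ccache_name not set or unknown type\n' "$1" ;;
    esac
}

report "$SAMPLE_DIR/keyring.conf"
report "$SAMPLE_DIR/file.conf"
```

Run it inside the container against `/etc/krb5.conf` (`report /etc/krb5.conf`) after the `[libdefaults]` change to confirm that the type in effect is FILE; a non-zero return from `check_container_ccache` is the condition under which `kinit` and `dnf` fail as described in the thread.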
