On Saturday, March 18, 2017 1:24:13 AM CDT Alexander Bokovoy wrote:
> On Sat, 18 Mar 2017, Anthony Joseph Messina wrote:
> > I've been running freeipa-server-4.x.x.fc25.x86_64 in systemd-nspawn
> > selinux-wrapped full OS containers for a while.
> >
> > After upgrading to F25 on the host, systemd disabled access to the KEYRING
> > ccache type from nspawn containers since the kernel keyring isn't
> > namespaced. So anything that needs to get a keytab results in something
> > like the following.
> >
> > -bash-4.3# kinit
> > kinit: Invalid UID in persistent keyring name while getting default ccache
> >
> > dnf upgrades end up failing until I 'export KRB5CCNAME=FILE:/tmp/whatever'
> > and manually upgrade as if I performed an offline upgrade.
> >
> > Other than that, no issues to report.
> >
> > Are there any concerns if I switch the krb5.conf default_ccache_name on the
> > freeipa systemd-nspawn servers to MEMORY or FILE? Which would be
> > preferred?
>
> No concerns for FILE. KEYRING uses the kernel keyring, which is *not*
> namespaced, so you are seeing the same kernel keyring in the container
> that a user with the same UID sees outside of it.
>
> Don't use the MEMORY ccache type; it stores credentials in the process
> address space. Its purpose is to allow applications to have temporary
> ccaches they don't want to back with files.
Thank you Alexander.  -A

--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
F9B6 560E 68EA 037D 8C3D D1C9 FF31 3BDB D9D8 99B6
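The thread's conclusion, as an added example that is not part of the original mailing-list exchange: a small POSIX shell script that reads `default_ccache_name` from a krb5.conf, flags KEYRING when the host is a container (where the kernel keyring is shared with same-UID processes outside it, as Alexander explains) and MEMORY in general, and rewrites the setting to a per-UID FILE cache. The two krb5.conf files are constructed inline for the example; the FILE path `/tmp/krb5cc_%{uid}` and the use of `systemd-detect-virt --container` for container detection are my assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread: audit and fix the Kerberos credential
# cache type for hosts that run inside systemd-nspawn (or other) containers.

# Print the ccache type prefix (KEYRING, FILE, MEMORY, DIR, ...) configured in
# the krb5.conf given as $1. MIT Kerberos treats a missing setting, or a bare
# path without a "TYPE:" prefix, as a FILE cache.
ccache_type() {
    conf="$1"
    name=$(sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    case "$name" in
        "")  echo FILE ;;
        *:*) echo "${name%%:*}" ;;
        *)   echo FILE ;;
    esac
}

# Report "1" when running inside a container, "0" otherwise.
# systemd-detect-virt --container exits 0 only when a container is detected.
detect_container() {
    if command -v systemd-detect-virt >/dev/null 2>&1 \
       && systemd-detect-virt --container >/dev/null 2>&1; then
        echo 1
    else
        echo 0
    fi
}

# Classify the configured ccache type for a host: $1 = krb5.conf path,
# $2 = 1 if the host is a container, 0 otherwise. Prints one of:
#   risky      - KEYRING in a container: the kernel keyring is not namespaced,
#                so the cache is visible to any same-UID process on the host
#   unsuitable - MEMORY: credentials live only in one process's address space
#   ok         - anything else (FILE, DIR, KEYRING outside a container)
assess_ccache() {
    conf="$1"; in_container="$2"
    case "$(ccache_type "$conf")" in
        KEYRING) if [ "$in_container" = 1 ]; then echo risky; else echo ok; fi ;;
        MEMORY)  echo unsuitable ;;
        *)       echo ok ;;
    esac
}

# Rewrite default_ccache_name in $1 to a per-UID FILE cache (path is an
# assumption for this example). Uses a temp file rather than sed -i so it
# works on both GNU and BSD sed.
set_file_ccache() {
    conf="$1"
    tmp=$(mktemp)
    sed 's|^\([[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*\).*|\1FILE:/tmp/krb5cc_%{uid}|' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Constructed sample configs for the demonstration.
KEYRING_CONF=$(mktemp)
cat > "$KEYRING_CONF" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.TEST
  default_ccache_name = KEYRING:persistent:%{uid}
EOF

FILE_CONF=$(mktemp)
cat > "$FILE_CONF" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.TEST
  default_ccache_name = FILE:/tmp/krb5cc_%{uid}
EOF

IN_CONTAINER=$(detect_container)
printf 'container: %s\n' "$IN_CONTAINER"
printf 'sample KEYRING config on this host: %s (if containerised: %s)\n' \
    "$(assess_ccache "$KEYRING_CONF" "$IN_CONTAINER")" "$(assess_ccache "$KEYRING_CONF" 1)"
printf 'sample FILE config: %s\n' "$(assess_ccache "$FILE_CONF" "$IN_CONTAINER")"
```

Run it as root on the container to check the live file by pointing `ccache_type` and `set_file_ccache` at /etc/krb5.conf instead of the constructed samples; after the rewrite, a fresh `kinit` will create a `/tmp/krb5cc_<uid>` file instead of touching the shared kernel keyring.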
