Bug 1454292
Summary: | Atomic run doesn't start the sssd container | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Niranjan Mallapadi Raghavender <mniranja> | |
Component: | atomic | Assignee: | Brent Baude <bbaude> | |
Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> | |
Severity: | high | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 7.3 | CC: | ajia, bbaude, ddarrah, dwalsh, fkluknav, lfriedma, lslebodn, lsm5, mniranja | |
Target Milestone: | rc | Keywords: | Extras, Regression, TestBlocker | |
Target Release: | --- | |||
Hardware: | x86_64 | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | atomic-1.17.2-4.git2760e30.el7 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1456658 | Environment: | |
Last Closed: | 2017-05-26 14:29:34 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1456658 |
Description
Niranjan Mallapadi Raghavender
2017-05-22 12:01:35 UTC
If you use the fully qualified image name, does it work?

This issue is seen on 7.3.5 Atomic image, please set the version to 7.3

If you use the fully qualified image name, does it work?

Do you mean /usr/bin/atomic run --name=rhel7/sssd rhel7/sssd ?

registry.access.redhat.com/rhel7/sssd:latest <-- more like that ... also, could you provide docker images and docker ps -a ?

What do you mean by fully qualified name? If you meant together with registry then I can tag any image with a different name. Or I can import an image as a tarball (with docker import).

And as you can see, neither of the names has the registry in the name.

    [root@atomic-00 ~]# docker images
    REPOSITORY             TAG                                               IMAGE ID       CREATED      SIZE
    rhel7/sssd             latest                                            fad80f01d8fa   3 days ago   357.6 MB
    lslebodn/sssd-docker   extras-rhel-7.3-docker-candidate-20170519091256   fad80f01d8fa   3 days ago   357.6 MB

Requested Output:

    [root@atomic-00 ~]# docker ps -a
    CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES

    [root@atomic-00 ~]# docker images
    REPOSITORY             TAG                                               IMAGE ID       CREATED      SIZE
    lslebodn/sssd-docker   extras-rhel-7.3-docker-candidate-20170519091256   fad80f01d8fa   3 days ago   357.6 MB
    rhel7/sssd             latest                                            fad80f01d8fa   3 days ago   357.6 MB

I am not sure why the version was changed to 7.4, but the issue we are seeing is in 7.3 Atomic host

This should fix the issue reported if you cannot use fq names:

https://github.com/projectatomic/atomic/pull/1010

(In reply to Brent Baude from comment #11)
> This should fix the issue reported if you cannot use fq names:
>
> https://github.com/projectatomic/atomic/pull/1010

There are several questions in here.

Q1: this PR hasn't been merged into master branch of upstream atomic, so the atomic-1.17.2-5.1.git2760e30.el7.x86_64 can't include the patch.

Q2: this PR doesn't work for me, I still got the same error as before whether you use the fq image name or not

Q3: for system container, user should run atomic install before executing atomic run, atomic run can only pull images if the images don't exist and execute the RUN label, it can't execute the INSTALL label.

Q4: even though w/o above errors, users also can't start sssd container w/o providing any credentials to enrol machine to IPA domain.

https://hub.docker.com/r/fedora/sssd/

The proper steps to reproduce the error are:
1. Specify AD ip address in /etc/resolv.conf (should be the first entry)
2. create a file /etc/sssd/realm-join-password with contents containing password AD Administrator password (Ex. echo 'Secret123' > /etc/sssd/realm-join-password)
3. Atomic install rhel7/sssd realm join -v --membership-software=samba <AD-DOMAIN.TEST>
4. systemctl start sssd (which in turn runs atomic run (/usr/bin/atomic run --name=sssd rhel7/sssd)

In my atomic host w/ atomic-1.17.2-4.git2760e30.el7.x86_64, I haven't met previous known issue.

    [root@atomic-host-test cloud-user]# atomic host status
    State: idle
    Deployments:
    ● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
      Version: 7.3.5 (2017-05-18 19:08:58)
      Commit: d049e353c4e4ba00866b2176b48ba247a8f6e050a729c3853b5d5afe323c0450
      Unlocked: development

    [root@atomic-host-test cloud-user]# rpm -q atomic
    atomic-1.17.2-4.git2760e30.el7.x86_64

    [root@atomic-host-test cloud-user]# atomic --debug run --name=sssd rhel7/sssd
    Need to pull rhel7/sssd
    Pulling registry.access.redhat.com/rhel7/sssd:latest ...
    Copying blob sha256:458d8d8f632f08b1a4dc793b138d1417b8698fb60856dddbad41b409d756789b
     68.90 MB / ? [----------------------------------=----------------------------]
    Copying blob sha256:aec4a233c9cde489b172437842425444dbbaa4ccf90363aab1bab71941a393b2
     0 B / ? [--------------------------------------------------------------------=]
    Copying blob sha256:22062cb44f1ab0e29b0a6c6b008a6d15a033d08a3b07ce833d79f0dbbfe01beb
     52.80 MB / ? [--------------=------------------------------------------------]
    Copying config sha256:fd1daa180d5e5c5c31f7ba4c2818594ed713e8d36fdd1c2e4b4f538c001408cb
     0 B / 8.19 KB [---------------------------------------------------------------]
    Writing manifest to image destination
    Storing signatures
     8.19 KB / 8.19 KB [===========================================================]
    docker run -d --restart=always --net=host --name sssd -e NAME=sssd -e IMAGE=rhel7/sssd --security-opt=label:user:system_u --security-opt=label:role:system_r --security-opt=label:type:spc_t --security-opt=label:level:s0 --security-opt=seccomp:/etc/sssd/keyring.json --cap-drop=all --cap-add=IPC_LOCK --cap-add=CHOWN --cap-add=DAC_READ_SEARCH --cap-add=DAC_OVERRIDE --cap-add=KILL --cap-add=NET_ADMIN --cap-add=SYS_NICE --cap-add=FOWNER --cap-add=SETGID --cap-add=SETUID --cap-add=SYS_ADMIN --cap-add=SYS_RESOURCE --cap-add=BLOCK_SUSPEND -v /etc/ipa/:/etc/ipa/:ro -v /etc/krb5.conf:/etc/krb5.conf:ro -v /etc/krb5.conf.d/:/etc/krb5.conf.d/ -v /etc/krb5.keytab:/etc/krb5.keytab:ro -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /etc/openldap/:/etc/openldap/:ro -v /etc/pam.d/:/etc/pam.d/:ro -v /etc/passwd:/etc/passwd.host:ro -v /etc/pki/nssdb/:/etc/pki/nssdb/:ro -v /etc/ssh/:/etc/ssh/:ro -v /etc/sssd/:/etc/sssd/:ro -v /etc/systemd/system/sssd.service.d:/etc/systemd/system/sssd.service.d:ro -v /etc/sysconfig/authconfig:/etc/sysconfig/authconfig:ro -v /etc/sysconfig/network:/etc/sysconfig/network:ro -v /etc/sysconfig/sssd:/etc/sysconfig/sssd:ro -v /etc/yp.conf:/etc/yp.conf:ro -v /var/cache/realmd/:/var/cache/realmd/ -v /var/lib/authconfig/last/:/var/lib/authconfig/last/:ro -v /var/lib/ipa-client/sysrestore/:/var/lib/ipa-client/sysrestore/:ro -v /var/lib/samba/:/var/lib/samba/ -v /var/lib/sss/:/var/lib/sss/ -v /var/log/sssd/:/var/log/sssd/ -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket rhel7/sssd /bin/run.sh

    This container uses privileged security switches:

    INFO: --cap-add
          Adding capabilities to your container could allow processes from the container to break out onto your host system.

    INFO: --net=host
          Processes in this container can listen to ports (and possibly rawip traffic) on the host's network.

    For more information on these switches and their security implications, consult the manpage for 'docker run'.

    /usr/bin/docker-current: opening seccomp profile (/etc/sssd/keyring.json) failed: open /etc/sssd/keyring.json: no such file or directory.
    See '/usr/bin/docker-current run --help'.

    Traceback (most recent call last):
      File "/usr/bin/atomic", line 203, in <module>
        sys.exit(_func())
      File "/usr/lib/python2.7/site-packages/Atomic/run.py", line 120, in run
        return be.run(img_object, atomic=self, args=self.args)
      File "/usr/lib/python2.7/site-packages/Atomic/backends/_docker.py", line 590, in run
        return util.check_call(command, env=atomic.cmd_env())
      File "/usr/lib/python2.7/site-packages/Atomic/util.py", line 147, in check_call
        return subprocess.check_call(cmd, env=env, stdin=stdin, stderr=stderr, stdout=stdout, close_fds=True)
      File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
        raise CalledProcessError(retcode, cmd)
    CalledProcessError: Command '['docker', 'run', '-d', '--restart=always', '--net=host', '--name', 'sssd', '-e', 'NAME=sssd', '-e', 'IMAGE=rhel7/sssd', '--security-opt=label:user:system_u', '--security-opt=label:role:system_r', '--security-opt=label:type:spc_t', '--security-opt=label:level:s0', '--security-opt=seccomp:/etc/sssd/keyring.json', '--cap-drop=all', '--cap-add=IPC_LOCK', '--cap-add=CHOWN', '--cap-add=DAC_READ_SEARCH', '--cap-add=DAC_OVERRIDE', '--cap-add=KILL', '--cap-add=NET_ADMIN', '--cap-add=SYS_NICE', '--cap-add=FOWNER', '--cap-add=SETGID', '--cap-add=SETUID', '--cap-add=SYS_ADMIN', '--cap-add=SYS_RESOURCE', '--cap-add=BLOCK_SUSPEND', '-v', '/etc/ipa/:/etc/ipa/:ro', '-v', '/etc/krb5.conf:/etc/krb5.conf:ro', '-v', '/etc/krb5.conf.d/:/etc/krb5.conf.d/', '-v', '/etc/krb5.keytab:/etc/krb5.keytab:ro', '-v', '/etc/nsswitch.conf:/etc/nsswitch.conf:ro', '-v', '/etc/openldap/:/etc/openldap/:ro', '-v', '/etc/pam.d/:/etc/pam.d/:ro', '-v', '/etc/passwd:/etc/passwd.host:ro', '-v', '/etc/pki/nssdb/:/etc/pki/nssdb/:ro', '-v', '/etc/ssh/:/etc/ssh/:ro', '-v', '/etc/sssd/:/etc/sssd/:ro', '-v', '/etc/systemd/system/sssd.service.d:/etc/systemd/system/sssd.service.d:ro', '-v', '/etc/sysconfig/authconfig:/etc/sysconfig/authconfig:ro', '-v', '/etc/sysconfig/network:/etc/sysconfig/network:ro', '-v', '/etc/sysconfig/sssd:/etc/sysconfig/sssd:ro', '-v', '/etc/yp.conf:/etc/yp.conf:ro', '-v', '/var/cache/realmd/:/var/cache/realmd/', '-v', '/var/lib/authconfig/last/:/var/lib/authconfig/last/:ro', '-v', '/var/lib/ipa-client/sysrestore/:/var/lib/ipa-client/sysrestore/:ro', '-v', '/var/lib/samba/:/var/lib/samba/', '-v', '/var/lib/sss/:/var/lib/sss/', '-v', '/var/log/sssd/:/var/log/sssd/', '-v', '/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket', 'rhel7/sssd', '/bin/run.sh']' returned non-zero exit status 125

NOTE: just a confirmation, the file /etc/sssd/keyring.json needs to be provided by users, right?

I gave it a try in my RHEL7.3 system w/ atomic-1.17.2-4.git2760e30.el7.x86_64 again, I still met previous known issue.

    [root@localhost ~]# cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 7.3 (Maipo)

    [root@localhost ~]# rpm -q atomic skopeo docker
    atomic-1.17.2-4.git2760e30.el7.x86_64
    skopeo-0.1.19-1.1.git62e3747.el7.x86_64
    docker-1.12.6-30.1.git1398f24.el7.x86_64

    [root@localhost ~]# atomic --debug run --name=sssd rhel7/sssd
    Need to pull rhel7/sssd
    Pulling registry.access.redhat.com/rhel7/sssd:latest ...
    Copying blob sha256:458d8d8f632f08b1a4dc793b138d1417b8698fb60856dddbad41b409d756789b
     68.90 MB / ? [----------------------------------=----------------------------]
    Copying blob sha256:aec4a233c9cde489b172437842425444dbbaa4ccf90363aab1bab71941a393b2
     0 B / ? [--------------------------------------------------------------------=]
    Copying blob sha256:22062cb44f1ab0e29b0a6c6b008a6d15a033d08a3b07ce833d79f0dbbfe01beb
     52.80 MB / ? [--------------=------------------------------------------------]
    Copying config sha256:fd1daa180d5e5c5c31f7ba4c2818594ed713e8d36fdd1c2e4b4f538c001408cb
     0 B / 8.19 KB [---------------------------------------------------------------]
    Writing manifest to image destination
    Storing signatures
     8.19 KB / 8.19 KB [===========================================================]
    The image 'sssd' appears to have not been installed and has an INSTALL label. You should install this image first. Re-run with --ignore to bypass this error.
    Traceback (most recent call last):
      File "/usr/bin/atomic", line 203, in <module>
        sys.exit(_func())
      File "/usr/lib/python2.7/site-packages/Atomic/run.py", line 120, in run
        return be.run(img_object, atomic=self, args=self.args)
      File "/usr/lib/python2.7/site-packages/Atomic/backends/_docker.py", line 548, in run
        "error.".format(iobject.name or iobject.image))
    ValueError: The image 'sssd' appears to have not been installed and has an INSTALL label. You should install this image first. Re-run with --ignore to bypass this error.

(In reply to Alex Jia from comment #19)
> In my atomic host w/ atomic-1.17.2-4.git2760e30.el7.x86_64, I haven't met
> previous known issue.
>
> [root@atomic-host-test cloud-user]# atomic host status
> State: idle
> Deployments:
> ● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
> Version: 7.3.5 (2017-05-18 19:08:58)
> Commit:
> d049e353c4e4ba00866b2176b48ba247a8f6e050a729c3853b5d5afe323c0450
> Unlocked: development
>
> [root@atomic-host-test cloud-user]# rpm -q atomic
> atomic-1.17.2-4.git2760e30.el7.x86_64
>
> [root@atomic-host-test cloud-user]# atomic --debug run --name=sssd rhel7/sssd
> Need to pull rhel7/sssd
> Pulling registry.access.redhat.com/rhel7/sssd:latest ...
> Copying blob
> sha256:458d8d8f632f08b1a4dc793b138d1417b8698fb60856dddbad41b409d756789b
> 68.90 MB / ?
> [----------------------------------=----------------------------]
> Copying blob
> sha256:aec4a233c9cde489b172437842425444dbbaa4ccf90363aab1bab71941a393b2
> 0 B / ?
> [--------------------------------------------------------------------=]
> Copying blob
> sha256:22062cb44f1ab0e29b0a6c6b008a6d15a033d08a3b07ce833d79f0dbbfe01beb
> 52.80 MB / ?
> [--------------=------------------------------------------------]
> Copying config
> sha256:fd1daa180d5e5c5c31f7ba4c2818594ed713e8d36fdd1c2e4b4f538c001408cb
> 0 B / 8.19 KB
> [---------------------------------------------------------------]
> Writing manifest to image destination
> Storing signatures
> 8.19 KB / 8.19 KB
> [===========================================================]docker run -d
> --restart=always --net=host --name sssd -e NAME=sssd -e IMAGE=rhel7/sssd
> --security-opt=label:user:system_u --security-opt=label:role:system_r
> --security-opt=label:type:spc_t --security-opt=label:level:s0
> --security-opt=seccomp:/etc/sssd/keyring.json --cap-drop=all
> --cap-add=IPC_LOCK --cap-add=CHOWN --cap-add=DAC_READ_SEARCH
> --cap-add=DAC_OVERRIDE --cap-add=KILL --cap-add=NET_ADMIN --cap-add=SYS_NICE
> --cap-add=FOWNER --cap-add=SETGID --cap-add=SETUID --cap-add=SYS_ADMIN
> --cap-add=SYS_RESOURCE --cap-add=BLOCK_SUSPEND -v /etc/ipa/:/etc/ipa/:ro -v
> /etc/krb5.conf:/etc/krb5.conf:ro -v /etc/krb5.conf.d/:/etc/krb5.conf.d/ -v
> /etc/krb5.keytab:/etc/krb5.keytab:ro -v
> /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /etc/openldap/:/etc/openldap/:ro
> -v /etc/pam.d/:/etc/pam.d/:ro -v /etc/passwd:/etc/passwd.host:ro -v
> /etc/pki/nssdb/:/etc/pki/nssdb/:ro -v /etc/ssh/:/etc/ssh/:ro -v
> /etc/sssd/:/etc/sssd/:ro -v
> /etc/systemd/system/sssd.service.d:/etc/systemd/system/sssd.service.d:ro -v
> /etc/sysconfig/authconfig:/etc/sysconfig/authconfig:ro -v
> /etc/sysconfig/network:/etc/sysconfig/network:ro -v
> /etc/sysconfig/sssd:/etc/sysconfig/sssd:ro -v /etc/yp.conf:/etc/yp.conf:ro
> -v /var/cache/realmd/:/var/cache/realmd/ -v
> /var/lib/authconfig/last/:/var/lib/authconfig/last/:ro -v
> /var/lib/ipa-client/sysrestore/:/var/lib/ipa-client/sysrestore/:ro -v
> /var/lib/samba/:/var/lib/samba/ -v /var/lib/sss/:/var/lib/sss/ -v
> /var/log/sssd/:/var/log/sssd/ -v
> /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket rhel7/sssd
> /bin/run.sh
>
> This container uses privileged security switches:
>
> INFO: --cap-add
> Adding capabilities to your container could allow processes from the
> container to break out onto your host system.
>
> INFO: --net=host
> Processes in this container can listen to ports (and possibly rawip
> traffic) on the host's network.
>
> For more information on these switches and their security implications,
> consult the manpage for 'docker run'.
>
> /usr/bin/docker-current: opening seccomp profile (/etc/sssd/keyring.json)
> failed: open /etc/sssd/keyring.json: no such file or directory.
> See '/usr/bin/docker-current run --help'.
>
> Traceback (most recent call last):
>   File "/usr/bin/atomic", line 203, in <module>
>     sys.exit(_func())
>   File "/usr/lib/python2.7/site-packages/Atomic/run.py", line 120, in run
>     return be.run(img_object, atomic=self, args=self.args)
>   File "/usr/lib/python2.7/site-packages/Atomic/backends/_docker.py", line
> 590, in run
>     return util.check_call(command, env=atomic.cmd_env())
>   File "/usr/lib/python2.7/site-packages/Atomic/util.py", line 147, in
> check_call
>     return subprocess.check_call(cmd, env=env, stdin=stdin, stderr=stderr,
> stdout=stdout, close_fds=True)
>   File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
>     raise CalledProcessError(retcode, cmd)
> CalledProcessError: Command '['docker', 'run', '-d', '--restart=always',
> '--net=host', '--name', 'sssd', '-e', 'NAME=sssd', '-e', 'IMAGE=rhel7/sssd',
> '--security-opt=label:user:system_u', '--security-opt=label:role:system_r',
> '--security-opt=label:type:spc_t', '--security-opt=label:level:s0',
> '--security-opt=seccomp:/etc/sssd/keyring.json', '--cap-drop=all',
> '--cap-add=IPC_LOCK', '--cap-add=CHOWN', '--cap-add=DAC_READ_SEARCH',
> '--cap-add=DAC_OVERRIDE', '--cap-add=KILL', '--cap-add=NET_ADMIN',
> '--cap-add=SYS_NICE', '--cap-add=FOWNER', '--cap-add=SETGID',
> '--cap-add=SETUID', '--cap-add=SYS_ADMIN', '--cap-add=SYS_RESOURCE',
> '--cap-add=BLOCK_SUSPEND', '-v', '/etc/ipa/:/etc/ipa/:ro', '-v',
> '/etc/krb5.conf:/etc/krb5.conf:ro', '-v',
> '/etc/krb5.conf.d/:/etc/krb5.conf.d/', '-v',
> '/etc/krb5.keytab:/etc/krb5.keytab:ro', '-v',
> '/etc/nsswitch.conf:/etc/nsswitch.conf:ro', '-v',
> '/etc/openldap/:/etc/openldap/:ro', '-v', '/etc/pam.d/:/etc/pam.d/:ro',
> '-v', '/etc/passwd:/etc/passwd.host:ro', '-v',
> '/etc/pki/nssdb/:/etc/pki/nssdb/:ro', '-v', '/etc/ssh/:/etc/ssh/:ro', '-v',
> '/etc/sssd/:/etc/sssd/:ro', '-v',
> '/etc/systemd/system/sssd.service.d:/etc/systemd/system/sssd.service.d:ro',
> '-v', '/etc/sysconfig/authconfig:/etc/sysconfig/authconfig:ro', '-v',
> '/etc/sysconfig/network:/etc/sysconfig/network:ro', '-v',
> '/etc/sysconfig/sssd:/etc/sysconfig/sssd:ro', '-v',
> '/etc/yp.conf:/etc/yp.conf:ro', '-v',
> '/var/cache/realmd/:/var/cache/realmd/', '-v',
> '/var/lib/authconfig/last/:/var/lib/authconfig/last/:ro', '-v',
> '/var/lib/ipa-client/sysrestore/:/var/lib/ipa-client/sysrestore/:ro', '-v',
> '/var/lib/samba/:/var/lib/samba/', '-v', '/var/lib/sss/:/var/lib/sss/',
> '-v', '/var/log/sssd/:/var/log/sssd/', '-v',
> '/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket',
> 'rhel7/sssd', '/bin/run.sh']' returned non-zero exit status 125
>
>
> NOTE: just a confirmation, the file /etc/sssd/keyring.json need to be
> provided by users, right?
>

NO; the file is created by atomic install

And you run just "atomic run" without "atomic install". You were not using correct steps to reproduce.

Description of ticket says:
Steps to Reproduce:
1. atomic install rhel7/sssd realm join -v --membership-software=samba <AD-Domain>
2. Start the sssd container
3./usr/bin/atomic run --name=sssd rhel7/sssd

And you used just the 3rd step. Which is not a bug in atomic utility but PEBKAC :-)

As I understand it, the root cause is using the 'short name' of an image when doing 'atomic install' and 'atomic run' did not always work.

I do not have the environment to test the 'sssd' container, but the 'cockpit-ws' container has an install label, so I tested with that:

    # rpm -q atomic
    atomic-1.17.2-4.git2760e30.el7.x86_64

    # atomic pull rhel7/cockpit-ws
    Pulling registry.access.redhat.com/rhel7/cockpit-ws:latest ...
    Copying blob sha256:8642dd241e54ecb57f49345f135e9bcedb0546e7e61c1ca4d0008a9925f50444
     68.78 MB / ? [=--------------------------------------------------------------]
    Copying blob sha256:fdd633d880f736958e14a036256b2def325acf6b438b7c849139fe92d5cbe4ce
     0 B / ? [--------------------------------------------------------------------=]
    Copying blob sha256:96bf84a741f858cc77749a1410a21c883f853bd87a47d94b742268cec2f1606a
     5.59 MB / ? [--------------------------------------------------------=-------]
    Copying config sha256:b6e8506cc2e13bed2de0dc07bbe097d173c7e953c2812bbe1baf5e9842ccac91
     0 B / 5.97 KB [---------------------------------------------------------------]
    Writing manifest to image destination
    Storing signatures
     5.97 KB / 5.97 KB [===========================================================]

    # atomic images list
    REPOSITORY                                    TAG      IMAGE ID       CREATED            VIRTUAL SIZE   TYPE
    registry.access.redhat.com/rhel7/cockpit-ws   latest   b6e8506cc2e1   2017-04-24 06:50   209.77 MB      docker

    # atomic install --name cockpit rhel7/cockpit-ws
    /usr/bin/docker run --rm --privileged -v /:/host rhel7/cockpit-ws /container/atomic-install
    + sed -e /pam_selinux/d -e /pam_sepermit/d /etc/pam.d/cockpit
    + mkdir -p /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
    + chmod 755 /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
    + chown root:root /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
    + mkdir -p /host/var/lib/cockpit
    + chmod 775 /host/var/lib/cockpit
    + chown root:wheel /host/var/lib/cockpit
    + mkdir -p /etc/ssh
    + /bin/mount --bind /host/etc/cockpit /etc/cockpit
    + /usr/sbin/remotectl certificate --ensure

    # atomic run --name cockpit rhel7/cockpit-ws
    /usr/bin/docker run -d --privileged --pid=host -v /:/host rhel7/cockpit-ws /container/atomic-run --local-ssh

    This container uses privileged security switches:

    INFO: --pid=host
          Processes in this container can see and interact with all processes on the host and disables SELinux within the container.

    INFO: --privileged
          This container runs without separation and should be considered the same as root on your system.

    For more information on these switches and their security implications, consult the manpage for 'docker run'.

    871494abdcc3e952f59405f5af6293756f2c23f3acb6092358e57886f5577762

    # atomic containers list
    CONTAINER ID   IMAGE              COMMAND                CREATED            STATE     BACKEND   RUNTIME
    871494abdcc3   rhel7/cockpit-ws   /container/atomic-ru   2017-05-23 14:07   running   docker    docker

I believe this is fixed, but would like the folks testing the 'sssd' container to confirm.

(In reply to Micah Abbott from comment #21)
> As I understand it, the root cause is using the 'short name' of an image
> when doing 'atomic install' and 'atomic run' did not always work.
>
> I do not have the environment to test the 'sssd' container, but the
> 'cockpit-ws' container has an install label, so I tested with that:

I also haven't an available AD for testing.

>
> I believe this is fixed, but would like the folks testing the 'sssd'
> container to confirm.

Lukas Slebodnik has confirmed it works for him, it should be safe to move the bug to VERIFIED I think.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1323
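
Added example, not part of the bug report and not atomic's own code: a preflight audit of the `docker run` argv that a RUN label expands to. It reports a seccomp profile that is not on disk (the exit status 125 failure above, which occurs when `atomic install` has not yet created `/etc/sssd/keyring.json`) and the privileged switches the atomic notice lists. The function names and the shortened `SAMPLE_ARGV` are assumptions made for illustration.

```python
import os
import re

# Options whose value may follow as the next argv element or after "=".
VALUE_OPTS = {"-v", "--volume", "--security-opt", "--cap-add"}
# Switches named in atomic's "privileged security switches" notices on this page.
HOST_SWITCHES = {"--privileged", "--net=host", "--pid=host"}

# Constructed sample: a shortened copy of the argv shown in the traceback above.
SAMPLE_ARGV = [
    "docker", "run", "-d", "--restart=always", "--net=host", "--name", "sssd",
    "--security-opt=label:type:spc_t",
    "--security-opt=seccomp:/etc/sssd/keyring.json",
    "--cap-drop=all", "--cap-add=IPC_LOCK", "--cap-add=SYS_ADMIN",
    "-v", "/etc/krb5.keytab:/etc/krb5.keytab:ro",
    "-v", "/var/lib/sss/:/var/lib/sss/",
    "rhel7/sssd", "/bin/run.sh",
]


def _options(argv):
    """Yield (option, value) pairs; value is None for anything not in VALUE_OPTS."""
    it = iter(argv)
    for arg in it:
        name, eq, val = arg.partition("=")
        if arg in VALUE_OPTS:
            yield arg, next(it, "")
        elif eq and name in VALUE_OPTS:
            yield name, val
        else:
            yield arg, None


def audit_run_command(argv, exists=os.path.exists):
    """Inspect a docker-run argv without executing it.

    `exists` is injectable so the check can run without touching the host.
    Limitation: every element is inspected, including the container's own
    command arguments after the image name.
    """
    found = {"missing_seccomp": [], "missing_mount_sources": [],
             "writable_mounts": [], "host_switches": [],
             "caps_added": [], "selinux_spc": False}
    for opt, val in _options(argv):
        if opt in HOST_SWITCHES:
            found["host_switches"].append(opt)
        elif opt == "--cap-add":
            found["caps_added"].append(val.upper())
        elif opt == "--security-opt":
            # Accept both "seccomp:/path" (as on this page) and "seccomp=/path".
            key, setting = (re.split(r"[:=]", val, maxsplit=1) + [""])[:2]
            if key == "seccomp" and setting != "unconfined" and not exists(setting):
                found["missing_seccomp"].append(setting)  # docker run will fail
            elif key == "label" and setting == "type:spc_t":
                found["selinux_spc"] = True  # super privileged container type
        elif opt in ("-v", "--volume"):
            src, _, rest = val.partition(":")
            mode = rest.partition(":")[2]
            if src.startswith("/"):
                if not exists(src):
                    # docker -v creates a missing source as an empty directory
                    found["missing_mount_sources"].append(src)
                if "ro" not in mode.split(","):
                    found["writable_mounts"].append(src)
    return found


if __name__ == "__main__":
    for key, value in audit_run_command(SAMPLE_ARGV).items():
        print(key, value)
```

Running the audit before `systemctl start sssd` separates a skipped install step from a genuine `atomic run` regression.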