Bug 1752005

Summary: Keyrings should not be used in containerized environment
Product: Red Hat Enterprise Linux 7 Reporter: Tibor Dudlák <tdudlak>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.7CC: ksiddiqu, pasik, rcritten, ssidhaye, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.6.6-6.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-31 19:55:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 2 Florence Blanc-Renaud 2019-09-13 12:40:36 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7807
Comment 3 Florence Blanc-Renaud 2019-09-13 13:26:52 UTC 
Fixed upstream:
master:
https://pagure.io/freeipa/c/165a941109a9a5f7ac8f85bdda93b4132875a7b1

ipa-4-7:
https://pagure.io/freeipa/c/b149fff80675b07d280bd0ca8e11a69dc25d0e34

ipa-4-6:
https://pagure.io/freeipa/c/91e54057f130f0c2d9da8506e34c3cadc9cd9c6e
Comment 5 Sumedh Sidhaye 2019-12-17 11:50:09 UTC 
Build used for verification:
ipa-server-4.6.6-11.el7.x86_64

Non Containerized:

[root@master ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin

Valid starting       Expires              Service principal
2019-12-17T12:27:22  2019-12-18T12:27:19  HTTP/master.testrealm.test
2019-12-17T12:27:21  2019-12-18T12:27:19  krbtgt/TESTREALM.TEST
[root@master ~]# rpm -q ipa-server
ipa-server-4.6.6-11.el7.x86_64
[root@master ~]# cat /etc/krb5.conf | grep default_ccache_name
 default_ccache_name = KEYRING:persistent:%{uid}
[root@master ~]# 
[root@master ~]# systemd-detect-virt --container
none

Containerized env:

[root@master ~]# docker exec -it ipadocker systemd-detect-virt --container
other
[root@master ~]# docker exec -it ipadocker rpm -q ipa-server
ipa-server-4.6.6-11.el7.x86_64

[root@master ~]# docker exec -it ipadocker cat /etc/krb5.conf | grep defaut_ccache_name
[root@master ~]#
[root@master ~]# docker exec -it ipadocker /bin/bash -ti
[root@master /]# kinit admin
Password for admin: 
[root@master ~]# docker exec -it ipadocker klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin

Valid starting     Expires            Service principal
12/17/19 11:38:19  12/18/19 11:38:16  krbtgt/ND78.PNQ
[root@master ~]#
Comment 7 errata-xmlrpc 2020-03-31 19:55:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1083