Bug 1454292 - Atomic run doesn't start the sssd container
Summary: Atomic run doesn't start the sssd container
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: atomic
Version: 7.3
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Brent Baude
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1456658
Reported: 2017-05-22 12:01 UTC by Niranjan Mallapadi Raghavender
Modified: 2017-05-30 06:02 UTC (History)
CC List: 9 users

Fixed In Version: atomic-1.17.2-4.git2760e30.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1456658
Environment:
Last Closed: 2017-05-26 14:29:34 UTC
Target Upstream Version:
Embargoed:


Links
Red Hat Product Errata RHBA-2017:1323 (priority normal, status SHIPPED_LIVE): atomic bug fix and enhancement update, last updated 2017-05-26 18:13:56 UTC

Description Niranjan Mallapadi Raghavender 2017-05-22 12:01:35 UTC
Description of problem:

/usr/bin/atomic run --name=sssd rhel7/sssd fails with below error:

The image 'sssd' appears to have not been installed and has an INSTALL label.  You should install this image first.  Re-run with --ignore to bypass this error.

[root@atomic-00 ~]# cat /var/lib/atomic/install.json
{"registry.access.redhat.com/rhel7/sssd:latest": {"install_date": "2017-05-22 10:42:21", "id": "fad80f01d8fa1995687b4db02a18ddae0989ada0f661d18789eed790f850d67c", "container_name": "sssd"}}
[root@atomic-00 ~]# ^C



Version-Release number of selected component (if applicable):

atomic-1.17.2-3.git2760e30.el7.x86_64
[root@atomic-00 ~]# atomic host status
State: idle
Deployments:
● rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
             Version: 7.3.5 (2017-05-18 19:08:58)
              Commit: d049e353c4e4ba00866b2176b48ba247a8f6e050a729c3853b5d5afe323c045




How reproducible:


Steps to Reproduce:
1. atomic install rhel7/sssd realm join -v --membership-software=samba <AD-Domain>
2. Start the sssd container
3. /usr/bin/atomic run --name=sssd rhel7/sssd

Actual results:
The image 'sssd' appears to have not been installed and has an INSTALL label.  You should install this image first.  Re-run with --ignore to bypass this error.


Expected results:
Atomic run --name sssd should run the sssd container.

Additional info:

If we pass --ignore, it starts:

[root@atomic-00 ~]# /usr/bin/atomic --ignore run --name=sssd rhel7/sssd
docker run -d --restart=always --net=host --name sssd -e NAME=sssd -e IMAGE=rhel7/sssd --security-opt=label:user:system_u --security-opt=label:role:system_r --security-opt=label:type:spc_t --security-opt=label:level:s0 --security-opt=seccomp:/etc/sssd/keyring.json --cap-drop=all --cap-add=IPC_LOCK --cap-add=CHOWN --cap-add=DAC_READ_SEARCH --cap-add=DAC_OVERRIDE --cap-add=KILL --cap-add=NET_ADMIN --cap-add=SYS_NICE --cap-add=FOWNER --cap-add=SETGID --cap-add=SETUID --cap-add=SYS_ADMIN --cap-add=SYS_RESOURCE --cap-add=BLOCK_SUSPEND -v /etc/ipa/:/etc/ipa/:ro -v /etc/krb5.conf:/etc/krb5.conf:ro -v /etc/krb5.conf.d/:/etc/krb5.conf.d/ -v /etc/krb5.keytab:/etc/krb5.keytab:ro -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /etc/openldap/:/etc/openldap/:ro -v /etc/pam.d/:/etc/pam.d/:ro -v /etc/passwd:/etc/passwd.host:ro -v /etc/pki/nssdb/:/etc/pki/nssdb/:ro -v /etc/ssh/:/etc/ssh/:ro -v /etc/sssd/:/etc/sssd/:ro -v /etc/systemd/system/sssd.service.d:/etc/systemd/system/sssd.service.d:ro -v /etc/sysconfig/authconfig:/etc/sysconfig/authconfig:ro -v /etc/sysconfig/network:/etc/sysconfig/network:ro -v /etc/sysconfig/sssd:/etc/sysconfig/sssd:ro -v /etc/yp.conf:/etc/yp.conf:ro -v /var/cache/realmd/:/var/cache/realmd/ -v /var/lib/authconfig/last/:/var/lib/authconfig/last/:ro -v /var/lib/ipa-client/sysrestore/:/var/lib/ipa-client/sysrestore/:ro -v /var/lib/samba/:/var/lib/samba/ -v /var/lib/sss/:/var/lib/sss/ -v /var/log/sssd/:/var/log/sssd/ -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket rhel7/sssd /bin/run.sh

This container uses privileged security switches:

INFO: --cap-add 
      Adding capabilities to your container could allow processes from the container to break out onto your host system.

INFO: --net=host 
      Processes in this container can listen to ports (and possibly rawip traffic) on the host's network.

For more information on these switches and their security implications, consult the manpage for 'docker run'.

90c5ba13422f923c18a9078b3460ed6ffb33aecac217ec4cc896449b3cfea401


Currently we cannot start the sssd container because of changes in the atomic utility in version atomic-1.17.2-3.git2760e30.el7.x86_64. This is a regression.

Comment 3 Brent Baude 2017-05-22 13:17:27 UTC
if you use the fully qualified image name, does it work?

Comment 4 Niranjan Mallapadi Raghavender 2017-05-22 13:25:00 UTC
This issue is seen on 7.3.5 Atomic image, please set the version to 7.3

Comment 5 Niranjan Mallapadi Raghavender 2017-05-22 13:26:02 UTC
> if you use the fully qualified image name, does it work?

Do you mean /usr/bin/atomic run --name=rhel7/sssd rhel7/sssd ?

Comment 6 Brent Baude 2017-05-22 13:28:27 UTC
registry.access.redhat.com/rhel7/sssd:latest <-- more like that ... also, could you provide docker images and docker ps -a ?

Comment 7 Lukas Slebodnik 2017-05-22 13:46:02 UTC
What do you mean by fully qualified name?
If you meant together with registry then I can tag any image with different name.
Or I can import image as a tarball (with docker import).


And as you can see, neither of the names has a registry in it.

[root@atomic-00 ~]# docker images 
REPOSITORY             TAG                                               IMAGE ID            CREATED             SIZE
rhel7/sssd             latest                                            fad80f01d8fa        3 days ago          357.6 MB
lslebodn/sssd-docker   extras-rhel-7.3-docker-candidate-20170519091256   fad80f01d8fa        3 days ago          357.6 MB

Comment 8 Niranjan Mallapadi Raghavender 2017-05-22 15:13:44 UTC
Requested Output:

[root@atomic-00 ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[root@atomic-00 ~]# docker images
REPOSITORY             TAG                                               IMAGE ID            CREATED             SIZE
lslebodn/sssd-docker   extras-rhel-7.3-docker-candidate-20170519091256   fad80f01d8fa        3 days ago          357.6 MB
rhel7/sssd             latest                                            fad80f01d8fa        3 days ago          357.6 MB

Comment 9 Niranjan Mallapadi Raghavender 2017-05-22 15:18:33 UTC
I am not sure why the version was changed to 7.4, but the issue we are seeing is in 7.3 Atomic host

Comment 11 Brent Baude 2017-05-22 19:01:27 UTC
This should fix the issue reported if you cannot use fq names:

https://github.com/projectatomic/atomic/pull/1010

Comment 13 Alex Jia 2017-05-23 03:42:54 UTC
(In reply to Brent Baude from comment #11)
> This should fix the issue reported if you cannot use fq names:
> 
> https://github.com/projectatomic/atomic/pull/1010

There are several questions here.

Q1: this PR hasn't been merged into the master branch of upstream atomic, so atomic-1.17.2-5.1.git2760e30.el7.x86_64 can't include the patch.

Q2: this PR doesn't work for me, I still get the same error as before whether you use the fq image name or not.

Q3: for a system container, the user should run atomic install before executing atomic run; atomic run can only pull the image if it doesn't exist and execute the RUN label, it can't execute the INSTALL label.

Q4: even without the above errors, users also can't start the sssd container without providing any credentials to enrol the machine in the IPA domain.

https://hub.docker.com/r/fedora/sssd/

Comment 15 Niranjan Mallapadi Raghavender 2017-05-23 03:53:32 UTC
The proper steps to reproduce the error are:


1. Specify the AD IP address in /etc/resolv.conf (should be the first entry)
2. Create a file /etc/sssd/realm-join-password containing the AD Administrator password (Ex. echo 'Secret123' > /etc/sssd/realm-join-password)
3. atomic install rhel7/sssd realm join -v --membership-software=samba <AD-DOMAIN.TEST>
4. systemctl start sssd (which in turn runs atomic run: /usr/bin/atomic run --name=sssd rhel7/sssd)

Comment 19 Alex Jia 2017-05-23 10:09:57 UTC
In my atomic host w/ atomic-1.17.2-4.git2760e30.el7.x86_64, I haven't met the previous known issue.

[root@atomic-host-test cloud-user]# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
             Version: 7.3.5 (2017-05-18 19:08:58)
              Commit: d049e353c4e4ba00866b2176b48ba247a8f6e050a729c3853b5d5afe323c0450
            Unlocked: development

[root@atomic-host-test cloud-user]# rpm -q atomic
atomic-1.17.2-4.git2760e30.el7.x86_64

[root@atomic-host-test cloud-user]# atomic --debug run --name=sssd rhel7/sssd
Need to pull rhel7/sssd
Pulling registry.access.redhat.com/rhel7/sssd:latest ...
Copying blob sha256:458d8d8f632f08b1a4dc793b138d1417b8698fb60856dddbad41b409d756789b
 68.90 MB / ? [----------------------------------=----------------------------] 
Copying blob sha256:aec4a233c9cde489b172437842425444dbbaa4ccf90363aab1bab71941a393b2
 0 B / ? [--------------------------------------------------------------------=]
Copying blob sha256:22062cb44f1ab0e29b0a6c6b008a6d15a033d08a3b07ce833d79f0dbbfe01beb
 52.80 MB / ? [--------------=------------------------------------------------] 
Copying config sha256:fd1daa180d5e5c5c31f7ba4c2818594ed713e8d36fdd1c2e4b4f538c001408cb
 0 B / 8.19 KB [---------------------------------------------------------------]
Writing manifest to image destination
Storing signatures
 8.19 KB / 8.19 KB [===========================================================]
docker run -d --restart=always --net=host --name sssd -e NAME=sssd -e IMAGE=rhel7/sssd --security-opt=label:user:system_u --security-opt=label:role:system_r --security-opt=label:type:spc_t --security-opt=label:level:s0 --security-opt=seccomp:/etc/sssd/keyring.json --cap-drop=all --cap-add=IPC_LOCK --cap-add=CHOWN --cap-add=DAC_READ_SEARCH --cap-add=DAC_OVERRIDE --cap-add=KILL --cap-add=NET_ADMIN --cap-add=SYS_NICE --cap-add=FOWNER --cap-add=SETGID --cap-add=SETUID --cap-add=SYS_ADMIN --cap-add=SYS_RESOURCE --cap-add=BLOCK_SUSPEND -v /etc/ipa/:/etc/ipa/:ro -v /etc/krb5.conf:/etc/krb5.conf:ro -v /etc/krb5.conf.d/:/etc/krb5.conf.d/ -v /etc/krb5.keytab:/etc/krb5.keytab:ro -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /etc/openldap/:/etc/openldap/:ro -v /etc/pam.d/:/etc/pam.d/:ro -v /etc/passwd:/etc/passwd.host:ro -v /etc/pki/nssdb/:/etc/pki/nssdb/:ro -v /etc/ssh/:/etc/ssh/:ro -v /etc/sssd/:/etc/sssd/:ro -v /etc/systemd/system/sssd.service.d:/etc/systemd/system/sssd.service.d:ro -v /etc/sysconfig/authconfig:/etc/sysconfig/authconfig:ro -v /etc/sysconfig/network:/etc/sysconfig/network:ro -v /etc/sysconfig/sssd:/etc/sysconfig/sssd:ro -v /etc/yp.conf:/etc/yp.conf:ro -v /var/cache/realmd/:/var/cache/realmd/ -v /var/lib/authconfig/last/:/var/lib/authconfig/last/:ro -v /var/lib/ipa-client/sysrestore/:/var/lib/ipa-client/sysrestore/:ro -v /var/lib/samba/:/var/lib/samba/ -v /var/lib/sss/:/var/lib/sss/ -v /var/log/sssd/:/var/log/sssd/ -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket rhel7/sssd /bin/run.sh

This container uses privileged security switches:

INFO: --cap-add 
      Adding capabilities to your container could allow processes from the container to break out onto your host system.

INFO: --net=host 
      Processes in this container can listen to ports (and possibly rawip traffic) on the host's network.

For more information on these switches and their security implications, consult the manpage for 'docker run'.

/usr/bin/docker-current: opening seccomp profile (/etc/sssd/keyring.json) failed: open /etc/sssd/keyring.json: no such file or directory.
See '/usr/bin/docker-current run --help'.

Traceback (most recent call last):
  File "/usr/bin/atomic", line 203, in <module>
    sys.exit(_func())
  File "/usr/lib/python2.7/site-packages/Atomic/run.py", line 120, in run
    return be.run(img_object, atomic=self, args=self.args)
  File "/usr/lib/python2.7/site-packages/Atomic/backends/_docker.py", line 590, in run
    return util.check_call(command, env=atomic.cmd_env())
  File "/usr/lib/python2.7/site-packages/Atomic/util.py", line 147, in check_call
    return subprocess.check_call(cmd, env=env, stdin=stdin, stderr=stderr, stdout=stdout, close_fds=True)
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '['docker', 'run', '-d', '--restart=always', '--net=host', '--name', 'sssd', '-e', 'NAME=sssd', '-e', 'IMAGE=rhel7/sssd', '--security-opt=label:user:system_u', '--security-opt=label:role:system_r', '--security-opt=label:type:spc_t', '--security-opt=label:level:s0', '--security-opt=seccomp:/etc/sssd/keyring.json', '--cap-drop=all', '--cap-add=IPC_LOCK', '--cap-add=CHOWN', '--cap-add=DAC_READ_SEARCH', '--cap-add=DAC_OVERRIDE', '--cap-add=KILL', '--cap-add=NET_ADMIN', '--cap-add=SYS_NICE', '--cap-add=FOWNER', '--cap-add=SETGID', '--cap-add=SETUID', '--cap-add=SYS_ADMIN', '--cap-add=SYS_RESOURCE', '--cap-add=BLOCK_SUSPEND', '-v', '/etc/ipa/:/etc/ipa/:ro', '-v', '/etc/krb5.conf:/etc/krb5.conf:ro', '-v', '/etc/krb5.conf.d/:/etc/krb5.conf.d/', '-v', '/etc/krb5.keytab:/etc/krb5.keytab:ro', '-v', '/etc/nsswitch.conf:/etc/nsswitch.conf:ro', '-v', '/etc/openldap/:/etc/openldap/:ro', '-v', '/etc/pam.d/:/etc/pam.d/:ro', '-v', '/etc/passwd:/etc/passwd.host:ro', '-v', '/etc/pki/nssdb/:/etc/pki/nssdb/:ro', '-v', '/etc/ssh/:/etc/ssh/:ro', '-v', '/etc/sssd/:/etc/sssd/:ro', '-v', '/etc/systemd/system/sssd.service.d:/etc/systemd/system/sssd.service.d:ro', '-v', '/etc/sysconfig/authconfig:/etc/sysconfig/authconfig:ro', '-v', '/etc/sysconfig/network:/etc/sysconfig/network:ro', '-v', '/etc/sysconfig/sssd:/etc/sysconfig/sssd:ro', '-v', '/etc/yp.conf:/etc/yp.conf:ro', '-v', '/var/cache/realmd/:/var/cache/realmd/', '-v', '/var/lib/authconfig/last/:/var/lib/authconfig/last/:ro', '-v', '/var/lib/ipa-client/sysrestore/:/var/lib/ipa-client/sysrestore/:ro', '-v', '/var/lib/samba/:/var/lib/samba/', '-v', '/var/lib/sss/:/var/lib/sss/', '-v', '/var/log/sssd/:/var/log/sssd/', '-v', '/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket', 'rhel7/sssd', '/bin/run.sh']' returned non-zero exit status 125


NOTE: just a confirmation, the file /etc/sssd/keyring.json needs to be provided by users, right?


I gave it a try in my RHEL7.3 system w/ atomic-1.17.2-4.git2760e30.el7.x86_64 again, and I still met the previous known issue.

[root@localhost ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)

[root@localhost ~]# rpm -q atomic skopeo docker
atomic-1.17.2-4.git2760e30.el7.x86_64
skopeo-0.1.19-1.1.git62e3747.el7.x86_64
docker-1.12.6-30.1.git1398f24.el7.x86_64

[root@localhost ~]# atomic --debug run --name=sssd rhel7/sssd
Need to pull rhel7/sssd
Pulling registry.access.redhat.com/rhel7/sssd:latest ...
Copying blob sha256:458d8d8f632f08b1a4dc793b138d1417b8698fb60856dddbad41b409d756789b
 68.90 MB / ? [----------------------------------=----------------------------] 
Copying blob sha256:aec4a233c9cde489b172437842425444dbbaa4ccf90363aab1bab71941a393b2
 0 B / ? [--------------------------------------------------------------------=]
Copying blob sha256:22062cb44f1ab0e29b0a6c6b008a6d15a033d08a3b07ce833d79f0dbbfe01beb
 52.80 MB / ? [--------------=------------------------------------------------] 
Copying config sha256:fd1daa180d5e5c5c31f7ba4c2818594ed713e8d36fdd1c2e4b4f538c001408cb
 0 B / 8.19 KB [---------------------------------------------------------------]
Writing manifest to image destination
Storing signatures
 8.19 KB / 8.19 KB [===========================================================]
The image 'sssd' appears to have not been installed and has an INSTALL label.  You should install this image first.  Re-run with --ignore to bypass this error.
Traceback (most recent call last):
  File "/usr/bin/atomic", line 203, in <module>
    sys.exit(_func())
  File "/usr/lib/python2.7/site-packages/Atomic/run.py", line 120, in run
    return be.run(img_object, atomic=self, args=self.args)
  File "/usr/lib/python2.7/site-packages/Atomic/backends/_docker.py", line 548, in run
    "error.".format(iobject.name or iobject.image))
ValueError: The image 'sssd' appears to have not been installed and has an INSTALL label.  You should install this image first.  Re-run with --ignore to bypass this error.

Comment 20 Lukas Slebodnik 2017-05-23 10:59:32 UTC
(In reply to Alex Jia from comment #19)
> In my atomic host w/ atomic-1.17.2-4.git2760e30.el7.x86_64, I haven't met
> previous known issue.
> NOTE: just a confirmation, the file /etc/sssd/keyring.json need to be
> provided by users, right? 
> 
NO; the file is created by atomic install.

And you run just "atomic run" without "atomic install".

You were not using correct steps to reproduce.
Description of ticket says:

   Steps to Reproduce:
   1. atomic install rhel7/sssd realm join -v --membership-software=samba  <AD-Domain>
   2. Start the sssd container
   3./usr/bin/atomic run --name=sssd rhel7/sssd

And you used just the 3rd step, which is not a bug in the atomic utility but PEBKAC :-)

Comment 21 Micah Abbott 2017-05-23 14:10:26 UTC
As I understand it, the root cause is that using the 'short name' of an image when doing 'atomic install' and 'atomic run' did not always work.

I do not have the environment to test the 'sssd' container, but the 'cockpit-ws' container has an install label, so I tested with that:

# rpm -q atomic
atomic-1.17.2-4.git2760e30.el7.x86_64

# atomic pull rhel7/cockpit-ws
Pulling registry.access.redhat.com/rhel7/cockpit-ws:latest ...
Copying blob sha256:8642dd241e54ecb57f49345f135e9bcedb0546e7e61c1ca4d0008a9925f50444
 68.78 MB / ? [=--------------------------------------------------------------] 
Copying blob sha256:fdd633d880f736958e14a036256b2def325acf6b438b7c849139fe92d5cbe4ce
 0 B / ? [--------------------------------------------------------------------=]
Copying blob sha256:96bf84a741f858cc77749a1410a21c883f853bd87a47d94b742268cec2f1606a
 5.59 MB / ? [--------------------------------------------------------=-------] 
Copying config sha256:b6e8506cc2e13bed2de0dc07bbe097d173c7e953c2812bbe1baf5e9842ccac91
 0 B / 5.97 KB [---------------------------------------------------------------]
Writing manifest to image destination
Storing signatures
 5.97 KB / 5.97 KB [===========================================================]

# atomic images list
   REPOSITORY                                    TAG      IMAGE ID       CREATED            VIRTUAL SIZE   TYPE      
   registry.access.redhat.com/rhel7/cockpit-ws   latest   b6e8506cc2e1   2017-04-24 06:50   209.77 MB      docker    

# atomic install --name cockpit rhel7/cockpit-ws
/usr/bin/docker run --rm --privileged -v /:/host rhel7/cockpit-ws /container/atomic-install
+ sed -e /pam_selinux/d -e /pam_sepermit/d /etc/pam.d/cockpit
+ mkdir -p /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
+ chmod 755 /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
+ chown root:root /host/etc/cockpit/ws-certs.d /host/etc/cockpit/machines.d
+ mkdir -p /host/var/lib/cockpit
+ chmod 775 /host/var/lib/cockpit
+ chown root:wheel /host/var/lib/cockpit
+ mkdir -p /etc/ssh
+ /bin/mount --bind /host/etc/cockpit /etc/cockpit
+ /usr/sbin/remotectl certificate --ensure

# atomic run --name cockpit rhel7/cockpit-ws
/usr/bin/docker run -d --privileged --pid=host -v /:/host rhel7/cockpit-ws /container/atomic-run --local-ssh

This container uses privileged security switches:

INFO: --pid=host 
      Processes in this container can see and interact with all processes on the host and disables SELinux within the container.

INFO: --privileged 
      This container runs without separation and should be considered the same as root on your system.

For more information on these switches and their security implications, consult the manpage for 'docker run'.

871494abdcc3e952f59405f5af6293756f2c23f3acb6092358e57886f5577762

# atomic containers list
   CONTAINER ID IMAGE                COMMAND              CREATED          STATE      BACKEND    RUNTIME   
   871494abdcc3 rhel7/cockpit-ws     /container/atomic-ru 2017-05-23 14:07 running    docker     docker    


I believe this is fixed, but would like the folks testing the 'sssd' container to confirm.
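The install-state lookup that the root cause above concerns, as an added illustration (not atomic's own code): the install.json in the description is keyed by the fully qualified image name and records the image id, so a pre-run check has to normalize a short name such as "rhel7/sssd" to that form, and a second tag of the same image (comment 7) is best matched by id. The sample install record and local image table are constructed from the outputs quoted in this report; the default registry is an assumption.

```python
# Illustrative pre-run check for an INSTALL-labelled image (not atomic's code):
# normalize the reference, then match install.json by name or by image id.
import json

# Constructed sample mirroring the install.json shown in the description.
INSTALL_JSON = json.dumps({
    "registry.access.redhat.com/rhel7/sssd:latest": {
        "install_date": "2017-05-22 10:42:21",
        "id": "fad80f01d8fa1995687b4db02a18ddae0989ada0f661d18789eed790f850d67c",
        "container_name": "sssd",
    }
})

# Constructed local image table (repo:tag -> image id) mirroring the
# `docker images` output in comments 7 and 8: two names, one image id.
SSSD_ID = "fad80f01d8fa1995687b4db02a18ddae0989ada0f661d18789eed790f850d67c"
LOCAL_IMAGES = {
    "rhel7/sssd:latest": SSSD_ID,
    "lslebodn/sssd-docker:extras-rhel-7.3-docker-candidate-20170519091256": SSSD_ID,
}

# Assumed default registry for short names (the one the report's pull used).
DEFAULT_REGISTRY = "registry.access.redhat.com"

ERROR_TEMPLATE = ("The image '{}' appears to have not been installed and has an "
                  "INSTALL label.  You should install this image first.")


def split_tag(ref):
    """Split 'name[:tag]' into (name, tag); a ':' inside the registry
    part (localhost:5000/...) is not a tag separator."""
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        return ref, "latest"
    return name, tag


def qualify(ref, default_registry=DEFAULT_REGISTRY):
    """Expand a short reference to registry/namespace/name:tag."""
    name, tag = split_tag(ref)
    first = name.split("/")[0]
    has_registry = "/" in name and ("." in first or ":" in first or first == "localhost")
    if not has_registry:
        name = default_registry + "/" + name
    return "{}:{}".format(name, tag)


def load_records(text):
    """Parse install.json contents into a dict keyed by qualified name."""
    return json.loads(text)


def naive_lookup(ref, records):
    """Fragile variant: exact-string lookup of whatever the caller passed.
    A short name never matches a fully qualified key (the reported failure)."""
    return records.get(ref)


def image_id(ref, local_images):
    """Resolve a reference to a local image id, trying the name as tagged
    locally first and the fully qualified form second."""
    name, tag = split_tag(ref)
    for cand in ("{}:{}".format(name, tag), qualify(ref)):
        if cand in local_images:
            return local_images[cand]
    return None


def find_install_record(ref, records, local_images):
    """Robust variant: match on the fully qualified name, else on the
    image id (so any tag of an installed image counts as installed)."""
    fq = qualify(ref)
    if fq in records:
        return records[fq]
    iid = image_id(ref, local_images)
    if iid is None:
        return None
    for rec in records.values():
        if rec.get("id") == iid:
            return rec
    return None


def run_precheck(ref, records, local_images, has_install_label=True):
    """Return (ok, message) for the check an INSTALL-labelled image goes
    through before `run`; a missing install record blocks the run."""
    if not has_install_label or find_install_record(ref, records, local_images):
        return True, ""
    return False, ERROR_TEMPLATE.format(ref)
```

Passing the container name instead of an image reference (as the error text in this report does) still resolves to nothing, since neither the records nor the local image table know 'sssd'.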

Comment 22 Alex Jia 2017-05-23 14:16:14 UTC
(In reply to Micah Abbott from comment #21)
> As I understand it, the root cause is using the 'short name' of an image
> when doing 'atomic install' and 'atomic run' did not always work.
> 
> I do not have the environment to test the 'sssd' container, but the
> 'cockpit-ws' container has an install label, so I tested with that:

I also don't have an available AD for testing.

> 
> I believe this is fixed, but would like the folks testing the 'sssd'
> container to confirm.

Lukas Slebodnik has confirmed it works for him, it should be safe to move the bug to VERIFIED I think.

Comment 24 errata-xmlrpc 2017-05-26 14:29:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1323

