Bug 1456658
| Summary: | Atomic run doesn't start the sssd container | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Niranjan Mallapadi Raghavender <mniranja> |
| Component: | atomic | Assignee: | Lokesh Mandvekar <lsm5> |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.4 | CC: | ajia, atomic-bugs, bbaude, ddarrah, dwalsh, fkluknav, lfriedma, lslebodn, lsm5, miabbott, mniranja |
| Target Milestone: | rc | Keywords: | Extras, TestBlocker |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | atomic-1.17.2-5.1.git2760e30.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1454292 | Environment: | |
| Last Closed: | 2017-08-02 00:16:27 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1454292 | ||
| Bug Blocks: | |||
|
Comment 3
Lukas Slebodnik
2017-05-30 08:11:08 UTC
http://download-node-02.eng.bos.redhat.com/devel/candidate-trees/Atomic-7.4-20170526.0/x86_64/images/ with atomic version: Deployments: ● rhel-atomic-host:rhel-atomic-host/7/x86_64/standard Version: 7.4.0 (2017-05-26 12:38:52) Commit: 2c64fd22b089607d7dbafd37008775fc982d3be6a0be7e673bc7d518f2488735 atomic-1.17.2-1.1.git2760e30.el7.x86_64 The most recent 7.4 Extras composes are not pulling in the fixed 'atomic' RPM for some reason. I'll ask some rel-eng folks if they can get fix this for us. [root@dione ~]# atomic host status
State: idle
Deployments:
● rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
Version: 7.4.0 (2017-06-30 18:37:40)
Commit: 8018f95c2f2f38a79e68f174dd5888b53769c0e4adcd89c87a802219091c9d0e
rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
Version: 7.4.0 (2017-06-20 02:16:02)
Commit: c55bf46b4baaee58d637774e8515bc7e88b96e4acf099d8bca39c27757201442
[root@dione ~]# atomic info rhel7/sssd
Image Name: registry.access.redhat.com/rhel7/sssd:latest
RUN_OPTS_FILE: /var/lib/sssd_container/${NAME}/docker-run-opts
architecture: x86_64
authoritative-source-url: registry.access.redhat.com
build-date: 2017-06-26T13:13:15.224586
com.redhat.build-host: ip-10-29-120-19.ec2.internal
com.redhat.component: sssd-docker
description: The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides Name Service Switch (NSS) and Pluggable Authentication Modules(PAM) interfaces toward the system and a pluggable back end system to connect to multiple different account sources.
distribution-scope: public
install: docker run --rm=true --privileged --net=host -v /:/host -e NAME=${NAME} -e IMAGE=${IMAGE} -e HOST=/host ${OPT1} ${IMAGE} /bin/install.sh
io.k8s.description: The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides Name Service Switch (NSS) and Pluggable Authentication Modules(PAM) interfaces toward the system and a pluggable back end system to connect to multiple different account sources.
io.k8s.display-name: System Security Services Daemon (SSSD)
io.k8s.openshift.tags: security sssd authentication authorisation LDAP kerberos krb5 Active Directory IdM
io.openshift.tags: base rhel7
name: rhel7/sssd
release: 4
run: docker run -d --restart=always --name ${NAME} -e NAME=${NAME} -e IMAGE=${IMAGE} ${RUN_OPTS} ${IMAGE} /bin/run.sh
stop: docker kill -s TERM ${NAME}
summary: System Security Services Daemon (SSSD) provides centralized user authentication for Atomic Host.
uninstall: docker run --rm=true --privileged --net=host -v /:/host -e NAME=${NAME} -e IMAGE=${IMAGE} -e HOST=/host ${IMAGE} /bin/uninstall.sh
vcs-ref: 39aa22e88a849bf40e6a9d7f79dd37f6c0f70251
vcs-type: git
vendor: Red Hat, Inc.
version: 7.4
[root@dione ~]# atomic install rhel7/sssd realm join -v CENTAUR.TEST
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join -v CENTAUR.TEST
Initializing configuration context from host ...
* Resolving: _ldap._tcp.centaur.test
* Performing LDAP DSE lookup on: 192.168.122.187
Password for Administrator: * Successfully discovered: CENTAUR.TEST
* Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.BDVT2Y -U Administrator ads join CENTAUR.TEST
Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL
Using short domain name -- CENTAUR
Joined 'DIONE' to dns domain 'CENTAUR.TEST'
DNS Update for dione.centaur.test failed: ERROR_DNS_UPDATE_FAILED
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.BDVT2Y -U Administrator ads keytab create
Enter Administrator's password:
* /usr/bin/systemctl enable sssd.service
* /usr/bin/systemctl restart sssd.service
* /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
* Successfully enrolled machine in realm
Copying new configuration to host ...
Service sssd.service configured to run SSSD container.
Test-1: Start the container using atomic run
--------------------------------------------
[root@dione ~]# atomic run --name=sssd rhel7/sssd
docker run -d --restart=always --name sssd -e NAME=sssd -e IMAGE=rhel7/sssd --security-opt=seccomp:/etc/sssd/keyring.json --net=host --security-opt=label:user:system_u --security-opt=label:role:system_r --security-opt=label:type:spc_t --security-opt=label:level:s0 --security-opt=seccomp:/etc/sssd/keyring.json --cap-drop=all --cap-add=IPC_LOCK --cap-add=CHOWN --cap-add=DAC_READ_SEARCH --cap-add=DAC_OVERRIDE --cap-add=KILL --cap-add=NET_ADMIN --cap-add=SYS_NICE --cap-add=FOWNER --cap-add=SETGID --cap-add=SETUID --cap-add=SYS_ADMIN --cap-add=SYS_RESOURCE --cap-add=BLOCK_SUSPEND -v /etc/ipa/:/etc/ipa/:ro -v /etc/krb5.conf:/etc/krb5.conf:ro -v /etc/krb5.conf.d/:/etc/krb5.conf.d/ -v /etc/krb5.keytab:/etc/krb5.keytab:ro -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /etc/openldap/:/etc/openldap/:ro -v /etc/pam.d/:/etc/pam.d/:ro -v /etc/passwd:/etc/passwd.host:ro -v /etc/pki/nssdb/:/etc/pki/nssdb/:ro -v /etc/ssh/:/etc/ssh/:ro -v /etc/sssd/:/etc/sssd/:ro -v /etc/systemd/system/sssd.service.d:/etc/systemd/system/sssd.service.d:ro -v /etc/sysconfig/authconfig:/etc/sysconfig/authconfig:ro -v /etc/sysconfig/network:/etc/sysconfig/network:ro -v /etc/sysconfig/sssd:/etc/sysconfig/sssd:ro -v /etc/yp.conf:/etc/yp.conf:ro -v /var/cache/realmd/:/var/cache/realmd/ -v /var/lib/authconfig/last/:/var/lib/authconfig/last/:ro -v /var/lib/ipa-client/sysrestore/:/var/lib/ipa-client/sysrestore/:ro -v /var/lib/samba/:/var/lib/samba/ -v /var/lib/sss/:/var/lib/sss/ -v /var/log/sssd/:/var/log/sssd/ -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket -e WITH_KCM=no -e SSSD_CONTAINER_TYPE=system rhel7/sssd /bin/run.sh
This container uses privileged security switches:
INFO: --cap-add
Adding capabilities to your container could allow processes from the container to break out onto your host system.
INFO: --net=host
Processes in this container can listen to ports (and possibly rawip traffic) on the host's network.
For more information on these switches and their security implications, consult the manpage for 'docker run'.
d97214ecdf67897ee6cf4e409c14dd4a32fa9cb90fc354295d4773114a4e5c0c
[root@dione ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d97214ecdf67 rhel7/sssd "/bin/run.sh" 12 seconds ago Up 10 seconds sssd
[root@dione ~]# id Administrator
uid=1993600500(administrator) gid=1993600513(domain users) groups=1993600513(domain users),1993600520(group policy creator owners),1993600519(enterprise admins),1993600512(domain admins),1993600518(schema admins),1993601669(myunixgroup),1993601671(testgroup1),1993600572(denied rodc password replication group)
Test-2: Stop the container using atomic stop
---------------------------------------------
[root@dione ~]# atomic stop sssd
docker kill -s TERM sssd
sssd
[root@dione ~]# ps -ef | grep sssd
root 84694 84049 0 10:37 pts/0 00:00:00 grep --color=auto sssd
Test-3: Start the container using systemctl
--------------------------------------------
[root@dione ~]# systemctl start sssd
[root@dione ~]# ps -ef | grep sssd
root 84760 84740 0 10:38 ? 00:00:00 tail -f /var/log/sssd/systemctl.log
root 84764 84740 0 10:38 ? 00:00:00 /usr/sbin/sssd -i -f
root 84765 84764 4 10:38 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain CENTAUR.TEST --uid 0 --gid 0 --debug-to-files
root 84766 84764 0 10:38 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
root 84767 84764 0 10:38 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
root 84791 84049 0 10:38 pts/0 00:00:00 grep --color=auto sssd
Test-4: Stop the container using systemctl
-----------------------------------------------
[root@dione ~]# systemctl stop sssd
[root@dione ~]# ps -ef | grep sssd
root 84835 84049 0 10:38 pts/0 00:00:00 grep --color=auto sssd
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2348 |