Bug 1456658 - Atomic run doesn't start the sssd container
Summary: Atomic run doesn't start the sssd container
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: atomic
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On: 1454292
Blocks:
Reported: 2017-05-30 06:02 UTC by Niranjan Mallapadi Raghavender
Modified: 2017-08-02 00:16 UTC (History)
CC List: 11 users

Fixed In Version: atomic-1.17.2-5.1.git2760e30.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1454292
Environment:
Last Closed: 2017-08-02 00:16:27 UTC
Target Upstream Version:
Embargoed:

Links
System ID: Red Hat Product Errata RHBA-2017:2348
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: atomic bug fix and enhancement update
Last Updated: 2017-08-08 22:52:08 UTC

Comment 3 Lukas Slebodnik 2017-05-30 08:11:08 UTC
This should be already fixed in 7.4
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=559423

Which version of package do you have? And which ostree repository do you use with 7.4?

Comment 4 Niranjan Mallapadi Raghavender 2017-05-30 08:47:38 UTC
http://download-node-02.eng.bos.redhat.com/devel/candidate-trees/Atomic-7.4-20170526.0/x86_64/images/

with atomic version:

Deployments:
● rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
             Version: 7.4.0 (2017-05-26 12:38:52)
              Commit: 2c64fd22b089607d7dbafd37008775fc982d3be6a0be7e673bc7d518f2488735

atomic-1.17.2-1.1.git2760e30.el7.x86_64

Comment 5 Micah Abbott 2017-05-30 15:11:23 UTC
The most recent 7.4 Extras composes are not pulling in the fixed 'atomic' RPM for some reason.  I'll ask some rel-eng folks if they can get this fixed for us.

Comment 8 Niranjan Mallapadi Raghavender 2017-07-07 10:44:21 UTC
[root@dione ~]# atomic host status
State: idle
Deployments:
● rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-06-30 18:37:40)
                 Commit: 8018f95c2f2f38a79e68f174dd5888b53769c0e4adcd89c87a802219091c9d0e

  rhel-atomic-host:rhel-atomic-host/7/x86_64/standard
                Version: 7.4.0 (2017-06-20 02:16:02)
                 Commit: c55bf46b4baaee58d637774e8515bc7e88b96e4acf099d8bca39c27757201442



[root@dione ~]# atomic info rhel7/sssd
Image Name: registry.access.redhat.com/rhel7/sssd:latest
RUN_OPTS_FILE: /var/lib/sssd_container/${NAME}/docker-run-opts
architecture: x86_64
authoritative-source-url: registry.access.redhat.com
build-date: 2017-06-26T13:13:15.224586
com.redhat.build-host: ip-10-29-120-19.ec2.internal
com.redhat.component: sssd-docker
description: The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides Name Service Switch (NSS) and Pluggable Authentication Modules(PAM) interfaces toward the system and a pluggable back end system to connect to multiple different account sources.
distribution-scope: public
install: docker run --rm=true --privileged --net=host -v /:/host        -e NAME=${NAME} -e IMAGE=${IMAGE} -e HOST=/host         ${OPT1}         ${IMAGE} /bin/install.sh
io.k8s.description: The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides Name Service Switch (NSS) and Pluggable Authentication Modules(PAM) interfaces toward the system and a pluggable back end system to connect to multiple different account sources.
io.k8s.display-name: System Security Services Daemon (SSSD)
io.k8s.openshift.tags: security sssd authentication authorisation LDAP kerberos krb5 Active Directory IdM
io.openshift.tags: base rhel7
name: rhel7/sssd
release: 4
run: docker run -d --restart=always --name ${NAME} -e NAME=${NAME} -e IMAGE=${IMAGE}    ${RUN_OPTS}     ${IMAGE} /bin/run.sh
stop: docker kill -s TERM ${NAME}
summary: System Security Services Daemon (SSSD) provides centralized user authentication for Atomic Host.
uninstall: docker run --rm=true --privileged --net=host -v /:/host -e NAME=${NAME} -e IMAGE=${IMAGE} -e HOST=/host ${IMAGE} /bin/uninstall.sh
vcs-ref: 39aa22e88a849bf40e6a9d7f79dd37f6c0f70251
vcs-type: git
vendor: Red Hat, Inc.
version: 7.4
[root@dione ~]# atomic install rhel7/sssd realm join -v CENTAUR.TEST
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join -v CENTAUR.TEST
Initializing configuration context from host ...
 * Resolving: _ldap._tcp.centaur.test
 * Performing LDAP DSE lookup on: 192.168.122.187
Password for Administrator:  * Successfully discovered: CENTAUR.TEST
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.BDVT2Y -U Administrator ads join CENTAUR.TEST
Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL

Using short domain name -- CENTAUR
Joined 'DIONE' to dns domain 'CENTAUR.TEST'
DNS Update for dione.centaur.test failed: ERROR_DNS_UPDATE_FAILED
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.BDVT2Y -U Administrator ads keytab create
Enter Administrator's password:
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm

Copying new configuration to host ...
Service sssd.service configured to run SSSD container.

Test-1: Start the container using atomic run
--------------------------------------------
[root@dione ~]# atomic run --name=sssd rhel7/sssd
docker run -d --restart=always --name sssd -e NAME=sssd -e IMAGE=rhel7/sssd --security-opt=seccomp:/etc/sssd/keyring.json --net=host --security-opt=label:user:system_u --security-opt=label:role:system_r --security-opt=label:type:spc_t --security-opt=label:level:s0 --security-opt=seccomp:/etc/sssd/keyring.json --cap-drop=all --cap-add=IPC_LOCK --cap-add=CHOWN --cap-add=DAC_READ_SEARCH --cap-add=DAC_OVERRIDE --cap-add=KILL --cap-add=NET_ADMIN --cap-add=SYS_NICE --cap-add=FOWNER --cap-add=SETGID --cap-add=SETUID --cap-add=SYS_ADMIN --cap-add=SYS_RESOURCE --cap-add=BLOCK_SUSPEND -v /etc/ipa/:/etc/ipa/:ro -v /etc/krb5.conf:/etc/krb5.conf:ro -v /etc/krb5.conf.d/:/etc/krb5.conf.d/ -v /etc/krb5.keytab:/etc/krb5.keytab:ro -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /etc/openldap/:/etc/openldap/:ro -v /etc/pam.d/:/etc/pam.d/:ro -v /etc/passwd:/etc/passwd.host:ro -v /etc/pki/nssdb/:/etc/pki/nssdb/:ro -v /etc/ssh/:/etc/ssh/:ro -v /etc/sssd/:/etc/sssd/:ro -v /etc/systemd/system/sssd.service.d:/etc/systemd/system/sssd.service.d:ro -v /etc/sysconfig/authconfig:/etc/sysconfig/authconfig:ro -v /etc/sysconfig/network:/etc/sysconfig/network:ro -v /etc/sysconfig/sssd:/etc/sysconfig/sssd:ro -v /etc/yp.conf:/etc/yp.conf:ro -v /var/cache/realmd/:/var/cache/realmd/ -v /var/lib/authconfig/last/:/var/lib/authconfig/last/:ro -v /var/lib/ipa-client/sysrestore/:/var/lib/ipa-client/sysrestore/:ro -v /var/lib/samba/:/var/lib/samba/ -v /var/lib/sss/:/var/lib/sss/ -v /var/log/sssd/:/var/log/sssd/ -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket -e WITH_KCM=no -e SSSD_CONTAINER_TYPE=system rhel7/sssd /bin/run.sh

This container uses privileged security switches:

INFO: --cap-add 
      Adding capabilities to your container could allow processes from the container to break out onto your host system.

INFO: --net=host 
      Processes in this container can listen to ports (and possibly rawip traffic) on the host's network.


For more information on these switches and their security implications, consult the manpage for 'docker run'.

d97214ecdf67897ee6cf4e409c14dd4a32fa9cb90fc354295d4773114a4e5c0c
[root@dione ~]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
d97214ecdf67        rhel7/sssd          "/bin/run.sh"       12 seconds ago      Up 10 seconds                           sssd
[root@dione ~]# id Administrator
uid=1993600500(administrator) gid=1993600513(domain users) groups=1993600513(domain users),1993600520(group policy creator owners),1993600519(enterprise admins),1993600512(domain admins),1993600518(schema admins),1993601669(myunixgroup),1993601671(testgroup1),1993600572(denied rodc password replication group)



Test-2: Stop the container using atomic stop
---------------------------------------------

[root@dione ~]# atomic stop sssd
docker kill -s TERM sssd
sssd
[root@dione ~]# ps -ef | grep sssd
root      84694  84049  0 10:37 pts/0    00:00:00 grep --color=auto sssd


Test-3: Start the container using systemctl
--------------------------------------------
[root@dione ~]# systemctl start sssd
[root@dione ~]# ps -ef | grep sssd
root      84760  84740  0 10:38 ?        00:00:00 tail -f /var/log/sssd/systemctl.log
root      84764  84740  0 10:38 ?        00:00:00 /usr/sbin/sssd -i -f
root      84765  84764  4 10:38 ?        00:00:00 /usr/libexec/sssd/sssd_be --domain CENTAUR.TEST --uid 0 --gid 0 --debug-to-files
root      84766  84764  0 10:38 ?        00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
root      84767  84764  0 10:38 ?        00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
root      84791  84049  0 10:38 pts/0    00:00:00 grep --color=auto sssd


Test-4: Stop the container using systemctl
-----------------------------------------------
[root@dione ~]# systemctl stop sssd
[root@dione ~]# ps -ef | grep sssd
root      84835  84049  0 10:38 pts/0    00:00:00 grep --color=auto sssd
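
An added example, not part of the bug report or of the atomic project: a small Python audit that parses the `docker run` line that `atomic run` prints (as in Test-1 above) and summarises the privileged switches atomic warns about, namely added and dropped capabilities, host networking, the seccomp and SELinux label security options, and which host paths are mounted writable. The sample line is a shortened, constructed copy of the one in the transcript, and HIGH_RISK_CAPS is this example's own judgment, not a list atomic uses.

```python
import shlex

# Sample: the docker run line that `atomic run --name=sssd rhel7/sssd` printed
# in the verification transcript, shortened here (constructed for this example).
SAMPLE_RUN_LINE = (
    "docker run -d --restart=always --name sssd -e NAME=sssd -e IMAGE=rhel7/sssd "
    "--security-opt=seccomp:/etc/sssd/keyring.json --net=host "
    "--security-opt=label:type:spc_t --cap-drop=all --cap-add=IPC_LOCK "
    "--cap-add=SYS_ADMIN --cap-add=NET_ADMIN -v /etc/sssd/:/etc/sssd/:ro "
    "-v /var/lib/sss/:/var/lib/sss/ -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket "
    "rhel7/sssd /bin/run.sh"
)

# Grants worth a second look (a judgment call for this example, not atomic's list).
HIGH_RISK_CAPS = {"SYS_ADMIN", "NET_ADMIN", "DAC_READ_SEARCH", "SYS_PTRACE", "SYS_MODULE"}
VALUE_FLAGS = {"--cap-add", "--cap-drop", "--security-opt", "--net", "-v", "--volume", "-e", "--name"}

def parse_run_line(line):
    """Summarise the security-relevant switches of a `docker run` command line."""
    tokens = shlex.split(line)
    info = {"cap_add": [], "cap_drop": [], "security_opt": [], "host_net": False,
            "privileged": False, "ro_mounts": [], "rw_mounts": []}
    it = iter(tokens)
    for tok in it:
        if tok.startswith("--") and "=" in tok:       # --flag=value form
            flag, value = tok.split("=", 1)
        elif tok in VALUE_FLAGS:                      # flag followed by its argument
            flag, value = tok, next(it)
        else:
            flag, value = tok, None
        if flag == "--cap-add":
            info["cap_add"].append(value)
        elif flag == "--cap-drop":
            info["cap_drop"].append(value)
        elif flag == "--security-opt":
            info["security_opt"].append(value)
        elif flag == "--net" and value == "host":
            info["host_net"] = True
        elif flag == "--privileged":
            info["privileged"] = True
        elif flag in ("-v", "--volume"):
            parts = value.split(":")                  # host:container[:ro]
            (info["ro_mounts"] if parts[-1] == "ro" else info["rw_mounts"]).append(parts[0])
    return info

def risky_caps(info):
    """Granted capabilities that fall in HIGH_RISK_CAPS, sorted."""
    return sorted(set(info["cap_add"]) & HIGH_RISK_CAPS)
```

The same parser applies to the `atomic install` line in the transcript, which runs with `--privileged` and a read-write bind of `/` rather than with a capability list.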

Comment 9 Alex Jia 2017-07-08 14:05:02 UTC
Moving to VERIFIED status per Comment 8.

Comment 11 errata-xmlrpc 2017-08-02 00:16:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2348

