1572249 – atomic run --display rhel7/sssd doesn't start sssd container

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1572249 - atomic run --display rhel7/sssd doesn't start sssd container

Summary: atomic run --display rhel7/sssd doesn't start sssd container

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	atomic
Sub Component:
Version:	7.5
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Lokesh Mandvekar
QA Contact:	atomic-bugs@redhat.com
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-04-26 14:02 UTC by Niranjan Mallapadi Raghavender
Modified:	2018-08-28 01:19 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-08-27 17:27:14 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Niranjan Mallapadi Raghavender 2018-04-26 14:02:51 UTC

Description of problem:

atomic run --display rhel7/sssd doesn't start sssd container. 



Version-Release number of selected component (if applicable):
atomic-1.22.1-3.git2fd0860.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Update AD ip in /etc/resolv.conf
2. save the AD administrator password in /etc/sssd/realm-join-password
echo "Secret123" > /etc/sssd/realm-join-password
3. Create an application sssd container joining to AD 

atomic install --opt1='--dns=10.65.223.136 --dns-search=juno.test --hostname=abc.juno.test -e SSSD_CONTAINER_TYPE=application --net=default' rhel7/sssd realm join -v JUNO.TEST

4. Start the container as below:
atomic run --display rhel7/sssd


[root@host-8-251-130 atomic]# atomic run --display rhel7/sssd                                                                                                                                         
docker run -d --restart=always --name sssd -e NAME=sssd -e IMAGE=rhel7/sssd --hostname abc.juno.test -v /var/lib/sssd_container/sssd/container/etc/dbus-1/system.d/:/etc/dbus-1/system.d/:Z -v /var/li
b/sssd_container/sssd/container/etc/ipa/:/etc/ipa/:Z -v /var/lib/sssd_container/sssd/container/etc/openldap/:/etc/openldap/:Z -v /var/lib/sssd_container/sssd/container/etc/ssh/:/etc/ssh/:Z -v /var/lib/sssd_container/sssd/container/etc/sssd/:/etc/sssd/:Z -v /var/lib/sssd_container/sssd/container/var/cache/realmd/:/var/cache/realmd/:Z -v /var/lib/sssd_container/sssd/container/var/lib/authconfig/last/:/var/lib/authconfig/last/:Z -v /var/lib/sssd_container/sssd/container/var/lib/ipa-client/sysrestore/:/var/lib/ipa-client/sysrestore/:Z -v /var/lib/sssd_container/sssd/container/var/lib/samba/:/var/lib/samba/:Z -v /var/lib/sssd_container/sssd/container/var/lib/sss/db/:/var/lib/sss/db/:Z -v /var/lib/sssd_container/sssd/container/var/lib/sss/gpo_cache/:/var/lib/sss/gpo_cache/:Z -v /var/lib/sssd_container/sssd/container/var/lib/sss/secrets/:/var/lib/sss/secrets/:Z -v /var/lib/sssd_container/sssd/container/var/lib/sss/keytabs/:/var/lib/sss/keytabs/:Z -v /var/lib/sssd_container/sssd/container/var/log/sssd/:/var/log/sssd/:Z -v /var/lib/sssd_container/sssd/container/etc/krb5.keytab:/etc/krb5.keytab:Z -v /var/lib/sssd_container/sssd/container/etc/nsswitch.conf:/etc/nsswitch.conf:Z -v /var/lib/sssd_container/sssd/container/etc/sysconfig/authconfig:/etc/sysconfig/authconfig:Z -v /var/lib/sssd_container/sssd/container/etc/sysconfig/network:/etc/sysconfig/network:Z -v /var/lib/sssd_container/sssd/container/etc/yp.conf:/etc/yp.conf:Z -v /var/lib/sssd_container/sssd/container/etc/resolv.conf:/etc/resolv.conf:Z -v /var/lib/sssd_container/sssd/client/etc/krb5.conf.d/:/etc/krb5.conf.d/:z -v /var/lib/sssd_container/sssd/client/var/lib/sss/mc/:/var/lib/sss/mc/:z -v /var/lib/sssd_container/sssd/client/var/lib/sss/pipes/:/var/lib/sss/pipes/:z -v /var/lib/sssd_container/sssd/client/var/lib/sss/pubconf/:/var/lib/sss/pubconf/:z -v /var/lib/sssd_container/sssd/client/var/run/dbus/:/var/run/dbus/:z -v /var/lib/sssd_container/sssd/client/etc/krb5.conf:/etc/krb5.conf:z -v /var/lib/sssd_container/sssd/client/etc/pam.d/fingerprint-auth-ac:/etc/pam.d/fingerprint-auth:z -v /var/lib/sssd_container/sssd/client/etc/pam.d/password-auth-ac:/etc/pam.d/password-auth:z -v /var/lib/sssd_container/sssd/client/etc/pam.d/smartcard-auth-ac:/etc/pam.d/smartcard-auth:z -v /var/lib/sssd_container/sssd/client/etc/pam.d/system-auth-ac:/etc/pam.d/system-auth:z -e WITH_KCM=yes -e SSSD_CONTAINER_TYPE=application --tmpfs /etc/selinux/ rhel7/sssd /bin/run.sh


Actual results:

No sssd container started

[root@host-8-251-130 sssd]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES




Expected results:
sssd container should be started. 


Additional info:
[root@host-8-251-130 sssd]# cat /var/lib/atomic/install.json
{"registry.access.redhat.com/rhel7/sssd:latest": [{"install_date": "2018-04-26 13:50:20", "id": "4ded565230b4c2bf9da4f1ea7a3c80c36c023f0e6b8658ba44f1b265c8c79476", "container_name": "sssd"}]}[root@host-8-251-130 sssd]#

Comment 3 Niranjan Mallapadi Raghavender 2018-04-26 14:04:45 UTC

[root@host-8-251-130 sssd]# atomic host status
State: idle
Deployments:
● ostree://rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.5.1 (2018-04-19 14:39:11)
                    Commit: 506129139134ad61959180b1ea6be373812abe8062b7a1c95341ae3e994bd63b

  ostree://rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.5.0 (2018-02-22 15:51:49)
                    Commit: 474534b1a1a2945c8ff2ad72cb646aaa25ec7b2d9fa9413a99a8cd2ef885dfdc

Comment 4 Niranjan Mallapadi Raghavender 2018-04-26 14:12:53 UTC

Following errors are seen in journalctl

Apr 26 14:11:53 host-8-251-130.host.centralci.eng.rdu2.redhat.com dockerd-current[1256]: time="2018-04-26T14:11:53.754876368Z" level=error msg="Handler for GET /v1.26/containers/sssd/json returned error: No such container: sssd"
Apr 26 14:11:53 host-8-251-130.host.centralci.eng.rdu2.redhat.com dockerd-current[1256]: time="2018-04-26T14:11:53.755078661Z" level=error msg="Handler for GET /v1.26/containers/sssd/json returned error: No such container: sssd"

Comment 5 Daniel Walsh 2018-04-26 14:16:10 UTC

Do you have the registries.conf file setup correctly?

Comment 6 Niranjan Mallapadi Raghavender 2018-04-26 14:19:10 UTC

I haven't touched registries.conf, i never had to,

[root@host-8-251-130 sssd]# cat /etc/containers/registries.conf
# This is a system-wide configuration file used to
# keep track of registries for various container backends.
# It adheres to TOML format and does not support recursive
# lists of registries.

# The default location for this configuration file is /etc/containers/registries.conf.

# The only valid categories are: 'registries.search', 'registries.insecure', 
# and 'registries.block'.

[registries.search]
registries = ['registry.access.redhat.com']

# If you need to access insecure registries, add the registry's fully-qualified name.
# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
[registries.insecure]
registries = []


# If you need to block pull access from a registry, uncomment the section below
# and add the registries fully-qualified name.
#
# Docker only
[registries.block]
registries = []

[root@host-8-251-130 sssd]# docker images
REPOSITORY                                    TAG                 IMAGE ID            CREATED             SIZE
registry.access.stage.redhat.com/rhel7/sssd   latest              4ded565230b4        3 days ago          382 MB
rhel7/sssd                                    latest              4ded565230b4        3 days ago          382 MB

Comment 7 Niranjan Mallapadi Raghavender 2018-04-26 14:24:28 UTC

atomic uninstall fails with error message . will open a separate bug.

Comment 8 Brent Baude 2018-04-26 14:35:13 UTC

is there anything in ps -a ?

if so, anything in the container logs?

Comment 9 Niranjan Mallapadi Raghavender 2018-04-26 14:51:41 UTC

ps -a doesn't show anything, Container logs ?, the sssd container didn't start at all.

Also atomic run works and sssd container starts if i don't use --display.
$ atomic run rhel7/sssd

But if i use --display it doesn't start the sssd container. This was working in all previous atomic versions.

Comment 10 Niranjan Mallapadi Raghavender 2018-05-02 06:44:34 UTC

Any update on this ?

Comment 11 Nikhil Dehadrai 2018-05-02 07:51:59 UTC

Additional observation:


Steps:
1. Install sssd-container image as application using ipa-client

# atomic install --opt1='--hostname=<client-name> -e SSSD_CONTAINER_TYPE=application --net=default' rhel7/sssd --principal admin --password Secret123  --domain nd2may.pnq --server=ipadocker.nd2may.pnq --realm ND2MAY.PNQ --force-join 

2. # atomic run --display rhel7/sssd
3. # docker ps, Error response from daemon: No such container: sssd
4. # atomic run rhel7/sssd
5. # docker ps, Container named 'sssd' is running
6. # docker stop sssd, Stop this container
7. # atomic run --display rhel7/sssd
8. # docker ps,  This time Container named 'sssd' is running


Console:
-----------
[root@ipasssdclient ~]# docker stop sssd
sssd
[root@ipasssdclient ~]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[root@ipasssdclient ~]# atomic run --display rhel7/sssd
sssd
[root@ipasssdclient ~]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
849662e9d760        rhel7/sssd          "/bin/run.sh"       59 seconds ago      Up 3 seconds                            sssd
[root@ipasssdclient ~]# docker exec -it sssd kinit admin
Password for admin: 
[root@ipasssdclient ~]#

Comment 12 Daniel Walsh 2018-05-02 12:27:39 UTC

It looks to me like atomic run --display is working just as it was defined to run.

man atomic run
...
 --display
         Display the image's run options and environment variables populated into the run command.  The run command will not execute if --display is specified.  If --display is not specified the run
       command will execute.

If in previous versions the command was actually running, then that was the bug.

Comment 13 Nikhil Dehadrai 2018-05-03 05:54:48 UTC

(In reply to Daniel Walsh from comment #12)
> It looks to me like atomic run --display is working just as it was defined
> to run.
> 
> man atomic run
> ...
>  --display
>          Display the image's run options and environment variables populated
> into the run command.  The run command will not execute if --display is
> specified.  If --display is not specified the run
>        command will execute.
> 
> If in previous versions the command was actually running, then that was the
> bug.

In that case as per observations in above comment#11, after step7, the run command using --display option does run the container, is this expected?

Comment 14 Daniel Walsh 2018-05-03 13:21:12 UTC

Correct.

Comment 15 Micah Abbott 2018-08-27 17:27:14 UTC

Based on the latest comments, it appears that `atomic run --display` was incorrectly starting a container, instead of just previewing the command that would be used to start the container.

Since the behavior of `atomic run --display` in the most recent version (atomic-1.22.1-22.git5a342e3.el7.x86_64) now matches the documented behavior, I'm going to close this as NOTABUG.

Note You need to log in before you can comment on or make changes to this bug.