The kernel keyring is not yet namespaced, see https://blog.jessfraz.com/post/two-objects-not-namespaced-linux-kernel/ . Keyrings can leak into other containers. Therefore keyrings should not be used in containerized environments.
FreeIPA installer for server and client should detect containerized environments and not configure Kerberos to use the keyring ccache backend.
A containerized environment can easily be detected by inspecting the cgroup for PID 1 in /proc/1/cgroup. The cgroup path in a non-containerized environment is either / or /init.scope -- at least on Fedora and RHEL. See http://man7.org/linux/man-pages/man7/cgroups.7.html for the file format.

Non-containerized cgroup paths seen in /proc/1/cgroup:

- /
- /init.scope
```
$ cat /proc/1/cgroup
11:hugetlb:/
10:pids:/
9:blkio:/
8:devices:/
7:freezer:/
6:perf_event:/
5:cpu,cpuacct:/
4:memory:/
3:cpuset:/
2:net_cls,net_prio:/
1:name=systemd:/init.scope
0::/init.scope
```
```
$ cat /proc/1/cgroup
11:blkio:/
10:devices:/
9:cpuset:/
8:perf_event:/
7:pids:/
6:hugetlb:/
5:memory:/
4:cpuacct,cpu:/
3:net_prio,net_cls:/
2:freezer:/
1:name=systemd:/
```
```
# cat /proc/1/cgroup
11:hugetlb:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
10:pids:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
9:blkio:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
8:devices:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
7:freezer:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
6:perf_event:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
5:cpu,cpuacct:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
4:memory:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
3:cpuset:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
2:net_cls,net_prio:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
1:name=systemd:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
0::/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
```
```
# cat /proc/1/cgroup
11:hugetlb:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
10:pids:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
9:blkio:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
8:devices:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
7:freezer:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
6:perf_event:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
5:cpu,cpuacct:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
4:memory:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
3:cpuset:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
2:net_cls,net_prio:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
1:name=systemd:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
0::/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
```
systemd-nspawn, lxc, and other container environments have similar cgroup definitions.
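The detection described above, written out as an added example (not FreeIPA's installer code): parse the `hierarchy:controllers:path` lines of `/proc/1/cgroup` and treat any path other than `/` or `/init.scope` as a container. The sample dumps are constructed from the listings in this ticket, with a placeholder container id.

```python
"""Detect a containerized environment from /proc/1/cgroup (added example)."""

# Paths where PID 1 sits on a plain Fedora/RHEL host, per cgroups(7) and the
# host listings above.  Anything else (machine.slice/libpod-*.scope,
# system.slice/docker-*.scope, ...) indicates a container.
HOST_PATHS = frozenset({"/", "/init.scope"})


def cgroup_paths(text):
    """Return the cgroup path field of every well-formed line in a dump."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Format is "hierarchy-ID:controller-list:cgroup-path"; the controller
        # list may be empty (cgroup v2 line "0::/..."), so split on at most 2.
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # skip malformed lines instead of guessing
        paths.append(parts[2])
    return paths


def is_containerized(text):
    """True if any hierarchy places PID 1 outside the host root/init scope."""
    return any(p not in HOST_PATHS for p in cgroup_paths(text))


def detect_from_proc(path="/proc/1/cgroup"):
    """Read the live file; if it is unreadable, report 'not containerized'."""
    try:
        with open(path) as f:
            return is_containerized(f.read())
    except OSError:
        return False


# Constructed samples modelled on the ticket's listings ("<id>" is a placeholder).
HOST_V1 = "11:hugetlb:/\n2:net_cls,net_prio:/\n1:name=systemd:/init.scope\n0::/init.scope\n"
HOST_NO_SCOPE = "11:blkio:/\n1:name=systemd:/\n"
PODMAN = ("11:hugetlb:/machine.slice/libpod-<id>.scope\n"
          "0::/machine.slice/libpod-<id>.scope\n")
DOCKER = "1:name=systemd:/system.slice/docker-<id>.scope\n"
```

Note that a container started with its own cgroup namespace shows `/` for PID 1 as well, so this check is a best-effort heuristic rather than a guarantee.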
Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2677
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.7.3
- Issue tagged with: containers
master:
ipa-4-7:
Metadata Update from @tdudlak:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
ipa-4-6:
Metadata Update from @tdudlak:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1752005
Issue linked to Bugzilla: Bug 1752005