#7807 Detect container installation to avoid Kernel keyring
Closed: fixed 5 years ago by tdudlak. Opened 5 years ago by cheimes.

The kernel keyring is not yet namespaced, see https://blog.jessfraz.com/post/two-objects-not-namespaced-linux-kernel/ . Keyrings can leak into other containers. Therefore keyrings should not be used in containerized environments.

FreeIPA installer for server and client should detect containerized environments and not configure Kerberos to use the keyring ccache backend.

A containerized environment can easily be detected by inspecting the cgroup for PID 1 in /proc/1/cgroup. The cgroup path in a non-containerized environment is either / or /init.scope -- at least on Fedora and RHEL. See http://man7.org/linux/man-pages/man7/cgroups.7.html for the file format.

non-container case on Fedora 29

$ cat /proc/1/cgroup 
11:hugetlb:/
10:pids:/
9:blkio:/
8:devices:/
7:freezer:/
6:perf_event:/
5:cpu,cpuacct:/
4:memory:/
3:cpuset:/
2:net_cls,net_prio:/
1:name=systemd:/init.scope
0::/init.scope

non-container case on RHEL 7.6

$ cat /proc/1/cgroup 
11:blkio:/
10:devices:/
9:cpuset:/
8:perf_event:/
7:pids:/
6:hugetlb:/
5:memory:/
4:cpuacct,cpu:/
3:net_prio,net_cls:/
2:freezer:/
1:name=systemd:/

podman container

# cat /proc/1/cgroup 
11:hugetlb:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
10:pids:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
9:blkio:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
8:devices:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
7:freezer:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
6:perf_event:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
5:cpu,cpuacct:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
4:memory:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
3:cpuset:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
2:net_cls,net_prio:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
1:name=systemd:/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope
0::/machine.slice/libpod-bff75ee76ca453b6e760cc3ad04e6c561645b4ba831691ff2d7580c79dda4812.scope

docker container

# cat /proc/1/cgroup 
11:hugetlb:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
10:pids:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
9:blkio:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
8:devices:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
7:freezer:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
6:perf_event:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
5:cpu,cpuacct:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
4:memory:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
3:cpuset:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
2:net_cls,net_prio:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
1:name=systemd:/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope
0::/system.slice/docker-34df90967a284a4678c9b19c7621c00bfd70910c85236926096d6fd73c9f640a.scope

systemd-nspawn, lxc, and other container environments have similar cgroup definitions.
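The detection sketched in the ticket, as an added example (not FreeIPA's own implementation from the linked pull request): parse /proc/1/cgroup per cgroups(7) and treat any hierarchy whose path for PID 1 is neither / nor /init.scope as a container. The samples are constructed from the listings above, with placeholder container IDs.

```python
"""Detect a containerized environment from /proc/1/cgroup.
Added example; assumes the host-path set from the ticket (Fedora/RHEL)."""
import re

# cgroups(7): each line is "hierarchy-ID:controller-list:cgroup-path".
# hierarchy-ID 0 with an empty controller list is the cgroup v2 hierarchy.
_CGROUP_LINE = re.compile(r"^(?P<hid>\d+):(?P<controllers>[^:]*):(?P<path>.*)$")

# Paths PID 1 sits in on a non-containerized Fedora/RHEL host (from the ticket).
HOST_PATHS = frozenset({"/", "/init.scope"})


def parse_cgroup(text):
    """Yield (hierarchy_id, controllers, path) for each line of /proc/1/cgroup."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _CGROUP_LINE.match(line)
        if m is None:
            raise ValueError("malformed cgroup line: %r" % line)
        controllers = [c for c in m.group("controllers").split(",") if c]
        yield int(m.group("hid")), controllers, m.group("path")


def in_container(text):
    """True if any hierarchy places PID 1 outside the root or init.scope path."""
    return any(path not in HOST_PATHS for _, _, path in parse_cgroup(text))


def detect_container(procfile="/proc/1/cgroup"):
    """Read the live file; an installer would skip the KEYRING ccache if True."""
    with open(procfile) as f:
        return in_container(f.read())


# Constructed samples abbreviated from the ticket; container IDs are placeholders.
FEDORA_HOST = "2:net_cls,net_prio:/\n1:name=systemd:/init.scope\n0::/init.scope\n"
RHEL7_HOST = "2:freezer:/\n1:name=systemd:/\n"
PODMAN = "1:name=systemd:/machine.slice/libpod-PLACEHOLDERID.scope\n0::/machine.slice/libpod-PLACEHOLDERID.scope\n"
DOCKER = "1:name=systemd:/system.slice/docker-PLACEHOLDERID.scope\n"

if __name__ == "__main__":
    for name, sample in [("fedora", FEDORA_HOST), ("rhel7", RHEL7_HOST),
                         ("podman", PODMAN), ("docker", DOCKER)]:
        print(name, "container" if in_container(sample) else "host")
```

On a cgroup v2-only host /proc/1/cgroup holds a single `0::/init.scope` line, which the same check handles.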


Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2677
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.7.3
- Issue tagged with: containers

5 years ago

master:

  • 165a941 Don't configure KEYRING ccache in containers

ipa-4-7:

  • b149fff Don't configure KEYRING ccache in containers

Metadata Update from @tdudlak:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago

ipa-4-6:

  • 91e5405 Don't configure KEYRING ccache in containers

Metadata Update from @tdudlak:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1752005

4 years ago
