When trying to install a client in a container, there seems to be an issue with xattr copying in the code doing backups of files. It looks like the actual problem is in the `shutil` module from the standard Python library, but nevertheless we should cope with those exceptions.
I'm using an F28 container here, but you can reproduce it even with F27 or F29.
```
$ podman run -t -i --hostname f28-client.demo.freeipa.org --rm fedora:28 /bin/bash
[root@f28-client /]# dnf -q -y install freeipa-client
dbus-daemon: no process found
dbus-daemon: no process found
Failed to open connection to "system" message bus: Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory
install-info: No such file or directory for /usr/share/info/libidn.info.gz
warning: /etc/adjtime created as /etc/adjtime.rpmnew
System has not been booted with systemd as init system (PID 1). Can't operate.
System has not been booted with systemd as init system (PID 1). Can't operate.
System has not been booted with systemd as init system (PID 1). Can't operate.
[root@f28-client /]# ipa-client-install --domain demo1.freeipa.org -p admin -w 'REDACTED' --no-ntp
This program will set up FreeIPA client.
Version 4.7.2
Discovery was successful!
Client hostname: f28-client.demo.freeipa.org
Realm: DEMO1.FREEIPA.ORG
DNS Domain: demo1.freeipa.org
IPA Server: ipa.demo1.freeipa.org
BaseDN: dc=demo1,dc=freeipa,dc=org
Continue to configure the system with these values? [no]: yes
Skipping chrony configuration
Successfully retrieved CA cert
    Subject: CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
    Issuer: CN=Certificate Authority,O=DEMO1.FREEIPA.ORG
    Valid From: 2018-07-26 13:25:26
    Valid Until: 2038-07-26 13:25:26
    Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
    Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
    Valid From: 2000-09-30 21:12:19
    Valid Until: 2021-09-30 14:01:15
    Subject: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
    Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
    Valid From: 2016-03-17 16:40:46
    Valid Until: 2021-03-17 16:40:46
Enrolled in IPA realm DEMO1.FREEIPA.ORG
Created /etc/ipa/default.conf
[Errno 13] Permission denied: '/var/lib/ipa-client/sysrestore/940bde17441ff0d0bce71f620148536f15fa9dfefaa2abd76877e028685b23e5-nsswitch.conf'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
```
Below is a relevant part of the ipaclient-install.log:
```
2019-03-12T19:40:11Z DEBUG Backing up system configuration file '/etc/nsswitch.conf'
2019-03-12T19:40:11Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 347, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 3791, in main
    install(self)
  File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 2518, in install
    _install(options)
  File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 2778, in _install
    options, client_domain, hostname):
  File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 952, in configure_sssd_conf
    default_value=['files'])
  File "/usr/lib/python3.6/site-packages/ipaclient/install/client.py", line 305, in configure_nsswitch_database
    fstore.backup_file(paths.NSSWITCH_CONF)
  File "/usr/lib/python3.6/site-packages/ipalib/install/sysrestore.py", line 145, in backup_file
    shutil.copy2(path, backup_path)
  File "/usr/lib64/python3.6/shutil.py", line 258, in copy2
    copystat(src, dst, follow_symlinks=follow_symlinks)
  File "/usr/lib64/python3.6/shutil.py", line 225, in copystat
    _copyxattr(src, dst, follow_symlinks=follow)
  File "/usr/lib64/python3.6/shutil.py", line 165, in _copyxattr
    os.setxattr(dst, name, value, follow_symlinks=follow_symlinks)

2019-03-12T19:40:11Z DEBUG The ipa-client-install command failed, exception: PermissionError: [Errno 13] Permission denied: '/var/lib/ipa-client/sysrestore/940bde17441ff0d0bce71f620148536f15fa9dfefaa2abd76877e028685b23e5-nsswitch.conf'
2019-03-12T19:40:11Z ERROR [Errno 13] Permission denied: '/var/lib/ipa-client/sysrestore/940bde17441ff0d0bce71f620148536f15fa9dfefaa2abd76877e028685b23e5-nsswitch.conf'
2019-03-12T19:40:11Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
```
After looking at this with @fcami, we think we need to detect whether we run in a containerized environment and catch these exceptions, allowing the installation to proceed. For ipa-client-install it should be just fine to not store xattrs when running in a rootless container -- after all, we are not going to set up an IPA master this way, and the restore of the files from sysrestore will not be used for a container instance; it will just be thrown away.
Since we get `errno.EACCES` as an exception here, it is indicative of the problem, but only if the top of the stack trace is `os.setxattr()`.
`systemd-detect-virt -c -q` would return 0 if we are running in a containerized environment.
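One way to implement the handling proposed above, as an added example (not FreeIPA's code). Instead of inspecting the traceback, it performs the xattr step itself, so an `EACCES` is known to come from `os.setxattr()`. The names `backup_copy`, `in_container` and the `containerized` parameter are hypothetical.

```python
import errno
import os
import shutil
import stat
import subprocess


def in_container():
    """True when `systemd-detect-virt -c -q` exits 0 (container detected)."""
    try:
        return subprocess.run(["systemd-detect-virt", "-c", "-q"]).returncode == 0
    except OSError:  # tool not installed: cannot tell, assume a real host
        return False


def backup_copy(src, dst, containerized=None):
    """Copy data, mode and times like shutil.copy2(), but copy xattrs in an
    explicit step so EACCES from os.setxattr() can be tolerated in a container.
    Returns the xattr names that could not be stored (empty list if none)."""
    shutil.copyfile(src, dst)
    try:
        names = os.listxattr(src)
    except OSError as e:
        if e.errno not in (errno.ENOTSUP, errno.ENODATA):
            raise
        names = []  # filesystem has no xattr support: nothing to copy
    skipped = []
    for name in names:
        value = os.getxattr(src, name)
        try:
            os.setxattr(dst, name, value)
        except PermissionError as e:
            if e.errno != errno.EACCES:
                raise
            if containerized is None:
                containerized = in_container()
            if not containerized:
                # On a real host a lost xattr (e.g. the SELinux label in
                # security.selinux) must not be dropped silently.
                raise
            skipped.append(name)
    st = os.stat(src)
    os.chmod(dst, stat.S_IMODE(st.st_mode))
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))
    return skipped
```

Returning the skipped names lets the caller log which attributes the backup lacks rather than discarding that fact.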