On 04/24/2017 08:08 AM, Patrick Uiterwijk wrote:
> Hi,
>
> On Mon, Apr 24, 2017 at 12:29 PM, Michal Minar <miminar@xxxxxxxxxx> wrote:
> > Did anyone successfully set up his fedora packaging environment in a
> > docker container?
> > I didn't get past `kinit miminar@xxxxxxxxxxxxxxxxx` in a container. It
> > gives me:
> > Invalid UID in persistent keyring name while getting default ccache
>
> This is caused because Docker installs a default seccomp policy that denies
> access to the Kernel keyring because this is not namespaced.
> You can work around this by "export KRB5CCNAME=/tmp/ticket".
> Alternatively, you can allow the container access to your host keyring.
> For this, you can start with my policy:
> https://github.com/puiterwijk/development-environments/blob/master/docker/koji/policy.json
SELinux would also block this, and if you have multiple containers
running with the same UID it will not work, even if we took down the SELinux
and seccomp blocks. The bottom line is there is only one kernel keyring
per UID. I have asked to make keyrings namespace aware, but right now
the kernel guys believe user namespaces are the solution to this problem.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
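The two ways out of the `kinit` failure discussed above, written up as an added example (not code from the thread, and not Patrick's policy.json, whose exact contents are not shown here): option A keeps Docker's default seccomp profile and points Kerberos at a file credential cache via `KRB5CCNAME`, so libkrb5 never touches the kernel keyring; option B produces a profile that additionally allows the keyring syscalls (`add_key`, `keyctl`, `request_key`), which is the part a reviewer should look at twice, because, as the last reply notes, the keyring is per UID and not namespaced, so the container then shares it with every other process running as that UID on the host. The seccomp profile embedded below is a constructed, minimal stand-in with the same shape as Docker's default profile, not the real one.

```python
"""Working around kinit's "Invalid UID in persistent keyring name" error
inside a Docker container.

Option A (preferred): file ccache via KRB5CCNAME, default seccomp profile kept.
Option B: seccomp profile extended to allow the kernel keyring syscalls.
"""
import copy
import os

# Syscalls behind the kernel keyring. Docker's default profile does not allow
# them, which is what makes kinit fail when libkrb5 wants a KEYRING: ccache.
KEYRING_SYSCALLS = ("add_key", "keyctl", "request_key")

# Constructed, deliberately minimal stand-in for Docker's default profile:
# same shape (defaultAction plus allow rules listing syscall "names"),
# only a handful of entries instead of the real profile's few hundred.
MINIMAL_DEFAULT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {
            "names": ["read", "write", "openat", "close", "exit_group"],
            "action": "SCMP_ACT_ALLOW",
        }
    ],
}


def allowed_syscalls(profile):
    """Set of syscall names the profile explicitly allows."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        names.update(rule.get("names", []))
        if "name" in rule:  # older single-"name" rule format
            names.add(rule["name"])
    return names


def blocked_keyring_syscalls(profile):
    """Keyring syscalls the profile does not allow; non-empty means kinit
    with the default KEYRING: ccache will fail in this container."""
    return sorted(set(KEYRING_SYSCALLS) - allowed_syscalls(profile))


def allow_keyring(profile):
    """Option B: return a copy of the profile with one extra allow rule for
    whatever keyring syscalls were missing. The input is left untouched so
    the default and relaxed profiles can be diffed side by side."""
    relaxed = copy.deepcopy(profile)
    missing = blocked_keyring_syscalls(relaxed)
    if missing:
        relaxed.setdefault("syscalls", []).append(
            {"names": missing, "action": "SCMP_ACT_ALLOW"}
        )
    return relaxed


def file_ccache_env(path="/tmp/ticket", base_env=None):
    """Option A: environment for kinit that selects a file credential cache
    (the thread's "export KRB5CCNAME=/tmp/ticket") instead of the keyring."""
    env = dict(os.environ if base_env is None else base_env)
    env["KRB5CCNAME"] = path
    return env


def docker_run_argv(image, relaxed_profile_path=None, ccache_path="/tmp/ticket"):
    """argv for `docker run` under either option. With a relaxed profile path
    the container is started with that seccomp profile (option B); otherwise
    the default profile stays and only KRB5CCNAME is set (option A)."""
    argv = ["docker", "run", "--rm", "-it"]
    if relaxed_profile_path is None:
        argv += ["-e", "KRB5CCNAME=%s" % ccache_path]
    else:
        argv += ["--security-opt", "seccomp=%s" % relaxed_profile_path]
    argv.append(image)
    return argv


if __name__ == "__main__":
    import json
    print("blocked by default:", blocked_keyring_syscalls(MINIMAL_DEFAULT_PROFILE))
    print("option A:", " ".join(docker_run_argv("fedora:25")))
    relaxed = allow_keyring(MINIMAL_DEFAULT_PROFILE)
    print("option B profile:", json.dumps(relaxed, indent=2))
    print("option B:", " ".join(docker_run_argv("fedora:25", "relaxed.json")))
```

Inside the container, option A is simply `KRB5CCNAME=/tmp/ticket kinit user@REALM`; if you do go with option B, write `allow_keyring(...)` out as JSON and pass it with `--security-opt seccomp=`, keeping in mind that SELinux may still deny the keyring access and that two containers sharing a UID will share the same keyring.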