On Thu, Mar 14, 2024 at 03:02:51PM -0400, Roberto C. Sánchez wrote:
> In my case, I am trying to do all of this inside of a docker container:
>
> docker pull fedora:latest
> sudo docker run -t -i fedora:latest /bin/bash
> sudo dnf install -y fedora-packager fedora-review
> fkinit -u <my_fedora_accounts_username>
>
> The only output I get is this:
>
> Enter your password and OTP concatenated. (Ignore that the prompt is for only the token)
> kinit: Invalid UID in persistent keyring name while getting default ccache
>

Kerberos utils in Fedora by default store the Kerberos ticket in the kernel's keyring. The kernel protects access to the keyring by matching the UID of the process with the owner of the keyring. Since containers isolate a user namespace, the UIDs of processes inside the container do not match their UIDs from the kernel's perspective. See <https://blog.tomecek.net/post/kerberos-in-a-container/> for the keyctl() failure.

Many people "solve" it by reconfiguring the Kerberos utils to save the tickets into a file instead of into kernel memory. E.g. by setting the KRB5CCNAME environment variable to a "FILE:..." value. (This is the case of the linked blog.) Or by commenting out the default_ccache_name option in the in-container /etc/krb5.conf configuration file.

Another option is disabling the user namespace isolation of the container.

What the correct solution is, in the sense of using the kernel keyring, I have no idea.

-- 
Petr
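One way to apply the file-cache workaround from the message above only when the in-container krb5.conf really selects the kernel keyring. This is an added example, not part of the original message or of fedora-packager; the function names and the /tmp base directory are assumptions.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from krb5 or fedora-packager.

# Print the credential-cache type (KEYRING, FILE, KCM, ...) set by the last
# uncommented default_ccache_name line of a krb5.conf-style file.
# Prints nothing when the option is absent or commented out.
ccache_type() {
    sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*\([A-Za-z]*\):.*/\1/p' "$1" |
        tail -n 1
}

# Create a private (0700) directory for a file-based cache and print the
# matching KRB5CCNAME value. $1 is the base directory (assumed: /tmp).
file_ccache_name() {
    uid=$(id -u)
    dir=$(mktemp -d "${1:-/tmp}/krb5cc_${uid}_XXXXXX") || return 1
    chmod 700 "$dir"
    printf 'FILE:%s/ccache\n' "$dir"
}

# Decide what KRB5CCNAME should be:
#   - an explicit KRB5CCNAME already in the environment is kept;
#   - a KEYRING default in the config ($1) is replaced by a file cache;
#   - anything else prints nothing, so the system default stays in effect.
choose_krb5ccname() {
    conf=$1
    if [ -n "${KRB5CCNAME:-}" ]; then
        printf '%s\n' "$KRB5CCNAME"
    elif [ "$(ccache_type "$conf")" = KEYRING ]; then
        file_ccache_name "${2:-/tmp}"
    fi
}

# Typical use inside the container, before running fkinit:
#   name=$(choose_krb5ccname /etc/krb5.conf) && [ -n "$name" ] && export KRB5CCNAME="$name"
```

Unlike a keyring entry, a file cache sits on the container filesystem, so run `kdestroy` before committing or exporting the container.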