Don't configure KEYRING ccache in containers

Kernel keyrings are not namespaced yet. Keyrings can leak into other containers. Therefore keyrings should not be used in containerized environment. Don't configure Kerberos to use KEYRING ccache backen when a container environment is detected by systemd-detect-virt --container. Fixes: https://pagure.io/freeipa/issue/7807 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2025-02-25 18:55:28 -06:00 · 2018-12-12 17:32:06 +01:00
parent 49cc72d5c9
commit 165a941109
5 changed files with 64 additions and 3 deletions
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -32,6 +32,7 @@ import socket
 import traceback
 import errno
 import urllib
+import subprocess
 import sys

 from ctypes.util import find_library
@@ -183,6 +184,26 @@ class RedHatTaskNamespace(BaseTaskNamespace):
                 "resolution to 'lo' interface. You might need to enable IPv6 "
                 "on the interface 'lo' in sysctl.conf.")

+    def detect_container(self):
+        """Check if running inside a container
+
+        :returns: container runtime or None
+        :rtype: str, None
+        """
+        try:
+            output = subprocess.check_output(
+                [paths.SYSTEMD_DETECT_VIRT, '--container'],
+                stderr=subprocess.STDOUT
+            )
+        except subprocess.CalledProcessError as e:
+            if e.returncode == 1:
+                # No container runtime detected
+                return None
+            else:
+                raise
+        else:
+            return output.decode('utf-8').strip()
+
    def restore_pre_ipa_client_configuration(self, fstore, statestore,
                                             was_sssd_installed,
                                             was_sssd_configured):