Don't configure KEYRING ccache in containers

Kernel keyrings are not namespaced yet. Keyrings can leak into other
containers. Therefore keyrings should not be used in containerized
environment.

Don't configure Kerberos to use KEYRING ccache backen when a container
environment is detected by systemd-detect-virt --container.

Fixes: https://pagure.io/freeipa/issue/7807
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
This commit is contained in:
Christian Heimes 2018-12-12 17:32:06 +01:00 committed by Tibor Dudlák
parent 49cc72d5c9
commit 165a941109
No known key found for this signature in database
GPG Key ID: 12B8BD343576CDF5
5 changed files with 64 additions and 3 deletions

View File

@ -30,6 +30,7 @@ class BasePathNamespace:
LS = "/bin/ls" LS = "/bin/ls"
SH = "/bin/sh" SH = "/bin/sh"
SYSTEMCTL = "/bin/systemctl" SYSTEMCTL = "/bin/systemctl"
SYSTEMD_DETECT_VIRT = "/bin/systemd-detect-virt"
TAR = "/bin/tar" TAR = "/bin/tar"
AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf" AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf"
ETC_FEDORA_RELEASE = "/etc/fedora-release" ETC_FEDORA_RELEASE = "/etc/fedora-release"

View File

@ -106,6 +106,14 @@ class BaseTaskNamespace:
raise NotImplementedError() raise NotImplementedError()
def detect_container(self):
"""Check if running inside a container
:returns: container runtime or None
:rtype: str, None
"""
raise NotImplementedError
def restore_hostname(self, fstore, statestore): def restore_hostname(self, fstore, statestore):
""" """
Restores the original hostname as backed up in the Restores the original hostname as backed up in the

View File

@ -32,6 +32,7 @@ import socket
import traceback import traceback
import errno import errno
import urllib import urllib
import subprocess
import sys import sys
from ctypes.util import find_library from ctypes.util import find_library
@ -183,6 +184,26 @@ class RedHatTaskNamespace(BaseTaskNamespace):
"resolution to 'lo' interface. You might need to enable IPv6 " "resolution to 'lo' interface. You might need to enable IPv6 "
"on the interface 'lo' in sysctl.conf.") "on the interface 'lo' in sysctl.conf.")
def detect_container(self):
"""Check if running inside a container
:returns: container runtime or None
:rtype: str, None
"""
try:
output = subprocess.check_output(
[paths.SYSTEMD_DETECT_VIRT, '--container'],
stderr=subprocess.STDOUT
)
except subprocess.CalledProcessError as e:
if e.returncode == 1:
# No container runtime detected
return None
else:
raise
else:
return output.decode('utf-8').strip()
def restore_pre_ipa_client_configuration(self, fstore, statestore, def restore_pre_ipa_client_configuration(self, fstore, statestore,
was_sssd_installed, was_sssd_installed,
was_sssd_configured): was_sssd_configured):

View File

@ -23,6 +23,7 @@ import os
from ipapython.ipautil import run from ipapython.ipautil import run
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipaplatform.tasks import tasks
# NOTE: Absolute path not required for keyctl since we reset the environment # NOTE: Absolute path not required for keyctl since we reset the environment
# in ipautil.run. # in ipautil.run.
@ -73,10 +74,14 @@ def get_persistent_key(key):
return result.raw_output.rstrip() return result.raw_output.rstrip()
def is_persistent_keyring_supported(): def is_persistent_keyring_supported(check_container=True):
""" """Returns True if the kernel persistent keyring is supported.
Returns True if the kernel persistent keyring is supported.
If check_container is True and a containerized environment is detected,
return False. There is no support for keyring namespace isolation yet.
""" """
if check_container and tasks.detect_container() is not None:
return False
uid = os.geteuid() uid = os.geteuid()
try: try:
get_persistent_key(str(uid)) get_persistent_key(str(uid))

View File

@ -3,6 +3,8 @@
# #
from __future__ import absolute_import from __future__ import absolute_import
import os
from ipaplatform.tasks import tasks from ipaplatform.tasks import tasks
@ -28,3 +30,27 @@ def test_ipa_version():
assert not v3 == v4 assert not v3 == v4
assert v4 > v3 assert v4 > v3
assert v4 >= v3 assert v4 >= v3
def test_detect_container():
container = None
# naive detection, may fail for OpenVZ and other container runtimes
if os.path.isfile('/run/systemd/container'):
with open('/run/systemd/container') as f:
container = f.read().strip()
elif os.geteuid() == 0:
with open('/proc/1/environ') as f:
environ = f.read()
for item in environ.split('\x00'):
if not item:
continue
k, v = item.split('=', 1)
if k == 'container':
container = v
detected = tasks.detect_container()
if container == 'oci':
# systemd doesn't know about podman
assert detected in {'container-other', container}
else:
assert detected == container