On Wed, 15 Nov 2023, Sam Morris via FreeIPA-users wrote:
I've just installed a Fedora 39 system and joined it to my IPA domain.

I've found that when an IPA user connects with SSH, they can't launch
podman rootless containers, nor can they create scope units.

Local users are unaffected, hence I thought I'd post here in the hope
that someone else can reproduce the error and/or can suggest additional
troubleshooting steps.

Do you have subordinate IDs allocated for these IPA users?

This works for me:

$ cat /etc/redhat-release
Fedora release 39 (Thirty Nine)
$ sudo authselect current
Profile ID: sssd
Enabled features:
- with-sudo
- with-mkhomedir
- with-subid
- with-gssapi
$ grep subid /etc/nsswitch.conf
subid:      sss
$ ipa subid-find --owner abokovoy
------------------------
1 subordinate id matched
------------------------
  Unique ID: ad0dad02-99bf-43ef-8594-d8cd20be882b
  Owner: abokovoy
  SubUID range start: 2147483648
  SubUID range size: 65536
  SubGID range start: 2147483648
  SubGID range size: 65536
----------------------------
Number of entries returned 1
----------------------------
$ systemd-run --user --scope echo hello
Running scope as unit: run-r6261964e99b24d22a61a033ac7bdb461.scope
hello

And in the journal I see:

systemd[2471]: Started run-r6261964e99b24d22a61a033ac7bdb461.scope - /usr/bin/echo hello.

podman also works with the systemd-based containers in rootless mode.


Here's what systemd logs when I try to run 'systemd-run --user --scope echo
hello':

   Nov 15 08:52:15 systemd[6789]: run-r340eeb2a10484700937e131eaa242301.scope: Couldn't move process 127204 to requested cgroup '/user.slice/user-1673000001.slice/user@1673000001.service/app.slice/run-r340eeb2a10484700937e131eaa242301.scope' (directly or via the system bus): Input/output error
   Nov 15 08:52:15 systemd[6789]: run-r340eeb2a10484700937e131eaa242301.scope: Failed to add PIDs to scope's control group: Permission denied
   Nov 15 08:52:15 systemd[6789]: run-r340eeb2a10484700937e131eaa242301.scope: Failed with result 'resources'.
   Nov 15 08:52:15 systemd[6789]: Failed to start run-r340eeb2a10484700937e131eaa242301.scope - /usr/bin/echo hello.

Full details are at
<https://bugzilla.redhat.com/show_bug.cgi?id=2249514>.

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
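As an added example that is not part of this thread and not FreeIPA's or SSSD's own tooling: a small POSIX shell script that checks the prerequisites Alexander lists for an IPA user (the with-subid authselect feature, "subid: sss" in nsswitch.conf, an allocated subordinate-ID range in IPA) and runs the same scope test. The parsers take captured text so they can be exercised offline; the live checks assume authselect, getsubids from shadow-utils, the ipa CLI with a valid Kerberos ticket, and a server new enough to offer "ipa subid-generate", which the hint text assumes exists for the administrator. The sample inputs in the comments are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread: checks for the subordinate-ID
# prerequisites that rootless podman and "systemd-run --user --scope"
# need for an SSSD/IPA user on Fedora 39. The parsers read captured text
# so they can be tested offline; live_checks runs the real commands.
# Assumed tools on a live host: authselect, getsubids (shadow-utils),
# the ipa CLI and a valid Kerberos ticket for "ipa subid-find".

# Does nsswitch.conf route the "subid" database to sss? (file argument)
nsswitch_has_sss_subid() {
    grep -Eq '^[[:space:]]*subid:.*[[:space:]]sss([[:space:]]|$)' "$1"
}

# Is the with-subid feature enabled? (reads "authselect current" on stdin)
authselect_has_subid() {
    grep -Eq '^- with-subid[[:space:]]*$'
}

# Extract "<start> <size>" for SubUID or SubGID from "ipa subid-find"
# output on stdin; prints nothing when no range was returned.
subid_find_range() {
    awk -v k="$1" '
        $0 ~ ("^ *" k " range start:") { start = $NF }
        $0 ~ ("^ *" k " range size:")  { size = $NF }
        END { if (start != "" && size != "") print start, size }'
}

# Local users get their ranges from /etc/subuid (name:start:count), which
# is why they keep working when the sss lookup path is not configured.
subuid_file_range() {
    awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1"
}

# A range is usable when it holds at least 65536 IDs, the size IPA
# allocates by default (as in the subid-find output above).
subid_range_usable() {
    [ -n "$2" ] && [ "$2" -ge 65536 ]
}

live_checks() {
    user=${1:?usage: live_checks USER}
    if nsswitch_has_sss_subid /etc/nsswitch.conf; then
        echo "ok: nsswitch.conf routes subid to sss"
    else
        echo "FAIL: nsswitch.conf lacks 'subid: sss' (authselect enable-feature with-subid)"
    fi
    if authselect current | authselect_has_subid; then
        echo "ok: authselect with-subid is enabled"
    else
        echo "FAIL: authselect profile does not enable with-subid"
    fi
    # getsubids resolves through NSS, so this exercises the sss path end to end.
    getsubids "$user" || echo "FAIL: no subordinate UIDs resolvable for $user"
    # Word-splitting $range on purpose: it is "<start> <size>" or empty.
    range=$(ipa subid-find --owner "$user" 2>/dev/null | subid_find_range SubUID)
    if subid_range_usable $range; then
        echo "ok: IPA SubUID range for $user: $range"
    else
        echo "FAIL: no usable SubUID range in IPA for $user (try: ipa subid-generate --owner $user)"
    fi
    # The same scope test as in the thread; a failure here reproduces the
    # symptom from the bug report independently of the subid checks.
    systemd-run --user --scope true && echo "ok: user scope units start"
}

# Run the live checks only when explicitly requested, e.g.:
#   SUBID_CHECK_LIVE=1 sh subid-check.sh alice
if [ "${SUBID_CHECK_LIVE:-0}" = 1 ]; then
    live_checks "$@"
fi
```

Run it as the IPA user whose containers fail (SUBID_CHECK_LIVE=1 sh subid-check.sh "$USER"). A user that passes every check except the final scope test has working subordinate IDs and is looking at the cgroup error from the bug report rather than the missing-subid case.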