
[Fedora Rawhide - pre 37] running free-ipa in OKD/OpenShift fails since "systemd hardening efforts" were implemented #42

Open
jngrb opened this issue Aug 1, 2022 · 0 comments


jngrb commented Aug 1, 2022

This commit introduces "systemd hardening efforts" to 389ds. Namely, they are:

# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
# Protectsystem full mounts /etc ro, so we need to allow /etc/dirsrv to be writeable here.
ReadWritePaths=/etc/dirsrv
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true

These special protection measures require special privileges which a systemd-based container does not have when running inside OKD/OpenShift - at least with the SCC defined here.
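As an added example (not the issue author's or 389ds's code), the Python helper below parses a unit's [Service] section, lists which of the directives above depend on a private mount namespace that an unprivileged container cannot create, and emits the drop-in that unsets them. The directive-to-kernel-feature mapping is my reading of systemd.exec(5), not something the issue states, and the capability set is constructed.

```python
import re

# Assumption (my reading of systemd.exec(5), not from the issue): these directives are
# implemented by giving the service a private mount namespace, which needs CAP_SYS_ADMIN
# inside the container. ProtectClock and RestrictRealtime only narrow the unit's own
# capability bounding set / seccomp filter, so they are not flagged here.
MOUNT_NAMESPACE = {"ProtectSystem", "ProtectHome", "PrivateDevices", "ProtectHostname",
                   "ProtectKernelTunables", "ProtectKernelModules", "ProtectKernelLogs",
                   "ProtectControlGroups", "ReadWritePaths"}

def service_directives(unit_text):
    """Yield (key, value) pairs from the [Service] section, skipping comments."""
    section = None
    for line in unit_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            yield key.strip(), value.strip()

def container_blockers(unit_text, container_caps):
    """Directives that cannot take effect when the container lacks CAP_SYS_ADMIN."""
    if "CAP_SYS_ADMIN" in container_caps:
        return []
    return [k for k, _ in service_directives(unit_text) if k in MOUNT_NAMESPACE]

def dropin_override(blockers):
    """Drop-in text that resets the blocked directives (an empty value unsets them)."""
    return "\n".join(["[Service]"] + [f"{k}=" for k in dict.fromkeys(blockers)]) + "\n"

# Constructed sample: the hardening block quoted in the issue, as a [Service] section.
SAMPLE_UNIT = """[Service]
ProtectSystem=full
ReadWritePaths=/etc/dirsrv
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
"""
# Constructed capability set standing in for an unprivileged container (no CAP_SYS_ADMIN).
RESTRICTED_CAPS = {"CAP_CHOWN", "CAP_NET_BIND_SERVICE", "CAP_SETPCAP"}

if __name__ == "__main__":
    print(dropin_override(container_blockers(SAMPLE_UNIT, RESTRICTED_CAPS)))
```

The printed drop-in can be placed under a `dirsrv@.service.d/` directory for the container image only, so the hardening stays in effect on hosts where systemd has the privileges to apply it.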
