[Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

Simo Sorce simo at redhat.com
Mon Dec 2 14:42:02 UTC 2013


On Mon, 2013-12-02 at 14:51 +0100, Petr Viktorin wrote:
> On 12/02/2013 02:01 PM, Martin Kosek wrote:
> > On 12/02/2013 01:58 PM, Petr Viktorin wrote:
> >> On 11/29/2013 01:48 PM, Martin Kosek wrote:
> >>> On 11/19/2013 12:35 PM, Petr Viktorin wrote:
> >>>> On 11/05/2013 07:22 PM, Martin Kosek wrote:
> >>>>> Server and client installer should allow kernel keyring ccache when
> >>>>> supported.
> >>
> >>>>
> >>>> How do I enable the kernel keyring? On f20 I get this:
> >>>>
> >>>> 2013-11-19T11:28:07Z DEBUG Starting external process
> >>>> 2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
> >>>> 2013-11-19T11:28:07Z DEBUG Process finished, return code=1
> >>>> 2013-11-19T11:28:07Z DEBUG stdout=
> >>>> 2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been revoked
> >>>
> >>> It should be enabled out of the box. But there were some initial issues with
> >>> persistent keyring in the first versions of the kernel with support; hopefully
> >>> this was just a fluke which disappeared.
> >>>
> >>> This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:
> >>>
> >>> # keyctl get_persistent @s 0
> >>> 637466038
> >>
> >> With kernel-3.11.10-300.fc20.x86_64, I get an error again:
> >> $ keyctl get_persistent @s 0
> >> keyctl_get_persistent: Key has been revoked
> >
> > Not sure if it is a typo, but you surely won't get root's keyring as a
> > non-root user...
> 
> It is just a typo, but it looks like you got me on the right track. 
> keyctl apparently needs a real root login:
> 
> $ sudo keyctl get_persistent @s 0
> keyctl_get_persistent: Key has been revoked
> 
> $ sudo su
> # keyctl get_persistent @s 0
> keyctl_get_persistent: Key has been revoked
> # exit
> 
> $ sudo su -
> Last login: Mon Dec  2 14:09:36 CET 2013 on pts/1
> # keyctl get_persistent @s 0
> 968622527
> # logout
> 

Please use "sudo -i" to get an interactive 'login' shell.

> Unsurprisingly, when ipa-server-install is run from sudo, it complains 
> that the key is unsupported. From a root login all is OK.
> 
> Is that expected?

You should run ipa-server-install using a login shell, I think.
Should we open a bug to detect this and fail?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
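
One way to do the detection asked about at the end of this message, as an added example that is not part of the original post and not FreeIPA's own code: it runs the same `keyctl get_persistent @s 0` probe shown in the thread and separates the "Key has been revoked" result seen under sudo from other failures. The function names, status strings and hint text are hypothetical.

```python
import subprocess

# stderr text quoted in the thread for the sudo / "sudo su" case
REVOKED_MARKER = "Key has been revoked"


def classify_probe(returncode, stdout, stderr):
    """Map one `keyctl get_persistent @s <uid>` result to (status, hint)."""
    out = stdout.strip()
    if returncode == 0 and out.isdigit():
        # Success prints the numeric id of the persistent keyring.
        return ("ok", "persistent keyring id " + out)
    if REVOKED_MARKER in stderr:
        # Outcome reported in the thread when the probe ran outside a login shell.
        return ("revoked-session",
                "session keyring is revoked; rerun from a login shell (sudo -i)")
    # Anything else: pass the raw error on instead of guessing at the cause.
    return ("unavailable",
            stderr.strip() or "keyctl exited with %d" % returncode)


def probe_persistent_keyring(uid=0, runner=subprocess.run):
    """Run the probe; a missing keyctl binary counts as unavailable."""
    try:
        proc = runner(["keyctl", "get_persistent", "@s", str(uid)],
                      capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ("unavailable", "keyctl binary not found")
    return classify_probe(proc.returncode, proc.stdout, proc.stderr)


# Constructed samples, built from the outputs quoted in the thread.
SAMPLES = [
    (0, "968622527\n", ""),
    (1, "", "keyctl_get_persistent: Key has been revoked\n"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_probe(*sample))
    status, hint = probe_persistent_keyring()
    print("this session:", status, "-", hint)
    # Non-zero exit lets an installer stop early with the hint above.
    raise SystemExit(0 if status == "ok" else 1)
```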



