[Freeipa-devel] [PATCH] 439 Allow kernel keyring CCACHE when supported

Petr Viktorin pviktori at redhat.com
Mon Dec 2 15:05:06 UTC 2013


On 12/02/2013 03:42 PM, Simo Sorce wrote:
> On Mon, 2013-12-02 at 14:51 +0100, Petr Viktorin wrote:
>> On 12/02/2013 02:01 PM, Martin Kosek wrote:
>>> On 12/02/2013 01:58 PM, Petr Viktorin wrote:
>>>> On 11/29/2013 01:48 PM, Martin Kosek wrote:
>>>>> On 11/19/2013 12:35 PM, Petr Viktorin wrote:
>>>>>> On 11/05/2013 07:22 PM, Martin Kosek wrote:
>>>>>>> Server and client installer should allow kernel keyring ccache when
>>>>>>> supported.
>>>>>>
>>>>>> How do I enable the kernel keyring? On f20 I get this:
>>>>>>
>>>>>> 2013-11-19T11:28:07Z DEBUG Starting external process
>>>>>> 2013-11-19T11:28:07Z DEBUG args=keyctl get_persistent @s 0
>>>>>> 2013-11-19T11:28:07Z DEBUG Process finished, return code=1
>>>>>> 2013-11-19T11:28:07Z DEBUG stdout=
>>>>>> 2013-11-19T11:28:07Z DEBUG stderr=keyctl_get_persistent: Key has been revoked
>>>>>
>>>>> It should be enabled out of the box. But there were some initial issues with
>>>>> the persistent keyring in the first kernel versions that supported it; hopefully
>>>>> this was just a fluke which disappeared.
>>>>>
>>>>> This is what I see on my F20 with kernel-3.11.9-300.fc20.x86_64:
>>>>>
>>>>> # keyctl get_persistent @s 0
>>>>> 637466038
>>>>
>>>> With kernel-3.11.10-300.fc20.x86_64, I get an error again:
>>>> $ keyctl get_persistent @s 0
>>>> keyctl_get_persistent: Key has been revoked
>>>
>>> Not sure if it is a typo, but you surely won't get root's keyring as a
>>> non-root user...
>>
>> It is just a typo, but it looks like you got me on the right track.
>> keyctl apparently needs a real root login:
>>
>> $ sudo keyctl get_persistent @s 0
>> keyctl_get_persistent: Key has been revoked
>>
>> $ sudo su
>> # keyctl get_persistent @s 0
>> keyctl_get_persistent: Key has been revoked
>> # exit
>>
>> $ sudo su -
>> Last login: Mon Dec  2 14:09:36 CET 2013 on pts/1
>> # keyctl get_persistent @s 0
>> 968622527
>> # logout
>>
>
> Please use "sudo -i" to get an interactive 'login' shell.
>
>> Unsurprisingly, when ipa-server-install is run from sudo, it complains
>> that the key is unsupported. From a root login all is OK.
>>
>> Is that expected?
>
> You should run ipa-server-install using a login shell I think.
> Should we open a bug to detect this and fail?

It's always worked with just sudo for me. So yes, if it's required I 
think we should enforce it.

-- 
Petr³
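An added illustration (not FreeIPA's own code) of the detect-and-fail check proposed in the thread: it runs the same `keyctl get_persistent @s 0` probe that appears in the installer log above and maps the outcomes quoted in this thread (a keyring id on success, "Key has been revoked" under plain `sudo`) to a supported/unsupported verdict with a reason. The command runner is injectable so those outputs can be replayed offline; `fake_runner`, `persistent_keyring_status` and `run_keyctl` are names assumed by this example.

```python
"""Probe whether the persistent kernel keyring is usable as a Kerberos
KEYRING ccache.  Illustrative code written for this thread, not FreeIPA's."""
import subprocess
from typing import Callable, List, Tuple

# A runner takes the keyctl arguments and returns (returncode, stdout, stderr).
Runner = Callable[[List[str]], Tuple[int, str, str]]


def run_keyctl(args: List[str]) -> Tuple[int, str, str]:
    """Real runner: execute keyctl(1) and capture its result."""
    p = subprocess.run(["keyctl", *args], capture_output=True, text=True)
    return p.returncode, p.stdout, p.stderr


def fake_runner(rc: int, out: str, err: str) -> Runner:
    """Constructed test double that replays a fixed keyctl result."""
    return lambda args: (rc, out, err)


def persistent_keyring_status(run: Runner = run_keyctl) -> Tuple[bool, str]:
    """Return (supported, reason) for `keyctl get_persistent @s 0`.

    This is the probe the installer logged in the thread; a non-zero exit
    means the persistent keyring for uid 0 cannot be reached from this
    session, so a KEYRING ccache should not be selected."""
    try:
        rc, out, err = run(["get_persistent", "@s", "0"])
    except FileNotFoundError:
        return False, "keyctl not installed"
    if rc != 0:
        msg = err.strip()
        if "Key has been revoked" in msg:
            # Outcome seen in the thread under plain `sudo`; it worked from a
            # login shell (`sudo -i` / `sudo su -`).
            return False, "persistent keyring revoked; run from a login shell"
        return False, f"keyctl failed (rc={rc}): {msg or 'no stderr'}"
    key_id = out.strip()
    if not key_id.isdigit():
        return False, f"unexpected keyctl output: {key_id!r}"
    return True, f"persistent keyring id {key_id}"


if __name__ == "__main__":
    ok, why = persistent_keyring_status()
    print("supported" if ok else "unsupported", "-", why)
```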
