How do you map in /etc/krb5.conf into an Execution Environment?


Hi

I have changed the Job settings in my AAP install, and I wanted to add /etc/krb5.conf to the list of “Paths to expose to isolated jobs”. That didn’t work. I got errors that sounded like SELinux, and permission denied on /etc/passwd for some reason.

I tried instead to add /etc/krb5.conf.d and that worked, but I then got an even more mysterious error: “Kerberos auth failure for principal XXX with pexpect: Included profile directory could not be read while initializing Kerberos 5 library”.

That sounded like it could use that path in the container, but something else broke.

Does someone know how you’re really supposed to get your /etc/krb5.conf to be accessible from within your EE? Do I have to rebuild the EE and include that file?

2 Likes

We’ve historically baked this directly into the EE and rebuild/repush the image if needed (we do scheduled rebuilds anyways). This may not be the best way of doing it and would be interested if there are others who have a better method, but it’s been solid for us for the last couple years.

Best regards,

Joe

3 Likes

If necessary I’d build the settings into the EE. Generally speaking, for a typical enterprise AD environment it’s not required. You can control enough of the settings via the connection plugin and by formatting the username to include the correct UPN suffix (case-sensitive for KRB5 but not for Windows; by default in AD it’s uppercase) to get the job done.

2 Likes

The simplest way is to mount it from a ConfigMap via a custom pod spec in the container group. You need to go to Instance Groups, then either create a new one or modify the default container group, check “Customize pod specification” and then add the proper Kubernetes attributes to mount a ConfigMap key as a single file (not a directory).
It would be something like:

apiVersion: v1
kind: Pod
spec:
  containers:
    - name: worker
      # ... image, args and the remaining container fields are unchanged from the default pod spec ...
      volumeMounts:
        - name: krb5-conf
          mountPath: /etc/krb5.conf
          subPath: krb5.conf
  volumes:
    - name: krb5-conf
      configMap:
        name: my-krb5-config
        items:
          - key: krb5.conf
            path: krb5.conf

This works great and is valid for all EE images, as it is mounted on top of what comes with EE.

1 Like

That’s a good one. Sadly, I’m running the non-kubernetes containerized install, so for me it’s a bit more work. But, excellent point of reference if someone comes to this post later looking for answers.

That indeed complicates things a bit. But since you use a non-Kubernetes yet still containerized environment, is there maybe a way to modify the container template to include additional mounts? You have a way to influence which image is being taken. Even if this is not available from the AWX/AAP console, this should be doable on the execution node itself somehow…

How about trying to tackle this SELinux issue before building EE yourself, for example:

  • What exactly is the error?
  • Did you add :z to the path specified in “Paths to expose to isolated jobs”?
  • Does it work if you temporarily run setenforce 0? (Don’t forget to set it back to 1!)
  • How about labeling your file with container_file_t using chcon?
1 Like

It turned out not to be related to SELinux after all. What I got was what looked like an unrelated permission denied. It turned out to be a syntax error in the map. I did try to change the setenforce and realized the error was not SELinux.

In the end I did map /etc/krb5.conf.d/ with :O as a suffix to the path. In that folder there was an sssd-related file that has to be removed, as it refers to a file not in the file system that gets mapped.

With that done, kinit works with the provided krb5.conf in /etc/krb5.conf.d/ just fine. Now I’ve gotten another error, but it’s clearly a python dependency that will have to go into an EE.

Thanks for the help and suggestions!
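As an added example (not code from this thread, from AWX or from ansible-runner), the script below checks offline for the two failure modes the thread ran into before any job is launched: a malformed “Paths to expose to isolated jobs” line (the “syntax error in the map”), and a krb5.conf include chain that references a path the EE does not contain (the “Included profile directory could not be read” error). It assumes the mount lines use podman -v syntax, `host[:container[:options]]`, with a bare path meaning host == container, and it models libkrb5’s `include`/`includedir` rules. The directory tree it builds, including the sssd-style drop-in that points at a directory the container lacks, is constructed for the demo; the file names in it are illustrative. The check works the same whether the config is baked into the EE, mounted from a ConfigMap, or exposed from the execution node: point `root` at whatever stands in for the container’s root filesystem.

```python
import os
import re
import shutil
import tempfile

# podman -v options relevant here (AWX passes "Paths to expose to isolated
# jobs" through as podman volume mounts). Assumption: this is the subset
# worth checking for this thread, not an exhaustive podman option list.
MOUNT_OPTIONS = {"ro", "rw", "z", "Z", "O"}


def parse_mount_spec(spec):
    """Validate one 'host[:container[:options]]' line; return (host, container, options).

    A bare path is treated as host == container (assumption; verify against
    the AWX/AAP version you run).
    """
    parts = spec.strip().split(":")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"{spec!r}: expected host[:container[:options]]")
    host = parts[0]
    container = parts[1] if len(parts) >= 2 else host
    for p in (host, container):
        if not p.startswith("/"):
            raise ValueError(f"{spec!r}: {p!r} is not an absolute path")
    options = parts[2].split(",") if len(parts) == 3 else []
    unknown = [o for o in options if o not in MOUNT_OPTIONS]
    if unknown:
        raise ValueError(f"{spec!r}: unknown mount option(s) {unknown}")
    return host, container, options


INCLUDE_RE = re.compile(r"^\s*(include|includedir)\s+(\S+)\s*$")
# MIT krb5 rule: includedir reads files whose names are only alphanumerics,
# '-' or '_', plus (1.17+) '*.conf' files whose names do not start with '.'.
PLAIN_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def includedir_members(dirpath):
    """Files libkrb5 would read from an includedir, in sorted order."""
    return [
        os.path.join(dirpath, n)
        for n in sorted(os.listdir(dirpath))
        if PLAIN_NAME_RE.match(n) or (n.endswith(".conf") and not n.startswith("."))
    ]


def check_krb5_includes(conf_path, root="/", _seen=None):
    """Follow include/includedir directives the way libkrb5 does and return
    every referenced path that is missing under `root` (a directory standing
    in for the EE's root filesystem). A non-empty result is what surfaces as
    'Included profile directory could not be read' when kinit runs in the EE."""
    seen = set() if _seen is None else _seen
    full = os.path.join(root, conf_path.lstrip("/"))
    if full in seen:            # guard against include loops
        return []
    seen.add(full)
    if not os.path.isfile(full):
        return [conf_path]
    missing = []
    with open(full) as fh:
        for line in fh:
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            kind, target = m.groups()
            if kind == "include":
                missing += check_krb5_includes(target, root, seen)
                continue
            target_full = os.path.join(root, target.lstrip("/"))
            if not os.path.isdir(target_full):
                missing.append(target)
                continue
            for member in includedir_members(target_full):
                rel = "/" + os.path.relpath(member, root)
                missing += check_krb5_includes(rel, root, seen)
    return missing


def build_demo_root():
    """Build a throwaway tree mimicking an EE with the host's /etc/krb5.conf.d
    exposed into it. All contents are constructed for this example; the
    sssd-style drop-in mirrors the thread's problem (it points at a
    directory the container does not have)."""
    root = tempfile.mkdtemp(prefix="ee-root-")
    os.makedirs(os.path.join(root, "etc", "krb5.conf.d"))
    files = {
        "etc/krb5.conf": "includedir /etc/krb5.conf.d/\n[libdefaults]\n    dns_lookup_realm = false\n",
        "etc/krb5.conf.d/example_realm": "[libdefaults]\n    default_realm = EXAMPLE.COM\n",
        "etc/krb5.conf.d/enable_sssd_conf_dir": "includedir /var/lib/sss/pubconf/krb5.include.d/\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


def demo():
    """Return (missing_before, missing_after): once with the sssd drop-in
    present, once after removing it as the thread's author did."""
    root = build_demo_root()
    try:
        before = check_krb5_includes("/etc/krb5.conf", root)
        os.remove(os.path.join(root, "etc/krb5.conf.d/enable_sssd_conf_dir"))
        after = check_krb5_includes("/etc/krb5.conf", root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    print(parse_mount_spec("/etc/krb5.conf.d:/etc/krb5.conf.d:O"))
    print(demo())
```

To run it against a real EE instead of the constructed tree, export the image's filesystem (for example with `podman export` into a directory) and pass that directory as `root`, with the exposed host directory copied to the same relative path; the same call then tells you which includes kinit will fail on before a job ever runs.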