freeipa / freeipa-openshift-container

FreeIPA container for OpenShift 4


[Fedora Rawhide - pre 37] running free-ipa in OKD/OpenShift fails since "systemd hardening efforts" were implemented

jngrb opened this issue · comments

This commit introduces "systemd hardening efforts" to 389ds. Namely, they are:

# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
# Protectsystem full mounts /etc ro, so we need to allow /etc/dirsrv to be writeable here.
ReadWritePaths=/etc/dirsrv
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true

These special protection measures require special privileges which a systemd-based container does not have when running inside OKD/OpenShift, at least with the SCC defined here.
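The directives quoted in the issue are all implemented by systemd through mount and other namespaces, which an unprivileged container is not allowed to create, so the usual container-side workaround is a drop-in that resets them and leaves sandboxing to the container runtime and the SCC instead. The script below is an added example written for this page, not code from the freeipa-openshift-container project or the 389ds commit: it takes the [Service] text of a unit (a constructed sample built from the directives listed above), reports which of those hardening directives are present, and generates the drop-in content that turns them off. The unit name dirsrv@.service and the drop-in path in the usage note are assumptions about the 389ds packaging, not something stated on this page.

```shell
#!/bin/sh
# Added example: detect the namespace-based systemd hardening directives
# quoted in the issue and emit a drop-in that resets them for a container.

# The directive names come from the issue text above; ReadWritePaths is
# deliberately not in the list, it is harmless once ProtectSystem is off.
HARDENING_DIRECTIVES="ProtectSystem ProtectHome PrivateDevices ProtectHostname \
ProtectClock ProtectKernelTunables ProtectKernelModules ProtectKernelLogs \
ProtectControlGroups RestrictRealtime"

# Constructed sample [Service] section; the ExecStart line is a placeholder.
SAMPLE_UNIT='[Service]
ProtectSystem=full
ReadWritePaths=/etc/dirsrv
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i'

# list_hardening UNIT_TEXT
# Prints, one per line, every hardening directive that the unit sets.
list_hardening() {
  printf '%s\n' "$1" | while IFS='=' read -r key _val; do
    for d in $HARDENING_DIRECTIVES; do
      if [ "$key" = "$d" ]; then
        printf '%s\n' "$key"
      fi
    done
  done
}

# make_override UNIT_TEXT
# Prints a drop-in [Service] section that sets each detected directive to
# "no". For these settings the last assignment wins, so a drop-in loaded
# after the packaged unit is enough to disable them.
make_override() {
  printf '[Service]\n'
  list_hardening "$1" | while read -r d; do
    printf '%s=no\n' "$d"
  done
}

# Stand-alone run: show what would be written for the sample unit.
make_override "$SAMPLE_UNIT"
```

To apply it in a container image, run `make_override "$(cat /usr/lib/systemd/system/dirsrv@.service)"` and store the output as /etc/systemd/system/dirsrv@.service.d/10-container.conf (assumed unit name and path), then `systemctl daemon-reload`. Because this removes systemd's own sandboxing of ns-slapd, the compensating controls are the pod's SCC, seccomp profile and read-only root filesystem; the drop-in should be scoped to the container build and never shipped to hosts that run 389ds directly.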