McLayn's questions

I'm trying to run a podman quadlet defined by a kubernetes YML file. I want it to run rootless in systemd under a web user on the host: systemctl --user status pod-web.

Inside the container, the PHP process is running under the 33:33 user. I want the /home/web/data directory on the host to be owned by the web user, but at the same time to be readable and writable by the 33:33 user inside the container, where it is mounted to /var/www/html.

In the comments, you can see some things I tried. Unfortunatelly, I don't understand the user namespaces and subuid/subgid enough to be able to make it work with the documentation and Copilot keeps halucinating, so any help from real people will be appreciated.

My problem is similar to this one, but I want to use a podman kube quadlet defined in a YML file.

Environment:

• AlmaLinux release 9.4 (Seafoam Ocelot)
• podman version 4.9.4-rhel
• systemd 252 (252-32.el9_4.7)
• SELinux enabled enforcing
• chown -R web:web /home/web
• usermod --add-subuids 100000-165535 --add-subgids 100000-165535 web

/home/web/pod-web.yml:

apiVersion: v1
kind: Pod
metadata:
  name: pod-web
#  annotations:
#    io.podman.annotations.userns: "keep-id"
spec:
  containers:
  - name: pod-web
    image: docker.io/library/php:8.3-apache
#    securityContext:
#      runAsUser: 33
#      runAsGroup: 33
#      supplementalGroups: [65536]
#    ports:
#    - containerPort: 80
#      hostPort: 8000
    volumeMounts:
    - mountPath: /var/www/html
      name: web-data
  volumes:
  - name: web-data
    hostPath:
      path: /home/web/data
  restartPolicy: Always

With runAsUser: 33 the container was logging:

(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80

With runAsUser: 0 the container seems to run, but it is a bad practice as it gives too many privileges if I understand it correctly.

/home/web/.config/containers/systemd/pod-web.kube:

[Unit]
Description=Podman Quadlet: %p

[Service]
# ExecStartPre=/usr/bin/podman unshare -- /bin/bash -c 'chown -R 33:33 /home/web/data'

[Kube]
Yaml=/home/web/%p.yml
LogDriver=journald
#UserNS=keep-id:uid=33,gid=33
#UserNS=auto

[Install]
WantedBy=multi-user.target default.target

We have a server with the Alma Linux 9.3 OS. By default (as well as all current RHEL-like OSs) it has fapolicyd enabled. There is also an application server (WildFly/JBoss/Java) running on that server. The deployed application processes some data files (submited by users) and it works fine in the standard situation.

However currently, there is a period of time when the application needs to process 1000-ish files per minute. In such a situation, the fapolicyd overhead is utilising ~15% of CPU which we evaluated as too much.

I was unable to find anyone with a similar problem on the internet.

I'm also suprprised there is no fapolicyd tag here on ServerFault.

Questions:

• Is there a way to optimize fapolicyd configuration so that it could decide faster whether it allows or denies a file access?
  • One thing that comes to my mind is the ordering of custom rules.
  • Maybe using wildcard vs. using literal rules.
• Any hints how to evaluate how much important fapolicyd is for us?
  • Whether we can just turn it off or whether it is really a good idea to have it running despite the huge overhead.
  • Whether other distributions also use something like fapolicyd or whether it is "just additional security" and SELinux is enough. (I know they are not the same.)

Sources:

• STIG recommends to have fapolicyd enabled
• A Red Hat article about the basics of fapolicyd

I'm migrating KeyCloak v15 (WildFly v23) passwords from the old vault to elytron credential store. It works fine for the standard use case. In standalone.xml, I have: /server/extensions/extension:

<extension module="org.wildfly.extension.elytron"/>

/server/profile/subsystem:

<subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="elytron" disallowed-providers="OracleUcrypto">
    <providers>
        <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
    </providers>
    <audit-logging>
        <file-audit-log name="local-audit" path="audit-log.log" relative-to="jboss.server.log.dir" format="JSON"/>
    </audit-logging>
    <credential-stores>
        <credential-store name="credStore" location="/data/credStore.jceks">
            <implementation-properties>
                <property name="keyStoreType" value="JCEKS"/>
            </implementation-properties>
            <credential-reference clear-text="MASK-123456789;salt123;42"/>
        </credential-store>
    </credential-stores>
</subsystem>

and I access the passwords using /server/profile/subsystem[@xmlns="urn:jboss:domain:jgroups:8.0"]/stacks/stack[@name="tcp"]/auth-protocol/digest-token/shared-secret-reference:

<shared-secret-reference store="credStore" alias="myBlock::mySecret"/>

However, there is one secret I need to pass to a SPI in a property. Any idea how to do it? This was the old vault way:

/server/system-properties/property:

<property name="secret" value="${VAULT::myBlock::mySecret::1}"/>

/server/profile/subsystem[@xmlns="urn:jboss:domain:keycloak-server:1.1"]/spi:

<spi name="mySpi">
    <provider name="file" enabled="true">
        <properties>
            <property name="password" value="${secret}"/>
        </properties>
    </provider>
</spi>

I have a config file /etc/tmpfiles.d/test.conf:

z /dir/*         660 -    -    -
z /dir/subdir   2770 -    -    -
z /dir/subdir/*  660 -    -    -
Z /dir             - root test -

When I run systemd-tmpfiles --prefix=/dir --create /etc/tmpfiles.d/test.conf ; ll /dir, access rights of /dir/subdir are randomly

• sometimes drwxrws--- (from the /dir/* rule) and
• sometimes drw-rw---- (from the /dir/subdir rule).

How do I make it deterministic?

The point is that directory /dir contains a lot of files and one subdirectory and I want to set rw access rights to the files and rwx access rights to the subdirectory.

Centos 7

man tmpfiles.d

CentOS prints the following during boot

[ ***  ] A stop job is running for Security Auditing Service (9s / 1min 30s)

and then switches into the single user mode.

In KeyCLoak 15.0 (that is WildFly 23.0), I’m trying to configure access-log to also include username (or any ID of the user) when a user is logged in. In keycloak/standalone/configuration/standalone.xml, I configured XML:/server/profile/subsystem[@xmlns="urn:jboss:domain:undertow:12.0"]/server/host/access-log/@pattern pattern="%h %l %u %t "%r" %s/%S %b %T %I "%{i,User-Agent}""

The log gets correctly printed in the file I configured. However, the value of %u or %{REMOTE_USER} is always empty (that is -).

The only way to log some user ID I found was logging session cookie value with %{c,KEYCLOAK_SESSION} (it contains realm/user-ID/secret). Which isn’t a good idea to do in production.

Any idea on how to log username or userID in access-log?

Is it a KeyCLoak bug that %u or %{REMOTE_USER} is empty even when there is an active user session in KeyCloak? Or is it possible in KeyCLoak to configure which user attribute value goes in REMOTE_USER?

Alternativelly, how to put the userID in some header to use one of the following?

• %{i,xxx} for incoming headers
• %{o,xxx} for outgoing response headers
• %{c,xxx} for a specific cookie
• %{r,xxx} where xxx is an attribute in the ServletRequest
• %{s,xxx} where xxx is an attribute in the HttpSession

Among others, I tried these. None of them was populated.

%{s,user} 
%{s,userId} 
%{s,client_id} 
%{s,USER_ID} 
%{s,USER} 
%{s,org.keycloak.adapters.spi.KeycloakAccount} 
%{s,KeycloakAccount} 
%{s,org.keycloak.adapters.tomcat.CatalinaSessionTokenStore.SerializableKeycloakAccount} 
%{s,SerializableKeycloakAccount} 
%{s,org.keycloak.adapters.saml.SamlSession} 
%{s,SamlSession} 
%{s,org.keycloak.adapters.undertow.KeycloakUndertowAccount} 
%{s,KeycloakUndertowAccount} 
%{s,org.keycloak.KeycloakSecurityContext} 
%{s,KeycloakSecurityContext} 
%{s,io.undertow.servlet.util.SavedRequest} 
%{s,SavedRequest}

%{r,tokenInfo} 
%{r,KeycloakSecurityContext} 
%{r,ElytronHttpFacade} 
%{r,AdapterDeploymentContext} 
%{r,TOKEN_STORE_NOTE}