From 9f160b378b07fff8f283bf53cea0cf27e2c865c1 Mon Sep 17 00:00:00 2001
From: om
Date: Sun, 15 Mar 2026 17:51:06 -0400
Subject: [PATCH 1/2] cmd/initContainer,utils/utils: added a check for kcm-socket

When configuring kerberos, it was assumed the sssd-kcm service and corresponding socket were active. Which is not necessarily true, as it can be disabled and not exist.
https://github.com/containers/toolbox/pull/1771
Signed-off-by: om
---
 src/cmd/initContainer.go | 10 +++++++++
 src/pkg/utils/utils.go | 44 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)

diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go
index b3a7bd983..d92082b40 100644
--- a/src/cmd/initContainer.go
+++ b/src/cmd/initContainer.go
@@ -565,6 +565,16 @@ func configureKerberos() error {
 return nil
 }

+ kcmSocketEnabled, err := utils.IsKCMSocketEnabled()
+ if err != nil {
+ return fmt.Errorf("failed to check if kcm socket is enabled: %w", err)
+ }
+ if !kcmSocketEnabled {
+ logrus.Debugf("%s: kcm socket not enabled", logPrefix)
+ logrus.Debugf("%s: skipping", logPrefix)
+ return nil
+ }
+
 var builder strings.Builder
 builder.WriteString("# Written by Toolbx\n")
 builder.WriteString("# https://containertoolbx.org/\n")
diff --git a/src/pkg/utils/utils.go b/src/pkg/utils/utils.go
index f3de23b1b..e9ab745de 100644
--- a/src/pkg/utils/utils.go
+++ b/src/pkg/utils/utils.go
@@ -17,6 +17,7 @@
 package utils

 import (
+ "bufio"
 "errors"
 "fmt"
 "os"
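Review bot: In configureKerberos (src/cmd/initContainer.go) every error from `utils.IsKCMSocketEnabled()` is returned, so an unreadable /etc/krb5.conf or a stat failure other than not-exist on the socket path now fails the function, a condition that did not stop Kerberos configuration before this change. Whether the caller treats that as fatal for container start-up is not visible here, since the function begins and ends outside the hunk. If the setup is meant to be best-effort, I would log and skip instead: `logrus.Debugf("%s: failed to check kcm socket: %s", logPrefix, err)` followed by `return nil`.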
@@ -892,3 +893,46 @@ func ResolveContainerAndImageNames(container, distroCLI, imageCLI, releaseCLI st

 return container, image, release, nil
 }
+
+// IsKCMSocketEnabled checks if the KCM cache is enabled or not, by verifying the unix domain socket used
+// by kcm exists. Normally, the default path is - /var/run/.heim_org.h5l.kcm-socket.
+//
+// However, we should be vary that this path is configurable. It can be overriden by setting the
+// kcm_socket field in the [libdefaults] section to point to the new path, inside /etc/krb5.conf.
+func IsKCMSocketEnabled() (bool, error) {
+ kcmSocketPath := "/var/run/.heim_org.h5l.kcm-socket"
+
+ file, err := os.Open("/etc/krb5.conf")
+ if err != nil && !errors.Is(err, os.ErrNotExist) {
+ return false, err
+ } else if err == nil {
+ defer file.Close()
+
+ scanner := bufio.NewScanner(file)
+ insideLibdefaultsSection := false
+
+ for scanner.Scan() {
+ text := strings.TrimSpace(scanner.Text())
+ if strings.HasPrefix(text, "[") {
+ insideLibdefaultsSection = text == "[libdefaults]"
+ continue
+ }
+
+ if insideLibdefaultsSection {
+ parts := strings.SplitN(text, "=", 2)
+ if len(parts) == 2 && strings.TrimSpace(parts[0]) == "kcm_socket" {
+ kcmSocketPath = strings.TrimSpace(parts[1])
+ }
+ }
+ }
+ }
+
+ info, err := os.Stat(kcmSocketPath)
+ if err != nil && !errors.Is(err, os.ErrNotExist) {
+ return false, err
+ } else if errors.Is(err, os.ErrNotExist) {
+ return false, nil
+ }
+
+ return info.Mode()&os.ModeSocket != 0, nil
+}
From 64625560fd6b416a91c77613b654789640c19917 Mon Sep 17 00:00:00 2001
From: om
Date: Mon, 16 Mar 2026 17:23:26 -0400
Subject: [PATCH 2/2] utils/utils: fix spelling in comment

https://github.com/containers/toolbox/pull/1771
Signed-off-by: om
---
 src/pkg/utils/utils.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pkg/utils/utils.go b/src/pkg/utils/utils.go
index e9ab745de..06070a3f0 100644
--- a/src/pkg/utils/utils.go
+++ b/src/pkg/utils/utils.go
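Review bot: In IsKCMSocketEnabled (src/pkg/utils/utils.go, patch 1/2) the scan loop never checks `scanner.Err()`, so a read error or a line over bufio.Scanner's default token limit stops parsing silently and the default socket path is used; add `if err := scanner.Err(); err != nil { return false, err }` after the loop. Only /etc/krb5.conf itself is read, so a `kcm_socket` set in a file pulled in through an `include` or `includedir` directive is missed, and the last matching assignment wins, which may differ from how libkrb5 resolves duplicates. The final `os.Stat` shows that a socket file exists at the path, not that a KCM daemon is listening on it. I would state these limits in the doc comment, e.g. `// Only /etc/krb5.conf is parsed; include and includedir directives are not followed.`, and 'vary' there looks like a typo for 'wary'.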
@@ -897,7 +897,7 @@ func ResolveContainerAndImageNames(container, distroCLI, imageCLI, releaseCLI st
 // IsKCMSocketEnabled checks if the KCM cache is enabled or not, by verifying the unix domain socket used
 // by kcm exists. Normally, the default path is - /var/run/.heim_org.h5l.kcm-socket.
 //
-// However, we should be vary that this path is configurable. It can be overriden by setting the
+// However, we should be vary that this path is configurable. It can be overridden by setting the
 // kcm_socket field in the [libdefaults] section to point to the new path, inside /etc/krb5.conf.
 func IsKCMSocketEnabled() (bool, error) {
 kcmSocketPath := "/var/run/.heim_org.h5l.kcm-socket"