Jan Pazdziora

@shaohme, could you provide some mod_auth_form configuration that you envision to be used with the OTP setup?

In general, `mod_intercept_form_submit` (via `mod_authnz_pam`), with fallback to `mod_auth_gssapi`, would likely provide reasonable solution.

Is this a cgroups v1 or cgroups v2 host? What OS (and version) and what docker version?

I believe the guidance in the [README](https://github.com/freeipa/freeipa-container#readme) is to use the `/sys/fs/cgroup:/sys/fs/cgroup:ro` bind mount only for cgroups v1, not v2. So please remove that ``` volumes: - /sys/fs/cgroup:/sys/fs/cgroup:ro ``` And...

And you have `"userns-remap": "dockeruser"` configured and `dockeruser` ranges defined in `/etc/subuid` and `/etc/subgid` in this case? The typical setup is with `"userns-remap": "default"` and the `dockremap` like we do...

I believe here the issue is the generic "run systemd in container on that specific host and container runtime", not the permissions. That's why I'm leading @jpVm5jYYRE1VIKL towards figuring out...

We seem to have lost traction here.

This issue originated from discussion in https://bugzilla.redhat.com/show_bug.cgi?id=1927154.

Note that with latest OpenSSL 3 builds, the unconditional use of SHA-1 seems to cause segfault: https://bugzilla.redhat.com/show_bug.cgi?id=2043476.

The error comes from containerd attempting to start the `helper-pod-create-pvc-1e7e0729-1ec4-4b0e-91ef-3c41e0495783` that gets initiated by the `local-path-provisioner-6bc4bddd6b-rnsqd` to fulfill the PVC request that comes from https://github.com/rancher/local-path-provisioner/blob/master/examples/pvc-with-local-volume/pvc.yaml.