<div dir="ltr"><div>Hello again.<br></div><div class="gmail_extra"><div class="gmail_quote"><br></div><div class="gmail_quote">Yes, I see now that LXC 1.0.6 is there as rpm, but that is the first time since 0.8.0, and I started to use LXC 1.0.</div><div class="gmail_quote"><br></div><div class="gmail_quote">I use my script called srvctl to control the creation and configuration of containers.</div><div class="gmail_quote"><a href="https://github.com/LaKing/Fedora-scripts">https://github.com/LaKing/Fedora-scripts</a><br></div><div class="gmail_quote"><br></div><div class="gmail_quote">It compiled with "autogen - configure - make - make install" before, but I added the option to use yum and the rpm now.</div><div class="gmail_quote"><br></div><div class="gmail_quote">The user addition part adds a user, sets a password and creates a keypair. </div><div class="gmail_quote">I usually log in as root with key, .. but the problem came to light when users su-ed to a normal user and ran capistrano - a ruby deploy script.</div><div class="gmail_quote">So, I think the password should be there, valid, not expired. Users use keys though.</div><div class="gmail_quote"><br></div><div class="gmail_quote"><div class="gmail_quote">[user@crontest root]$ crontab -l</div><div class="gmail_quote">You (user) are not allowed to use this program (crontab)</div><div class="gmail_quote">See crontab(1) for more information</div><div><br></div><div><br></div><div>I will test it on another system that runs srvctl based on rpm installation.</div><div><br></div></div><div class="gmail_quote">And, .. I will be on holidays the next 12 days, ... <br></div><div class="gmail_quote"><br></div><div class="gmail_quote">Greetings, ..</div><div class="gmail_quote"><br></div><div class="gmail_quote">On Thu, Oct 23, 2014 at 7:10 PM, Michael H.
Warfield <span dir="ltr"><<a href="mailto:mhw@wittsend.com" target="_blank">mhw@wittsend.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">On Thu, 2014-10-23 at 17:17 +0200, István Király wrote:<br>
> Hello Mike.<br>
><br>
><br>
> Host is Fedora 20 with kernel 3.16.4-200.fc20.x86_64<br>
><br>
><br>
> LXC: 1.0.6 compiled from latest release<br>
<br>
<br>
</span>Ooo??? LXC 1.0.6 is in the repositories. Any reason for not using the<br>
repo based LXC rpms?<br>
<br>
When you say "compiled from latest release", did you do a "configure ;<br>
make ; make install" or did you do a "configure ; make rpm ; yum<br>
localinstall" (the latter is preferred for maintainability and to avoid<br>
library skew).<br>
<span class=""><br>
> Host is fedora with SELinux disabled.<br>
<br>
</span>Ok... That setup matches mine exactly.<br>
<span class="">><br>
> Container was created with the fedora template but in an earlier<br>
> version of LXC.<br>
<br>
</span>That SHOULD be OK unless it was a very early version of LXC (like 0.8 or<br>
earlier).<br>
<span class="">><br>
> I'm not sure what you mean by container version. Containers are also<br>
> Fedora 20.<br>
<br>
</span>That's what I meant.<br>
<span class="">><br>
> Logged in with ssh. LXC is running on the background.<br>
<br>
</span>Matches what I'm doing... Are you logging in with a password or an<br>
SSH auth key? If the latter, does the user have a valid, non-expired,<br>
password?<br>
<span class="">><br>
> I just created a new test-container, added my user and it behaves<br>
> exactly the same.<br>
<br>
</span>Ok... How did you add your user? Just useradd and then run passwd to<br>
set the passwd? I'm seeing similar complaints when the user password is<br>
expired or locked but you can still connect using ssh via an ssh auth<br>
key.<br>
<span class=""><br>
> Without /etc/cron.allow<br>
> You (user) are not allowed to access to (crontab) because of pam<br>
> configuration.<br>
<br>
</span>Ok... This is what's not making any sense to me. That's saying<br>
"because of pam configuration" and I'm trying to understand WHAT pam<br>
configuration. I do see a potential problem in /etc/pam.d/crond that<br>
could impact cron jobs running (it's the session line referencing<br>
pam_loginuid.so that could blow up) but that should not affect running<br>
"crontab -e"<br>
<br>
Did you install any additional software after the container creation?<br>
<span class="">><br>
> With ALL (then newline) in /etc/cron.allow<br>
<br>
</span>This should not be necessary in any case...<br>
<span class="">><br>
> [user@crontest ~]$ crontab -e<br>
> You (user) are not allowed to use this program (crontab)<br>
> See crontab(1) for more information<br>
<br>
</span>What happens if you run "crontab -l"?<br>
<br>
Looking around, you might have something quirky going on with<br>
that /etc/pam.d/crond file after all.<br>
<br>
<a href="http://www.linuxquestions.org/questions/linux-security-4/failed-to-authorize-user-with-pam-permission-denied-4175492110/" target="_blank">http://www.linuxquestions.org/questions/linux-security-4/failed-to-authorize-user-with-pam-permission-denied-4175492110/</a><br>
<br>
Could try editing the "pam_access.so" line and setting that with debug<br>
to find out why it's being refused. While you're in there, comment out<br>
this line and see if it makes a difference:<br>
<br>
session required pam_loginuid.so<br>
<br>
The whole pam loginuid thing is a problem in containers. Doesn't<br>
explain why I don't see it though...<br>
<br>
> Thank you very much.<br>
><br>
Regards,<br>
Mike<br>
<div class=""><div class="h5"><br>
> Greetings, ...<br>
><br>
> On Thu, Oct 23, 2014 at 2:57 PM, Michael H. Warfield<br>
> <<a href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>> wrote:<br>
> On Thu, 2014-10-23 at 06:18 +0200, István Király wrote:<br>
> > Hello list, ..<br>
> ><br>
> ><br>
> > I noticed some strange behavior, that I could not resolve so<br>
> far,<br>
> > regarding cron and crontab.<br>
> ><br>
> ><br>
> > [user@container]$ crontab -e<br>
> > You (user) are not allowed to access to (crontab) because of<br>
> pam<br>
> > configuration.<br>
> ><br>
> ><br>
> > While digging in, I created /etc/cron.allow and added ALL.<br>
> The<br>
> > message changed to:<br>
> ><br>
> ><br>
> > You (user) are not allowed to use this program (crontab)<br>
> > See crontab(1) for more information<br>
> ><br>
> ><br>
> > Google search didn't bring me closer to a solution.<br>
> ><br>
> ><br>
> > On a native fedora, crontab works out of the box, even<br>
> without a<br>
> > cron.allow file.<br>
> ><br>
> ><br>
> > If someone has ideas / suggestions, I would look at them.<br>
><br>
> It's working fine here with all my Fedora containers of<br>
> various vintage<br>
> (all Fedora hosts).<br>
><br>
> 1) What is the host distro and version?<br>
><br>
> 2) What is the container version?<br>
><br>
> 3) If the host is Ubuntu or Debian, are you running with<br>
> apparmor<br>
> enabled and have you set lxc.aa_profile = unconfined in the<br>
> container<br>
> config?<br>
><br>
> 4) How did you create the container (lxc-create, hand rolled,<br>
> fedora<br>
> template, download template)?<br>
><br>
> 5) Version of LXC in the host?<br>
><br>
> 6) How are you logged in? From lxc-start in foreground? From<br>
> lxc-console? From ssh connection?<br>
><br>
> > Greetings, ...<br>
> ><br>
> ><br>
> > --<br>
> > Király István<br>
> > <a href="tel:%2B36%20209%20753%20758" value="+36209753758">+36 209 753 758</a><br>
> > LaKing@D250.hu<br>
><br>
> Regards,<br>
> Mike<br>
> --<br>
> Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20978-7061" value="+17709787061">(770) 978-7061</a> |<br>
> mhw@WittsEnd.com<br>
> /\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> |<br>
> <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
> NIC whois: MHW9 | An optimist believes we live in<br>
> the best of all<br>
> PGP Key: 0x674627FF | possible worlds. A pessimist is<br>
> sure of it!<br>
><br>
><br>
> _______________________________________________<br>
> lxc-users mailing list<br>
> <a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a><br>
> <a href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a><br>
><br>
><br>
><br>
><br>
> --<br>
> Király István<br>
> <a href="tel:%2B36%20209%20753%20758" value="+36209753758">+36 209 753 758</a><br>
> LaKing@D250.hu<br>
><br>
><br>
<br>
--<br>
Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20978-7061" value="+17709787061">(770) 978-7061</a> | mhw@WittsEnd.com<br>
/\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
<br>
</div></div><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><div style="text-align:left"><font size="4">Király </font><span style="font-size:large">István</span></div><div style="text-align:left"><font>+36 209 753 758</font></div><div style="text-align:left"><font><a href="mailto:LaKing@D250.hu" target="_blank">LaKing@D250.hu</a></font></div><div style="text-align:left"><a href="http://d250.hu" target="_blank"><img src="http://laking.d250.hu/lab.png"></a><br></div></div>
</div></div>
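A check for the two conditions raised in the quoted reply above (a locked or expired password behind an SSH-key login, and the `session required pam_loginuid.so` line in a PAM service file), added here as an example and not part of either message. The shadow entries, PAM lines and function names are constructed, and the ageing test is a simplified reading of shadow(5), not pam_unix's own logic.

```shell
#!/bin/sh
# Constructed sample data throughout. TODAY is 2014-10-23 expressed as days
# since 1970-01-01, the unit shadow(5) uses for its date fields.
TODAY=16366

# shadow_state ENTRY TODAY -> prints "<name> <locked|expired|must-change|ok>"
shadow_state() {
    # Split the colon-separated shadow(5) fields of one entry.
    IFS=: read -r name pw lastchg min max warn inactive expire rest <<EOF
$1
EOF
    case "$pw" in
        '!'*|'*'*) state=locked ;;   # e.g. "!!" left by useradd with no passwd run
        *)
            if [ -n "$expire" ] && [ "$2" -ge "$expire" ]; then
                state=expired        # account expiry date reached
            elif [ "$lastchg" = 0 ]; then
                state=must-change    # password change forced at next login
            elif [ -n "$lastchg" ] && [ -n "$max" ] &&
                 [ $(( $2 - lastchg )) -gt "$max" ]; then
                state=expired        # password older than its maximum age
            else
                state=ok
            fi ;;
    esac
    echo "$name $state"
}

# has_required_loginuid FILE -> exit 0 if an active (uncommented)
# "session required pam_loginuid.so" line is present in FILE.
has_required_loginuid() {
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_loginuid\.so' "$1"
}

# Demo on constructed shadow entries (HASH stands in for a real hash).
while read -r entry; do shadow_state "$entry" "$TODAY"; done <<'EOF'
alice:HASH:16300:0:99999:7:::
bob:!!:16366:0:99999:7:::
carol:HASH:16000:0:90:7:::
dave:HASH:0:0:99999:7:::
EOF

# Demo on a constructed PAM service file.
pam_sample=$(mktemp)
printf 'account    required   pam_access.so\nsession    required   pam_loginuid.so\n' >"$pam_sample"
has_required_loginuid "$pam_sample" && echo "pam_loginuid is required in the session stack"
rm -f "$pam_sample"
```

Inside a container, the same functions can be pointed at the real `/etc/shadow` (as root) and `/etc/pam.d/crond` instead of the constructed samples.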