[lxc-devel] [PATCH 1/3] Fix version checking and deal with pam_loginuid in CentOS template.

Michael H. Warfield mhw at WittsEnd.com
Thu Dec 19 16:36:08 UTC 2013


Fix version checking and deal with pam_loginuid in CentOS template.

This deals with a reported issue when running and building containers
on a CentOS host system.

Fixed various typos in version checking when running on a CentOS system.
Added logic for differences between point releases (6.5) and rolling (6).
Added version detection logic when running on RHEL systems as well.
Fixed cpe detection string (CentOS is not adhering to their own registration).
Added logic to disable the pam_loginuid.so binary in containers.

Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>
---
 templates/lxc-centos.in | 68 ++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 62 insertions(+), 6 deletions(-)

diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
index 95802dc..7d47715 100644
--- a/templates/lxc-centos.in
+++ b/templates/lxc-centos.in
@@ -54,17 +54,34 @@ fi
 if [ "${CPE_NAME}" = "" -a -e /etc/system-release-cpe ]
 then
     CPE_NAME=$(head -n1 /etc/system-release-cpe)
-    CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:*]\)')
+    CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:]*\)')
     if [ "${CPE_URI}" != "cpe:/o" ]
     then
         CPE_NAME=
     else
-        echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}"
         # Probably a better way to do this but sill remain posix
         # compatible but this works, shrug...
         # Must be nice and not introduce convenient bashisms here.
+        #
+        # According to the official registration at Mitre and NIST,
+        # this should have been something like this for CentOS:
+        #    cpe:/o:centos:centos:6
+        # or this:
+        #    cpe:/o:centos:centos:6.5
+        #
         ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:\([^:]*\)')
+        # The "enterprise_linux" is a bone toss back to RHEL.
+        # Since CentOS and RHEL are so tightly coupled, we'll
+        # take the RHEL version if we're running on it and do the
+        # equivalent version for CentOS.
+        if [ ${ID} = "linux" -o ${ID} = "enterprise_linux" ]
+        then
+                # Instead we got this: cpe:/o:centos:linux:6
+                ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:\([^:]*\)')
+        fi
+
         VERSION_ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:[^:]*:\([^:]*\)')
+        echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}"
     fi
 fi
 
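Review bot: The new test at the `if [ ${ID} = "linux" -o ${ID} = "enterprise_linux" ]` line leaves `${ID}` unquoted, so when the preceding `expr` matches nothing (a CPE string with fewer than four colon-separated fields, which is exactly the malformed-registration case this hunk is working around) `ID` is empty and `[` sees `[ = linux -o = enterprise_linux ]` and aborts with a syntax error instead of falling through to the release-file detection. The sibling test a few lines up already quotes `"${CPE_URI}"`, so `if [ "${ID}" = "linux" -o "${ID}" = "enterprise_linux" ]` keeps the style consistent. For the same reason the `expr ${CPE_NAME} : ...` calls in this hunk should quote `"${CPE_NAME}"`, since the value comes straight from `/etc/system-release-cpe` without validation.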
@@ -72,10 +89,14 @@ if [ "${CPE_NAME}" != "" -a "${ID}" = "centos" -a "${VERSION_ID}" != "" ]
 then
     centos_host_ver=${VERSION_ID}
     is_centos=true
-elif [ -e /etc/redhat-release ]
+elif [ "${CPE_NAME}" != "" -a "${ID}" = "redhat" -a "${VERSION_ID}" != "" ]
+then
+    redhat_host_ver=${VERSION_ID}
+    is_redhat=true
+elif [ -e /etc/centos-release ]
 then
     # Only if all other methods fail, try to parse the redhat-release file.
-    centos_host_ver=$( sed -e '/^CentOS /!d' -e 's/CentOS*\srelease\s*\([0-9][0-9]*\)\s.*/\1/' < /etc/redhat-release )
+    centos_host_ver=$( sed -e '/^CentOS /!d' -e 's/CentOS.*\srelease\s*\([0-9][0-9.]*\)\s.*/\1/' < /etc/centos-release )
     if [ "$centos_host_ver" != "" ]
     then
         is_centos=true
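Review bot: The comment `# Only if all other methods fail, try to parse the redhat-release file.` is now stale, because the branch below it was changed to test and parse `/etc/centos-release`; a reader following the comment will look in the wrong file. It should read `# Only if all other methods fail, try to parse the centos-release file.` The enclosing `if`/`elif` chain continues past the end of this hunk.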
@@ -130,6 +151,32 @@ configure_centos()
     sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login
     sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd
 
+    if [ -f ${rootfs_path}/etc/pam.d/crond ]
+    then
+        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/crond
+    fi
+
+    # In addition to disabling pam_loginuid in the above config files
+    # we'll also disable it by linking it to pam_permit to catch any
+    # we missed or any that get installed after the container is built.
+    #
+    # Catch either or both 32 and 64 bit archs.
+    if [ -f ${rootfs_path}/lib/security/pam_loginuid.so ]
+    then
+        ( cd ${rootfs_path}/lib/security/
+        mv pam_loginuid.so pam_loginuid.so.disabled
+        ln -s pam_permit.so pam_loginuid.so
+        )
+    fi
+
+    if [ -f ${rootfs_path}/lib64/security/pam_loginuid.so ]
+    then
+        ( cd ${rootfs_path}/lib64/security/
+        mv pam_loginuid.so pam_loginuid.so.disabled
+        ln -s pam_permit.so pam_loginuid.so
+        )
+    fi
+
    # configure the network using the dhcp
     cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
 DEVICE=eth0
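Review bot: In both new subshells the `cd ${rootfs_path}/lib/security/` result is not checked, so if `cd` fails (unquoted path with a space, or a permission problem) the following `mv pam_loginuid.so pam_loginuid.so.disabled` and `ln -s pam_permit.so pam_loginuid.so` run in whatever the template's current directory happens to be; as this runs as root against a build tree, that is a silent write to the wrong location. Chaining the three commands with `&&` confines the rename/symlink to the intended directory, and quoting `"${rootfs_path}"` removes the word-splitting case. The two blocks are identical apart from `lib`/`lib64`, so a POSIX `for` loop over the two library directories avoids maintaining the fix twice; the rewrite below replaces the two `if [ -f ... ]` blocks. `configure_centos()` starts before this hunk and continues after it.
```shell
    # Catch either or both 32 and 64 bit archs.
    for libdir in lib lib64
    do
        if [ -f "${rootfs_path}/${libdir}/security/pam_loginuid.so" ]
        then
            ( cd "${rootfs_path}/${libdir}/security/" &&
              mv pam_loginuid.so pam_loginuid.so.disabled &&
              ln -s pam_permit.so pam_loginuid.so
            ) || echo "Failed to disable pam_loginuid.so in ${libdir}/security" >&2
        fi
    done
    # … unchanged: network configuration via dhcp …
```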
@@ -543,15 +590,24 @@ fi
 if [ -z "$release" ]; then
     if [ "$is_centos" -a "$centos_host_ver" ]; then
         release=$centos_host_ver
+    elif [ "$is_redhat" -a "$redhat_host_ver" ]; then
+        # This is needed to clean out bullshit like 6workstation and 6server.
+        release=$(expr $redhat_host_ver : '\([0-9.]*\)')
     else
-        echo "This is not a centos host and release missing, defaulting to 6 use -R|--release to specify release"
+        echo "This is not a CentOS or Redhat host and release is missing, defaulting to 6 use -R|--release to specify release"
         release=6
     fi
 fi
 
 # CentOS 7 and above should run systemd.  We need autodev enabled to keep
 # systemd from causing problems.
-if [ $release -gt 6 ]; then
+#
+# There is some ambiguity here due to the differnce between versioning
+# of point specific releases such as 6.5 and the rolling release 6.  We
+# only want the major number here if it's a point release...
+
+mrelease=$(expr $release : '\([0-9]*\)')
+if [ $mrelease -gt 6 ]; then
     auto_dev="1"
 else
     auto_dev="0"
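Review bot: `mrelease` is tested unquoted in `if [ $mrelease -gt 6 ]`, and `release` can come from the user's `-R|--release` argument (or from the new `expr` on `redhat_host_ver`); when it has no leading digit `expr` prints nothing, `mrelease` is empty, and the test becomes `[ -gt 6 ]`, which fails with a shell syntax error rather than a usable message. Quoting and validating first gives a clear failure: `mrelease=$(expr "$release" : '\([0-9]*\)')`, `[ -n "$mrelease" ] || { echo "Invalid release: $release" >&2; exit 1; }`, `if [ "$mrelease" -gt 6 ]; then`. The added comment also has a typo, `differnce` for `difference`. The `if`/`else` on `auto_dev` closes outside this hunk.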
-- 
1.8.3.1




-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!


