[lxc-devel] [PATCH 1/3] Fix version checking and deal with pam_loginuid in CentOS template.

Michael H. Warfield mhw at WittsEnd.com
Fri Dec 20 02:23:44 UTC 2013


On Thu, 2013-12-19 at 22:17 +0100, Stéphane Graber wrote: 
> On Thu, Dec 19, 2013 at 11:36:08AM -0500, Michael H. Warfield wrote:
> > Fix version checking and deal with pam_loginuid in CentOS template.
> > 
> > This deals with a reported issue when running and building containers
> > on a CentOS host system.
> > 
> > Fixed various typos in version checking when running on a CentOS system.
> > Added logic for differences between point releases (6.5) and rolling (6).
> > Added version detection logic when running on RHEL systems as well.
> > Fixed cpe detection string (CentOS is not adhering to their own registration).
> > Added logic to disable the pam_loginuid.so binary in containers.
> > 
> > Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>
> > ---
> >  templates/lxc-centos.in | 68 ++++++++++++++++++++++++++++++++++++++++++++-----
> >  1 file changed, 62 insertions(+), 6 deletions(-)
> > 
> > diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
> > index 95802dc..7d47715 100644
> > --- a/templates/lxc-centos.in
> > +++ b/templates/lxc-centos.in
> > @@ -54,17 +54,34 @@ fi
> >  if [ "${CPE_NAME}" = "" -a -e /etc/system-release-cpe ]
> >  then
> >      CPE_NAME=$(head -n1 /etc/system-release-cpe)
> > -    CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:*]\)')
> > +    CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:]*\)')
> >      if [ "${CPE_URI}" != "cpe:/o" ]
> >      then
> >          CPE_NAME=
> >      else
> > -        echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}"
> >          # Probably a better way to do this but sill remain posix
> >          # compatible but this works, shrug...
> >          # Must be nice and not introduce convenient bashisms here.
> > +        #
> > +        # According to the official registration at Mitre and NIST,
> > +        # this should have been something like this for CentOS:
> > +        #    cpe:/o:centos:centos:6
> > +        # or this:
> > +        #    cpe:/o:centos:centos:6.5
> > +        #
> >          ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:\([^:]*\)')
> > +        # The "enterprise_linux" is a bone toss back to RHEL.
> > +        # Since CentOS and RHEL are so tightly coupled, we'll
> > +        # take the RHEL version if we're running on it and do the
> > +        # equivalent version for CentOS.
> > +        if [ ${ID} = "linux" -o ${ID} = "enterprise_linux" ]
> > +        then
> > +                # Instead we got this: cpe:/o:centos:linux:6
> > +                ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:\([^:]*\)')
> > +        fi
> > +
> >          VERSION_ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:[^:]*:\([^:]*\)')
> > +        echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}"
> >      fi
> >  fi
> >  
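Review bot: the new test `if [ ${ID} = "linux" -o ${ID} = "enterprise_linux" ]` leaves `${ID}` unquoted, so a CPE string with fewer than four colon-separated fields gives an empty ID and `[` fails with a syntax error instead of taking the else branch; quote it as `"${ID}"`, as the test just above it (`[ "${CPE_URI}" != "cpe:/o" ]`) already does. Moving the `echo "Host CPE ID..."` below the parsing is fine, and the fallback `expr ${CPE_NAME} : '[^:]*:[^:]*:\([^:]*\)'` does pick the third field ("centos" for `cpe:/o:centos:linux:6`, "redhat" for a RHEL string with `enterprise_linux`), which is what the later `"${ID}" = "redhat"` test expects. Minor: the untouched context comment still reads "sill remain posix" (typo for "still").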
> > @@ -72,10 +89,14 @@ if [ "${CPE_NAME}" != "" -a "${ID}" = "centos" -a "${VERSION_ID}" != "" ]
> >  then
> >      centos_host_ver=${VERSION_ID}
> >      is_centos=true
> > -elif [ -e /etc/redhat-release ]
> > +elif [ "${CPE_NAME}" != "" -a "${ID}" = "redhat" -a "${VERSION_ID}" != "" ]
> > +then
> > +    redhat_host_ver=${VERSION_ID}
> > +    is_redhat=true
> > +elif [ -e /etc/centos-release ]
> >  then
> >      # Only if all other methods fail, try to parse the redhat-release file.
> > -    centos_host_ver=$( sed -e '/^CentOS /!d' -e 's/CentOS*\srelease\s*\([0-9][0-9]*\)\s.*/\1/' < /etc/redhat-release )
> > +    centos_host_ver=$( sed -e '/^CentOS /!d' -e 's/CentOS.*\srelease\s*\([0-9][0-9.]*\)\s.*/\1/' < /etc/centos-release )
> >      if [ "$centos_host_ver" != "" ]
> >      then
> >          is_centos=true
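Review bot: the comment "try to parse the redhat-release file" no longer matches the code, which now tests for and reads /etc/centos-release; update it. The change also narrows the fallback: a CentOS host that has /etc/redhat-release but no /etc/centos-release, and any RHEL host lacking /etc/system-release-cpe, now gets no host version at all and lands on the hard-coded default of 6 in the last hunk. Keeping /etc/redhat-release as a second fallback (with a pattern that also accepts "Red Hat Enterprise Linux") would avoid that. Also note that `\s` in the sed expression is a GNU extension, which sits awkwardly with the POSIX-compatibility comments in the first hunk (the old line had the same issue).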
> > @@ -130,6 +151,32 @@ configure_centos()
> >      sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login
> >      sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd
> >  
> > +    if [ -f ${rootfs_path}/etc/pam.d/crond ]
> > +    then
> > +        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/crond
> > +    fi
> > +
> > +    # In addition to disabling pam_loginuid in the above config files
> > +    # we'll also disable it by linking it to pam_permit to catch any
> > +    # we missed or any that get installed after the container is built.
> > +    #
> > +    # Catch either or both 32 and 64 bit archs.
> > +    if [ -f ${rootfs_path}/lib/security/pam_loginuid.so ]
> > +    then
> > +        ( cd ${rootfs_path}/lib/security/
> > +        mv pam_loginuid.so pam_loginuid.so.disabled
> > +        ln -s pam_permit.so pam_loginuid.so
> > +        )
> > +    fi
> > +
> > +    if [ -f ${rootfs_path}/lib64/security/pam_loginuid.so ]
> > +    then
> > +        ( cd ${rootfs_path}/lib64/security/
> > +        mv pam_loginuid.so pam_loginuid.so.disabled
> > +        ln -s pam_permit.so pam_loginuid.so
> > +        )
> > +    fi

> So what happens next time there's a bugfix or security release of pam?

Nothing worse than what happens already.  We've got a problem here and
the crond package highlighted it.  It was Dwight's suggestion.  Currently,
that module will not function in a container and it's documented in a
RedHat bug.  Maybe, next time they update it, someone will have a
solution.

> In dpkg we've got dpkg-divert that can be used for those cases, what's
> the rpm equivalent to that feature (tell the package manager to write
> /path/a to /path/b and leave /path/a to the local administrator)?

That's a good question.  I wasn't aware of that.  Normally, we've got
epochs and all to block packages.  I'll have to give that some thought.
ITMT, this is the best the two of us have come up with.  I'm open to
suggestions...

> > +
> >     # configure the network using the dhcp
> >      cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
> >  DEVICE=eth0
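Review bot: the pam_loginuid replacement block in this hunk is not safe to run twice and has no error handling. `[ -f ... ]` follows symlinks, so a second run against the same rootfs renames the symlink itself to pam_loginuid.so.disabled, overwriting the saved original module, and the real pam_loginuid.so is gone; guard with `[ -f "$f" -a ! -L "$f" ]` (or skip when the .disabled backup already exists). Inside the subshell `cd` is not chained, so if the directory cannot be entered the `mv` and `ln -s` run in the caller's working directory; write it as `cd ${rootfs_path}/lib/security && mv ... && ln -s ...`. Because the symlink sits in a package-owned path, the next pam rpm update will simply overwrite it (the point raised in the reply), and the .disabled file is left behind with nothing recording why; at minimum echo what was done so the change is visible in the build log. Also worth stating in the comment: pam_permit.so unconditionally succeeds, so any `session required pam_loginuid.so` line becomes a no-op, which is the intent here but means no audit loginuid is ever set for sessions inside the container.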
> > @@ -543,15 +590,24 @@ fi
> >  if [ -z "$release" ]; then
> >      if [ "$is_centos" -a "$centos_host_ver" ]; then
> >          release=$centos_host_ver
> > +    elif [ "$is_redhat" -a "$redhat_host_ver" ]; then
> > +        # This is needed to clean out bullshit like 6workstation and 6server.
> > +        release=$(expr $redhat_host_ver : '\([0-9.]*\)')
> >      else
> > -        echo "This is not a centos host and release missing, defaulting to 6 use -R|--release to specify release"
> > +        echo "This is not a CentOS or Redhat host and release is missing, defaulting to 6 use -R|--release to specify release"
> >          release=6
> >      fi
> >  fi
> >  
> >  # CentOS 7 and above should run systemd.  We need autodev enabled to keep
> >  # systemd from causing problems.
> > -if [ $release -gt 6 ]; then
> > +#
> > +# There is some ambiguity here due to the differnce between versioning
> > +# of point specific releases such as 6.5 and the rolling release 6.  We
> > +# only want the major number here if it's a point release...
> > +
> > +mrelease=$(expr $release : '\([0-9]*\)')
> > +if [ $mrelease -gt 6 ]; then
> >      auto_dev="1"
> >  else
> >      auto_dev="0"
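Review bot: `mrelease=$(expr $release : '\([0-9]*\)')` is only safe when `$release` begins with a digit. A user-supplied `-R`/`--release` value such as `centos6`, or an empty value, yields an empty `mrelease`, and `[ $mrelease -gt 6 ]` then fails with "integer expression expected" (expr also exits 1 on an empty match, which would abort the script if it ever runs under `set -e`). Validate `$release` before this point, for example by rejecting anything not matching `[0-9][0-9.]*`, and quote `$release` and `$redhat_host_ver` in the `expr` calls. The `redhat_host_ver` stripping of suffixes like "6server" is reasonable, but the comment's wording could be toned down for a shipped template. Minor: "differnce" in the new comment.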
> > -- 
> > 1.8.3.1
> > 
> > 
> > 
> > 
> > -- 
> > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> >    NIC whois: MHW9          | An optimist believes we live in the best of all
> >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > 
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
