[lxc-devel] [PATCH 1/3] Fix version checking and deal with pam_loginuid in CentOS template.
Stéphane Graber
stgraber at ubuntu.com
Wed Dec 25 16:20:46 UTC 2013
On Thu, Dec 19, 2013 at 09:23:44PM -0500, Michael H. Warfield wrote:
> On Thu, 2013-12-19 at 22:17 +0100, Stéphane Graber wrote:
> > On Thu, Dec 19, 2013 at 11:36:08AM -0500, Michael H. Warfield wrote:
> > > Fix version checking and deal with pam_loginuid in CentOS template.
> > >
> > > This deals with a reported issue when running and building containers
> > > on a CentOS host system.
> > >
> > > Fixed various typos in version checking when running on a CentOS system.
> > > Added logic for differences between point releases (6.5) and rolling (6).
> > > Added version detection logic when running on RHEL systems as well.
> > > Fixed cpe detection string (CentOS is not adhering to their own registration).
> > > Added logic to disable the pam_loginuid.so binary in containers.
> > >
> > > Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>
> > > ---
> > > templates/lxc-centos.in | 68 ++++++++++++++++++++++++++++++++++++++++++++-----
> > > 1 file changed, 62 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
> > > index 95802dc..7d47715 100644
> > > --- a/templates/lxc-centos.in
> > > +++ b/templates/lxc-centos.in
> > > @@ -54,17 +54,34 @@ fi
> > > if [ "${CPE_NAME}" = "" -a -e /etc/system-release-cpe ]
> > > then
> > > CPE_NAME=$(head -n1 /etc/system-release-cpe)
> > > - CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:*]\)')
> > > + CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:]*\)')
> > > if [ "${CPE_URI}" != "cpe:/o" ]
> > > then
> > > CPE_NAME=
> > > else
> > > - echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}"
> > > # Probably a better way to do this but sill remain posix
> > > # compatible but this works, shrug...
> > > # Must be nice and not introduce convenient bashisms here.
> > > + #
> > > + # According to the official registration at Mitre and NIST,
> > > + # this should have been something like this for CentOS:
> > > + # cpe:/o:centos:centos:6
> > > + # or this:
> > > + # cpe:/o:centos:centos:6.5
> > > + #
> > > ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:\([^:]*\)')
> > > + # The "enterprise_linux" is a bone toss back to RHEL.
> > > + # Since CentOS and RHEL are so tightly coupled, we'll
> > > + # take the RHEL version if we're running on it and do the
> > > + # equivalent version for CentOS.
> > > + if [ ${ID} = "linux" -o ${ID} = "enterprise_linux" ]
> > > + then
> > > + # Instead we got this: cpe:/o:centos:linux:6
> > > + ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:\([^:]*\)')
> > > + fi
> > > +
> > > VERSION_ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:[^:]*:\([^:]*\)')
> > > + echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}"
> > > fi
> > > fi
> > >
> > > @@ -72,10 +89,14 @@ if [ "${CPE_NAME}" != "" -a "${ID}" = "centos" -a "${VERSION_ID}" != "" ]
> > > then
> > > centos_host_ver=${VERSION_ID}
> > > is_centos=true
> > > -elif [ -e /etc/redhat-release ]
> > > +elif [ "${CPE_NAME}" != "" -a "${ID}" = "redhat" -a "${VERSION_ID}" != "" ]
> > > +then
> > > + redhat_host_ver=${VERSION_ID}
> > > + is_redhat=true
> > > +elif [ -e /etc/centos-release ]
> > > then
> > > # Only if all other methods fail, try to parse the redhat-release file.
> > > - centos_host_ver=$( sed -e '/^CentOS /!d' -e 's/CentOS*\srelease\s*\([0-9][0-9]*\)\s.*/\1/' < /etc/redhat-release )
> > > + centos_host_ver=$( sed -e '/^CentOS /!d' -e 's/CentOS.*\srelease\s*\([0-9][0-9.]*\)\s.*/\1/' < /etc/centos-release )
> > > if [ "$centos_host_ver" != "" ]
> > > then
> > > is_centos=true
> > > @@ -130,6 +151,32 @@ configure_centos()
> > > sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login
> > > sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd
> > >
> > > + if [ -f ${rootfs_path}/etc/pam.d/crond ]
> > > + then
> > > + sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/crond
> > > + fi
> > > +
> > > + # In addition to disabling pam_loginuid in the above config files
> > > + # we'll also disable it by linking it to pam_permit to catch any
> > > + # we missed or any that get installed after the container is built.
> > > + #
> > > + # Catch either or both 32 and 64 bit archs.
> > > + if [ -f ${rootfs_path}/lib/security/pam_loginuid.so ]
> > > + then
> > > + ( cd ${rootfs_path}/lib/security/
> > > + mv pam_loginuid.so pam_loginuid.so.disabled
> > > + ln -s pam_permit.so pam_loginuid.so
> > > + )
> > > + fi
> > > +
> > > + if [ -f ${rootfs_path}/lib64/security/pam_loginuid.so ]
> > > + then
> > > + ( cd ${rootfs_path}/lib64/security/
> > > + mv pam_loginuid.so pam_loginuid.so.disabled
> > > + ln -s pam_permit.so pam_loginuid.so
> > > + )
> > > + fi
>
> > So what happens next time there's a bugfix or security release of pam?
>
> Nothing worse that what happens already. We've got a problem here and
> the crond package highlighted it. Was Dwight's suggestion. Currently,
> that module will not function in a container and it's documented in a
> RedHat bug. Maybe, next time they up date it, someone will have a
> solution.
>
> > In dpkg we've got dpkg-divert that can be used for those cases, what's
> > the rpm equivalent to that feature (tell the package manager to write
> > /path/a to /path/b and leave /path/a to the local administrator)?
>
> That's a good question. I wasn't aware of that. Normally, we've got
> epohs and all to block packages. I'll have to give that some thought.
> ITMT, this is the best the two of us have come up with. I'm open to
> suggestions...
>
I don't know RedHat enough to give suggestions, so long as you're aware
of the problem, I'm fine with the change. I really wish all distros
would have the same policy as Ubuntu where we want clean installs
(identical to those done on hardware) to work in LXC and have
dist-uprades working too but I know it's a bit unrealistic at this
point...
Anyway:
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> > > +
> > > # configure the network using the dhcp
> > > cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
> > > DEVICE=eth0
> > > @@ -543,15 +590,24 @@ fi
> > > if [ -z "$release" ]; then
> > > if [ "$is_centos" -a "$centos_host_ver" ]; then
> > > release=$centos_host_ver
> > > + elif [ "$is_redhat" -a "$redhat_host_ver" ]; then
> > > + # This is needed to clean out bullshit like 6workstation and 6server.
> > > + release=$(expr $redhat_host_ver : '\([0-9.]*\)')
> > > else
> > > - echo "This is not a centos host and release missing, defaulting to 6 use -R|--release to specify release"
> > > + echo "This is not a CentOS or Redhat host and release is missing, defaulting to 6 use -R|--release to specify release"
> > > release=6
> > > fi
> > > fi
> > >
> > > # CentOS 7 and above should run systemd. We need autodev enabled to keep
> > > # systemd from causing problems.
> > > -if [ $release -gt 6 ]; then
> > > +#
> > > +# There is some ambiguity here due to the differnce between versioning
> > > +# of point specific releases such as 6.5 and the rolling release 6. We
> > > +# only want the major number here if it's a point release...
> > > +
> > > +mrelease=$(expr $release : '\([0-9]*\)')
> > > +if [ $mrelease -gt 6 ]; then
> > > auto_dev="1"
> > > else
> > > auto_dev="0"
> > > --
> > > 1.8.3.1
> > >
> > >
> > >
> > >
> > > --
> > > Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
> > > /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> > > NIC whois: MHW9 | An optimist believes we live in the best of all
> > > PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
> > >
> >
> >
> >
> > > _______________________________________________
> > > lxc-devel mailing list
> > > lxc-devel at lists.linuxcontainers.org
> > > http://lists.linuxcontainers.org/listinfo/lxc-devel
> >
> >
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
>
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20131225/1dcf375d/attachment.pgp>
More information about the lxc-devel
mailing list