[lxc-devel] [PATCH 1/3] Fix version checking and deal with pam_loginuid in CentOS template.

Stéphane Graber stgraber at ubuntu.com
Wed Dec 25 16:20:46 UTC 2013 

On Thu, Dec 19, 2013 at 09:23:44PM -0500, Michael H. Warfield wrote:
> On Thu, 2013-12-19 at 22:17 +0100, Stéphane Graber wrote: 
> > On Thu, Dec 19, 2013 at 11:36:08AM -0500, Michael H. Warfield wrote:
> > > Fix version checking and deal with pam_loginuid in CentOS template.
> > > 
> > > This deals with a reported issue when running and building containers
> > > on a CentOS host system.
> > > 
> > > Fixed various typos in version checking when running on a CentOS system.
> > > Added logic for differences between point releases (6.5) and rolling (6).
> > > Added version detection logic when running on RHEL systems as well.
> > > Fixed cpe detection string (CentOS is not adhering to their own registration).
> > > Added logic to disable the pam_loginuid.so binary in containers.
> > > 
> > > Signed-off-by: Michael H. Warfield <mhw at WittsEnd.com>
> > > ---
> > >  templates/lxc-centos.in | 68 ++++++++++++++++++++++++++++++++++++++++++++-----
> > >  1 file changed, 62 insertions(+), 6 deletions(-)
> > > 
> > > diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
> > > index 95802dc..7d47715 100644
> > > --- a/templates/lxc-centos.in
> > > +++ b/templates/lxc-centos.in
> > > @@ -54,17 +54,34 @@ fi
> > >  if [ "${CPE_NAME}" = "" -a -e /etc/system-release-cpe ]
> > >  then
> > >      CPE_NAME=$(head -n1 /etc/system-release-cpe)
> > > -    CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:*]\)')
> > > +    CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:]*\)')
> > >      if [ "${CPE_URI}" != "cpe:/o" ]
> > >      then
> > >          CPE_NAME=
> > >      else
> > > -        echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}"
> > >          # Probably a better way to do this but sill remain posix
> > >          # compatible but this works, shrug...
> > >          # Must be nice and not introduce convenient bashisms here.
> > > +        #
> > > +        # According to the official registration at Mitre and NIST,
> > > +        # this should have been something like this for CentOS:
> > > +        #    cpe:/o:centos:centos:6
> > > +        # or this:
> > > +        #    cpe:/o:centos:centos:6.5
> > > +        #
> > >          ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:\([^:]*\)')
> > > +        # The "enterprise_linux" is a bone toss back to RHEL.
> > > +        # Since CentOS and RHEL are so tightly coupled, we'll
> > > +        # take the RHEL version if we're running on it and do the
> > > +        # equivalent version for CentOS.
> > > +        if [ ${ID} = "linux" -o ${ID} = "enterprise_linux" ]
> > > +        then
> > > +                # Instead we got this: cpe:/o:centos:linux:6
> > > +                ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:\([^:]*\)')
> > > +        fi
> > > +
> > >          VERSION_ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:[^:]*:\([^:]*\)')
> > > +        echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}"
> > >      fi
> > >  fi
> > >  
> > > @@ -72,10 +89,14 @@ if [ "${CPE_NAME}" != "" -a "${ID}" = "centos" -a "${VERSION_ID}" != "" ]
> > >  then
> > >      centos_host_ver=${VERSION_ID}
> > >      is_centos=true
> > > -elif [ -e /etc/redhat-release ]
> > > +elif [ "${CPE_NAME}" != "" -a "${ID}" = "redhat" -a "${VERSION_ID}" != "" ]
> > > +then
> > > +    redhat_host_ver=${VERSION_ID}
> > > +    is_redhat=true
> > > +elif [ -e /etc/centos-release ]
> > >  then
> > >      # Only if all other methods fail, try to parse the redhat-release file.
> > > -    centos_host_ver=$( sed -e '/^CentOS /!d' -e 's/CentOS*\srelease\s*\([0-9][0-9]*\)\s.*/\1/' < /etc/redhat-release )
> > > +    centos_host_ver=$( sed -e '/^CentOS /!d' -e 's/CentOS.*\srelease\s*\([0-9][0-9.]*\)\s.*/\1/' < /etc/centos-release )
> > >      if [ "$centos_host_ver" != "" ]
> > >      then
> > >          is_centos=true
> > > @@ -130,6 +151,32 @@ configure_centos()
> > >      sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login
> > >      sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd
> > >  
> > > +    if [ -f ${rootfs_path}/etc/pam.d/crond ]
> > > +    then
> > > +        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/crond
> > > +    fi
> > > +
> > > +    # In addition to disabling pam_loginuid in the above config files
> > > +    # we'll also disable it by linking it to pam_permit to catch any
> > > +    # we missed or any that get installed after the container is built.
> > > +    #
> > > +    # Catch either or both 32 and 64 bit archs.
> > > +    if [ -f ${rootfs_path}/lib/security/pam_loginuid.so ]
> > > +    then
> > > +        ( cd ${rootfs_path}/lib/security/
> > > +        mv pam_loginuid.so pam_loginuid.so.disabled
> > > +        ln -s pam_permit.so pam_loginuid.so
> > > +        )
> > > +    fi
> > > +
> > > +    if [ -f ${rootfs_path}/lib64/security/pam_loginuid.so ]
> > > +    then
> > > +        ( cd ${rootfs_path}/lib64/security/
> > > +        mv pam_loginuid.so pam_loginuid.so.disabled
> > > +        ln -s pam_permit.so pam_loginuid.so
> > > +        )
> > > +    fi
> 
> > So what happens next time there's a bugfix or security release of pam?
> 
> Nothing worse that what happens already.  We've got a problem here and
> the crond package highlighted it.  Was Dwight's suggestion.  Currently,
> that module will not function in a container and it's documented in a
> RedHat bug.  Maybe, next time they up date it, someone will have a
> solution.
> 
> > In dpkg we've got dpkg-divert that can be used for those cases, what's
> > the rpm equivalent to that feature (tell the package manager to write
> > /path/a to /path/b and leave /path/a to the local administrator)?
> 
> That's a good question.  I wasn't aware of that.  Normally, we've got
> epohs and all to block packages.  I'll have to give that some thought.
> ITMT, this is the best the two of us have come up with.  I'm open to
> suggestions...
> 

I don't know RedHat enough to give suggestions, so long as you're aware
of the problem, I'm fine with the change. I really wish all distros
would have the same policy as Ubuntu where we want clean installs
(identical to those done on hardware) to work in LXC and have
dist-uprades working too but I know it's a bit unrealistic at this
point...


Anyway:
Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> > > +
> > >     # configure the network using the dhcp
> > >      cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
> > >  DEVICE=eth0
> > > @@ -543,15 +590,24 @@ fi
> > >  if [ -z "$release" ]; then
> > >      if [ "$is_centos" -a "$centos_host_ver" ]; then
> > >          release=$centos_host_ver
> > > +    elif [ "$is_redhat" -a "$redhat_host_ver" ]; then
> > > +        # This is needed to clean out bullshit like 6workstation and 6server.
> > > +        release=$(expr $redhat_host_ver : '\([0-9.]*\)')
> > >      else
> > > -        echo "This is not a centos host and release missing, defaulting to 6 use -R|--release to specify release"
> > > +        echo "This is not a CentOS or Redhat host and release is missing, defaulting to 6 use -R|--release to specify release"
> > >          release=6
> > >      fi
> > >  fi
> > >  
> > >  # CentOS 7 and above should run systemd.  We need autodev enabled to keep
> > >  # systemd from causing problems.
> > > -if [ $release -gt 6 ]; then
> > > +#
> > > +# There is some ambiguity here due to the differnce between versioning
> > > +# of point specific releases such as 6.5 and the rolling release 6.  We
> > > +# only want the major number here if it's a point release...
> > > +
> > > +mrelease=$(expr $release : '\([0-9]*\)')
> > > +if [ $mrelease -gt 6 ]; then
> > >      auto_dev="1"
> > >  else
> > >      auto_dev="0"
> > > -- 
> > > 1.8.3.1
> > > 
> > > 
> > > 
> > > 
> > > -- 
> > > Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
> > >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> > >    NIC whois: MHW9          | An optimist believes we live in the best of all
> > >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> > > 
> > 
> > 
> > 
> > > _______________________________________________
> > > lxc-devel mailing list
> > > lxc-devel at lists.linuxcontainers.org
> > > http://lists.linuxcontainers.org/listinfo/lxc-devel
> > 
> > 
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
> 
> -- 
> Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> 



> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20131225/1dcf375d/attachment.pgp>

More information about the lxc-devel mailing list