[lxc-devel] [PATCH 4/4] oracle template: fix pam login failures under user namespace

Michael H. Warfield mhw at WittsEnd.com
Tue Nov 19 22:00:50 UTC 2013


On Mon, 2013-11-18 at 12:28 -0500, Dwight Engen wrote: 
> Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
> ---
>  templates/lxc-oracle.in | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
> index e86f261..8770e70 100644
> --- a/templates/lxc-oracle.in
> +++ b/templates/lxc-oracle.in
> @@ -72,6 +72,10 @@ container_rootfs_configure()
>      fi
>      sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*close|#session required pam_selinux.so close|' $container_rootfs/etc/pam.d/login
>      sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*open|#session required pam_selinux.so open|' $container_rootfs/etc/pam.d/login
> +
> +    # setting /proc/$$/loginuid doesn't work under user namespace, which
> +    # prevents logins from working
> +    sed -i 's|session[ \t]*required[ \t]*pam_loginuid.so|#session required pam_loginuid.so|' $container_rootfs/etc/pam.d/sshd
>      sed -i 's|session[ \t]*required[ \t]*pam_loginuid.so|#session required pam_loginuid.so|' $container_rootfs/etc/pam.d/login
>  
>      if [ -f $container_rootfs/usr/sbin/selinuxenabled ]; then
> @@ -83,6 +87,11 @@ container_rootfs_configure()
>      sed -i 's|cat /proc/self/attr/current|cat /proc/self/attr/current 2>/dev/null|' $container_rootfs/etc/rc.sysinit
>      sed -i 's|cat /proc/self/attr/current|cat /proc/self/attr/current 2>/dev/null|' $container_rootfs/etc/rc.d/rc.sysinit
>  
> +    # on ol4 pam_limits prevents logins when using user namespaces
> +    if [ $container_release_major = "4" ]; then
> +        sed -i 's|session[ \t]*required[ \t]*/lib/security/\$ISA/pam_limits.so|#session required /lib/security/$ISA/pam_limits.so|' $container_rootfs/etc/pam.d/system-auth
> +    fi
> +
>      # configure the network to use dhcp. we set DHCP_HOSTNAME so the guest
>      # will report its name and be resolv'able by the hosts dnsmasq
>      cat <<EOF > $container_rootfs/etc/sysconfig/network-scripts/ifcfg-eth0
> -- 
> 1.8.3.1

Crap.  I need to do this in the Fedora template as well.

Thanks!

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20131119/73b005ce/attachment.pgp>


More information about the lxc-devel mailing list