[lxc-devel] [PATCH 4/4] oracle template: fix pam login failures under user namespace
Michael H. Warfield
mhw at WittsEnd.com
Tue Nov 19 22:00:50 UTC 2013
On Mon, 2013-11-18 at 12:28 -0500, Dwight Engen wrote:
> Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
> ---
> templates/lxc-oracle.in | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
> index e86f261..8770e70 100644
> --- a/templates/lxc-oracle.in
> +++ b/templates/lxc-oracle.in
> @@ -72,6 +72,10 @@ container_rootfs_configure()
> fi
> sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*close|#session required pam_selinux.so close|' $container_rootfs/etc/pam.d/login
> sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*open|#session required pam_selinux.so open|' $container_rootfs/etc/pam.d/login
> +
> + # setting /proc/$$/loginuid doesn't work under user namespace, which
> + # prevents logins from working
> + sed -i 's|session[ \t]*required[ \t]*pam_loginuid.so|#session required pam_loginuid.so|' $container_rootfs/etc/pam.d/sshd
> sed -i 's|session[ \t]*required[ \t]*pam_loginuid.so|#session required pam_loginuid.so|' $container_rootfs/etc/pam.d/login
>
> if [ -f $container_rootfs/usr/sbin/selinuxenabled ]; then
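Review bot: The two pam_loginuid.so substitutions in this hunk run for every container the template builds, while the comment above them ties the login failure to user namespaces only. With the module commented out, /proc/$$/loginuid is never set at login, so containers that do not use a user namespace lose that audit attribution as well. Either make the edit conditional on the container using a user namespace, or extend the comment to say the module is disabled unconditionally and why. Separately, the new sed -i on $container_rootfs/etc/pam.d/sshd has no existence check, unlike the `[ -f ... ]` guard used for selinuxenabled just below; a rootfs without that file will produce a sed error, so guard it with `[ -f $container_rootfs/etc/pam.d/sshd ]`.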
> @@ -83,6 +87,11 @@ container_rootfs_configure()
> sed -i 's|cat /proc/self/attr/current|cat /proc/self/attr/current 2>/dev/null|' $container_rootfs/etc/rc.sysinit
> sed -i 's|cat /proc/self/attr/current|cat /proc/self/attr/current 2>/dev/null|' $container_rootfs/etc/rc.d/rc.sysinit
>
> + # on ol4 pam_limits prevents logins when using user namespaces
> + if [ $container_release_major = "4" ]; then
> + sed -i 's|session[ \t]*required[ \t]*/lib/security/\$ISA/pam_limits.so|#session required /lib/security/$ISA/pam_limits.so|' $container_rootfs/etc/pam.d/system-auth
> + fi
> +
> # configure the network to use dhcp. we set DHCP_HOSTNAME so the guest
> # will report its name and be resolv'able by the hosts dnsmasq
> cat <<EOF > $container_rootfs/etc/sysconfig/network-scripts/ifcfg-eth0
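Review bot: In the ol4 block, `[ $container_release_major = "4" ]` leaves the variable unquoted, so an empty or unset value makes the test itself fail with an error instead of evaluating cleanly to false; write `[ "$container_release_major" = "4" ]`. The condition also keys only on the release, while the comment says the problem occurs when using user namespaces, so pam_limits.so is commented out of system-auth for every ol4 container and the limits it would apply at login are no longer enforced there. Please either restrict the edit to the user-namespace case or state in the comment that it applies to all ol4 containers.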
> --
> 1.8.3.1
Crap. I need to do this in the Fedora template as well.
Thanks!
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!