[lxc-devel] [PATCH 4/4] oracle template: fix pam login failures under user namespace

Dwight Engen dwight.engen at oracle.com
Tue Nov 19 22:11:41 UTC 2013


On Tue, 19 Nov 2013 17:00:50 -0500
"Michael H. Warfield" <mhw at WittsEnd.com> wrote:

> On Mon, 2013-11-18 at 12:28 -0500, Dwight Engen wrote: 
> > Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
> > ---
> >  templates/lxc-oracle.in | 9 +++++++++
> >  1 file changed, 9 insertions(+)
> > 
> > diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
> > index e86f261..8770e70 100644
> > --- a/templates/lxc-oracle.in
> > +++ b/templates/lxc-oracle.in
> > @@ -72,6 +72,10 @@ container_rootfs_configure()
> >      fi
> >      sed -i
> > 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*close|#session
> > required pam_selinux.so close|' $container_rootfs/etc/pam.d/login
> > sed -i
> > 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*open|#session
> > required pam_selinux.so open|' $container_rootfs/etc/pam.d/login +
> > +    # setting /proc/$$/loginuid doesn't work under user namespace,
> > which
> > +    # prevents logins from working
> > +    sed -i 's|session[ \t]*required[ \t]*pam_loginuid.so|#session
> > required pam_loginuid.so|' $container_rootfs/etc/pam.d/sshd sed -i
> > 's|session[ \t]*required[ \t]*pam_loginuid.so|#session required
> > pam_loginuid.so|' $container_rootfs/etc/pam.d/login if [ -f
> > $container_rootfs/usr/sbin/selinuxenabled ]; then @@ -83,6 +87,11
> > @@ container_rootfs_configure() sed -i
> > 's|cat /proc/self/attr/current|cat /proc/self/attr/current
> > 2>/dev/null|' $container_rootfs/etc/rc.sysinit sed -i
> > 2>'s|cat /proc/self/attr/current|cat /proc/self/attr/current
> > 2>2>/dev/null|' $container_rootfs/etc/rc.d/rc.sysinit 
> > +    # on ol4 pam_limits prevents logins when using user namespaces
> > +    if [ $container_release_major = "4" ]; then
> > +        sed -i
> > 's|session[ \t]*required[ \t]*/lib/security/\$ISA/pam_limits.so|#session
> > required /lib/security/$ISA/pam_limits.so|'
> > $container_rootfs/etc/pam.d/system-auth
> > +    fi
> > +
> >      # configure the network to use dhcp. we set DHCP_HOSTNAME so
> > the guest # will report its name and be resolv'able by the hosts
> > dnsmasq cat <<EOF >
> > $container_rootfs/etc/sysconfig/network-scripts/ifcfg-eth0 -- 
> > 1.8.3.1
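Review bot: in the first hunk (@@ -72,6 +72,10 @@), the new `sed -i ... $container_rootfs/etc/pam.d/sshd` line runs unconditionally, while the template guards `/usr/sbin/selinuxenabled` with `if [ -f ... ]` only a few lines later; on an image without openssh-server installed, `etc/pam.d/sshd` is absent and `sed -i` aborts with a read error. Wrap the sshd edit in `if [ -f $container_rootfs/etc/pam.d/sshd ]; then ... fi`, mirroring the selinuxenabled guard. The comment should also spell out the cost of the workaround: commenting out `pam_loginuid.so` drops the audit login attribution that module sets up, and the change applies to every container built from this template, not only those started under a user namespace.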
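Review bot: in the second hunk (@@ -83,6 +87,11 @@), `if [ $container_release_major = "4" ]; then` leaves the variable unquoted, so an empty `$container_release_major` turns the test into `[ = "4" ]` and the shell reports a syntax error instead of skipping the block; write `if [ "$container_release_major" = "4" ]; then`. The comment `# on ol4 pam_limits prevents logins when using user namespaces` should also state what is lost: with the `pam_limits.so` session line commented out in `system-auth`, the per-user resource limits that module enforces no longer apply to login sessions in the container. Minor: the match side escapes `\$ISA` while the replacement uses `$ISA`; both sit in single quotes so neither is expanded by the shell, but keeping them consistent avoids a reader wondering whether one is.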
> 
> Crap.  I need to do this in the Fedora template as well.
> 
> Thanks!

Yeah, hopefully this will eventually get fixed and the loginuid can be
set by pam in a container, but today is not that day. See
https://bugzilla.redhat.com/show_bug.cgi?id=893751 for more.
 
> Regards,
> Mike
