[lxc-users] Crontab in fedora containers.

Michael H. Warfield mhw at WittsEnd.com
Thu Oct 23 17:10:03 UTC 2014


On Thu, 2014-10-23 at 17:17 +0200, István Király wrote:
> Hello Mike.
> 
> 
> Host is Fedora 20 with kernel 3.16.4-200.fc20.x86_64
> 
> 
> LXC: 1.0.6 compiled from latest release


Ooo???  LXC 1.0.6 is in the repositories.  Any reason for not using the
repo based LXC rpms?

When you say "compiled from latest release", did you do a "configure ;
make ; make install" or did you do a "configure ; make rpm ; yum
localinstall" (the latter is preferred for maintainability and to avoid
library skew).

> Host is fedora with SELinux disabled.

Ok...  That setup matches mine exactly.
> 
> Container was created with the fedora template but in an earlier
> version of LXC.

That SHOULD be OK unless it was a very early version of LXC (like 0.8 or
earlier).
> 
> I'm not sure what you mean by container version. Containers are also
> Fedora 20.

That's what I meant.
> 
> Logged in with ssh. LXC is running in the background.

Matches what I'm doing...  Are you logging in with a password or an
SSH auth key?  If the latter, does the user have a valid, non-expired,
password?
> 
> I just created a new test-container, added my user and it behaves
> exactly the same.

Ok...  How did you add your user?  Just useradd and then run passwd to
set the passwd?  I'm seeing similar complaints when the user password is
expired or locked but you can still connect using ssh via an ssh auth
key.

> Without /etc/cron.allow
> You (user) are not allowed to access to (crontab) because of pam
> configuration.

Ok...  This is what's not making any sense to me.  That's saying
"because of pam configuration" and I'm trying to understand WHAT pam
configuration.  I do see a potential problem in /etc/pam.d/crond that
could impact cron jobs running (it's the session line referencing
pam_loginuid.so that could blow up) but that should not affect running
"crontab -e".

Did you install any additional software after the container creation?
> 
> With ALL (then newline) in /etc/cron.allow

This should not be necessary in any case...
> 
> [user at crontest ~]$ crontab -e
> You (user) are not allowed to use this program (crontab)
> See crontab(1) for more information

What happens if you run "crontab -l"?

Looking around, you might have something quirky going on with
that /etc/pam.d/crond file after all.

http://www.linuxquestions.org/questions/linux-security-4/failed-to-authorize-user-with-pam-permission-denied-4175492110/

Could try editing the "pam_access.so" line and setting that with debug
to find out why it's being refused.  While you're in there, comment out
this line and see if it makes a difference:

session    required   pam_loginuid.so

The whole pam loginuid thing is a problem in containers.  Doesn't
explain why I don't see it though...

> Thank you very much.
> 
Regards,
Mike

> Greetings, ...
> 
> On Thu, Oct 23, 2014 at 2:57 PM, Michael H. Warfield
> <mhw at wittsend.com> wrote:
>         On Thu, 2014-10-23 at 06:18 +0200, István Király wrote:
>         > Hello list, ..
>         >
>         >
>         > I noticed some strange behavior, that I could not resolve so far,
>         > regarding cron and crontab.
>         >
>         >
>         > [user at container]$ crontab -e
>         > You (user) are not allowed to access to (crontab) because of pam
>         > configuration.
>         >
>         >
>         > While digging in, I created /etc/cron.allow  and added ALL. The
>         > message changed to:
>         >
>         >
>         > You (user) are not allowed to use this program (crontab)
>         > See crontab(1) for more information
>         >
>         >
>         > Google search didn't bring me closer to a solution.
>         >
>         >
>         > On a native fedora, crontab works out of the box, even without a
>         > cron.allow file.
>         >
>         >
>         > If someone has ideas / suggestions, I would look at them.
>         
>         It's working fine here with all my Fedora containers of various vintage
>         (all Fedora hosts).
>         
>         1) What is the host distro and version?
>         
>         2) What is the container version?
>         
>         3) If the host is Ubuntu or Debian, are you running with apparmor
>         enabled and have you set lxc.aa_profile = unconfined in the container
>         config?
>         
>         4) How did you create the container (lxc-create, hand rolled, fedora
>         template, download template)?
>         
>         5) Version of LXC in the host?
>         
>         6) How are you logged in?  From lxc-start in foreground?  From
>         lxc-console?  From ssh connection?
>         
>         > Greetings, ...
>         >
>         >
>         > --
>         > Király István
>         > +36 209 753 758
>         > LaKing at D250.hu
>         
>         Regards,
>         Mike
>         --
>         Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>            /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>            NIC whois: MHW9          | An optimist believes we live in the best of all
>          PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>         
>         
>         _______________________________________________
>         lxc-users mailing list
>         lxc-users at lists.linuxcontainers.org
>         http://lists.linuxcontainers.org/listinfo/lxc-users
> 
> 
> 
> 
> -- 
> Király István
> +36 209 753 758
> LaKing at D250.hu
> 
> 

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
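
The conditions raised in the message above (an active pam_loginuid.so or pam_access.so line in /etc/pam.d/crond, and a locked or expired password on an account that still logs in with an SSH key) can be checked read-only with a short script. This is an added example, not part of the original message; the function names, the sample files and the day number 16366 are constructed for illustration.

```shell
# Added example. Read-only checks; all sample data below is constructed.

# Print "type control module" for each active (uncommented) line loading MODULE.
pam_module_lines() {  # usage: pam_module_lines FILE MODULE
    awk -v mod="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            for (i = 3; i <= NF; i++) if ($i ~ /\.so$/) break
            if (i > NF) next                  # include/substack line, no module
            n = split($i, p, "/")             # accept full module paths too
            if (p[n] != mod) next
            ctl = $2; for (j = 3; j < i; j++) ctl = ctl " " $j
            print $1, ctl, p[n]
        }' "$1"
}

# Classify a shadow(5) entry: missing | locked | expired | ok. TODAY = days since epoch.
shadow_status() {  # usage: shadow_status SHADOW_FILE USER TODAY
    awk -F: -v u="$2" -v today="$3" '
        $1 != u { next }
        { found = 1 }
        $2 ~ /^[!*]/                            { print "locked";  exit }
        $3 == "0"                               { print "expired"; exit }
        $3 != "" && $5 != "" && $3 + $5 < today { print "expired"; exit }
        $8 != "" && $8 + 0 < today              { print "expired"; exit }
        { print "ok"; exit }
        END { if (!found) print "missing" }' "$1"
}

# Constructed stand-ins for /etc/pam.d/crond and /etc/shadow.
make_samples() {  # usage: make_samples DIR
    cat > "$1/crond" <<'EOF'
auth       include    password-auth
account    required   pam_access.so
session    required   pam_loginuid.so
#session   optional   pam_loginuid.so
EOF
    cat > "$1/shadow" <<'EOF'
alice:$6$constructed$hash:16300:0:99999:7:::
bob:!!:16300:0:99999:7:::
carol:$6$constructed$hash:16000:0:90:7:::
EOF
}

d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT && make_samples "$d"
pam_module_lines "$d/crond" pam_loginuid.so
for u in alice bob carol dave; do
    echo "$u: $(shadow_status "$d/shadow" "$u" 16366)"   # 16366 = 2014-10-23
done
```

Inside a real container, run the two functions as root against /etc/pam.d/crond and /etc/shadow, passing the current day number (seconds since the epoch divided by 86400) as TODAY.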
