[lxc-users] Crontab in fedora containers.

István Király LaKing at D250.hu
Tue Oct 28 22:08:09 UTC 2014


Hello again.

Yes, I see now that LXC 1.0.6 is there as rpm, but that is the first time
since 0.8.0, and I started to use LXC 1.0.

I use my script called srvctl to control the creation and configuration of
containers.
https://github.com/LaKing/Fedora-scripts

It compiled with "autogen - configure - make - make install" before, but I
added the option to use yum and the rpm now.

The user addition part adds the user, sets the password and creates a keypair.
I usually log in as root with key, .. but the problem came to light when
users su-ed to a normal user and ran capistrano - a ruby deploy script.
So, I think the password should be there, valid, not expired. Users use keys
though.

[user at crontest root]$ crontab -l
You (user) are not allowed to use this program (crontab)
See crontab(1) for more information


I will test it on another system that runs srvctl based on rpm installation.

And, .. I will be on holidays the next 12 days, ...

Greetings, ..

On Thu, Oct 23, 2014 at 7:10 PM, Michael H. Warfield <mhw at wittsend.com>
wrote:

> On Thu, 2014-10-23 at 17:17 +0200, István Király wrote:
> > Hello Mike.
> >
> >
> > Host is Fedora 20 with kernel 3.16.4-200.fc20.x86_64
> >
> >
> > LXC: 1.0.6 compiled from latest release
>
>
> Ooo???  LXC 1.0.6 is in the repositories.  Any reason for not using the
> repo based LXC rpms?
>
> When you say "compiled from latest release", did you do a "configure ;
> make ; make install" or did you do a "configure ; make rpm ; yum
> localinstall" (the latter is preferred for maintainability and to avoid
> library skew).
>
> > Host is fedora with SELinux disabled.
>
> Ok...  That setup matches mine exactly.
> >
> > Container was created with the fedora template but in an earlier
> > version of LXC.
>
> That SHOULD be OK unless it was a very early version of LXC (like 0.8 or
> earlier).
> >
> > I'm not sure what you mean by container version. Containers are also
> > Fedora 20.
>
> That's what I meant.
> >
> > Logged in with ssh. LXC is running on the background.
>
> Matches what I'm doing...  Are you logging in with a password or an
> SSH auth key?  If the latter, does the user have a valid, non-expired,
> password?
> >
> > I just created a new test-container, added my user and it behaves
> > exactly the same.
>
> Ok...  How did you add your user?  Just useradd and then run passwd to
> set the passwd?  I'm seeing similar complaints when the user password is
> expired or locked but you can still connect using ssh via an ssh auth
> key.
>
> > Without /etc/cron.allow
> > You (user) are not allowed to access to (crontab) because of pam
> > configuration.
>
> Ok...  This is what's not making any sense to me.  That's saying
> "because of pam configuration" and I'm trying to understand WHAT pam
> configuration.  I do see a potential problem in /etc/pam.d/crond that
> could impact cron jobs running (it's the session line referencing
> pam_loginuid.so that could blow up) but that should not affect running
> "crontab -e"
>
> Did you install any additional software after the container creation?
> >
> > With ALL (then newline) in /etc/cron.allow
>
> This should not be necessary in any case...
> >
> > [user at crontest ~]$ crontab -e
> > You (user) are not allowed to use this program (crontab)
> > See crontab(1) for more information
>
> What happens if you run "crontab -l"?
>
> Looking around, you might have something quirky going on with
> that /etc/pam.d/crond file after all.
>
>
> http://www.linuxquestions.org/questions/linux-security-4/failed-to-authorize-user-with-pam-permission-denied-4175492110/
>
> Could try editing the "pam_access.so" line and setting that with debug
> to find out why it's being refused.  While you're in there, comment out
> this line and see if it makes a difference:
>
> session    required   pam_loginuid.so
>
> The whole pam loginuid thing is a problem in containers.  Doesn't
> explain why I don't see it though...
>
> > Thank you very much.
> >
> Regards,
> Mike
>
> > Greetings, ...
> >
> > On Thu, Oct 23, 2014 at 2:57 PM, Michael H. Warfield
> > <mhw at wittsend.com> wrote:
> >         On Thu, 2014-10-23 at 06:18 +0200, István Király wrote:
> >         > Hello list, ..
> >         >
> >         >
> >         > I noticed some strange behavior, that I could not resolve so
> >         far,
> >         > regarding cron and crontab.
> >         >
> >         >
> >         > [user at container]$ crontab -e
> >         > You (user) are not allowed to access to (crontab) because of
> >         pam
> >         > configuration.
> >         >
> >         >
> >         > While digging in, I created /etc/cron.allow  and added ALL.
> >         The
> >         > message changed to:
> >         >
> >         >
> >         > You (user) are not allowed to use this program (crontab)
> >         > See crontab(1) for more information
> >         >
> >         >
> >         > Google search didn't bring me closer to a solution.
> >         >
> >         >
> >         > On a native fedora, crontab works out of the box, even
> >         without a
> >         > cron.allow file.
> >         >
> >         >
> >         > If someone has ideas / suggestions, I would look at them.
> >
> >         It's working fine here with all my Fedora containers of
> >         various vintage
> >         (all Fedora hosts).
> >
> >         1) What is the host distro and version?
> >
> >         2) What is the container version?
> >
> >         3) If the host is Ubuntu or Debian, are you running with
> >         apparmor
> >         enabled and have you set lxc.aa_profile = unconfined in the
> >         container
> >         config?
> >
> >         4) How did you create the container (lxc-create, hand rolled,
> >         fedora
> >         template, download template)?
> >
> >         5) Version of LXC in the host?
> >
> >         6) How are you logged in?  From lxc-start in foreground?  From
> >         lxc-console?  From ssh connection?
> >
> >         > Greetings, ...
> >         >
> >         >
> >         > --
> >         > Király István
> >         > +36 209 753 758
> >         > LaKing at D250.hu
> >
> >         Regards,
> >         Mike
> >         --
> >         Michael H. Warfield (AI4NB) | (770) 978-7061 |
> >         mhw at WittsEnd.com
> >            /\/\|=mhw=|\/\/          | (678) 463-0932 |
> >         http://www.wittsend.com/mhw/
> >            NIC whois: MHW9          | An optimist believes we live in
> >         the best of all
> >          PGP Key: 0x674627FF        | possible worlds.  A pessimist is
> >         sure of it!
> >
> >
> >         _______________________________________________
> >         lxc-users mailing list
> >         lxc-users at lists.linuxcontainers.org
> >         http://lists.linuxcontainers.org/listinfo/lxc-users
> >
> >
> >
> >
> > --
> > Király István
> > +36 209 753 758
> > LaKing at D250.hu
> >
>
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |
> http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of
> all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>



-- 
Király István
+36 209 753 758
LaKing at D250.hu
<http://d250.hu>
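
An added example, not part of the original thread: a shell sketch of the two checks the thread circles around, the password state of the account (expired or locked, as asked in the quoted reply) and the cron.allow / cron.deny decision. The function names and sample data are constructed. The allow/deny rule is an assumption taken from cronie's crontab(1), where names are matched literally one per line, and whether a given password state makes PAM refuse crontab depends on the account stack in /etc/pam.d/crond.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread); all sample data is constructed.

# shadow_status SHADOW_LINE TODAY -> ok | locked | password-expired | account-expired
# TODAY is days since 1970-01-01, the unit /etc/shadow uses.
shadow_status() {
    IFS=: read -r _n hash last _min max _warn _inact expire _rest <<EOF
$1
EOF
    case $hash in
        '!'*|'*'*) echo locked; return 0 ;;
    esac
    if [ -n "$expire" ] && [ "$2" -ge "$expire" ]; then
        echo account-expired; return 0
    fi
    # last=0 forces a change at next login; otherwise compare against max age.
    if [ "$last" = 0 ]; then echo password-expired; return 0; fi
    if [ -n "$last" ] && [ -n "$max" ] && [ "$2" -gt $((last + max)) ]; then
        echo password-expired; return 0
    fi
    echo ok
}

# cron_access USER ALLOW_FILE DENY_FILE -> allowed | denied
# Assumed rule (cronie crontab(1)): cron.allow wins if present, else cron.deny,
# else only root. Lines are literal user names, so "ALL" is just a name.
cron_access() {
    if [ "$1" = root ]; then echo allowed; return 0; fi
    if [ -f "$2" ]; then
        if grep -qxF -- "$1" "$2"; then echo allowed; else echo denied; fi
    elif [ -f "$3" ]; then
        if grep -qxF -- "$1" "$3"; then echo denied; else echo allowed; fi
    else
        echo denied
    fi
}

# Demo on constructed input: 16371 is 2014-10-28 in days since the epoch.
shadow_status 'user:$6$constructed$hash:16000:0:90:7:::' 16371
allow=$(mktemp); printf 'ALL\n' > "$allow"
cron_access user "$allow" /nonexistent
rm -f "$allow"
```

On a real container, pass the user's line from `getent shadow` (as root) and `$(( $(date +%s) / 86400 ))` as TODAY; `chage -l user` reports the same aging fields in readable form.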