[lxc-users] Crontab in fedora containers.
István Király
LaKing at D250.hu
Tue Oct 28 22:08:09 UTC 2014
Hello again.
Yes, I see now that LXC 1.0.6 is there as rpm, but that is the first time
since 0.8.0, and I started to use LXC 1.0.
I use my script called srvctl to control the creation and configuration of
containers.
https://github.com/LaKing/Fedora-scripts
It compiled with "autogen - configure - make - make install" before, but I
added the option to use yum and the rpm now.
The user addition part adds the user, sets the password and creates a keypair.
I usually log in as root with key, .. but the problem came to light when
users su-ed to a normal user and ran capistrano - a ruby deploy script.
So, I think the password should be there, valid, not expired. Users use keys
though.
[user at crontest root]$ crontab -l
You (user) are not allowed to use this program (crontab)
See crontab(1) for more information
I will test it on another system that runs srvctl based on rpm installation.
And, .. I will be on holidays the next 12 days, ...
Greetings, ..
On Thu, Oct 23, 2014 at 7:10 PM, Michael H. Warfield <mhw at wittsend.com>
wrote:
> On Thu, 2014-10-23 at 17:17 +0200, István Király wrote:
> > Hello Mike.
> >
> >
> > Host is Fedora 20 with kernel 3.16.4-200.fc20.x86_64
> >
> >
> > LXC: 1.0.6 compiled from latest release
>
>
> Ooo??? LXC 1.0.6 is in the repositories. Any reason for not using the
> repo based LXC rpms?
>
> When you say "compiled from latest release", did you do a "configure ;
> make ; make install" or did you do a "configure ; make rpm ; yum
> localinstall" (the latter is preferred for maintainability and to avoid
> library skew).
>
> > Host is fedora with SELinux disabled.
>
> Ok... That setup matches mine exactly.
> >
> > Container was created with the fedora template but in an earlier
> > version of LXC.
>
> That SHOULD be OK unless it was a very early version of LXC (like 0.8 or
> earlier).
> >
> > I'm not sure what you mean by container version. Containers are also
> > Fedora 20.
>
> That's what I meant.
> >
> > Logged in with ssh. LXC is running on the background.
>
> Matches what I'm doing... Are you logging in with a password or an
> SSH auth key? If the latter, does the user have a valid, non-expired,
> password?
> >
> > I just created a new test-container, added my user and it behaves
> > exactly the same.
>
> Ok... How did you add your user? Just useradd and then run passwd to
> set the passwd? I'm seeing similar complaints when the user password is
> expired or locked but you can still connect using ssh via an ssh auth
> key.
>
> > Without /etc/cron.allow
> > You (user) are not allowed to access to (crontab) because of pam
> > configuration.
>
> Ok... This is what's not making any sense to me. That's saying
> "because of pam configuration" and I'm trying to understand WHAT pam
> configuration. I do see a potential problem in /etc/pam.d/crond that
> could impact cron jobs running (it's the session line referencing
> pam_loginuid.so that could blow up) but that should not affect running
> "crontab -e"
>
> Did you install any additional software after the container creation?
> >
> > With ALL (then newline) in /etc/cron.allow
>
> This should not be necessary in any case...
> >
> > [user at crontest ~]$ crontab -e
> > You (user) are not allowed to use this program (crontab)
> > See crontab(1) for more information
>
> What happens if you run "crontab -l"?
>
> Looking around, you might have something quirky going on with
> that /etc/pam.d/crond file after all.
>
>
> http://www.linuxquestions.org/questions/linux-security-4/failed-to-authorize-user-with-pam-permission-denied-4175492110/
>
> Could try editing the "pam_access.so" line and setting that with debug
> to find out why it's being refused. While you're in there, comment out
> this line and see if it makes a difference:
>
> session required pam_loginuid.so
>
> The whole pam loginuid thing is a problem in containers. Doesn't
> explain why I don't see it though...
>
> > Thank you very much.
> >
> Regards,
> Mike
>
> > Greetings, ...
> >
> > On Thu, Oct 23, 2014 at 2:57 PM, Michael H. Warfield
> > <mhw at wittsend.com> wrote:
> > On Thu, 2014-10-23 at 06:18 +0200, István Király wrote:
> > > Hello list, ..
> > >
> > >
> > > I noticed some strange behavior, that I could not resolve so far,
> > > regarding cron and crontab.
> > >
> > >
> > > [user at container]$ crontab -e
> > > You (user) are not allowed to access to (crontab) because of pam
> > > configuration.
> > >
> > >
> > > While digging in, I created /etc/cron.allow and added ALL. The
> > > message changed to:
> > >
> > >
> > > You (user) are not allowed to use this program (crontab)
> > > See crontab(1) for more information
> > >
> > >
> > > Google search didn't bring me closer to a solution.
> > >
> > >
> > > On a native fedora, crontab works out of the box, even without a
> > > cron.allow file.
> > >
> > >
> > > If someone has ideas / suggestions, I would look at them.
> >
> > It's working fine here with all my Fedora containers of various vintage
> > (all Fedora hosts).
> >
> > 1) What is the host distro and version?
> >
> > 2) What is the container version?
> >
> > 3) If the host is Ubuntu or Debian, are you running with apparmor
> > enabled and have you set lxc.aa_profile = unconfined in the container
> > config?
> >
> > 4) How did you create the container (lxc-create, hand rolled, fedora
> > template, download template)?
> >
> > 5) Version of LXC in the host?
> >
> > 6) How are you logged in? From lxc-start in foreground? From
> > lxc-console? From ssh connection?
> >
> > > Greetings, ...
> > >
> > >
> > > --
> > > Király István
> > > +36 209 753 758
> > > LaKing at D250.hu
> >
> > Regards,
> > Mike
> > --
> > Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
> > /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> > NIC whois: MHW9 | An optimist believes we live in the best of all
> > PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
> >
> >
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
> >
> >
> >
> >
> > --
> > Király István
> > +36 209 753 758
> > LaKing at D250.hu
> >
> >
>
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
>
>
>
--
Király István
+36 209 753 758
LaKing at D250.hu
<http://d250.hu>
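
The three suspects raised in this thread (cron.allow / cron.deny, a locked or expired password on an account that logs in by SSH key, and the pam_access.so / pam_loginuid.so lines in /etc/pam.d/crond) can be checked offline against copies of a container's files. The script below is an added example, not part of the original messages and not code from srvctl or LXC; the function names and sample data are constructed, and it assumes the allow/deny precedence documented in crontab(1) with entries compared as literal user names.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs are file paths so the checks can
# run on copies taken from a container rootfs.

# cron_access USER ALLOW_FILE DENY_FILE -> allow|deny
# Precedence per crontab(1); entries are compared as literal user names.
cron_access() {
    if [ -f "$2" ]; then
        if grep -qxF -- "$1" "$2"; then echo allow; else echo deny; fi
    elif [ -f "$3" ]; then
        if grep -qxF -- "$1" "$3"; then echo deny; else echo allow; fi
    else
        echo deny   # neither file exists: only root may use crontab
    fi
}

# shadow_state USER SHADOW_FILE TODAY -> locked|expired|ok|missing
# TODAY is days since 1970-01-01: $(( $(date +%s) / 86400 ))
shadow_state() {
    awk -F: -v u="$1" -v today="$3" '
        $1 != u { next }
        { found = 1 }
        $2 ~ /^[!*]/                            { print "locked";  next }
        $8 != "" && today >= $8                 { print "expired"; next }
        $3 == "0"                               { print "expired"; next }
        $3 != "" && $5 != "" && today > $3 + $5 { print "expired"; next }
        { print "ok" }
        END { if (!found) print "missing" }' "$2"
}

# pam_suspects PAM_FILE -> active (uncommented) pam_loginuid/pam_access lines
pam_suspects() {
    awk '!/^[ \t]*#/ && /pam_(loginuid|access)\.so/ { print $1, $2, $3 }' "$1"
}

# Constructed sample data (not taken from the systems in this thread).
triage_demo() {
    d=$(mktemp -d) || return 1
    printf 'ALL\n' > "$d/cron.allow"
    printf 'user:!!:16371:0:99999:7:::\nkeyed:$6$x$y:16000:0:30:7:::\n' > "$d/shadow"
    printf 'account required pam_access.so\n#session required pam_loginuid.so\n' > "$d/crond"
    echo "cron=$(cron_access user "$d/cron.allow" "$d/cron.deny")" \
         "user=$(shadow_state user "$d/shadow" 16371)" \
         "keyed=$(shadow_state keyed "$d/shadow" 16371)" \
         "pam=$(pam_suspects "$d/crond")"
    rm -rf "$d"
}
triage_demo
```

On a live container the same functions take /etc/cron.allow, /etc/cron.deny, /etc/shadow (read as root) and /etc/pam.d/crond as their file arguments.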