[lxc-users] Crontab in fedora containers.

Michael H. Warfield mhw at WittsEnd.com
Wed Oct 29 00:32:17 UTC 2014


On Tue, 2014-10-28 at 23:08 +0100, István Király wrote:
> Hello again.
> 
> 
> 
> Yes, I see now that LXC 1.0.6 is there as rpm, but that is the first
> time since 0.8.0, and I started to use LXC 1.0.
> 
> 
> I use my script called srvctl to control the creation and
> configuration of containers.
> https://github.com/LaKing/Fedora-scripts
> 
> 
> 
> It compiled with "autogen - configure - make - make install" before,
> but I added the option to use yum and the rpm now.
> 
> 
> The user addition part adds user, sets password and creates a keypair.
> I usually log in as root with key, .. but the problem came to light
> when users su-ed to a normal user and ran capistrano - a ruby deploy
> script.
> So, I think the password should be there, valid, not expired. Users use
> keys though.
> 
> 
> [user at crontest root]$ crontab -l
> You (user) are not allowed to use this program (crontab)
> See crontab(1) for more information

> I will test it on another system that runs srvctl based on rpm
> installation.

I don't know this "srvctl" script.  First principle...  Do it the stock
way and make it work, and then make changes.  I just went through 2 full
days of this trying to get a Raspberry Pi QEMU emulation working with
bridged networking (OT - Off Topic - and not to the point) where I had
to go back to the basics and incrementally work my way to how I THOUGHT
it would work to find out what I was fscking up (I was missing a simple
-net nic,... stanza in this OT case).

Using stock, create a container using "lxc-create -n {whatever} -t
fedora" and work from there.  Do not use your custom script.  If that
then works, then divide and conquer what are the differences between
what your script is doing and what stock is doing.
> 
> And, .. I will be on holidays the next 12 days, ... 

Ah...  I'm just coming off and so much to catch up on.  Enjoy!
> 

> Greetings, ..

Regards,
Mike
> 
> On Thu, Oct 23, 2014 at 7:10 PM, Michael H. Warfield
> <mhw at wittsend.com> wrote:
>         On Thu, 2014-10-23 at 17:17 +0200, István Király wrote:
>         > Hello Mike.
>         >
>         >
>         > Host is Fedora 20 with kernel 3.16.4-200.fc20.x86_64
>         >
>         >
>         > LXC: 1.0.6 compiled from latest release
>         
>         
>         Ooo???  LXC 1.0.6 is in the repositories.  Any reason for not
>         using the repo based LXC rpms?
>
>         When you say "compiled from latest release", did you do a
>         "configure ; make ; make install" or did you do a
>         "configure ; make rpm ; yum localinstall" (the latter is
>         preferred for maintainability and to avoid library skew).
>         
>         > Host is fedora with SELinux disabled.
>         
>         Ok...  That setup matches mine exactly.
>         >
>         > Container was created with the fedora template but in an
>         > earlier version of LXC.
>
>         That SHOULD be OK unless it was a very early version of LXC
>         (like 0.8 or earlier).
>         >
>         > I'm not sure what you mean by container version. Containers
>         > are also Fedora 20.
>         
>         That's what I meant.
>         >
>         > Logged in with ssh. LXC is running in the background.
>
>         Matches what I'm doing...  Are you logging in with a
>         password or an SSH auth key?  If the latter, does the user
>         have a valid, non-expired, password?
>         >
>         > I just created a new test-container, added my user and it
>         > behaves exactly the same.
>
>         Ok...  How did you add your user?  Just useradd and then run
>         passwd to set the passwd?  I'm seeing similar complaints when
>         the user password is expired or locked but you can still
>         connect using ssh via an ssh auth key.
>         
>         > Without /etc/cron.allow
>         > You (user) are not allowed to access to (crontab) because of pam configuration.
>
>         Ok...  This is what's not making any sense to me.  That's
>         saying "because of pam configuration" and I'm trying to
>         understand WHAT pam configuration.  I do see a potential
>         problem in /etc/pam.d/crond that could impact cron jobs
>         running (it's the session line referencing pam_loginuid.so
>         that could blow up) but that should not affect running
>         "crontab -e"
>         
>         Did you install any additional software after the container
>         creation?
>         >
>         > With ALL (then newline) in /etc/cron.allow
>         
>         This should not be necessary in any case...
>         >
>         > [user at crontest ~]$ crontab -e
>         > You (user) are not allowed to use this program (crontab)
>         > See crontab(1) for more information
>         
>         What happens if you run "crontab -l"?
>         
>         Looking around, you might have something quirky going on with
>         that /etc/pam.d/crond file after all.
>         
>         http://www.linuxquestions.org/questions/linux-security-4/failed-to-authorize-user-with-pam-permission-denied-4175492110/
>         
>         Could try editing the "pam_access.so" line and setting that
>         with debug to find out why it's being refused.  While you're
>         in there, comment out this line and see if it makes a
>         difference:
>
>         session    required   pam_loginuid.so
>
>         The whole pam loginuid thing is a problem in containers.
>         Doesn't explain why I don't see it though...
>         
>         > Thank you very much.
>         >
>         Regards,
>         Mike
>         
>         > Greetings, ...
>         >
>         > On Thu, Oct 23, 2014 at 2:57 PM, Michael H. Warfield
>         > <mhw at wittsend.com> wrote:
>         >         On Thu, 2014-10-23 at 06:18 +0200, István Király wrote:
>         >         > Hello list, ..
>         >         >
>         >         > I noticed some strange behavior, that I could not
>         >         > resolve so far, regarding cron and crontab.
>         >         >
>         >         > [user at container]$ crontab -e
>         >         > You (user) are not allowed to access to (crontab) because of pam configuration.
>         >         >
>         >         > While digging in, I created /etc/cron.allow  and
>         >         > added ALL. The message changed to:
>         >         >
>         >         > You (user) are not allowed to use this program (crontab)
>         >         > See crontab(1) for more information
>         >         >
>         >         > Google search didn't bring me closer to a solution.
>         >         >
>         >         > On a native fedora, crontab works out of the box,
>         >         > even without a cron.allow file.
>         >         >
>         >         > If someone has ideas / suggestions, I would look at
>         >         > them.
>         >
>         >         It's working fine here with all my Fedora containers
>         >         of various vintage (all Fedora hosts).
>         >
>         >         1) What is the host distro and version?
>         >
>         >         2) What is the container version?
>         >
>         >         3) If the host is Ubuntu or Debian, are you running
>         >         with apparmor enabled and have you set
>         >         lxc.aa_profile = unconfined in the container config?
>         >
>         >         4) How did you create the container (lxc-create,
>         >         hand rolled, fedora template, download template)?
>         >
>         >         5) Version of LXC in the host?
>         >
>         >         6) How are you logged in?  From lxc-start in
>         >         foreground?  From lxc-console?  From ssh connection?
>         >
>         >         > Greetings, ...
>         >         >
>         >         >
>         >         > --
>         >         > Király István
>         >         > +36 209 753 758
>         >         > LaKing at D250.hu
>         >
>         >         Regards,
>         >         Mike
>         >         --
>         >         Michael H. Warfield (AI4NB) | (770) 978-7061 |
>         >         mhw at WittsEnd.com
>         >            /\/\|=mhw=|\/\/          | (678) 463-0932 |
>         >         http://www.wittsend.com/mhw/
>         >            NIC whois: MHW9          | An optimist believes
>         we live in
>         >         the best of all
>         >          PGP Key: 0x674627FF        | possible worlds.  A
>         pessimist is
>         >         sure of it!
>         >
>         >
>         >         _______________________________________________
>         >         lxc-users mailing list
>         >         lxc-users at lists.linuxcontainers.org
>         >         http://lists.linuxcontainers.org/listinfo/lxc-users

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
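
The reply above asks whether the container user has a valid, non-expired password and points at the pam_loginuid.so session line in /etc/pam.d/crond. As an added example (not part of the original message), this script classifies a shadow entry and lists the uncommented PAM lines that load a module; the function names and every sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All account and PAM data below is constructed.
# Real use, as root inside the container:
#   shadow_state "$(getent shadow user)" "$(( $(date +%s) / 86400 ))"
#   active_pam_lines pam_loginuid.so < /etc/pam.d/crond

# shadow_state LINE TODAY -> "name: flags"; TODAY is days since 1970-01-01.
shadow_state() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        s = ""
        if ($2 ~ /^[!*]/) { s = s " locked" }        # "!", "!!" or "*" prefix
        if ($3 == "0") { s = s " must-change" }      # change forced at next login
        else if ($3 != "" && $5 != "" && today > $3 + $5) { s = s " password-expired" }
        if ($8 != "" && today > $8) { s = s " account-expired" }
        print $1 ":" (s == "" ? " ok" : s)
    }'
}

# active_pam_lines MODULE < pam-file -> uncommented lines that load MODULE.
active_pam_lines() {
    grep -E "^[[:space:]]*[^#[:space:]].*$1" || true
}

demo() {
    today=16372   # 2014-10-29 expressed as days since the epoch
    shadow_state 'alice:$6$salt$hash:16300:0:99999:7:::' "$today"
    # "!!" is what useradd typically leaves on Fedora when passwd was never run.
    shadow_state 'user:!!:16365:0:99999:7:::' "$today"
    shadow_state 'bob:$6$salt$hash:16000:0:90:7:::' "$today"
    # Constructed pam.d/crond content; only the uncommented line is reported.
    active_pam_lines pam_loginuid.so <<'EOF'
account    required   pam_access.so
#session   required   pam_loginuid.so
session    required   pam_loginuid.so
EOF
}
demo
```

Comparing the output for a container built with the stock fedora template against one built by a custom script is one way to do the "divide and conquer" step suggested above.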
