[lxc-users] User authentication in containers via libnss-mysql
Andre Nathan
andre at digirati.com.br
Tue Sep 9 20:46:08 UTC 2014
Hello
I'm facing a strange problem which I'm not sure is related to LXC, but
since this used to work in 0.7.5 in Ubuntu 12.04 I figured I'd ask.
I'm running Ubuntu 14.04 with LXC 1.0.4-0ubuntu0.1. I'm running a
container whose filesystem is populated via bind-mounts from the host.
The container starts up fine but for some reason calls to getpwnam()
block forever in a futex() call before being able to access the
libnss-mysql-bg configuration. Local users are found as expected, and
everything works fine from an lxc-attach session, but not from
lxc-console when logged in as a normal user.
Has anyone ever seen something like that?
Here's the end of an strace on the "getent" command:
set_robust_list(0x7f35dd87da20, 24) = 0
futex(0x7fff58cc3d30, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1,
NULL, 7f35dd87d740) = -1 EAGAIN (Resource temporarily unavailable)
rt_sigaction(SIGRTMIN, {0x7f35dc0509f0, [], SA_RESTORER|SA_SIGINFO,
0x7f35dc05a340}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x7f35dc050a80, [],
SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f35dc05a340}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
geteuid() = 7363
getegid() = 7363
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) =
-1 ENOENT (No such file or directory)
close(3) = 0
socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) =
-1 ENOENT (No such file or directory)
close(3) = 0
open("/etc/group", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=39, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
= 0x7f35dd87c000
read(3, "root:x:0:\nandre:x:7363:\nwww-data"..., 4096) = 39
read(3, "", 4096) = 0
close(3) = 0
munmap(0x7f35dd87c000, 4096) = 0
futex(0x7f35dcdc4200, FUTEX_WAIT_PRIVATE, 2, NULL
An strace of the same command run from lxc-attach is very different:
futex(0x7ffff595f9b0, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1,
NULL, 7f116f142740) = -1 EAGAIN (Resource temporarily unavailable)
rt_sigaction(SIGRTMIN, {0x7f116d9159f0, [], SA_RESTORER|SA_SIGINFO,
0x7f116d91f340}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x7f116d915a80, [],
SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f116d91f340}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
geteuid() = 0
futex(0x7f116df490d0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f116e6891e0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/etc/libnss-mysql.cfg", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1371, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
= 0x7f116f141000
read(3, "[server]\nhost 10.0.0.1\n"..., 4096) = 1371
...
[and from here on it queries the authentication db just fine]
My container configuration looks like this:
# LXC 1.0.x container config as quoted in the mail. NOTE(review): the bare
# "sys_boot" line further down is presumably the tail of the lxc.cap.keep
# line, wrapped by the mail client.
lxc.utsname = andre
lxc.start.auto = 1
# Two veth interfaces, one per host bridge (br0 -> eth0, br1 -> eth1).
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.ipv4 = 172.16.5.95/16 172.16.255.255
lxc.network.name = eth0
lxc.network.type = veth
lxc.network.link = br1
lxc.network.flags = up
lxc.network.ipv4 = 172.17.5.95/16 172.17.255.255
lxc.network.name = eth1
lxc.tty = 1
lxc.pts = 1024
lxc.rootfs = /var/lib/lxc/andre/rootfs
# The bind mounts that populate the rootfs are listed in this fstab
# (quoted later in the mail).
lxc.mount = /var/lib/lxc/andre/fstab
# Device cgroup: deny every device first, then allow-list by major:minor.
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
# Host VTs (/dev/tty0, /dev/tty1) left commented out, so they stay denied.
#lxc.cgroup.devices.allow = c 4:0 rwm
#lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
# /dev/pts/* and /dev/ptmx
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rm
# capabilities
# lxc.cap.keep drops every capability not listed here. dac_override bypasses
# file-permission checks inside the container (the read-only bind mounts
# still refuse writes); net_admin and sys_boot are broader than a typical
# user-login container needs -- NOTE(review): confirm each one is required.
lxc.cap.keep = chown dac_override fowner kill net_admin setgid setuid
sys_boot
# apparmor
# "unconfined" runs the container without an AppArmor profile, so the
# capability list and device allow-list above are the only confinement.
lxc.aa_profile = unconfined
The fstab file is this one:
# Container fstab referenced by lxc.mount, as quoted in the mail (several
# entries are wrapped across two lines by the mail client).
# Host system directories, shared read-only with the container.
/bin /var/lib/lxc/andre/rootfs/bin ext4 bind,ro 0 0
/lib /var/lib/lxc/andre/rootfs/lib ext4 bind,ro 0 0
/lib64 /var/lib/lxc/andre/rootfs/lib64 ext4 bind,ro 0 0
/sbin /var/lib/lxc/andre/rootfs/sbin ext4 bind,ro 0 0
/usr /var/lib/lxc/andre/rootfs/usr ext4 bind,ro 0 0
# Individual host files shared read-only. Because /etc/pam.d, /etc/security,
# /etc/nsswitch.conf and the libnss-mysql configs are bound in, the container
# uses the host's PAM/NSS/libnss-mysql setup rather than its own copy.
/etc/hostname /var/lib/lxc/andre/rootfs/etc/hostname none bind,ro 0 0
/etc/environment /var/lib/lxc/andre/rootfs/etc/environment none bind,ro 0 0
/etc/resolv.conf /var/lib/lxc/andre/rootfs/etc/resolv.conf none bind,ro 0 0
/etc/network/if-down.d /var/lib/lxc/andre/rootfs/etc/network/if-down.d
none bind,ro 0 0
/etc/network/if-post-down.d
/var/lib/lxc/andre/rootfs/etc/network/if-post-down.d none bind,ro 0 0
/etc/network/if-pre-up.d
/var/lib/lxc/andre/rootfs/etc/network/if-pre-up.d none bind,ro 0 0
/etc/network/if-up.d /var/lib/lxc/andre/rootfs/etc/network/if-up.d none
bind,ro 0 0
/etc/default/locale /var/lib/lxc/andre/rootfs/etc/default/locale none
bind,ro 0 0
/etc/login.defs /var/lib/lxc/andre/rootfs/etc/login.defs none bind,ro 0 0
/etc/pam.conf /var/lib/lxc/andre/rootfs/etc/pam.conf none bind,ro 0 0
/etc/pam.d /var/lib/lxc/andre/rootfs/etc/pam.d none bind,ro 0 0
/etc/security /var/lib/lxc/andre/rootfs/etc/security none bind,ro 0 0
/etc/nsswitch.conf /var/lib/lxc/andre/rootfs/etc/nsswitch.conf none
bind,ro 0 0
/etc/libnss-mysql.cfg /var/lib/lxc/andre/rootfs/etc/libnss-mysql.cfg
none bind,ro 0 0
# NOTE(review): libnss-mysql-root.cfg conventionally holds the privileged DB
# credentials. A bind mount keeps the host file's ownership and mode, so the
# host-side permissions are what protect it inside the container -- verify
# they remain restrictive.
/etc/libnss-mysql-root.cfg
/var/lib/lxc/andre/rootfs/etc/libnss-mysql-root.cfg none bind,ro 0 0
/etc/alternatives /var/lib/lxc/andre/rootfs/etc/alternatives none
bind,ro 0 0
# procfs mounted read-only with nodev,noexec,nosuid; devpts with default
# options only.
proc /var/lib/lxc/andre/rootfs/proc proc ro,nodev,noexec,nosuid 0 0
devpts /var/lib/lxc/andre/rootfs/dev/pts devpts defaults 0 0
Thanks in advance,
Andre