
Drop systemd support from nsswitch.conf on RHEL-based distros

A bit like we did for I3e0e86026f5a4a78473bed824cd1682d3a020cd5 we
should remove the nss-systemd lookup from containers. The reasons for
this are as follows:
1) Just like for I3e0e86026f5a4a78473bed824cd1682d3a020cd5
when this nss module is triggered it tries to talk to dbus.
It triggers a bunch of selinux denials and it makes little sense
to open all containers to talk to dbus.
In particular, if a container is run as non-privileged and bind-mounts
/run from the host, we will hit selinux denials like the following:

  type=USER_AVC msg=audit(1592337775.860:74119): pid=1284 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=406228 scontext=system_u:system_r:container_t:s0:c162,c886 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

2) It just makes little sense in a kolla-world to have containers
talk to dbus/systemd and it saves us some time when a lookup triggers
the systemd module for whatever reason. Especially because the
nss-systemd module does a few things which are not useful in a container
(ensures that the root and nobody users and groups remain resolvable,
SystemD's DynamicUser= feature, provides a Lookup API via Varlink).

The sed regex gives us the wanted results:
$ diff -u /etc/nsswitch.conf.orig /etc/nsswitch.conf
--- /etc/nsswitch.conf.orig     2020-06-19 07:18:10.974580755 +0000
+++ /etc/nsswitch.conf  2020-06-19 07:20:12.260230103 +0000
@@ -53,9 +53,9 @@
 # group:     db files

 # In order of likelihood of use to accelerate lookup.
-passwd:      sss files systemd
+passwd:      sss files
 shadow:     files sss
-group:       sss files systemd
+group:       sss files
 hosts:      files dns myhostname
 services:   files sss
 netgroup:   sss

Related-Bug: #1883849

Change-Id: I81e5b7abf4571fece13a029e25911e9e4dece673
(cherry picked from commit dc2ddfa975)
tags/8.0.4^0
Michele Baldessari 2 months ago
committed by Radosław Piliszek
parent
commit
7038e3ff03
2 changed files with 9 additions and 1 deletion
  1. docker/base/Dockerfile.j2 (+2 -1)
  2. releasenotes/notes/disable-systemd-nss-on-rhel-based-distros-5d586fcdb9a82da7.yaml (+7 -0)

docker/base/Dockerfile.j2 (+2 -1)

@@ -404,7 +404,8 @@ RUN sed -i \
{% endif %}

{% if base_distro == 'centos' or base_distro == 'rhel' %}
RUN sed -ri '/-session(\s+)optional(\s+)pam_systemd.so/d' /etc/pam.d/system-auth
RUN sed -ri '/-session(\s+)optional(\s+)pam_systemd.so/d' /etc/pam.d/system-auth \
&& sed -ri '/^[^#]/ s/systemd//g' /etc/nsswitch.conf
{% endif %}

COPY set_configs.py /usr/local/bin/kolla_set_configs
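Review bot: the substitution in `&& sed -ri '/^[^#]/ s/systemd//g' /etc/nsswitch.conf` is an unanchored substring match applied to every non-comment line of nsswitch.conf, so it strips `systemd` out of any longer token it happens to be part of and, on the `passwd:`/`group:` lines shown in the commit message, leaves the whitespace that preceded `systemd` as a trailing space. Anchoring the module name and consuming the leading whitespace with it, e.g. `s/[[:space:]]+systemd\b//g`, keeps the edit limited to the whole module name and yields a clean line. A one-line comment next to the `sed` stating why nss-systemd is removed (dbus traffic and selinux denials) would also help, since that rationale currently lives only in the commit message.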


releasenotes/notes/disable-systemd-nss-on-rhel-based-distros-5d586fcdb9a82da7.yaml (+7 -0)

@@ -0,0 +1,7 @@
---
fixes:
- |
Drop systemd support from nsswitch.conf on RHEL-based distros. This avoids
unneeded systemd nss lookups inside containers and it also avoids possible
selinux denials when a container bind mounts /run and makes the dbus socket
available inside the container only to be denied by selinux on the host.
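Review bot: check the indentation of the literal block under `- |`: as rendered here the four lines of note text start in the same column as the `- |` indicator, which YAML does not accept as the body of that block scalar; they need to be indented past the `-` (two spaces is the usual reno convention). If this is only a rendering artefact of the commit view, no change is needed.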
