Containerized sshd does not work with older PAM

sshd containers don't allow logins on some systems with an older
PAM library because /proc/self/loginuid is not always readable
or writeable. Examples of possible failures on such systems are
erroneous cold and live migrations.

This fix does not upgrade PAM but makes pam_loginuid optional
for nova_ssh and keystone_ssh.

More information:
  https://github.com/docker/docker/issues/5663
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726661
  https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_loginuid/pam_loginuid.c#n61

Change-Id: Ic14255b042ceedcff536c062bdcba00502af7a87
Closes-Bug: #1651395
Vladislav Belogrudov 2016-12-20 13:53:33 +03:00
parent 95bb052fe7
commit aae9193675
2 changed files with 4 additions and 1 deletions


@ -22,6 +22,8 @@ RUN mkdir -p /var/run/sshd \
{% endif %}
{{ macros.install_packages(keystone_ssh_packages | customizable("packages")) }}
RUN sed -ri 's/session(\s+)required(\s+)pam_loginuid.so/session\1optional\2pam_loginuid.so/' /etc/pam.d/sshd
COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN chmod 755 /usr/local/bin/kolla_extend_start
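
Review bot: The sed on the new RUN line exits successfully even when nothing matches, so a base image whose /etc/pam.d/sshd spells the entry differently builds cleanly and still has pam_loginuid as required. Follow the substitution with a check such as grep -Eq 'session\s+optional\s+pam_loginuid\.so' /etc/pam.d/sshd so the build fails if the change did not land, and escape the dot in pam_loginuid.so in the pattern. A one-line comment above the RUN pointing at the bug would also help later readers, since relaxing this module means a session can start without its audit login UID being set.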


@ -18,7 +18,8 @@ RUN mkdir -p /var/run/sshd \
{{ macros.install_packages(nova_ssh_packages | customizable("packages")) }}
RUN chsh -s /bin/bash nova
RUN chsh -s /bin/bash nova \
&& sed -ri 's/session(\s+)required(\s+)pam_loginuid.so/session\1optional\2pam_loginuid.so/' /etc/pam.d/sshd
COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN chmod 755 /usr/local/bin/kolla_extend_start
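
Review bot: The sed expression chained onto RUN chsh -s /bin/bash nova is an exact copy of the one added to the keystone_ssh template, but there it is a standalone RUN and here it is joined with &&. Pick one form for both images, and consider moving the substitution into a shared macro next to macros.install_packages so the two templates cannot drift apart if the pattern is changed later.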