From aae9193675ed214f7a4455708409532ea1665255 Mon Sep 17 00:00:00 2001
From: Vladislav Belogrudov
Date: Tue, 20 Dec 2016 13:53:33 +0300
Subject: [PATCH] Containerized sshd does not work with older PAM
sshd containers don't let logins on some systems with older PAM library because /proc/self/loginuid is not always readable or writeable. Examples of possible failures on such systems are erroneous cold and live migrations. This fix does not upgrade PAM but makes pam_loginuid optional for nova_ssh and keystone_ssh. More information:
https://github.com/docker/docker/issues/5663
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726661
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_loginuid/pam_loginuid.c#n61
Change-Id: Ic14255b042ceedcff536c062bdcba00502af7a87
Closes-Bug: #1651395
---
 docker/keystone/keystone-ssh/Dockerfile.j2 | 2 ++
 docker/nova/nova-ssh/Dockerfile.j2 | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/docker/keystone/keystone-ssh/Dockerfile.j2 b/docker/keystone/keystone-ssh/Dockerfile.j2
index 5b52879816..3848e801dd 100644
--- a/docker/keystone/keystone-ssh/Dockerfile.j2
+++ b/docker/keystone/keystone-ssh/Dockerfile.j2
@@ -22,6 +22,8 @@ RUN mkdir -p /var/run/sshd \
 {% endif %}
 {{ macros.install_packages(keystone_ssh_packages | customizable("packages")) }}
+RUN sed -ri 's/session(\s+)required(\s+)pam_loginuid.so/session\1optional\2pam_loginuid.so/' /etc/pam.d/sshd
+
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 755 /usr/local/bin/kolla_extend_start
diff --git a/docker/nova/nova-ssh/Dockerfile.j2 b/docker/nova/nova-ssh/Dockerfile.j2
index 2ec3b5a5b7..3b4ded4127 100644
--- a/docker/nova/nova-ssh/Dockerfile.j2
+++ b/docker/nova/nova-ssh/Dockerfile.j2
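Review bot: The `sed -ri` added to docker/keystone/keystone-ssh/Dockerfile.j2 exits 0 even when its pattern matches nothing, so a base image whose /etc/pam.d/sshd spells the pam_loginuid line differently would build cleanly and still hit the login failure this commit targets. Asserting the result in the same RUN would surface that at build time, for example `&& grep -Eq '^session\s+optional\s+pam_loginuid\.so' /etc/pam.d/sshd`. The pattern is also unanchored and leaves the `.` in `pam_loginuid.so` unescaped, so `^session` and `pam_loginuid\.so` would be tighter. The same applies to the sed chained after `chsh` in the docker/nova/nova-ssh/Dockerfile.j2 hunk.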
@@ -18,7 +18,8 @@ RUN mkdir -p /var/run/sshd \
 {{ macros.install_packages(nova_ssh_packages | customizable("packages")) }}
-RUN chsh -s /bin/bash nova
+RUN chsh -s /bin/bash nova \
+ && sed -ri 's/session(\s+)required(\s+)pam_loginuid.so/session\1optional\2pam_loginuid.so/' /etc/pam.d/sshd
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 755 /usr/local/bin/kolla_extend_start
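Review bot: Nothing in this Dockerfile records why the sshd PAM session stack is being relaxed; the reason exists only in the commit message. With `optional`, a pam_loginuid failure no longer aborts the session, so on hosts where /proc/self/loginuid cannot be written, logins presumably proceed without an audit login UID, which matters to anyone relying on auditd to attribute these SSH sessions. A comment above the `RUN chsh` line would keep that trade-off visible, e.g. `# pam_loginuid is optional: older PAM cannot write /proc/self/loginuid inside a container (Closes-Bug #1651395)`. The same comment belongs above the `RUN sed` line in the keystone-ssh hunk.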