A bit like we did for I3e0e86026f5a4a78473bed824cd1682d3a020cd5 we
should remove the nss-systemd lookup from containers. The reasons for
this are as follows:
1) Just like for I3e0e86026f5a4a78473bed824cd1682d3a020cd5
when this nss module is triggered it tries to talk to dbus.
It triggers a bunch of selinux denials and it makes little sense
to open all containers to talk to dbus.
In particular, if a container is run as non-privileged and bind-mounts
/run from the host, we will hit selinux denials like the following:
type=USER_AVC msg=audit(1592337775.860:74119): pid=1284 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=406228 scontext=system_u:system_r:container_t:s0:c162,c886 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
2) It just makes little sense in a kolla-world to have containers
talk to dbus/systemd and it saves us some time when a lookup triggers
the systemd module for whatever reason. Especially because the
nss-systemd module does a few things which are not useful in a container
(ensures that the root and nobody users and groups remain resolvable,
SystemD's DynamicUser= feature, provide Lookup API via Varlink)
The sed regex gives us the wanted results:
$ diff -u /etc/nsswitch.conf.orig /etc/nsswitch.conf
--- /etc/nsswitch.conf.orig 2020-06-19 07:18:10.974580755 +0000
+++ /etc/nsswitch.conf 2020-06-19 07:20:12.260230103 +0000
@@ -53,9 +53,9 @@
# group: db files
# In order of likelihood of use to accelerate lookup.
-passwd: sss files systemd
+passwd: sss files
shadow: files sss
-group: sss files systemd
+group: sss files
hosts: files dns myhostname
services: files sss
netgroup: sss
Related-Bug: #1883849
Change-Id: I81e5b7abf4571fece13a029e25911e9e4dece673
dc2ddfa975