A bit like we did for I3e0e86026f5a4a78473bed824cd1682d3a020cd5 we should remove the nss-systemd lookup from containers. The reasons for this are as follows:

1) Just like for I3e0e86026f5a4a78473bed824cd1682d3a020cd5 when this nss module is triggered it tries to talk to dbus. It triggers a bunch of selinux denials and it makes little sense to open all containers to talk to dbus. In particular, if a container is run as non-privileged and bind-mounts /run from the host, we will hit selinux denials like the following:

type=USER_AVC msg=audit(1592337775.860:74119): pid=1284 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=406228 scontext=system_u:system_r:container_t:s0:c162,c886 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' UID="dbus" AUID="unset" SAUID="dbus"

2) It just makes little sense in a kolla-world to have containers talk to dbus/systemd and it saves us some time when a lookup triggers the systemd module for whatever reason. Especially because the nss-systemd module does a few things which are not useful in a container (ensures that the root and nobody users and groups remain resolvable, SystemD's DynamicUser= feature, provide Lookup API via Varlink).

The sed regex gives us the wanted results:

$ diff -u /etc/nsswitch.conf.orig /etc/nsswitch.conf
--- /etc/nsswitch.conf.orig 2020-06-19 07:18:10.974580755 +0000
+++ /etc/nsswitch.conf 2020-06-19 07:20:12.260230103 +0000
@@ -53,9 +53,9 @@ # group: db files # In order of likelihood of use to accelerate lookup. -passwd: sss files systemd +passwd: sss files shadow: files sss -group: sss files systemd +group: sss files hosts: files dns myhostname services: files sss netgroup: sss

Related-Bug: #1883849
Change-Id: I81e5b7abf4571fece13a029e25911e9e4dece673
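Review bot: the hunk shows only the effect of the sed expression on the `passwd:` and `group:` lines, not the expression itself, although the message relies on it ("The sed regex gives us the wanted results"); quote the regex in the commit message so a reviewer can confirm it removes exactly the `systemd` token on those two databases (preceded by whitespace, followed by whitespace or end of line) and cannot clip a partial match or touch a comment line such as `# group: db files` that also appears in this hunk. The context line `hosts: files dns myhostname` is deliberately left unchanged; since the stated reason for the change is dbus traffic from nss-systemd, the message should also say why the myhostname module is kept, so the next person does not "finish the job" and strip it too.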
3 years ago

| Path | Latest commit | Age |
|---|---|---|
| notes | Drop systemd support from nsswitch.conf on RHEL-based distros | 3 years ago |
| source | Merge "Switch to newer openstackdocstheme and reno versions" | 3 years ago |
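The sed expression that produced the diff above is not shown on this page, so the following is an added example, not kolla's own code: a small POSIX shell script that strips the `systemd` source from the `passwd` and `group` databases of an nsswitch.conf the way the hunk shows, and a check that verifies the result before the image is considered done. The sed expression and the helper names (`drop_systemd_nss`, `check_no_systemd_nss`) are my assumptions, and the sample nsswitch.conf is constructed to resemble the RHEL-style file in the diff.

```shell
#!/bin/sh
# Added example (not kolla's code): drop the nss-systemd module from the
# passwd and group databases of an nsswitch.conf, then verify the result.
# The sed expression below is an assumption, not the regex from the change.

# Constructed sample resembling the RHEL-style nsswitch.conf in the diff.
make_sample_nsswitch() {
    # $1: path to write
    cat > "$1" <<'EOF'
# group: db files

# In order of likelihood of use to accelerate lookup.
passwd:     sss files systemd
shadow:     files sss
group:      sss files systemd
hosts:      files dns myhostname
services:   files sss
netgroup:   sss
EOF
}

# Remove the "systemd" source only from the passwd and group lines.
# The token must be preceded by whitespace and followed by whitespace or
# end of line, so "systemd" inside another word or in a comment is untouched
# and the other databases (shadow, hosts, ...) are never modified.
drop_systemd_nss() {
    # $1: nsswitch.conf path (rewritten via a temp file, no sed -i needed)
    tmp="$1.tmp.$$"
    sed -E '/^(passwd|group):/ s/[[:space:]]+systemd([[:space:]]|$)/\1/' "$1" > "$tmp" &&
        mv "$tmp" "$1"
}

# Return 0 when no passwd/group database still lists systemd, 1 otherwise.
# This is the check to run at image build time after the sed has run.
check_no_systemd_nss() {
    # $1: nsswitch.conf path
    ! grep -Eq '^(passwd|group):.*[[:space:]]systemd([[:space:]]|$)' "$1"
}

# Print the passwd and group lines, for a quick look at the outcome.
show_passwd_group() {
    grep -E '^(passwd|group):' "$1"
}

if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    make_sample_nsswitch "$f"
    drop_systemd_nss "$f"
    show_passwd_group "$f"
    check_no_systemd_nss "$f" && echo "ok: systemd removed from passwd/group"
    rm -f "$f"
fi
```

Run it as `sh script.sh demo` to see the two edited lines; in a Dockerfile the `drop_systemd_nss` and `check_no_systemd_nss` calls would follow the package install step, so a build fails loudly if a later base image changes the nsswitch.conf layout and the sed no longer matches.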