[systemd-devel] systemd-nspawn/LXC containers & pam login failure

Lennart Poettering lennart at poettering.net
Thu May 9 06:56:27 PDT 2013


On Thu, 09.05.13 14:38, Daniel P. Berrange (berrange at redhat.com) wrote:

> 
> On Thu, May 09, 2013 at 03:32:09PM +0200, Lennart Poettering wrote:
> > On Thu, 09.05.13 11:38, Daniel P. Berrange (berrange at redhat.com) wrote:
> > 
> > > Following the suggestion in the systemd-nspawn manpage I populated
> > > a mini Fedora 19 chroot, on a Fedora 19 host
> > > 
> > >   # yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer \
> > >         --disablerepo='*' --enablerepo=fedora \
> > >         install systemd passwd yum fedora-release vim-minimal
> > >   # chroot /srv/mycontainer passwd
> > >   # systemd-nspawn -bD /srv/mycontainer
> > > 
> > > Systemd boots up nicely & presents a login prompt, but it is impossible
> > > to actually login, PAM always denying the attempts.
> > 
> > Yeah, this is a known problem. We generally suggest to turn off audit
> > by booting with audit=0 on the kernel cmdline for now:
> > 
> > https://fedoraproject.org/wiki/Features/SystemdLightweightContainers
> > 
> > I guess I should add a comment about this to nspawn's man page too.
> > 
> > The audit folks are working on adding container awareness to the audit
> > subsystem in the kernel (which basically means that audit messages carry
> > the outside PID of PID1 of the container, so that auditd can track this
> > properly). Currently audit is completely confused by PID
> > namespacing. Also, we want them to fix for us that opening a PID
> > namespace resets loginuid in the container to -1. We have discussed this
> > several times with them, and they wanted to do something about it, but so
> > far nothing happened. But we'll have another meeting about this next
> > week, so I can put some pressure on this.
> 
> Did you file any BZs against the kernel for this? If not I'll sort
> out some BZs to track these problems.

There's https://bugzilla.redhat.com/show_bug.cgi?id=893751

But this probably deserves two separate bugs against the kernel either
on rhbz or on upstream kernel bugzilla.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
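The audit/loginuid state discussed above can be checked from inside a container with the following script, an added example that is not part of the thread or of systemd. It reads the current process's audit login UID and the kernel command line; the two optional path arguments are an assumption of this example so the logic can be exercised against constructed files.

```shell
#!/bin/sh
# Added diagnostic for the failure discussed in this thread; not code from
# the thread or from systemd. Prints exactly one verdict:
#   audit-disabled   audit=0 is on the kernel cmdline (the workaround above)
#   loginuid-unset   loginuid is -1 (shown as 4294967295), the state the
#                    thread attributes to running in a fresh PID namespace
#   loginuid-set     loginuid already set, the normal state after a host login
#   loginuid-unknown /proc/self/loginuid could not be read
# Arguments (assumed for this example): [loginuid_file] [cmdline_file]
nspawn_audit_check() {
    loginuid_file=${1:-/proc/self/loginuid}
    cmdline_file=${2:-/proc/cmdline}

    loginuid=$(cat "$loginuid_file" 2>/dev/null | tr -d '[:space:]')
    cmdline=$(cat "$cmdline_file" 2>/dev/null || :)

    # audit=0 must appear as a whole token on the cmdline, not inside another
    case " $cmdline " in
        *" audit=0 "*)
            echo "audit-disabled"
            return 0 ;;
    esac

    # The kernel writes (uid_t)-1 to /proc/self/loginuid as 4294967295
    case "$loginuid" in
        "")
            echo "loginuid-unknown" ;;
        4294967295|-1)
            echo "loginuid-unset" ;;
        *)
            echo "loginuid-set" ;;
    esac
    return 0
}

# Stand-alone use: report on the process running this script.
nspawn_audit_check "$@"
```

A container that reports `loginuid-unset` without `audit-disabled` is in the state the thread describes; `audit-disabled` confirms the kernel cmdline workaround is in effect.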
