[systemd-devel] systemd-nspawn/LXC containers & pam login failure

Daniel P. Berrange berrange at redhat.com
Thu May 9 08:11:41 PDT 2013 

On Thu, May 09, 2013 at 03:32:09PM +0200, Lennart Poettering wrote:
> On Thu, 09.05.13 11:38, Daniel P. Berrange (berrange at redhat.com) wrote:
> 
> > Following the suggestion in the systemd-nspawn manpage I populated
> > a mini Fedora 19 chroot, on a Fedora 19 host
> > 
> >   # yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer \
> >         --disablerepo='*' --enablerepo=fedora \
> >         install systemd passwd yum fedora-release vim-minimal
> >   # chroot /srv/mycontainer passwd
> >   # systemd-nspawn -bD /srv/mycontainer
> > 
> > Systemd boots up nicely & presents a login prompt, but it is impossible
> > to actually login, PAM always denying the attempts.
> 
> Yeah, this is a known problem. We generally suggest to turn off audit
> by booting with audit=0 on the kernel cmdline for now:
> 
> https://fedoraproject.org/wiki/Features/SystemdLightweightContainers
> 
> I guess I should add a comment about this to nspawn's man page too.
> 
> The audit folks are working on adding container awareness to the audit
> subsystem in the kernel (which basically means that audit messages carry
> the outside PID of PID1 of the container, so that auditd can track this
> properly). Currently audit is completely confused by PID
> namespacing. Also, we want them to fix for us that opening a PID
> namespace resets loginuid in the container to -1. We have discussed this
> several times with them, and they wanted to something about it, but so
> far nothing happened. But we'll have another meeting about this next
> week, so I can put some pressure on this.

Quite by accident I discovered that if you tell systemd-nspawn to
create a new network namespace, you no longer hit the EPERM issues
with sending audit messages. This is because the kernel only listens
for audit messages in the initial network namespace. libaudit catches
ECONNREFUSED  and turns into a no-op returning success, meaning that
PAM now works.

So if you use   systemd-nspawn --private-network, and make sure it
is launched by systemd itself not from yuour shell, then the standard
PAM config will 'just work'

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the systemd-devel mailing list