Re: Linux 3.14-rc8 (LXC broken)

Re: Linux 3.14-rc8 (LXC broken)

[Andre Tomt]

*testing hat on*

PAM within namespaces (say, LXC) does not work anymore with 3.14-rc8,
making login, ssh etc fail in containers unless you boot with audit=0.

This is due to a change in return value to user space; and is
appearantly a known issue as evident in this earlier post from february:
https://www.redhat.com/archives/linux-audit/2014-February/msg00087.html

Judging from the post it seems they want to ship 3.14 with this IMO
quite serious regression? What is the namespace/container folks take on
this?

Re: Linux 3.14-rc8 (LXC broken)

[Serge Hallyn]

Quoting Andre Tomt (andre-59NiGsLHOdY@public.gmane.org):
> *testing hat on*
> 
> PAM within namespaces (say, LXC) does not work anymore with 3.14-rc8,
> making login, ssh etc fail in containers unless you boot with audit=0.
> 
> This is due to a change in return value to user space; and is
> appearantly a known issue as evident in this earlier post from february:
> https://www.redhat.com/archives/linux-audit/2014-February/msg00087.html
> 
> Judging from the post it seems they want to ship 3.14 with this IMO
> quite serious regression? What is the namespace/container folks take on
> this?

Without looking too deeply, it seems to me that patch has no
benefit on its own, and should simply be stashed until the next
set of patches are ready.

-serge

Re: Linux 3.14-rc8 (LXC broken)

[Eric Paris]

On Tue, 2014-03-25 at 21:36 +0100, Andre Tomt wrote:
> *testing hat on*
> 
> PAM within namespaces (say, LXC) does not work anymore with 3.14-rc8,
> making login, ssh etc fail in containers unless you boot with audit=0.
> 
> This is due to a change in return value to user space; and is
> appearantly a known issue as evident in this earlier post from february:
> https://www.redhat.com/archives/linux-audit/2014-February/msg00087.html
> 
> Judging from the post it seems they want to ship 3.14 with this IMO
> quite serious regression? What is the namespace/container folks take on
> this?

Fair question.

Pam only worked in non-initial pid (or user) namespace if it was also in
the non-initial network namespace.  We added support for the network
namespace in 3.14.  So now PAM in the non-initial network namespace
functions the same as it would in the inital network namespace.  aka, it
fails.  This is actually what the audit userspace people think is the
right thing to happen.  You configured PAM to fail if it couldn't do the
right audit things, and it's failing.  Needing audit=0 is not new.

BUT given we broke (already broken [remember you configured PAM to fail
if audit didn't go well and it let you log in anyway?  aka broken?])
functionality adding network namespace support I'll send a request to
Linus tomorrow to rip out our network namespace support and I'll re-add
in 3.15 when we add pid (and partial user) namespace support.

-Eric