From: Eric Paris <eparis@redhat.com>
To: Andre Tomt <andre@tomt.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
containers@lists.linux-foundation.org
Subject: Re: Linux 3.14-rc8 (LXC broken)
Date: Tue, 25 Mar 2014 23:02:20 -0400
Message-ID: <1395802940.16116.16.camel@localhost>
In-Reply-To: <5331E8CB.3060708@tomt.net>
On Tue, 2014-03-25 at 21:36 +0100, Andre Tomt wrote:
> *testing hat on*
>
> PAM within namespaces (say, LXC) does not work anymore with 3.14-rc8,
> making login, ssh etc fail in containers unless you boot with audit=0.
>
> This is due to a change in return value to user space; and is
> apparently a known issue as evident in this earlier post from february:
> https://www.redhat.com/archives/linux-audit/2014-February/msg00087.html
>
> Judging from the post it seems they want to ship 3.14 with this IMO
> quite serious regression? What is the namespace/container folks take on
> this?
Fair question.
Pam only worked in non-initial pid (or user) namespace if it was also in
the non-initial network namespace. We added support for the network
namespace in 3.14. So now PAM in the non-initial network namespace
functions the same as it would in the initial network namespace. aka, it
fails. This is actually what the audit userspace people think is the
right thing to happen. You configured PAM to fail if it couldn't do the
right audit things, and it's failing. Needing audit=0 is not new.
BUT given we broke (already broken [remember you configured PAM to fail
if audit didn't go well and it let you log in anyway? aka broken?])
functionality adding network namespace support I'll send a request to
Linus tomorrow to rip out our network namespace support and I'll re-add
in 3.15 when we add pid (and partial user) namespace support.
-Eric
Thread overview (5+ messages):
2014-03-25 2:40  Linux 3.14-rc8  Linus Torvalds
2014-03-25 8:38  ` Dave Jones
2014-03-25 20:36 ` Linux 3.14-rc8 (LXC broken)  Andre Tomt
2014-03-25 21:32 ` Serge Hallyn
2014-03-26 3:02  ` Eric Paris [this message]