Linux 3.14-rc8 (LXC broken)

Eric Paris eparis at redhat.com
Wed Mar 26 03:02:20 UTC 2014


On Tue, 2014-03-25 at 21:36 +0100, Andre Tomt wrote:
> *testing hat on*
> 
> PAM within namespaces (say, LXC) does not work anymore with 3.14-rc8,
> making login, ssh etc fail in containers unless you boot with audit=0.
> 
> This is due to a change in return value to user space; and is
> apparently a known issue as evident in this earlier post from February:
> https://www.redhat.com/archives/linux-audit/2014-February/msg00087.html
> 
> Judging from the post it seems they want to ship 3.14 with this IMO
> quite serious regression? What is the namespace/container folks' take on
> this?

Fair question.

Pam only worked in non-initial pid (or user) namespace if it was also in
the non-initial network namespace.  We added support for the network
namespace in 3.14.  So now PAM in the non-initial network namespace
functions the same as it would in the initial network namespace.  aka, it
fails.  This is actually what the audit userspace people think is the
right thing to happen.  You configured PAM to fail if it couldn't do the
right audit things, and it's failing.  Needing audit=0 is not new.

BUT given we broke (already broken [remember you configured PAM to fail
if audit didn't go well and it let you log in anyway?  aka broken?])
functionality adding network namespace support I'll send a request to
Linus tomorrow to rip out our network namespace support and I'll re-add
in 3.15 when we add pid (and partial user) namespace support.

-Eric
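Added diagnostic for this thread (not code from PAM, libaudit or the kernel): it opens the audit netlink socket from the current namespace, asks the kernel for status with AUDIT_GET, and classifies the outcome the way a PAM audit call would experience it. Treating ECONNREFUSED as "no audit in this namespace" and EPERM as "the kernel saw the request and refused it" is an assumption made for illustration, not a statement about any particular kernel release.

```c
/* Added diagnostic for this thread (not PAM, libaudit or kernel code):
 * open NETLINK_AUDIT from the current namespace, send AUDIT_GET, and
 * classify the reply. The errno-to-class mapping is an assumption. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <linux/netlink.h>
#include <linux/audit.h>

enum audit_probe { PROBE_OK, PROBE_UNAVAILABLE, PROBE_DENIED, PROBE_ERROR };

static const char *const probe_names[] = { "audit reachable",
    "audit unavailable in this namespace", "audit refused (EPERM)", "other error" };

const char *probe_name(enum audit_probe r) { return probe_names[r]; }

/* ECONNREFUSED: nobody is listening here (old in-container behaviour);
 * EPERM: the kernel handled the request and rejected it (what PAM trips on). */
static enum audit_probe classify(int err) {
    if (err == 0) return PROBE_OK;
    if (err == ECONNREFUSED) return PROBE_UNAVAILABLE;
    if (err == EPERM || err == EACCES) return PROBE_DENIED;
    return PROBE_ERROR;
}

enum audit_probe probe_audit(int *err_out) {
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    struct nlmsghdr req = { .nlmsg_len = NLMSG_LENGTH(0), .nlmsg_type = AUDIT_GET,
                            .nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK, .nlmsg_seq = 1 };
    union { struct nlmsghdr h; char raw[8192]; } buf;   /* aligned reply buffer */
    struct timeval tv = { .tv_sec = 2 };                 /* never hang on a silent kernel */
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0) { *err_out = errno; return classify(errno); }
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (sendto(fd, &req, req.nlmsg_len, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0) {
        *err_out = errno; close(fd); return classify(errno);
    }
    ssize_t n = recv(fd, &buf, sizeof buf, 0);   /* status reply or NLMSG_ERROR */
    close(fd);
    if (n < 0) { *err_out = errno; return classify(errno); }
    if (!NLMSG_OK(&buf.h, (size_t)n)) { *err_out = EIO; return PROBE_ERROR; }
    if (buf.h.nlmsg_type == NLMSG_ERROR) {      /* error field: 0 for ACK, else -errno */
        struct nlmsgerr *e = NLMSG_DATA(&buf.h);
        *err_out = -e->error;
        return classify(-e->error);
    }
    *err_out = 0;                               /* a real AUDIT_GET status came back */
    return PROBE_OK;
}
```

Run it inside the container and again on the host: a login failure like the one reported above should line up with the probe reporting "refused" where it previously reported "unavailable".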
