smengcl edited a comment on pull request #10:
URL: 
https://github.com/apache/ozone-docker-runner/pull/10#issuecomment-1030642660


   The root cause for issue (2) is that CentOS 8.4's 
`openssh-server-8.0p1-10.el8.x86_64` package installed by ozone repo's 
`compose/ozonscripts/Dockerfile` has `pam_nologin.so` listed as required in 
`/etc/pam.d/sshd`:
   
   ```bash
   [root@d6aa10d75824 /]# cat /etc/pam.d/sshd
   #%PAM-1.0
   auth       substack     password-auth
   auth       include      postlogin
   account    required     pam_sepermit.so
   account    required     pam_nologin.so
   account    include      password-auth
   password   include      password-auth
   # pam_selinux.so close should be the first session rule
   session    required     pam_selinux.so close
   session    required     pam_loginuid.so
   # pam_selinux.so open should only be followed by sessions to be executed in the user context
   session    required     pam_selinux.so open env_params
   session    required     pam_namespace.so
   session    optional     pam_keyinit.so force revoke
   session    optional     pam_motd.so
   session    include      password-auth
   session    include      postlogin
   [root@d6aa10d75824 /]# rpm -q --whatprovides /etc/pam.d/sshd
   openssh-server-8.0p1-10.el8.x86_64
   ```
   
   Therefore, when `/opt/hadoop/sbin/start-ozone.sh` script starts to ssh (as 
non-root user) into other containers, the ssh server in other containers checks 
the existence of `/run/nologin`, which should have been removed by some systemd 
service startup but it hasn't, and eventually rejects ssh login.
   
   The solution is to add a line in Ozone repo's 
`compose/ozonscripts/Dockerfile` to either:
   1) Remove `/run/nologin`; or
   2) Remove the line `account    required     pam_nologin.so` from 
`/etc/pam.d/sshd`


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@ozone.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
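
A diagnostic for the condition described in the comment above, as an added example that is not part of the pull request or the Ozone repository. The function names are hypothetical and the PAM file it inspects is a constructed sample containing only the account stack from the listing; paths are passed as arguments so the check runs against a copy rather than the live `/etc/pam.d/sshd` and `/run/nologin`.

```shell
#!/bin/sh
# Added example (not from the PR): diagnose the pam_nologin ssh lockout.
# File paths are arguments so the checks can run on a constructed copy.

# Exit 0 if an active "account required pam_nologin.so" rule is present.
pam_requires_nologin() {
    awk '$1 == "account" && $2 == "required" && $3 ~ /(^|\/)pam_nologin\.so$/ { found = 1 }
         END { exit !found }' "$1"
}

# Print "blocked" when sshd would reject non-root logins, otherwise "ok".
nologin_verdict() {
    if pam_requires_nologin "$1" && [ -e "$2" ]; then
        echo blocked
    else
        echo ok
    fi
}

# Option 1 from the comment: remove the flag file (keeps the PAM rule intact).
fix_remove_flag() { rm -f "$1"; }

# Option 2 from the comment: drop the rule from the PAM file.
fix_drop_pam_rule() {
    sed '/^account[[:space:]]\{1,\}required[[:space:]]\{1,\}pam_nologin\.so/d' "$1" > "$1.new" &&
        mv "$1.new" "$1"
}

# Constructed sample: the account stack from the listing above plus a flag file.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' '#%PAM-1.0' \
        'account    required     pam_sepermit.so' \
        'account    required     pam_nologin.so' \
        'account    include      password-auth' > "$1/sshd"
    : > "$1/nologin"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "before: $(nologin_verdict "$demo_dir/sshd" "$demo_dir/nologin")"
fix_remove_flag "$demo_dir/nologin"
echo "after:  $(nologin_verdict "$demo_dir/sshd" "$demo_dir/nologin")"
rm -rf "$demo_dir"
```

Option 1 leaves the `pam_nologin.so` rule in place, so the image still honours a nologin file created later; option 2 removes that check from sshd's account stack entirely.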


