On Thu, 2013-12-19 at 22:17 +0100, Stéphane Graber wrote: > On Thu, Dec 19, 2013 at 11:36:08AM -0500, Michael H. Warfield wrote: > > Fix version checking and deal with pam_loginuid in CentOS template. > > > > This deals with a reported issue when running and building containers > > on a CentOS host system. > > > > Fixed various typos in version checking when running on a CentOS system. > > Added logic for differences between point releases (6.5) and rolling (6). > > Added version detection logic when running on RHEL systems as well. > > Fixed cpe detection string (CentOS is not adhering to their own > > registration). > > Added logic to disable the pam_loginuid.so binary in containers. > > > > Signed-off-by: Michael H. Warfield <[email protected]> > > --- > > templates/lxc-centos.in | 68 > > ++++++++++++++++++++++++++++++++++++++++++++----- > > 1 file changed, 62 insertions(+), 6 deletions(-) > > > > diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in > > index 95802dc..7d47715 100644 > > --- a/templates/lxc-centos.in > > +++ b/templates/lxc-centos.in 
> > @@ -54,17 +54,34 @@ fi > > if [ "${CPE_NAME}" = "" -a -e /etc/system-release-cpe ] > > then > > CPE_NAME=$(head -n1 /etc/system-release-cpe) > > - CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:*]\)') > > + CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:]*\)') > > if [ "${CPE_URI}" != "cpe:/o" ] > > then > > CPE_NAME= > > else > > - echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}" > > # Probably a better way to do this but sill remain posix > > # compatible but this works, shrug... > > # Must be nice and not introduce convenient bashisms here. > > + # > > + # According to the official registration at Mitre and NIST, > > + # this should have been something like this for CentOS: > > + # cpe:/o:centos:centos:6 > > + # or this: > > + # cpe:/o:centos:centos:6.5 > > + # > > ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:\([^:]*\)') > > + # The "enterprise_linux" is a bone toss back to RHEL. > > + # Since CentOS and RHEL are so tightly coupled, we'll > > + # take the RHEL version if we're running on it and do the > > + # equivalent version for CentOS. > > + if [ ${ID} = "linux" -o ${ID} = "enterprise_linux" ] > > + then > > + # Instead we got this: cpe:/o:centos:linux:6 > > + ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:\([^:]*\)') > > + fi > > + > > VERSION_ID=$(expr ${CPE_NAME} : > > '[^:]*:[^:]*:[^:]*:[^:]*:\([^:]*\)') > > + echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}" > > fi > > fi 
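Review bot: in the new `if [ ${ID} = "linux" -o ${ID} = "enterprise_linux" ]` test the variable is unquoted, so when the preceding `expr` finds no fourth field and `ID` ends up empty the test collapses to `[ = "linux" -o = "enterprise_linux" ]` and the template aborts with a syntax error instead of falling through to the release-file parsing in the next hunk; quote both operands (`[ "${ID}" = "linux" -o "${ID}" = "enterprise_linux" ]`) and, for the same reason, quote `"${CPE_NAME}"` in the `expr` calls so a malformed CPE string cannot be word-split or glob-expanded. The `CPE_URI` change from `'\([^:]*:[^:*]\)'` to `'\([^:]*:[^:]*\)'` is correct: the old class matched exactly one non-colon character, so the result was `cpe:/` and the comparison with `cpe:/o` could never succeed.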
> > > > @@ -72,10 +89,14 @@ if [ "${CPE_NAME}" != "" -a "${ID}" = "centos" -a > > "${VERSION_ID}" != "" ] > > then > > centos_host_ver=${VERSION_ID} > > is_centos=true > > -elif [ -e /etc/redhat-release ] > > +elif [ "${CPE_NAME}" != "" -a "${ID}" = "redhat" -a "${VERSION_ID}" != "" ] > > +then > > + redhat_host_ver=${VERSION_ID} > > + is_redhat=true > > +elif [ -e /etc/centos-release ] > > then > > # Only if all other methods fail, try to parse the redhat-release file. > > - centos_host_ver=$( sed -e '/^CentOS /!d' -e > > 's/CentOS*\srelease\s*\([0-9][0-9]*\)\s.*/\1/' < /etc/redhat-release ) > > + centos_host_ver=$( sed -e '/^CentOS /!d' -e > > 's/CentOS.*\srelease\s*\([0-9][0-9.]*\)\s.*/\1/' < /etc/centos-release ) > > if [ "$centos_host_ver" != "" ] > > then > > is_centos=true > > @@ -130,6 +151,32 @@ configure_centos() > > sed -i '/^session.*pam_loginuid.so/s/^session/# session/' > > ${rootfs_path}/etc/pam.d/login > > sed -i '/^session.*pam_loginuid.so/s/^session/# session/' > > ${rootfs_path}/etc/pam.d/sshd > > > > + if [ -f ${rootfs_path}/etc/pam.d/crond ] > > + then > > + sed -i '/^session.*pam_loginuid.so/s/^session/# session/' > > ${rootfs_path}/etc/pam.d/crond > > + fi > > + > > + # In addition to disabling pam_loginuid in the above config files > > + # we'll also disable it by linking it to pam_permit to catch any > > + # we missed or any that get installed after the container is built. > > + # > > + # Catch either or both 32 and 64 bit archs. > > + if [ -f ${rootfs_path}/lib/security/pam_loginuid.so ] > > + then > > + ( cd ${rootfs_path}/lib/security/ > > + mv pam_loginuid.so pam_loginuid.so.disabled > > + ln -s pam_permit.so pam_loginuid.so > > + ) > > + fi > > + > > + if [ -f ${rootfs_path}/lib64/security/pam_loginuid.so ] > > + then > > + ( cd ${rootfs_path}/lib64/security/ > > + mv pam_loginuid.so pam_loginuid.so.disabled > > + ln -s pam_permit.so pam_loginuid.so > > + ) > > + fi
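Review bot: the comment above the fallback still says "try to parse the redhat-release file" while the line now reads `/etc/centos-release`; update the comment, and be aware that dropping `/etc/redhat-release` from the fallback means a host that has the Red Hat file but no `/etc/centos-release` and no usable CPE string gets no version detected and lands in the "defaulting to 6" branch later in the file. The `\s` in the sed expression is also a GNU extension, which sits oddly next to the "must remain posix" remark in the previous hunk; `[[:space:]]` is the portable spelling.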
> So what happens next time there's a bugfix or security release of pam?
Nothing worse than what happens already. We've got a problem here and
the crond package highlighted it. Was Dwight's suggestion. Currently,
that module will not function in a container and it's documented in a
RedHat bug. Maybe, next time they update it, someone will have a
solution.
> In dpkg we've got dpkg-divert that can be used for those cases, what's
> the rpm equivalent to that feature (tell the package manager to write
> /path/a to /path/b and leave /path/a to the local administrator)?
That's a good question. I wasn't aware of that. Normally, we've got
epochs and all to block packages. I'll have to give that some thought.
ITMT, this is the best the two of us have come up with. I'm open to
suggestions...
> > +
> > # configure the network using the dhcp
> > cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
> > DEVICE=eth0
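Review bot: the symlink step is not idempotent: `-f` follows symlinks, so if `configure_centos` runs a second time on the same rootfs the test still succeeds, `mv pam_loginuid.so pam_loginuid.so.disabled` overwrites the saved original with the symlink, and the real module is lost; guard it with `[ -f ... -a ! -L ... ]` or skip when `pam_loginuid.so.disabled` already exists. The `( cd dir; mv ...; ln ... )` subshells should use `cd dir || exit 1`, otherwise a failed cd leaves the mv/ln running in the caller's directory. Finally, since the shared object is an ordinary packaged file rather than a config file, the next update of the pam package inside the container will write the real module back over the symlink and silently re-enable pam_loginuid, whereas the commented-out `session` lines in /etc/pam.d survive updates; the comment should say this is a best-effort catch-all rather than a durable fix.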
> > @@ -543,15 +590,24 @@ fi
> > if [ -z "$release" ]; then
> > if [ "$is_centos" -a "$centos_host_ver" ]; then
> > release=$centos_host_ver
> > + elif [ "$is_redhat" -a "$redhat_host_ver" ]; then
> > + # This is needed to clean out bullshit like 6workstation and
> > 6server.
> > + release=$(expr $redhat_host_ver : '\([0-9.]*\)')
> > else
> > - echo "This is not a centos host and release missing, defaulting to
> > 6 use -R|--release to specify release"
> > + echo "This is not a CentOS or Redhat host and release is missing,
> > defaulting to 6 use -R|--release to specify release"
> > release=6
> > fi
> > fi
> >
> > # CentOS 7 and above should run systemd. We need autodev enabled to keep
> > # systemd from causing problems.
> > -if [ $release -gt 6 ]; then
> > +#
> > +# There is some ambiguity here due to the differnce between versioning
> > +# of point specific releases such as 6.5 and the rolling release 6. We
> > +# only want the major number here if it's a point release...
> > +
> > +mrelease=$(expr $release : '\([0-9]*\)')
> > +if [ $mrelease -gt 6 ]; then
> > auto_dev="1"
> > else
> > auto_dev="0"
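Review bot: `mrelease=$(expr $release : '\([0-9]*\)')` yields an empty string whenever `$release` does not start with a digit (for example a user-supplied `-R` value with a leading letter), and the unquoted `[ $mrelease -gt 6 ]` then fails with an "integer expression expected" error instead of a clear message; quote the variable and validate it, e.g. reject an empty `mrelease` and test `[ "${mrelease:-0}" -gt 6 ]`. Quote `$redhat_host_ver` in the `expr` call for the same reason. Also "differnce" in the new comment is a typo.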
> > --
> > 1.8.3.1
> > _______________________________________________
> > lxc-devel mailing list
> > [email protected]
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | [email protected]
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
