On Thu, Dec 19, 2013 at 09:23:44PM -0500, Michael H. Warfield wrote: > On Thu, 2013-12-19 at 22:17 +0100, Stéphane Graber wrote: > > On Thu, Dec 19, 2013 at 11:36:08AM -0500, Michael H. Warfield wrote: > > > Fix version checking and deal with pam_loginuid in CentOS template. > > > > > > This deals with a reported issue when running and building containers > > > on a CentOS host system. > > > > > > Fixed various typos in version checking when running on a CentOS system. > > > Added logic for differences between point releases (6.5) and rolling (6). > > > Added version detection logic when running on RHEL systems as well. > > > Fixed cpe detection string (CentOS is not adhering to their own > > > registration). > > > Added logic to disable the pam_loginuid.so binary in containers. > > > > > > Signed-off-by: Michael H. Warfield <[email protected]> > > > --- > > > templates/lxc-centos.in | 68 > > > ++++++++++++++++++++++++++++++++++++++++++++----- > > > 1 file changed, 62 insertions(+), 6 deletions(-) > > > > > > diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in > > > index 95802dc..7d47715 100644 > > > --- a/templates/lxc-centos.in > > > +++ b/templates/lxc-centos.in 
> > > @@ -54,17 +54,34 @@ fi > > > if [ "${CPE_NAME}" = "" -a -e /etc/system-release-cpe ] > > > then > > > CPE_NAME=$(head -n1 /etc/system-release-cpe) > > > - CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:*]\)') > > > + CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:]*\)') > > > if [ "${CPE_URI}" != "cpe:/o" ] > > > then > > > CPE_NAME= > > > else > > > - echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}" > > > # Probably a better way to do this but sill remain posix > > > # compatible but this works, shrug... > > > # Must be nice and not introduce convenient bashisms here. > > > + # > > > + # According to the official registration at Mitre and NIST, > > > + # this should have been something like this for CentOS: > > > + # cpe:/o:centos:centos:6 > > > + # or this: > > > + # cpe:/o:centos:centos:6.5 > > > + # > > > ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:\([^:]*\)') > > > + # The "enterprise_linux" is a bone toss back to RHEL. > > > + # Since CentOS and RHEL are so tightly coupled, we'll > > > + # take the RHEL version if we're running on it and do the > > > + # equivalent version for CentOS. > > > + if [ ${ID} = "linux" -o ${ID} = "enterprise_linux" ] > > > + then > > > + # Instead we got this: cpe:/o:centos:linux:6 > > > + ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:\([^:]*\)') > > > + fi > > > + > > > VERSION_ID=$(expr ${CPE_NAME} : > > > '[^:]*:[^:]*:[^:]*:[^:]*:\([^:]*\)') > > > + echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}" > > > fi > > > fi 
> > > > > > @@ -72,10 +89,14 @@ if [ "${CPE_NAME}" != "" -a "${ID}" = "centos" -a > > > "${VERSION_ID}" != "" ] > > > then > > > centos_host_ver=${VERSION_ID} > > > is_centos=true > > > -elif [ -e /etc/redhat-release ] > > > +elif [ "${CPE_NAME}" != "" -a "${ID}" = "redhat" -a "${VERSION_ID}" != > > > "" ] > > > +then > > > + redhat_host_ver=${VERSION_ID} > > > + is_redhat=true > > > +elif [ -e /etc/centos-release ] > > > then > > > # Only if all other methods fail, try to parse the redhat-release > > > file. > > > - centos_host_ver=$( sed -e '/^CentOS /!d' -e > > > 's/CentOS*\srelease\s*\([0-9][0-9]*\)\s.*/\1/' < /etc/redhat-release ) > > > + centos_host_ver=$( sed -e '/^CentOS /!d' -e > > > 's/CentOS.*\srelease\s*\([0-9][0-9.]*\)\s.*/\1/' < /etc/centos-release ) > > > if [ "$centos_host_ver" != "" ] > > > then > > > is_centos=true 
> > > @@ -130,6 +151,32 @@ configure_centos() > > > sed -i '/^session.*pam_loginuid.so/s/^session/# session/' > > > ${rootfs_path}/etc/pam.d/login > > > sed -i '/^session.*pam_loginuid.so/s/^session/# session/' > > > ${rootfs_path}/etc/pam.d/sshd > > > > > > + if [ -f ${rootfs_path}/etc/pam.d/crond ] > > > + then > > > + sed -i '/^session.*pam_loginuid.so/s/^session/# session/' > > > ${rootfs_path}/etc/pam.d/crond > > > + fi > > > + > > > + # In addition to disabling pam_loginuid in the above config files > > > + # we'll also disable it by linking it to pam_permit to catch any > > > + # we missed or any that get installed after the container is built. > > > + # > > > + # Catch either or both 32 and 64 bit archs. > > > + if [ -f ${rootfs_path}/lib/security/pam_loginuid.so ] > > > + then > > > + ( cd ${rootfs_path}/lib/security/ > > > + mv pam_loginuid.so pam_loginuid.so.disabled > > > + ln -s pam_permit.so pam_loginuid.so > > > + ) > > > + fi > > > + > > > + if [ -f ${rootfs_path}/lib64/security/pam_loginuid.so ] > > > + then > > > + ( cd ${rootfs_path}/lib64/security/ > > > + mv pam_loginuid.so pam_loginuid.so.disabled > > > + ln -s pam_permit.so pam_loginuid.so > > > + ) > > > + fi > > > So what happens next time there's a bugfix or security release of pam? > > Nothing worse than what happens already. We've got a problem here and > the crond package highlighted it. Was Dwight's suggestion. Currently, > that module will not function in a container and it's documented in a > RedHat bug. Maybe, next time they update it, someone will have a > solution. > > > In dpkg we've got dpkg-divert that can be used for those cases, what's > > the rpm equivalent to that feature (tell the package manager to write > > /path/a to /path/b and leave /path/a to the local administrator)? > > That's a good question. I wasn't aware of that. Normally, we've got > epochs and all to block packages. I'll have to give that some thought. > ITMT, this is the best the two of us have come up with. 
I'm open to > suggestions... >
I don't know RedHat enough to give suggestions, so long as you're aware of the problem, I'm fine with the change. I really wish all distros would have the same policy as Ubuntu where we want clean installs (identical to those done on hardware) to work in LXC and have dist-upgrades working too but I know it's a bit unrealistic at this point... Anyway: Acked-by: Stéphane Graber <[email protected]> > > > + > > > # configure the network using the dhcp > > > cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0 > > > DEVICE=eth0 
> > > @@ -543,15 +590,24 @@ fi > > > if [ -z "$release" ]; then > > > if [ "$is_centos" -a "$centos_host_ver" ]; then > > > release=$centos_host_ver > > > + elif [ "$is_redhat" -a "$redhat_host_ver" ]; then > > > + # This is needed to clean out bullshit like 6workstation and > > > 6server. > > > + release=$(expr $redhat_host_ver : '\([0-9.]*\)') > > > else > > > - echo "This is not a centos host and release missing, defaulting > > > to 6 use -R|--release to specify release" > > > + echo "This is not a CentOS or Redhat host and release is > > > missing, defaulting to 6 use -R|--release to specify release" > > > release=6 > > > fi > > > fi > > > > > > # CentOS 7 and above should run systemd. We need autodev enabled to keep > > > # systemd from causing problems. > > > -if [ $release -gt 6 ]; then > > > +# > > > +# There is some ambiguity here due to the differnce between versioning > > > +# of point specific releases such as 6.5 and the rolling release 6. We > > > +# only want the major number here if it's a point release... > > > + > > > +mrelease=$(expr $release : '\([0-9]*\)') > > > +if [ $mrelease -gt 6 ]; then > > > auto_dev="1" > > > else > > > auto_dev="0" > > > -- > > > 1.8.3.1 > > > > > > > > > > > > > > > -- > > > Michael H. Warfield (AI4NB) | (770) 978-7061 | [email protected] > > > /\/\|=mhw=|\/\/ | (678) 463-0932 | > > > http://www.wittsend.com/mhw/ > > > NIC whois: MHW9 | An optimist believes we live in the best of > > > all > > > PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it! > > > > > > > > > > > > _______________________________________________ > > > lxc-devel mailing list > > > [email protected] > > > http://lists.linuxcontainers.org/listinfo/lxc-devel
-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
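Review bot: in the @@ -54,17 +54,34 @@ hunk the new test `if [ ${ID} = "linux" -o ${ID} = "enterprise_linux" ]` leaves `${ID}` unquoted, so a CPE string with fewer than four colon-separated fields makes the preceding `expr` print an empty ID and the test degenerates to `[ = "linux" -o = "enterprise_linux" ]`, which aborts with a shell error instead of falling through to the `VERSION_ID` extraction. Quote it as `if [ "${ID}" = "linux" -o "${ID}" = "enterprise_linux" ]`, matching the quoting the surrounding lines already use for `"${CPE_URI}"` and `"${CPE_NAME}"`. The `expr ${CPE_NAME} : ...` calls have the same exposure if `/etc/system-release-cpe` ever contains whitespace; `"${CPE_NAME}"` costs nothing.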
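Review bot: in the @@ -72,10 +89,14 @@ hunk the fallback branch now tests and parses `/etc/centos-release`, but the comment directly under it still reads "try to parse the redhat-release file"; update it to name centos-release. A related logic point: with `-e /etc/redhat-release` removed, the only path that sets `is_redhat` requires a non-empty `CPE_NAME`, so a Red Hat host without `/etc/system-release-cpe` matches no branch and silently takes the `release=6` default in the later hunk. If such hosts are meant to be supported, keep a redhat-release parse as a last resort for the Red Hat case as well.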
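Review bot: in the @@ -130,6 +151,32 @@ hunk the `mv pam_loginuid.so pam_loginuid.so.disabled` / `ln -s pam_permit.so pam_loginuid.so` sequence is not idempotent: `[ -f ... ]` follows symlinks, so on a second `configure_centos` pass over the same rootfs the test succeeds on the symlink left by the first pass, the `mv` then overwrites `pam_loginuid.so.disabled` (the saved real module) with that symlink, and the original module is gone. Guard each block with `if [ -f .../pam_loginuid.so -a ! -L .../pam_loginuid.so ]`, or skip when a `.disabled` copy already exists. Since the comment says the symlink is there to catch services "installed after the container is built", the commit message should also state the trade-off plainly: every service that stacks `pam_loginuid.so` in the container gets `pam_permit` behaviour until a package update replaces the file, which is the concern raised downthread.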
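Review bot: in the @@ -543,15 +590,24 @@ hunk `mrelease=$(expr $release : '\([0-9]*\)')` yields an empty string when `$release` does not start with a digit (for example a value passed with `-R|--release` that is not numeric), and `[ $mrelease -gt 6 ]` then fails with a shell error rather than a usable message; check that `mrelease` is non-empty before the comparison or quote and default it, e.g. `[ "${mrelease:-0}" -gt 6 ]`. Two smaller points in the added lines: "differnce" in the new comment should be "difference", and "clean out bullshit like 6workstation and 6server" would read better as "strip suffixes such as 6workstation and 6server", since this lands in a shipped template.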
