Re: Linux 3.14-rc8 (LXC broken)

2014-03-25 Thread Eric Paris
On Tue, 2014-03-25 at 21:36 +0100, Andre Tomt wrote:
> *testing hat on*
> 
> PAM within namespaces (say, LXC) does not work anymore with 3.14-rc8,
> making login, ssh etc fail in containers unless you boot with audit=0.
> 
> This is due to a change in return value to user space; and is
> apparently a known issue as evident in this earlier post from February:
> https://www.redhat.com/archives/linux-audit/2014-February/msg00087.html
> 
> Judging from the post it seems they want to ship 3.14 with this IMO
> quite serious regression? What is the namespace/container folks' take on
> this?

Fair question.

PAM only worked in non-initial pid (or user) namespace if it was also in
the non-initial network namespace.  We added support for the network
namespace in 3.14.  So now PAM in the non-initial network namespace
functions the same as it would in the initial network namespace.  aka, it
fails.  This is actually what the audit userspace people think is the
right thing to happen.  You configured PAM to fail if it couldn't do the
right audit things, and it's failing.  Needing audit=0 is not new.

BUT given we broke (already broken [remember you configured PAM to fail
if audit didn't go well and it let you log in anyway?  aka broken?])
functionality adding network namespace support I'll send a request to
Linus tomorrow to rip out our network namespace support and I'll re-add
in 3.15 when we add pid (and partial user) namespace support.

-Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
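Eric's point above turns on whether the kernel's audit subsystem will answer a process from inside a container's namespaces, because a PAM stack configured to fail when audit fails will refuse logins wherever that answer is an error. The C program below is an added example, not code from this thread, from the kernel or from PAM: it makes the same kind of kernel round trip libaudit makes on PAM's behalf (an AUDIT_GET status request over a NETLINK_AUDIT socket) and reports either the kernel's audit status or the errno the kernel returned. The result-code names, the errno-to-explanation wording and the two-second receive timeout are this example's own choices.

```c
/*
 * audit_ns_probe.c -- added example; not code from this thread, the kernel
 * or PAM. Sends a header-only AUDIT_GET request over NETLINK_AUDIT and
 * reports the kernel's audit status or the errno it returned instead.
 * Compare the output on the host with the output inside a container to
 * see whether audit is reachable from that container's namespaces.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Result codes for audit_ns_probe(); any negative value is -errno. */
enum { AUDIT_PROBE_OK = 0, AUDIT_PROBE_UNEXPECTED = 1 };

/* Fill in a header-only AUDIT_GET request; returns the byte length to send. */
size_t build_audit_get(struct nlmsghdr *nlh, unsigned int seq)
{
    memset(nlh, 0, sizeof(*nlh));
    nlh->nlmsg_len   = NLMSG_LENGTH(0);   /* AUDIT_GET carries no payload */
    nlh->nlmsg_type  = AUDIT_GET;
    nlh->nlmsg_flags = NLM_F_REQUEST;     /* no NLM_F_ACK: only the reply comes back */
    nlh->nlmsg_seq   = seq;
    nlh->nlmsg_pid   = 0;                 /* kernel assigns our port id */
    return nlh->nlmsg_len;
}

/* One-line diagnosis for a probe result (wording is this example's own). */
const char *audit_probe_explain(int rc)
{
    if (rc == AUDIT_PROBE_OK)         return "kernel answered: audit reachable from this namespace";
    if (rc == AUDIT_PROBE_UNEXPECTED) return "kernel sent a message this probe does not understand";
    switch (-rc) {
    case ECONNREFUSED:    return "kernel refused the request: audit not reachable from this namespace";
    case EPERM:           return "permission denied: AUDIT_GET needs CAP_AUDIT_CONTROL";
    case EPROTONOSUPPORT: return "NETLINK_AUDIT unavailable: kernel built without audit";
    case EAGAIN:          return "no reply within the timeout";
    default:              return strerror(-rc);
    }
}

/* Close the socket and return the errno that caused the failure. */
static int close_with_errno(int fd)
{
    int e = errno;
    close(fd);
    return -e;
}

/*
 * Ask the kernel for its audit status. On success copies the reply into
 * *st (st->enabled tells whether auditing is on) and returns AUDIT_PROBE_OK.
 * An NLMSG_ERROR reply yields the kernel's -errno; local failures yield -errno.
 */
int audit_ns_probe(struct audit_status *st)
{
    unsigned char buf[NLMSG_SPACE(sizeof(struct audit_status)) + 256];
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct sockaddr_nl addr = { .nl_family = AF_NETLINK };
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK, .nl_pid = 0 };
    struct timeval tv = { .tv_sec = 2, .tv_usec = 0 };  /* do not hang if nothing answers */
    size_t len;
    ssize_t n;

    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return -errno;
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        return close_with_errno(fd);

    len = build_audit_get(nlh, 1);
    if (sendto(fd, buf, len, 0, (struct sockaddr *)&kernel, sizeof(kernel)) < 0)
        return close_with_errno(fd);
    n = recv(fd, buf, sizeof(buf), 0);
    if (n < 0)
        return close_with_errno(fd);
    close(fd);

    if (!NLMSG_OK(nlh, n))
        return AUDIT_PROBE_UNEXPECTED;
    if (nlh->nlmsg_type == NLMSG_ERROR) {
        struct nlmsgerr *err = NLMSG_DATA(nlh);   /* err->error is -errno, 0 means plain ACK */
        return err->error ? err->error : AUDIT_PROBE_UNEXPECTED;
    }
    if (nlh->nlmsg_type == AUDIT_GET) {
        size_t plen = NLMSG_PAYLOAD(nlh, 0);       /* copy no more than the kernel sent */
        memcpy(st, NLMSG_DATA(nlh), plen < sizeof(*st) ? plen : sizeof(*st));
        return AUDIT_PROBE_OK;
    }
    return AUDIT_PROBE_UNEXPECTED;
}

int main(void)
{
    struct audit_status st;
    memset(&st, 0, sizeof(st));
    int rc = audit_ns_probe(&st);
    printf("%s\n", audit_probe_explain(rc));
    if (rc == AUDIT_PROBE_OK)
        printf("audit enabled=%u auditd pid=%u\n", st.enabled, st.pid);
    return rc == AUDIT_PROBE_OK ? 0 : 1;
}
```

AUDIT_GET is a privileged request, so run the probe as root (CAP_AUDIT_CONTROL) once on the host and once inside the container; a kernel answer on the host and an error inside the container is the condition that makes an audit-must-succeed PAM configuration refuse logins there, and is worth checking before a kernel upgrade rather than after.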


Re: Linux 3.14-rc8 (LXC broken)

2014-03-25 Thread Serge Hallyn
Quoting Andre Tomt (an...@tomt.net):
> *testing hat on*
> 
> PAM within namespaces (say, LXC) does not work anymore with 3.14-rc8,
> making login, ssh etc fail in containers unless you boot with audit=0.
> 
> This is due to a change in return value to user space; and is
> apparently a known issue as evident in this earlier post from February:
> https://www.redhat.com/archives/linux-audit/2014-February/msg00087.html
> 
> Judging from the post it seems they want to ship 3.14 with this IMO
> quite serious regression? What is the namespace/container folks' take on
> this?

Without looking too deeply, it seems to me that patch has no
benefit on its own, and should simply be stashed until the next
set of patches is ready.

-serge


Re: Linux 3.14-rc8 (LXC broken)

2014-03-25 Thread Andre Tomt
*testing hat on*

PAM within namespaces (say, LXC) does not work anymore with 3.14-rc8,
making login, ssh etc fail in containers unless you boot with audit=0.

This is due to a change in return value to user space; and is
apparently a known issue as evident in this earlier post from February:
https://www.redhat.com/archives/linux-audit/2014-February/msg00087.html

Judging from the post it seems they want to ship 3.14 with this IMO
quite serious regression? What is the namespace/container folks' take on
this?