Bug 1024706

Summary:

Message of the day doesn't appear for root user in devenv

Product:

OpenShift Online

Reporter:

weiwei jiang <wjiang>

Component:

Assignee:

Jordan Liggitt <jliggitt>

Status:

CLOSED WONTFIX

QA Contact:

libra bugs <libra-bugs>

Severity:

low

Docs Contact:

Priority:

low

Version:

2.x

CC:

jliggitt, mlamouri, wsun

Target Milestone:

---

Keywords:

Reopened

Target Release:

---

Hardware:

Unspecified

OS:

Unspecified

Whiteboard:

Fixed In Version:

Doc Type:

Bug Fix

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2013-11-20 13:36:06 UTC

Type:

Bug

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Attachments:

Description	Flags
the script which help setup a kerberos server	none

Description weiwei jiang 2013-10-30 09:43:36 UTC

Created attachment 817373 [details]
the script which help setup a kerberos server

Description of problem:
when ssh in the app with kerberos ticket, duplicate messages show up.

# rhc ssh app
Connecting to 5270cf47e97c04dfc1000008.rhcloud.com ...
Last login: Wed Oct 30 05:25:36 2013 from 10.238.185.170

*********************************************************************

You are accessing a service that is for use only by authorized users.  
If you do not have authorization, discontinue use at once. 
Any use of the services is subject to the applicable terms of the 
agreement which can be found at: 
https://openshift.redhat.com/app/legal

*********************************************************************





    *********************************************************************

    You are accessing a service that is for use only by authorized users.  
    If you do not have authorization, discontinue use at once. 
    Any use of the services is subject to the applicable terms of the 
    agreement which can be found at: 
    https://www.openshift.com/legal

    *********************************************************************

    Welcome to OpenShift shell

    This shell will assist you in managing OpenShift applications.

    !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!
    Shell access is quite powerful and it is possible for you to
    accidentally damage your application.  Proceed with care!
    If worse comes to worst, destroy your application with "rhc app delete"
    and recreate it
    !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!

    Type "help" for more info.


Version-Release number of selected component (if applicable):
devenv_3966

How reproducible:
always

Steps to Reproduce:
1.run attachment script on instance
2.create an app
3.remove all other type sshkeys
4.add a krb5-principal type sshkey
5.change the selinux context
chcon -t krb5_home_t /var/lib/openshift/$gear_id/.k5login
6.initialize a ticket for the krb5-principal sshkey content
6.ssh into the app

Actual results:
# rhc ssh app
Connecting to 5270cf47e97c04dfc1000008.rhcloud.com ...
Last login: Wed Oct 30 05:25:36 2013 from 10.238.185.170

*********************************************************************

You are accessing a service that is for use only by authorized users.  
If you do not have authorization, discontinue use at once. 
Any use of the services is subject to the applicable terms of the 
agreement which can be found at: 
https://openshift.redhat.com/app/legal

*********************************************************************





    *********************************************************************

    You are accessing a service that is for use only by authorized users.  
    If you do not have authorization, discontinue use at once. 
    Any use of the services is subject to the applicable terms of the 
    agreement which can be found at: 
    https://www.openshift.com/legal

    *********************************************************************

    Welcome to OpenShift shell

    This shell will assist you in managing OpenShift applications.

    !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!
    Shell access is quite powerful and it is possible for you to
    accidentally damage your application.  Proceed with care!
    If worse comes to worst, destroy your application with "rhc app delete"
    and recreate it
    !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!

    Type "help" for more info.

Expected results:
It should not display duplicate messages

Additional info:

Comment 1 Mark Lamourine 2013-10-30 15:11:24 UTC

Actually, it appears that the kerberos 5 login is behaving correctly.

The first (non-indented) message comes from /etc/motd.  This is the system login message.  The second is produced by /usr/bin/rhcsh, the OpenShift "restricted shell".  These are two separate messages, that happen, in the devenv to have identical messages except for the indentation.

Logins with the SSH authorized key do not produce the system message of the day.

Comment 2 Mark Lamourine 2013-10-30 15:21:23 UTC

PR 4019 will eliminate duplicate calls to oo-trap-user

https://github.com/openshift/origin-server/pull/4019

The motd has been suppressed for SSH authorized_keys logins by the inclusion of a command= clause in the key entries.  This indicates to SSH that the command will be connected to a pipe from the client so the MOTD would be noise.

The kerberos logins do not use anything like the command= and so normal shell logins include the system MOTD as well as the rhcsh banner.  Other remote commands will not show the banner as SSH will again suppress the MOTD for inbound SSH logins which include a command to run on the server host. (ala rsync etc).

Comment 3 Mark Lamourine 2013-10-30 15:23:43 UTC

The presentation of the MOTD banner for shell logins is correct.  The apparent duplicate is because the top of the rhcsh banner is identical to the devenv /etc/motd contents.

This is the expected behavior, though we may want to change the contents of the /etc/motd to avoid the appearance of duplicate output.

Comment 4 Jordan Liggitt 2013-10-30 16:52:23 UTC

We can turn off system motd behavior for the devenv, so that rhcsh is the only way it gets output.

Comment 5 Jordan Liggitt 2013-10-30 16:58:01 UTC

Turned off system-generated message of the day in devenv, now rhcsh is the only script that will output it, which makes kerberos auth and ssh auth behave consistently.

Merged in https://github.com/openshift/li/pull/2065

Comment 6 openshift-github-bot 2013-10-30 19:42:09 UTC

Commit pushed to master at https://github.com/openshift/li

https://github.com/openshift/li/commit/7403a637ba6a14ac1592e8070f5bfe1b14b71b8d
Fix bug 1024706 - turn off message of the day for devenv

Comment 7 weiwei jiang 2013-10-31 04:56:09 UTC

Tried on devenv_3973 and it can solve this issue, but when ssh into the instance, the legal banner message is missing if fix like this.

# ssh -i libra-new.pem ec2-23-23-43-202.compute-1.amazonaws.com
[root@ip-10-244-134-36 ~]#

# rhc ssh php
Connecting to 5271dfcb0ad1743f4a000007.rhcloud.com ...

    *********************************************************************

    You are accessing a service that is for use only by authorized users.  
    If you do not have authorization, discontinue use at once. 
    Any use of the services is subject to the applicable terms of the 
    agreement which can be found at: 
    https://www.openshift.com/legal

    *********************************************************************

    Welcome to OpenShift shell

    This shell will assist you in managing OpenShift applications.

    !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!
    Shell access is quite powerful and it is possible for you to
    accidentally damage your application.  Proceed with care!
    If worse comes to worst, destroy your application with "rhc app delete"
    and recreate it
    !!! IMPORTANT !!! IMPORTANT !!! IMPORTANT !!!

    Type "help" for more info.


[php-y.dev.rhcloud.com 5271dfcb0ad1743f4a000007]\>

Comment 8 Jordan Liggitt 2013-11-08 15:08:46 UTC

SSHing into the devenv as root no longer displays message of the day.

SSHing into a gear works because rhcsh handles printing the message of the day

Comment 9 Jordan Liggitt 2013-11-20 13:36:06 UTC

If we want the message of the day to appear consistently for gear users using kerberos or publickey auth, this is the solution we have to use.