Bug 1031153

Summary: pam_lastlog breaks cartridge hooks
Product: OpenShift Container Platform
Reporter: Jesse Sightler <jsightle>
Component: Containers
Assignee: John W. Lamb <jolamb>
Status: CLOSED EOL
QA Contact: libra bugs <libra-bugs>
Severity: low
Priority: low
Version: 2.2.0
CC: jolamb, jsightle, libra-onpremise-devel, rthrashe
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2017-01-13 22:44:47 UTC
Type: Bug
Attachments: Authentication configuration file (flags: none)

Description Jesse Sightler 2013-11-15 18:05:27 UTC
In the gear directory on the node, a haproxy/conf/app_haproxy_status_urls.conf file is created with the following contents (surely incorrect):
"login:
Thu
Nov
14
14:28:59
UTC
2013"

The logs on the node have a lot of lines like these (implying to me that the hooks are not being called with the correct parameters):

November 14 14:29:00 INFO oo_spawn running /sbin/runuser -s /bin/sh 5284de07e3ffca0602000039 -c "exec /usr/bin/runcon 'unconfined_u:system_r:openshift_t:s0:c0,c1000' /bin/sh -c \"/var/lib/openshift/5284de07e3ffca0602000039/haproxy/hooks/set-haproxy-status-url jbosseap mydomain 5284de07e3ffca0602000039 \'5284de07e3ffca0602000039\'\=\'http://jbosseap-mydomain.paas.chs.spawar.navy.mil/haproxy-status/'
'Last\ login:\ Thu\ Nov\ 14\ 14:28:59\ UTC\ 2013'
'\'\"": {:unsetenv_others=>true, :close_others=>true, :in=>"/dev/null", :chdir=>"/var/lib/openshift/5284de07e3ffca0602000039/haproxy", :out=>#<IO:fd 12>, :err=>#<IO:fd 8>}

This is due to pam_tally causing logins to generate an extra "Last Login" line. This line seems to get pulled into the scripts and used, even when it shouldn't be.

Comment 3 Jesse Sightler 2013-12-03 20:46:08 UTC
Ok, it looks like I was incorrect about the root cause. The actual root cause is this line enabling the lastlog module:
session 	required	/lib64/security/pam_lastlog.so showfailed

We have been able to work around it with the following addition (added the silent flag):
session 	required	/lib64/security/pam_lastlog.so showfailed silent

This is not ideal. The command that seems to trigger the problem is runuser. While we will need a fix for this eventually, I do not believe that it is an extremely high urgency requirement for us at this time.

Do you believe that it is something that can be fit into a future release?
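
A check for the condition described in comment 3, as an added example that is not part of the original bug report or of OpenShift's code: it lists PAM `session` lines that load `pam_lastlog.so` without the `silent` option. The function names and the sample configuration are constructed for illustration; backslash line continuations are not handled.

```shell
#!/bin/sh
# Added example (not from the bug report): list PAM "session" lines that
# load pam_lastlog.so without the "silent" option.
# Usage: lastlog_not_silent FILE...   e.g. lastlog_not_silent /etc/pam.d/*
lastlog_not_silent() {
    awk '
    {
        orig = $0
        sub(/#.*/, "")                      # strip comments; re-splits fields
        if (NF < 3) next
        type = $1
        sub(/^-/, "", type)                 # "-session" tolerates a missing module
        if (type != "session") next
        i = 2                               # control field, may be "[a=b c=d]"
        if ($i ~ /^\[/)
            while (i < NF && $i !~ /\]$/) i++
        mod = $(i + 1)                      # module path follows the control field
        if (mod != "pam_lastlog.so" && mod !~ /\/pam_lastlog\.so$/) next
        silent = 0
        for (j = i + 2; j <= NF; j++)       # remaining fields are module options
            if ($j == "silent") silent = 1
        if (!silent) printf "%s:%d: %s\n", FILENAME, FNR, orig
    }' "$@"
}

# Constructed sample configuration (hypothetical, for demonstration only).
sample_pam_config() {
    cat <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
session     required      /lib64/security/pam_lastlog.so showfailed
session     required      /lib64/security/pam_lastlog.so showfailed silent
# session   required      pam_lastlog.so
-session    [success=ok default=ignore] pam_lastlog.so showfailed
session     optional      pam_keyinit.so revoke
EOF
}
```

Each reported line has the form `FILE:LINE: original text`; an empty result means every `pam_lastlog.so` session entry in the scanned files already carries `silent`.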

Comment 4 Brenton Leanhardt 2013-12-05 15:29:42 UTC
Can you send us the related pam.d configuration file?

Comment 5 Jesse Sightler 2013-12-05 18:40:10 UTC
Created attachment 833293
Authentication configuration file

Comment 6 Jesse Sightler 2013-12-05 18:43:09 UTC
Attached... the line that causes the issue is:

session     required    /lib64/security/pam_lastlog.so showfailed

Comment 7 Rory Thrasher 2017-01-13 22:44:47 UTC
OpenShift Enterprise v2 has officially reached EoL.  This product is no longer supported and bugs will be closed.

Please look into the replacement enterprise-grade container option, OpenShift Container Platform v3.  https://www.openshift.com/container-platform/

More information can be found here: https://access.redhat.com/support/policy/updates/openshift/