Bug 1796486

Summary: ssh breaks with docker version 1.13.1-108
Product: Red Hat Enterprise Linux 7
Component: docker
Version: 7.7
Hardware: x86_64
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: unspecified
Target Milestone: rc
Keywords: Extras
Reporter: Suhaas Bhat <subhat>
Assignee: Daniel Walsh <dwalsh>
QA Contact: atomic-bugs <atomic-bugs>
CC: ajia, amurdaca, anrussel, dornelas, jnovy, lsm5, pasik, tcrider, tsweeney, wwurzbac
Fixed In Version: docker-1.13.1-109.gitcccb291.el7_7
Last Closed: 2020-02-02 03:23:21 UTC
Type: Bug
Bug Depends On: 1797119
Bug Blocks: 1186913

Description Suhaas Bhat 2020-01-30 14:47:46 UTC
Description of problem:
We are not able to ssh to/between pods using the latest docker version package 1.13.1-108.

But older versions such as 1.13.1-104 and 1.13.1-103 appear to work just fine

Version-Release number of selected component (if applicable):
docker-1.13.1-108.git4ef4b30.el7.x86_64

How reproducible:
Fully reproducible

* Test on fresh install fully updated ocp3.11 cluster:
If I rsh into the mycluster-backrest-shared-repo-xxxxxx pod and from there attempt to ssh into the other pod mycluster-xxxxxx, the result is a "Permission denied (publickey,keyboard-interactive)".

- Details:
sh-4.2$ ssh postgres@mycluster -v
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /home/pgbackrest/.ssh/config
debug1: /home/pgbackrest/.ssh/config line 1: Applying options for *
...
...
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive)

* Test with downgraded docker
sh-4.2$ hostname
mycluster-backrest-shared-repo-5f4f56d667-4kvmm
sh-4.2$ ssh postgres@mycluster -v
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /home/pgbackrest/.ssh/config
debug1: /home/pgbackrest/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
...
...
Authenticated to mycluster ([x.x.x.x]:2022).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00 want_reply 0
debug1: Sending environment.
-bash-4.2$ hostname
mycluster-7fb9f74d95-lmst7

Additionally, we did do some additional testing/troubleshooting today, and did find a change that appears to address the issue we are seeing, and therefore results in SSH working properly once again with Docker version 1.13.1-108. Specifically, we noticed that 'UsePAM' was set to 'no' in our SSHD configuration, so we went ahead and changed it to 'yes' (i.e. we updated our 'sshd_config' file with the following setting):

UsePAM yes

With this change in place, SSHD connections started working fine across all versions of Docker we were testing with (1.13.1-108, 1.13.1-104 and 1.13.1-103). Further, based on the following message in the 'sshd_config' configuration file, it appears as though this setting should be set to 'yes' to avoid unintended consequences.



Actual results:
ssh does not work without UsePAM set to yes (although it is not supported without setting it to "yes"), which was working fine on previous docker versions.
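
A check for the sshd setting discussed in the description above, added here as an example and not part of the original report or of docker or OpenSSH: it reports which UsePAM value sshd would take from a config file. The function names `effective_usepam` and `usepam_enabled` and the sample file are hypothetical; it assumes a single sshd_config with no Include directives and the upstream default of `no` when the keyword is absent.

```shell
#!/bin/sh
# Added example: report the UsePAM value sshd would use from one config file.
# Assumptions: a single sshd_config with no Include directives; sshd keeps
# the first value it reads for a keyword; keyword names are case-insensitive;
# an absent UsePAM falls back to the upstream OpenSSH default of "no".
effective_usepam() {
    awk '
        { sub(/^[ \t]+/, "") }              # ignore leading whitespace
        /^#/ || /^$/ { next }               # skip comment and empty lines
        tolower($0) ~ /^usepam[ \t=]/ {
            val = $0
            sub(/^[A-Za-z]+[ \t]*=?[ \t]*/, "", val)   # drop keyword and separator
            gsub(/[" \t\r]/, "", val)                  # drop quotes and trailing blanks
            print val; found = 1; exit
        }
        END { if (!found) print "no" }
    ' "$1"
}

# Exit status 0 only when the file enables PAM, so this can gate an image build.
usepam_enabled() {
    [ "$(effective_usepam "$1")" = "yes" ]
}

# Constructed sample: a later "UsePAM yes" does not override the first value.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sshd_config sample
Port 2022
#UsePAM yes
UsePAM no
UsePAM yes
EOF

if usepam_enabled "$demo_cfg"; then
    echo "UsePAM yes (PAM enabled)"
else
    echo "UsePAM $(effective_usepam "$demo_cfg") (PAM not enabled)"
fi
rm -f "$demo_cfg"
```

Where sshd and its host keys are available inside the image, `sshd -T` prints the effective configuration and can confirm the result.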

Comment 3 Tom Sweeney 2020-01-30 23:47:15 UTC
I've a suspicion this is a runc issue related to https://bugzilla.redhat.com/show_bug.cgi?id=1796451 and https://bugzilla.redhat.com/show_bug.cgi?id=1795881

Comment 9 Tom Sweeney 2020-05-06 13:52:54 UTC
Jindrich or Lokesh, can you address this comment https://bugzilla.redhat.com/show_bug.cgi?id=1796486#c8 please?