Red Hat Bugzilla – Bug 1002914
Latest kernel doesn't allow to login in the containers
Last modified: 2014-09-02 02:46:31 EDT
Description of problem:
With the latest kernel update in the F18 (kernel-3.10.9-100.fc18.x86_64), it is not possible to login in the containers created with lxc, either via ssh or with lxc-console. The messages in /var/log/secure of the container shows:
Aug 29 19:36:49 localhost login: pam_loginuid(login:session): set_loginuid failed
Aug 29 19:36:49 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Aug 29 19:36:50 localhost login: Cannot make/remove an entry for the specified session
There is a workaround (http://www.linuxweblog.com/blogs/sandip/20090203/setloginuid-failed-opening-loginuid) that can be applied to the containers, though.
It seems that the new kernel introduces a change in LOGINUID configuration:
Version-Release number of selected component (if applicable):
Thanks for reporting.
Does the issue persist with the latest 0.9.0 package in testing (I guess so...)?
lxc-0.9.0-2.fc18 has been submitted as an update for Fedora 18.
It would be nice to have a patch for the lxc-fedora template, which we then could send upstream.
I have the same issue with lxc 0.8.0-2.fc19.
In the Debian template it can be worked around like this:
(lxc)# sed -i "s/^session required pam_loginuid.so/#session required pam_loginuid.so/" /etc/pam.d/sshd
Yes, it is still impossible to login in any fedora* (I tryed F20, F19, F18) container.
$ uname -a
Linux bb.lan 3.11.7-300.fc20.x86_64 #1 SMP Mon Nov 4 15:07:39 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
It is very, very sad.
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '18'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 18's end of life.
Thank you for reporting this issue and we are sorry that we may not be
able to fix it before Fedora 18 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged change the 'version' to a later Fedora
version prior to Fedora 18's end of life.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
In a Fedora 20 host, creating a Fedora 20 guest the issue still persists.
I've noticed that this issue should be fixed in v3.13-rc1
As mentioned in commit
CONFIG_AUDIT_LOGINUID_IMMUTABLE=y was removed. Could you please retest it on the latest Fedora?
I have tried with the latest upgrades of F20 and the problem has been fixed.
Thank you very much for the support!
I'm the current upstream maintainer of the lxc-fedora and lxc-centos templates (template lxc-fedora.in file) among other features and aspects, including the systemd support.
Upstream LXC is currently at 1.0.3 (soon to be 1.0.4). I implemented code in the 1.0.0 template that commented out the pam.d/* lines like this:
- session required pam_loginuid.so
+ # session required pam_loginuid.so
It sounds like this may no longer be necessary but it also sounds like this also needs a rebase up to our latest release. Nobody from the Fedora Project communicated with us on it and it's been "fixed" in the template post 0.9.0 and pre 1.0.0 for quite some time. I may not be able to "unfix" the workaround in the template any time soon due to backward compatibility with the kernels that still have that option.
A rebase should wait for the 1.0.4 release at this point, which should be out within a week or so.
LXC in Fedora has not been updated yet, as there were still a lot of issues. If that has changed now, good. Will update Fedora packages to 1.0.4 then.
I've commented on a number of open bugzilla issues that are fixed. Is there a comprehensive listed of open issues? Almost all of them should fall in my lap. I sent you a related private message.
lxc-1.0.5-2.el6 has been submitted as an update for Fedora EPEL 6.
lxc-1.0.5-2.fc19 has been submitted as an update for Fedora 19.
lxc-1.0.5-2.fc20 has been submitted as an update for Fedora 20.
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing lxc-1.0.5-2.el6'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
lxc-1.0.5-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
lxc-1.0.5-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
lxc-1.0.5-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.