Bug 1002914 - Latest kernel doesn't allow to login in the containers
Latest kernel doesn't allow to login in the containers
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: lxc (Show other bugs)
20
Unspecified Unspecified
unspecified Severity high
: ---
: ---
Assigned To: Thomas Moschny
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-30 04:41 EDT by Enrique
Modified: 2014-09-02 02:46 EDT (History)
7 users (show)

See Also:
Fixed In Version: lxc-1.0.5-3.fc20
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-01 23:54:32 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Enrique 2013-08-30 04:41:46 EDT
Description of problem:

 With the latest kernel update in the F18 (kernel-3.10.9-100.fc18.x86_64), it is not possible to login in the containers created with lxc, either via ssh or with lxc-console. The messages in /var/log/secure of the container shows:

Aug 29 19:36:49 localhost login: pam_loginuid(login:session): set_loginuid failed
Aug 29 19:36:49 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Aug 29 19:36:50 localhost login: Cannot make/remove an entry for the specified session

 There is a workaround (http://www.linuxweblog.com/blogs/sandip/20090203/setloginuid-failed-opening-loginuid) that can be applied to the containers, though.

 It seems that the new kernel introduces a change in LOGINUID configuration:
 CONFIG_AUDIT_LOGINUID_IMMUTABLE=y

Version-Release number of selected component (if applicable):

kernel-3.10.9-100.fc18.x86_64
lxc-0.9.0-1.fc18.x86_64
Comment 1 Thomas Moschny 2013-09-04 14:33:29 EDT
Thanks for reporting.

Does the issue persist with the latest 0.9.0 package in testing (I guess so...)?

lxc-0.9.0-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/lxc-0.9.0-2.fc18

It would be nice to have a patch for the lxc-fedora template, which we then could send upstream.
Comment 2 Stefan Hajnoczi 2013-09-07 02:57:20 EDT
I have the same issue with lxc 0.8.0-2.fc19.

In the Debian template it can be worked around like this:

(lxc)# sed -i "s/^session    required     pam_loginuid.so/#session    required     pam_loginuid.so/" /etc/pam.d/sshd
Comment 3 pavel.nedr 2013-11-12 05:52:22 EST
Yes, it is still impossible to login in any fedora* (I tryed F20, F19, F18) container.
lxc: 
Название: lxc
Архитектура: x86_64
Версия: 0.9.0
Выпуск: 2.fc20

$ uname -a
Linux bb.lan 3.11.7-300.fc20.x86_64 #1 SMP Mon Nov 4 15:07:39 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

It is very, very sad.
Comment 4 Fedora End Of Life 2013-12-21 10:36:38 EST
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 5 Enrique 2014-01-15 18:00:33 EST
 In a Fedora 20 host, creating a Fedora 20 guest the issue still persists.
Comment 6 Jakub Jelen 2014-03-20 13:05:35 EDT
I've noticed that this issue should be fixed in v3.13-rc1

As mentioned in commit

    http://o.cs.uvic.ca:20810/perl/cid.pl?cid=83fa6bbe4c4541ae748b550b4ec391f8a0acfe94

CONFIG_AUDIT_LOGINUID_IMMUTABLE=y was removed. Could you please retest it on the latest Fedora?
Comment 7 Enrique 2014-05-07 07:37:09 EDT
 Hi,
 I have tried with the latest upgrades of F20 and the problem has been fixed.
 Thank you very much for the support!

 Regards,
 Enrique
Comment 8 Michael H. Warfield 2014-06-04 14:23:28 EDT
I'm the current upstream maintainer of the lxc-fedora and lxc-centos templates (template lxc-fedora.in file) among other features and aspects, including the systemd support.

Upstream LXC is currently at 1.0.3 (soon to be 1.0.4).  I implemented code in the 1.0.0 template that commented out the pam.d/* lines like this:

- session    required     pam_loginuid.so
+ # session    required     pam_loginuid.so

It sounds like this may no longer be necessary but it also sounds like this also needs a rebase up to our latest release.  Nobody from the Fedora Project communicated with us on it and it's been "fixed" in the template post 0.9.0 and pre 1.0.0 for quite some time.  I may not be able to "unfix" the workaround in the template any time soon due to backward compatibility with the kernels that still have that option.

A rebase should wait for the 1.0.4 release at this point, which should be out within a week or so.

Regards,
Mike Warfield
/\/\|=mhw=|\/\/
Comment 9 Thomas Moschny 2014-06-04 14:45:38 EDT
LXC in Fedora has not been updated yet, as there were still a lot of issues. If that has changed now, good. Will update Fedora packages to 1.0.4 then.
Comment 10 Michael H. Warfield 2014-06-04 15:04:57 EDT
I've commented on a number of open bugzilla issues that are fixed.  Is there a comprehensive listed of open issues?  Almost all of them should fall in my lap.  I sent you a related private message.
Comment 11 Fedora Update System 2014-08-08 06:26:19 EDT
lxc-1.0.5-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/lxc-1.0.5-2.el6
Comment 12 Fedora Update System 2014-08-08 06:26:36 EDT
lxc-1.0.5-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/lxc-1.0.5-2.fc19
Comment 13 Fedora Update System 2014-08-08 06:26:52 EDT
lxc-1.0.5-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/lxc-1.0.5-2.fc20
Comment 14 Fedora Update System 2014-08-08 20:07:43 EDT
Package lxc-1.0.5-2.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing lxc-1.0.5-2.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-2167/lxc-1.0.5-2.el6
then log in and leave karma (feedback).
Comment 15 Fedora Update System 2014-09-01 23:54:32 EDT
lxc-1.0.5-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2014-09-02 02:40:13 EDT
lxc-1.0.5-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2014-09-02 02:46:31 EDT
lxc-1.0.5-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.