Bug 1031153 - pam_lastlog breaks cartridge hooks
Summary: pam_lastlog breaks cartridge hooks
Keywords:
Status: CLOSED EOL
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Containers
Version: 2.2.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: John W. Lamb
QA Contact: libra bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-11-15 18:05 UTC by Jesse Sightler
Modified: 2017-01-13 22:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-13 22:44:47 UTC
Target Upstream Version:


Attachments
Authentication configuration file (1.55 KB, text/plain)
2013-12-05 18:40 UTC, Jesse Sightler

Description Jesse Sightler 2013-11-15 18:05:27 UTC
In the gear directory on the node, a haproxy/conf/app_haproxy_status_urls.conf file is created with the following contents (surely incorrect):
"login:
Thu
Nov
14
14:28:59
UTC
2013"

The logs on the node have a lot of lines like these (implying to me that the hooks are not being called with the correct parameters):

November 14 14:29:00 INFO oo_spawn running /sbin/runuser -s /bin/sh 5284de07e3ffca0602000039 -c "exec /usr/bin/runcon 'unconfined_u:system_r:openshift_t:s0:c0,c1000' /bin/sh -c \"/var/lib/openshift/5284de07e3ffca0602000039/haproxy/hooks/set-haproxy-status-url jbosseap mydomain 5284de07e3ffca0602000039 \'5284de07e3ffca0602000039\'\=\'http://jbosseap-mydomain.paas.chs.spawar.navy.mil/haproxy-status/'
'Last\ login:\ Thu\ Nov\ 14\ 14:28:59\ UTC\ 2013'
'\'\"": {:unsetenv_others=>true, :close_others=>true, :in=>"/dev/null", :chdir=>"/var/lib/openshift/5284de07e3ffca0602000039/haproxy", :out=>#<IO:fd 12>, :err=>#<IO:fd 8>}

This is due to pam_tally causing logins to generate an extra "Last Login" line. This line seems to get pulled into the scripts and used, even when it shouldn't be.

Comment 3 Jesse Sightler 2013-12-03 20:46:08 UTC
Ok, it looks like I was incorrect about the root cause. The actual root cause is this line enabling the lastlog module:
session 	required	/lib64/security/pam_lastlog.so showfailed

We have been able to work around it with the following addition (added the silent flag):
session 	required	/lib64/security/pam_lastlog.so showfailed silent

This is not ideal. The command that seems to trigger the problem is runuser. While we will need a fix for this eventually, I do not believe that it is an extremely high urgency requirement for us at this time.

Do you believe that it is something that can be fit into a future release?
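
The check implied by Comment 3, as an added example that is not part of the original bug report or of OpenShift: it scans PAM service files in /etc/pam.d format and lists every session line that loads pam_lastlog without the silent option, which is the configuration reported here as injecting "Last login:" text into hook arguments. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes /etc/pam.d-style files:
# "type control module-path [options]". include/substack lines are not followed.

# find_noisy_lastlog FILE...
# Prints "file:line:text" for each session line that loads pam_lastlog.so
# without "silent". Returns 0 if at least one such line exists, 1 otherwise.
find_noisy_lastlog() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        {
            type = $1
            sub(/^-/, "", type)                 # "-session" is still a session line
            if (type != "session") next         # only the session stack prints the banner
            seen = 0; silent = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /(^|\/)pam_lastlog\.so$/) seen = 1
                else if (seen && $i == "silent") silent = 1
            }
            if (seen && !silent) {
                printf "%s:%d:%s\n", FILENAME, FNR, $0
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$@"
}

# Constructed sample input, not the attachment from this bug.
sample_pam_config() {
    cat <<'EOF'
# constructed sample
session     required    pam_limits.so
session     required    /lib64/security/pam_lastlog.so showfailed
session     required    /lib64/security/pam_lastlog.so showfailed silent
#session    required    pam_lastlog.so
auth        required    pam_lastlog.so inactive=90
EOF
}

# Stand-alone use: sh check_lastlog.sh /etc/pam.d/*
if [ "$#" -gt 0 ]; then
    find_noisy_lastlog "$@"
fi
```

On the constructed sample only line 3 is reported; the line carrying silent, the commented-out line and the auth line are skipped.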

Comment 4 Brenton Leanhardt 2013-12-05 15:29:42 UTC
Can you send us the related pam.d configuration file?

Comment 5 Jesse Sightler 2013-12-05 18:40:10 UTC
Created attachment 833293
Authentication configuration file

Comment 6 Jesse Sightler 2013-12-05 18:43:09 UTC
Attached... the line that causes the issue is:

session     required    /lib64/security/pam_lastlog.so showfailed

Comment 7 Rory Thrasher 2017-01-13 22:44:47 UTC
OpenShift Enterprise v2 has officially reached EoL.  This product is no longer supported and bugs will be closed.

Please look into the replacement enterprise-grade container option, OpenShift Container Platform v3.  https://www.openshift.com/container-platform/

More information can be found here: https://access.redhat.com/support/policy/updates/openshift/

