Red Hat Bugzilla – Bug 1053485
Changing GID_MIN in login.defs prevents app creation
Last modified: 2017-03-08 12:38 EST
Description of problem:
If login.defs in the node is modified and GID_MIN is set to a high value, app creation fails.

Version-Release number of selected component (if applicable):
rubygem-openshift-origin-node-1.17.5-2.el6op.noarch
rubygem-openshift-origin-container-selinux-0.4.1-2.el6op.noarch

How reproducible:
Always

Steps to Reproduce:
1. edit /etc/login.defs in the node, set GID_MIN to 1001
2. try 'rhc app create ...' from a client

Actual results:
(output from 'rhc app create test php')

Creating application 'test' ...
Unable to complete the requested operation due to: An invalid exit code (1) was returned from the server mynode01.example.com. This indicates an unexpected problem during the execution of your request..
Reference ID: 340d74edb25352bde139b1054f6165f8

Expected results:
App creation works.

Additional info:
Initially the home dir of the gear seems to be created with the correct gid:

# ls -laZ /var/lib/openshift/5*
drwx------. 52d6614585937af84a000058 1001 system_u:object_r:openshift_var_lib_t:s0 .
drwxr-xr-x. root root system_u:object_r:openshift_var_lib_t:s0 ..

but then it's chown'd:

# ls -laZ /var/lib/openshift/5*
drwxr-x---. root 1000 system_u:object_r:openshift_var_lib_t:s0:c0,c1000 .
drwxr-xr-x. root root system_u:object_r:openshift_var_lib_t:s0 ..

# ls -laZ /var/lib/openshift/5*
drwxr-x---. root 1000 system_u:object_r:openshift_var_lib_t:s0:c0,c1000 .
drwxr-xr-x. root root system_u:object_r:openshift_var_lib_t:s0 ..
drwxr-xr-x. root root system_u:object_r:openshift_var_lib_t:s0 app-root
drwxr-x---. root 1000 system_u:object_r:openshift_var_lib_t:s0:c0,c1000 .env
drwxr-x---. 52d6614585937af84a000058 1000 system_u:object_r:openshift_var_lib_t:s0:c0,c1000 .gem
d---------. root root system_u:object_r:openshift_var_lib_t:s0 .sandbox
drwxr-x---. root 1000 system_u:object_r:ssh_home_t:s0:c0,c1000 .ssh
d---------. root root system_u:object_r:openshift_var_lib_t:s0 .tmp

which leads to lack of permissions for ssh-keygen, resulting in the failure.
Created attachment 871493
possible patch

AFAICT the cause of this problem is that the selinux container assumes that useradd will create a group with gid==uid, which is not necessarily true, e.g. a GID_MIN higher than the lowest available uid would trigger that problem. Attaching a sample change that first creates the group and specifies the gid in the useradd invocation, which fixes the problem in my test env.
(In reply to Josep 'Pep' Turro Mauri from comment #0)
> Steps to Reproduce:
> 1. edit /etc/login.defs in the node, set GID_MIN to 1001
> 2. try 'rhc app create ...' from a client

A simpler reproducer; on a fresh node install this should reproduce the problem:

# sed -i.bak -e 's/^GID_MIN.*/GID_MIN 10000/' /etc/login.defs
# oo-devel-node app-create -c testing123 --with-namespace deleteme --with-app-uuid testing123 --with-app-name testing123

results in:

Shell command '/sbin/runuser -s /bin/sh testing123 -c "exec /usr/bin/runcon 'unconfined_u:system_r:openshift_t:s0:c0,c1000' /bin/sh -c \"/usr/bin/ssh-keygen -N '' -f /var/lib/openshift/testing123/.openshift_ssh/id_rsa\""' returned an error. rc=1
Generating public/private rsa key pair.
Saving the key failed: /var/lib/openshift/testing123/.openshift_ssh/id_rsa.
open /var/lib/openshift/testing123/.openshift_ssh/id_rsa failed: Permission denied.
This change looks reasonable. I'll sync with upstream to see what their thoughts are and if there was any reason the code assumed uid==gid. On a related note, it definitely seems like we need an oo-diagnostics check to make sure UID_MIN/MAX and GID_MIN/MAX in /etc/login.defs are compatible with GEAR_MIN/MAX_UID in /etc/openshift/node.conf. That seems like another way for things to be misconfigured.
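The oo-diagnostics-style check suggested in the comment above, as an added example (not code from this bug report or from openshift/origin-server). It reads the UID/GID windows from login.defs and the gear range from node.conf, assuming GEAR_MIN_UID/GEAR_MAX_UID as the full key names, and flags a gear range that the node's gid == uid assumption cannot satisfy:

```shell
#!/bin/sh
# Added example, not from the bug report or openshift/origin-server: the
# oo-diagnostics-style check suggested above. Because the node code assumes
# gid == uid for each gear, the gear UID range from node.conf must lie inside
# both the UID_MIN/UID_MAX and the GID_MIN/GID_MAX windows of login.defs.
# GEAR_MIN_UID/GEAR_MAX_UID are assumed as the node.conf key names.

# conf_value FILE KEY: print KEY's value from "KEY value" (login.defs) or
# KEY=value (node.conf) lines, ignoring comments; the last occurrence wins.
conf_value() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        { sub(/#.*/, ""); sub(/=/, " "); gsub(/"/, "")
          if ($1 == k) v = $2 }
        END { print v }' "$1"
}

# check_gear_ranges LOGIN_DEFS NODE_CONF
# exit 0: compatible, 1: a range is violated, 2: a required key is missing
check_gear_ranges() {
    uid_min=$(conf_value "$1" UID_MIN); uid_max=$(conf_value "$1" UID_MAX)
    gid_min=$(conf_value "$1" GID_MIN); gid_max=$(conf_value "$1" GID_MAX)
    gear_min=$(conf_value "$2" GEAR_MIN_UID); gear_max=$(conf_value "$2" GEAR_MAX_UID)
    for v in "$uid_min" "$uid_max" "$gid_min" "$gid_max" "$gear_min" "$gear_max"; do
        [ -n "$v" ] || { echo "missing UID_*/GID_*/GEAR_*_UID setting" >&2; return 2; }
    done
    rc=0
    if [ "$gear_min" -lt "$uid_min" ] || [ "$gear_max" -gt "$uid_max" ]; then
        echo "FAIL: gear uids $gear_min-$gear_max outside UID_MIN/UID_MAX $uid_min-$uid_max" >&2
        rc=1
    fi
    if [ "$gear_min" -lt "$gid_min" ] || [ "$gear_max" -gt "$gid_max" ]; then
        echo "FAIL: gear uids $gear_min-$gear_max outside GID_MIN/GID_MAX $gid_min-$gid_max;" \
             "useradd cannot allocate gid == uid for every gear" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample files (not real node configs) for the good and the bad case.
TMP=$(mktemp -d)
printf 'GEAR_MIN_UID=1000\nGEAR_MAX_UID=6999\n' > "$TMP/node.conf"
printf 'UID_MIN 500\nUID_MAX 60000\nGID_MIN 500\nGID_MAX 60000\n' > "$TMP/login.defs.ok"
printf 'UID_MIN 500\nUID_MAX 60000\nGID_MIN 10000\nGID_MAX 60000\n' > "$TMP/login.defs.bad"

check_gear_ranges "$TMP/login.defs.ok" "$TMP/node.conf" && echo "login.defs.ok: compatible"
check_gear_ranges "$TMP/login.defs.bad" "$TMP/node.conf" || echo "login.defs.bad: rc=$?"
```

Point it at the real /etc/login.defs and /etc/openshift/node.conf to run it on a node; a non-zero exit means gear creation can hit the ssh-keygen permission failure described in this bug.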
I'm digging into this a bit more. It seems like there are other places in the code that expect uid==gid.
Actually the patch proposed in comment #1 just makes sure that the expected gid is applied, so in practice it actually makes sure that uid == gid and the code that assumes this will just work. However, there's a different (but related) problem: 'next_uid' only checks local passwd/group files for duplicates, so you get into similar problems if the system has external user info configured (e.g. NIS, LDAP). Just reproduced it, will create a separate bug.
You're correct. I was confused at first because of a DNS problem in my environment that was causing ssh logins to fail on my patched Node. I was assuming there was something wrong with the patch.
I'm submitting this PR upstream @ https://github.com/openshift/origin-server/pull/4933.
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/2dc7732175c19c7f27362f909fc687127872ce8b
Bug 1053485 - Changing GID_MIN in login.defs prevents app creation

This patch was originally submitted by Josep 'Pep' Turro Mauri <pep@redhat.com>
Retested this bug with rubygem-openshift-origin-container-selinux-0.7.1-1.git.0.4244282.el6op.noarch on puddle 2.1/2014-03-14.1. It still failed with the ssh key permission issue; I checked the code and the related patch has not been merged in, so I'm assigning this bug back.
Verified this bug on puddle 2.1/2014-03-17.2. Set up an OSE env with htpasswd authentication enabled and modified GID_MIN to 6000 in login.defs on the node. Could create an app and ssh into the app successfully.