Bug 1053485 - Changing GID_MIN in login.defs prevents app creation
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Containers
Version: 2.0.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Brenton Leanhardt
QA Contact: libra bugs
Reported: 2014-01-15 05:29 EST by Josep 'Pep' Turro Mauri
Modified: 2017-03-08 12 EST
Doc Type: Bug Fix
Last Closed: 2014-05-15 10:41:02 EDT
Type: Bug
Attachments:
possible patch (1.20 KB, patch), 2014-03-06 09:35 EST, Josep 'Pep' Turro Mauri
Description Josep 'Pep' Turro Mauri 2014-01-15 05:29:42 EST
Description of problem:
If login.defs on the node is modified and GID_MIN is set to a high value, app creation fails.

Version-Release number of selected component (if applicable):
rubygem-openshift-origin-node-1.17.5-2.el6op.noarch
rubygem-openshift-origin-container-selinux-0.4.1-2.el6op.noarch

How reproducible:
Always

Steps to Reproduce:
1. edit /etc/login.defs in the node, set GID_MIN to 1001
2. try 'rhc app create ...' from a client

Actual results (output from 'rhc app create test php'):

Creating application 'test' ... 
Unable to complete the requested operation due to: An invalid exit code (1) was returned from the server mynode01.example.com.  This indicates an unexpected problem during the execution of your request..
Reference ID: 340d74edb25352bde139b1054f6165f8

Expected results:
App creation works.

Additional info:

Initially the home dir of the gear seems to be created with the correct gid:
# ls -laZ /var/lib/openshift/5*
drwx------. 52d6614585937af84a000058 1001 system_u:object_r:openshift_var_lib_t:s0 .
drwxr-xr-x. root                     root system_u:object_r:openshift_var_lib_t:s0 ..

but then it's chown'd:

# ls -laZ /var/lib/openshift/5*
drwxr-x---. root 1000 system_u:object_r:openshift_var_lib_t:s0:c0,c1000 .
drwxr-xr-x. root root system_u:object_r:openshift_var_lib_t:s0 ..

# ls -laZ /var/lib/openshift/5*
drwxr-x---. root                     1000 system_u:object_r:openshift_var_lib_t:s0:c0,c1000 .
drwxr-xr-x. root                     root system_u:object_r:openshift_var_lib_t:s0 ..
drwxr-xr-x. root                     root system_u:object_r:openshift_var_lib_t:s0 app-root
drwxr-x---. root                     1000 system_u:object_r:openshift_var_lib_t:s0:c0,c1000 .env
drwxr-x---. 52d6614585937af84a000058 1000 system_u:object_r:openshift_var_lib_t:s0:c0,c1000 .gem
d---------. root                     root system_u:object_r:openshift_var_lib_t:s0 .sandbox
drwxr-x---. root                     1000 system_u:object_r:ssh_home_t:s0:c0,c1000 .ssh
d---------. root                     root system_u:object_r:openshift_var_lib_t:s0 .tmp

which leads to lack of permissions for ssh-keygen, resulting in the failure.
Comment 1 Josep 'Pep' Turro Mauri 2014-03-06 09:35:30 EST
Created attachment 871493 [details]
possible patch

AFAICT the cause of this problem is that the selinux container assumes that useradd will create a group with gid==uid, which is not necessarily true. e.g. a GID_MIN higher than the lowest available uid would trigger that problem.

Attaching a sample change that first creates the group and specifies the gid in the useradd invocation, which fixes the problem in my test env.
Comment 2 Josep 'Pep' Turro Mauri 2014-03-06 09:40:43 EST
(In reply to Josep 'Pep' Turro Mauri from comment #0)
> Steps to Reproduce:
> 1. edit /etc/login.defs in the node, set GID_MIN to 1001
> 2. try 'rhc app create ...' from a client

A simpler reproducer, on a fresh node install this should reproduce the problem:

# sed -i.bak -e 's/^GID_MIN.*/GID_MIN 10000/' /etc/login.defs
# oo-devel-node app-create -c testing123 --with-namespace deleteme --with-app-uuid testing123 --with-app-name testing123

results in:

Shell command '/sbin/runuser -s /bin/sh testing123 -c "exec /usr/bin/runcon 'unconfined_u:system_r:openshift_t:s0:c0,c1000' /bin/sh -c \"/usr/bin/ssh-keygen -N '' -f /var/lib/openshift/testing123/.openshift_ssh/id_rsa\""' returned an error. rc=1
Generating public/private rsa key pair.
Saving the key failed: /var/lib/openshift/testing123/.openshift_ssh/id_rsa.

open /var/lib/openshift/testing123/.openshift_ssh/id_rsa failed: Permission denied.
Comment 3 Brenton Leanhardt 2014-03-06 10:36:49 EST
This change looks reasonable.  I'll sync with upstream to see what their thoughts are and if there was any reason the code assumed uid==gid.

On a related note, it definitely seems like we need an oo-diagnostics check to make sure UID_MIN/MAX and GID_MIN/MAX in /etc/login.defs are compatible with GEAR_MIN/MAX_UID in /etc/openshift/node.conf.  That seems like another way for things to be misconfigured.
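The following is an added example, written for this page; it is neither the patch attached in comment 1 nor OpenShift's own oo-diagnostics code. It shows two things from the discussion above: the fix pattern from comment 1 (allocate the group with an explicit gid first, then hand that gid to useradd, so gid == uid holds whatever GID_MIN says), and the configuration check proposed in comment 3 (the gear uid range in /etc/openshift/node.conf must lie inside both the UID_* and GID_* ranges of /etc/login.defs). The key names GEAR_MIN_UID/GEAR_MAX_UID are those named in comment 3; the sample values in the demo files are constructed, and the account-creation function is a hypothetical helper that requires root and is not run by the demo.

```shell
#!/bin/sh
# Added example (not the bug's attachment, not oo-diagnostics).
# Demonstrates the comment 1 fix pattern and the comment 3 login.defs/node.conf check.

# read_key FILE KEY: print the value of KEY, accepting "KEY value" (login.defs)
# and "KEY=value" (node.conf); comments are stripped and the last definition wins.
read_key() {
    awk -v key="$2" '
        {
            line = $0
            sub(/#.*/, "", line)          # drop comments
            gsub(/[="]/, " ", line)       # KEY=value and quoted values -> KEY value
            n = split(line, f)            # default split trims surrounding blanks
            if (n >= 2 && f[1] == key) val = f[2]
        }
        END { if (val != "") print val }' "$1"
}

# create_gear_account NAME UID HOME: hypothetical helper showing the comment 1
# pattern. The group is created with gid == uid before useradd runs, and useradd
# is told which gid to use instead of being left to allocate one from GID_MIN.
# Requires root; not exercised by the demo below.
create_gear_account() {
    gear_name=$1 gear_uid=$2 gear_home=$3
    groupadd -g "$gear_uid" "$gear_name" || return 1
    useradd -u "$gear_uid" -g "$gear_uid" -d "$gear_home" -s /bin/sh \
            -c "OpenShift gear" "$gear_name"
}

# check_gear_id_ranges LOGIN_DEFS NODE_CONF: the check proposed in comment 3.
# Returns 0 when compatible, 1 when not, 2 when a required key is missing.
check_gear_id_ranges() {
    uid_min=$(read_key "$1" UID_MIN); uid_max=$(read_key "$1" UID_MAX)
    gid_min=$(read_key "$1" GID_MIN); gid_max=$(read_key "$1" GID_MAX)
    gear_min=$(read_key "$2" GEAR_MIN_UID); gear_max=$(read_key "$2" GEAR_MAX_UID)
    for v in "$uid_min" "$uid_max" "$gid_min" "$gid_max" "$gear_min" "$gear_max"; do
        [ -n "$v" ] || { echo "ERROR: missing UID_*/GID_* or GEAR_*_UID setting"; return 2; }
    done
    rc=0
    if [ "$gear_min" -lt "$uid_min" ] || [ "$gear_max" -gt "$uid_max" ]; then
        echo "FAIL: gear uids $gear_min-$gear_max outside UID_MIN-UID_MAX $uid_min-$uid_max"
        rc=1
    fi
    if [ "$gear_min" -lt "$gid_min" ] || [ "$gear_max" -gt "$gid_max" ]; then
        echo "FAIL: gear uids $gear_min-$gear_max outside GID_MIN-GID_MAX $gid_min-$gid_max;" \
             "useradd cannot allocate gid == uid for every gear"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: gear uid range fits the login.defs UID and GID ranges"
    return "$rc"
}

# write_sample_configs DIR: constructed login.defs/node.conf fragments for the demo.
# bad.login.defs reuses the GID_MIN 10000 value from the comment 2 reproducer.
write_sample_configs() {
    cat > "$1/good.login.defs" <<'EOF'
# constructed sample login.defs fragment
UID_MIN   500
UID_MAX   60000
GID_MIN   500
GID_MAX   60000
EOF
    sed 's/^GID_MIN .*/GID_MIN   10000/' "$1/good.login.defs" > "$1/bad.login.defs"
    cat > "$1/node.conf" <<'EOF'
# constructed sample node.conf fragment (values are not the product defaults)
GEAR_MIN_UID=1000
GEAR_MAX_UID=6999
EOF
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    for defs in good bad; do
        echo "== $defs.login.defs =="
        check_gear_id_ranges "$tmp/$defs.login.defs" "$tmp/node.conf"
    done
    rm -rf "$tmp"
fi
```

Run with `sh this_script.sh demo`: the good fragment passes, the one with GID_MIN 10000 fails the GID range check, which is exactly the situation where useradd hands out a gid different from the uid and the gear's .ssh directory ends up owned by the wrong group. The check reads the files it is given, so it can be pointed at copies of a node's configuration without touching the node itself.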
Comment 4 Brenton Leanhardt 2014-03-11 10:25:58 EDT
I'm digging into this a bit more.  It seems like there are other places in the code that expect uid==gid.
Comment 5 Josep 'Pep' Turro Mauri 2014-03-11 13:13:03 EDT
Actually the patch proposed in comment #1 just makes sure that the expected gid is applied - so in practice it actually makes sure that uid == gid and the code that assumes this will just work.

However, there's a different (but related) problem: 'next_uid' only checks the local passwd/group files for duplicates, so you get into similar problems if the system has external user info configured (e.g. NIS, LDAP). Just reproduced it, will create a separate bug.
Comment 6 Brenton Leanhardt 2014-03-11 14:02:22 EDT
You're correct.  I was confused at first because of a DNS problem in my environment that was causing ssh logins to fail on my patched Node.  I was assuming there was something wrong with the patch.
Comment 7 Brenton Leanhardt 2014-03-11 14:40:12 EDT
I'm submitting this PR upstream @ https://github.com/openshift/origin-server/pull/4933.
Comment 8 openshift-github-bot 2014-03-12 18:10:37 EDT
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/2dc7732175c19c7f27362f909fc687127872ce8b
Bug 1053485 - Changing GID_MIN in login.defs prevents app creation

This patch was originally submitted by Josep 'Pep' Turro Mauri <pep@redhat.com>
Comment 10 Gaoyun Pei 2014-03-17 06:04:57 EDT
Retest this bug with rubygem-openshift-origin-container-selinux-0.7.1-1.git.0.4244282.el6op.noarch on puddle 2.1/2014-03-14.1.

It still failed with the ssh key permission issue. I checked the code and the related patch has not been merged in, so I am assigning this bug back.
Comment 12 Gaoyun Pei 2014-03-18 02:24:57 EDT
Verify this bug on puddle 2.1/2014-03-17.2.

Set up an OSE env with htpasswd authentication enabled and modified GID_MIN to 6000 in login.defs on the node.

Could create app and ssh into the app successfully.
