Bug 869790 - pam_namespace grabs too many users
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Containers
Version: 2.x
Priority: high
Severity: high
Assigned To: Krishna Raman
Reported: 2012-10-24 15:55 EDT by Rob Millner
Modified: 2015-05-14 19:01 EDT
Doc Type: Bug Fix
Last Closed: 2012-12-19 14:27:47 EST
Type: Bug
Description Rob Millner 2012-10-24 15:55:12 EDT
Description of problem:
The polyinstantiation of directories for OpenShift grabs too many users on different Fedoras and more robust installations of RHEL leading to unpredictable behaviour.

For example, GDM doesn't work on Fedora 16.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Run OpenShift on a Fedora 16 box with SELinux enabled and graphical login
Actual results:

Graphical login fails to even start.


Expected results:

Graphical login starts.

Additional info:

See if we can use security context rather than usernames to narrow down the polyinstantiation to just OpenShift users. It would be a huge list of usernames otherwise and we'll constantly have to add to it.
Comment 1 Rob Millner 2012-10-24 18:59:46 EDT
The only options available for pam_namespace are to either list the users not affected, or list the users affected, but not both. There's no groups or context selector.

If we switched to explicitly listing gear users, on C9 that would be a list of 3000 users in the namespace configuration files. I'm running some tests to see if that's viable but it's starting to look unwieldy.

Proposed solution for the live CD is list all non-gear usernames in each file in /etc/security/namespace.d when the CD is built.  It will be around 30 or 40 names.

This doesn't solve the general class of problem with our polyinstantiation setup stepping on other users; but it will solve it in the specific case where it came up.

Sending to Krishna to fix the live CD build.
Comment 2 Mike McGrath 2012-10-31 12:35:31 EDT
We may want to create a gear group and only poly-inst that group. In prod we use the wheel group to exclude users, but really we should only be including the correct users.
Comment 3 Krishna Raman 2012-10-31 14:06:47 EDT
https://github.com/openshift/origin-server/pull/794
Comment 4 Krishna Raman 2012-10-31 14:21:14 EDT
poly-inst of groups is not currently possible as pam_namespace does support specifying a group. Will require an upstream change AFAIK.
Comment 5 Rob Millner 2012-10-31 14:32:30 EDT
Mike, how are you excluding the wheel group?

My read of the source for pam_namespace.so is that you can only specify a list of accounts to exclude, a list of accounts to include, but not both or groups.

Ideally, we should only list the OpenShift gear accounts for these namespaces. On certain exec nodes, that would be 3000 usernames.
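The two shapes of the list_of_uids field that Comment 1 and Comment 5 describe (an exclusion list prefixed with "~", or an explicit inclusion list, never both and never a group) can be seen in a small script. This is an added example, not code from the bug or from the origin-server pull request: it models the pam_namespace selection rule for /etc/security/namespace.conf and namespace.d files, and builds the explicit list from the members of a hypothetical "gear" group as Comment 2 suggests, so the group is expanded to user names at build time. The group name, the sample group line, the /tmp polydir, the /tmp-inst/ prefix and the "user" method are assumptions for the example.

```shell
# Added example (not from the bug or the origin-server repo).
# namespace.conf(5) line format:
#   polydir  instance_prefix  method  list_of_uids
# list_of_uids semantics:
#   ""        polyinstantiate every user
#   "~a,b"    polyinstantiate every user EXCEPT a and b
#   "a,b"     polyinstantiate ONLY a and b

# True (exit 0) if user $1 appears in the comma-separated list $2.
in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Apply the pam_namespace selection rule: does the list field $2 cause
# user $1 to get a polyinstantiated directory?
applies_to() {
    case "$2" in
        '')   return 0 ;;                                 # blank: everyone
        '~'*) in_list "$1" "${2#\~}" && return 1 || return 0 ;;  # exclusion list
        *)    in_list "$1" "$2" ;;                        # inclusion list
    esac
}

# Turn a getent-style group line ("gear:x:1500:u1,u2") into "u1,u2".
gear_uid_list() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Build the inclusion-form config line for a group line.
#   $1 polydir, $2 instance prefix, $3 method, $4 group line
namespace_line() {
    printf '%s %s %s %s\n' "$1" "$2" "$3" "$(gear_uid_list "$4")"
}

# Constructed sample group line; on a real node use: getent group gear
SAMPLE_GROUP='gear:x:1500:gear01,gear02,gear03'

# The exclusion form from the discussion ("exclude wheel-like users").
WEAK_LIST='~root,adm'

# Usage (as root, at CD/node build time):
#   namespace_line /tmp /tmp-inst/ user "$(getent group gear)" \
#       > /etc/security/namespace.d/openshift.conf
```

With the exclusion form, any account not named in the list is polyinstantiated, which is how a desktop login account such as gdm on Fedora 16 gets caught; the inclusion form reaches only the gear accounts, at the cost of regenerating the file whenever gears are added, which is the 3000-name concern raised above.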
Comment 6 Peter Ruan 2012-11-08 12:44:59 EST
Verified with the latest build of origin. UI can now come up.