Bug 869790 - pam_namespace grabs too many users
Summary: pam_namespace grabs too many users
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OKD
Classification: Red Hat
Component: Containers
Version: 2.x
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Krishna Raman
QA Contact: libra bugs
Reported: 2012-10-24 19:55 UTC by Rob Millner
Modified: 2015-05-14 23:01 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-12-19 19:27:47 UTC



Description Rob Millner 2012-10-24 19:55:12 UTC
Description of problem:
The polyinstantiation of directories for OpenShift grabs too many users on different Fedoras and more robust installations of RHEL leading to unpredictable behaviour.

For example, GDM doesn't work on Fedora 16.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Run OpenShift on a Fedora 16 box with SELinux enabled and graphical login

Actual results:

Graphical login fails to even start.


Expected results:

Graphical login starts.

Additional info:

See if we can use security context rather than usernames to narrow down the polyinstantiation to just OpenShift users.  It would be a huge list of usernames otherwise and we'll constantly have to add to it.

Comment 1 Rob Millner 2012-10-24 22:59:46 UTC
The only options available for pam_namespace are to either list the users not affected, or list the users affected, but not both.  There's no groups or context selector.

If we switched to explicitly listing gear users, on C9 that would be a list of 3000 users in the namespace configuration files.  I'm running some tests to see if that's viable but it's starting to look unwieldy.

Proposed solution for the live CD is to list all non-gear usernames in each file in /etc/security/namespace.d when the CD is built.  It will be around 30 or 40 names.

This doesn't solve the general class of problem with our polyinstantiation setup stepping on other users; but it will solve it in the specific case where it came up.

Sending to Krishna to fix the live CD build.

Comment 2 Mike McGrath 2012-10-31 16:35:31 UTC
We may want to create a gear group and only poly-inst that group.  In prod we use the wheel group to exclude users, but really we should only be including the correct users.

Comment 3 Krishna Raman 2012-10-31 18:06:47 UTC
https://github.com/openshift/origin-server/pull/794

Comment 4 Krishna Raman 2012-10-31 18:21:14 UTC
Poly-inst of groups is not currently possible as pam_namespace does support specifying a group. Will require an upstream change AFAIK.

Comment 5 Rob Millner 2012-10-31 18:32:30 UTC
Mike, how are you excluding the wheel group?

My read of the source for pam_namespace.so is that you can only specify a list of accounts to exclude, a list of accounts to include, but not both or groups.

Ideally, we should only list the Openshift gear accounts for these namespaces.  On certain exec nodes, that would be 3000 usernames.
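
As an added example (not code from this bug or from the origin-server repository): a small audit script that applies the pam_namespace list_of_uids semantics described in Comment 1 and Comment 5 (a plain username list to include, or a `~`-prefixed list to exclude, nothing else) to a constructed namespace.conf and passwd excerpt, and reports which accounts a rule would polyinstantiate beyond the intended gear users. All account names, paths and the gear set are constructed.

```python
"""Audit which local accounts a pam_namespace rule set would polyinstantiate."""

# Constructed sample in the "all users except these" style the live CD used.
NAMESPACE_CONF = """
# polydir   instance_prefix      method  list_of_uids
/tmp        /tmp-inst/           level   ~root,adm
/var/tmp    /var/tmp/tmp-inst/   level   ~root,adm
"""

# Constructed /etc/passwd excerpt (no real system data). 0af1gear stands in
# for an OpenShift gear account; gdm and rob are ordinary desktop accounts.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
adm:x:3:4:adm:/var/adm:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
rob:x:1000:1000::/home/rob:/bin/bash
0af1gear:x:1001:1001::/var/lib/openshift/0af1gear:/bin/bash
"""

def parse_namespace_conf(text):
    """Return one (polydir, method, exclude, names) tuple per rule.

    list_of_uids follows pam_namespace(8): an empty list means every user,
    a leading '~' means every user except those listed.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed rule: {raw!r}")
        polydir, method = fields[0], fields[2].split(":", 1)[0]
        uids = fields[3] if len(fields) > 3 else ""
        exclude = uids.startswith("~")
        names = frozenset(n for n in uids.lstrip("~").split(",") if n)
        rules.append((polydir, method, exclude, names))
    return rules

def local_users(passwd_text):
    """Account names from passwd-format text."""
    return {l.split(":", 1)[0] for l in passwd_text.splitlines() if l.strip()}

def affected_users(rule, users):
    """Accounts whose sessions get a private instance of the rule's polydir."""
    _, _, exclude, names = rule
    if exclude:
        return set(users) - names
    return set(users) & names if names else set(users)

def unintended_users(conf_text, passwd_text, intended):
    """Map polydir -> sorted accounts polyinstantiated but not in `intended`."""
    users = local_users(passwd_text)
    return {r[0]: sorted(affected_users(r, users) - set(intended))
            for r in parse_namespace_conf(conf_text)}
```

Running `unintended_users(NAMESPACE_CONF, PASSWD, {"0af1gear"})` on the constructed data flags gdm and rob under both polydirs, which is the overreach the report describes; an explicit include list of gear names flags nothing.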

Comment 6 Peter Ruan 2012-11-08 17:44:59 UTC
Verified with the latest build of origin.  UI can now come up.
