Red Hat Bugzilla – Bug 869790
pam_namespace grabs too many users
Last modified: 2015-05-14 19:01:16 EDT
Description of problem:
The polyinstantiation of directories for OpenShift grabs too many users on different Fedoras and more robust installations of RHEL leading to unpredictable behaviour.
For example, GDM doesn't work on Fedora 16.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Run OpenShift on a Fedora 16 box with selinux enabled and graphical login

Actual results:
Graphical login fails to even start.

Expected results:
Graphical login starts.
See if we can use security context rather than usernames to narrow down the polyinstantiation to just OpenShift users. It would be a huge list of usernames otherwise and we'll constantly have to add to it.
The only options available for pam_namespace are to either list the users not affected, or list the users affected, but not both. There's no groups or context selector.
If we switched to explicitly listing gear users, on C9 that would be a list of 3000 users in the namespace configuration files. I'm running some tests to see if that's viable but it's starting to look unwieldy.
Proposed solution for the live CD is list all non-gear usernames in each file in /etc/security/namespace.d when the CD is built. It will be around 30 or 40 names.
This doesn't solve the general class of problem with our polyinstantiation setup stepping on other users; but it will solve it in the specific case where it came up.
Sending to Krishna to fix the live CD build.
We may want to create a gear group and only poly-inst that group. In prod we use the wheel group to exclude users, but really we should only be including the correct users.
poly-inst of groups is not currently possible as pam_namespace does support specifying a group. Will require an upstream change AFAIK.
Mike, how are you excluding the wheel group?
My read of the source for pam_namespace.so is that you can only specify either a list of accounts to exclude or a list of accounts to include, but not both, and not groups.
Ideally, we should only list the Openshift gear accounts for these namespaces. On certain exec nodes, that would be 3000 usernames.
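The two list forms discussed above (exclude the non-gear users, as proposed for the live CD, or list only the gear accounts) both end up as the last field of a pam_namespace line in /etc/security/namespace.d. The following is an added illustration, not code from this bug, OpenShift or pam_namespace: it builds that field from a constructed passwd excerpt in both forms. The `~` prefix meaning "polyinstantiate only the listed users" follows the pam_namespace(8) man page; the assumption that gear accounts can be recognised by a 24-character hex name, and the `/tmp`, `/tmp-inst/` and `level` values, are placeholders for the example.

```python
"""
Added example (not from the bug report, OpenShift or pam_namespace):
generate the user-list field of a pam_namespace line from passwd data,
in both forms the module supports, and show why one list must be chosen.
"""
import re

# Constructed /etc/passwd excerpt for the example (not a real system file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
mike:x:1000:1000:Mike:/home/mike:/bin/bash
krishna:x:1001:1001:Krishna:/home/krishna:/bin/bash
52f2c9e4a1b2c3d4e5f6a7b8:x:5001:5001:OpenShift guest:/var/lib/openshift/52f2c9e4a1b2c3d4e5f6a7b8:/bin/bash
52f2ca10a1b2c3d4e5f6a7b9:x:5002:5002:OpenShift guest:/var/lib/openshift/52f2ca10a1b2c3d4e5f6a7b9:/bin/bash
"""

# Assumption for this example: gear accounts are named by a 24-char hex id.
GEAR_NAME = re.compile(r"^[0-9a-f]{24}$")


def is_gear_account(name):
    """Heuristic (assumed, not OpenShift's rule): gear users have hex-id names."""
    return bool(GEAR_NAME.match(name))


def parse_passwd(text):
    """Return the user names from passwd-format text, skipping blank/comment lines."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        users.append(line.split(":", 1)[0])
    return users


def exclusion_list(users):
    """Live-CD approach: name every non-gear user; pam_namespace skips them
    and polyinstantiates everyone else (including users added later)."""
    return ",".join(u for u in users if not is_gear_account(u))


def inclusion_list(users):
    """Explicit approach: a leading '~' tells pam_namespace to polyinstantiate
    only the listed users.  On a busy node this list is the long one."""
    return "~" + ",".join(u for u in users if is_gear_account(u))


def namespace_line(polydir, instance_prefix, method, user_list):
    """Format one line of /etc/security/namespace.d/<file>:
    polydir  instance_prefix  method  list_of_uids"""
    if user_list.count("~") > 1 or ("~" in user_list and not user_list.startswith("~")):
        # pam_namespace accepts one list, either excluded or (with '~') included,
        # never a mix; refuse to emit a line the module would misread.
        raise ValueError("user list must be either plain (excluded) or '~'-prefixed (included)")
    return "{}\t{}\t{}\t{}".format(polydir, instance_prefix, method, user_list)


def list_sizes(users):
    """How many names each approach has to carry for this account set."""
    excluded = [u for u in users if not is_gear_account(u)]
    included = [u for u in users if is_gear_account(u)]
    return len(excluded), len(included)


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print(namespace_line("/tmp", "/tmp-inst/", "level", exclusion_list(users)))
    print(namespace_line("/tmp", "/tmp-inst/", "level", inclusion_list(users)))
    print("names to maintain (exclude vs include):", list_sizes(users))
```

Either line is valid on its own; the point of `list_sizes` is the trade-off raised in the bug: the exclusion form stays short (the 30 or 40 non-gear names on a live CD) but silently polyinstantiates any user added later, while the inclusion form is precise but grows with every gear account.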
Verified with the latest build of origin. UI can now come up.