On Mon, May 13, 2019 at 08:01:14PM +1000, Jonathan Molyneux wrote:
> Hi Everyone,
>
> Having an issue when running docker containers under a lxc container not
> being able to write to /proc/self/loginuid, blocking ssh logins due to
> pam_loginuid.so.
>
> My setup / environment is:
>
> OS Version/build:
> debian 9.9 (up to date) running kernel 4.9.168-1 with aufs-dkms.
> lxc 2.0.7-2+deb9u2
>
> App version:
> Docker version 18.09.6, build 481bc77
>
> Docker run from inside an lxc container running with the config:
>
> lxc.include = /usr/share/lxc/config/debian.common.conf
> lxc.include = /usr/share/lxc/config/nesting.conf
>
> Steps to reproduce:
> pam_loginuid.so (write to loginuid) works when testing from:
>
> the host
> inside docker run directly on the host
> inside a lxc container
When you say "works when testing from lxc container", what exactly do you
mean there?

Please see https://github.com/lxc/lxc/issues/661 and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726661

So I think the question is - what is *in* the docker containers, and does
it have the pam upstream fix required to know when to skip writing to
loginuid?

> But won't allow writes when run from docker inside the lxc container.
> For example when cron triggers a job for the user www-data (uid 33)
> you end up seeing the following:
>
> [pid 1693] openat(AT_FDCWD, "/proc/self/loginuid", O_RDWR|O_NOFOLLOW) = 6
> [pid 1693] read(6, "0", 24) = 1
> [pid 1693] read(6, "", 23) = 0
> [pid 1693] lseek(6, 0, SEEK_SET) = 0
> [pid 1693] ftruncate(6, 0) = 0
> [pid 1693] write(6, "33", 2) = -1 EPERM (Operation not permitted)
>
> Whereas you should be seeing:
>
> [pid 30378] openat(AT_FDCWD, "/proc/self/loginuid", O_RDWR|O_NOFOLLOW) = 6
> [pid 30378] read(6, "4294967295", 24) = 10
> [pid 30378] read(6, "", 14) = 0
> [pid 30378] lseek(6, 0, SEEK_SET) = 0
> [pid 30378] ftruncate(6, 0) = 0
> [pid 30378] write(6, "33", 2) = 2
>
> Have been able to reproduce the issue using both debian:9.9 and
> ubuntu:18.04 images.
>
> Have tried many tweaks to lxc and apparmor to no avail (mostly stripping
> away at the restrictions, have also run aa_profile
> unconfined/lxc-container-default-with-mounting), mostly as I can't seem to
> reproduce the issue in a lxc container and no changes have had any effect
> on the docker containers either.
>
> Any thoughts or ideas on where to go next?
>
> PS
>
> This may not be an LXC issue, but I'm out of ideas on how to proceed.
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
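An added diagnostic (my own, not code from the thread, pam, lxc or Docker) that applies the kernel's rule for /proc/self/loginuid to the two traces quoted above: a value of 4294967295 means "unset" and any process may write it once, while any other value is already set (it is inherited across fork/exec) and changing it requires CAP_AUDIT_CONTROL, which Docker drops from its default capability set. The CapEff values used in the checks are constructed samples; run the script inside each environment to see which case applies there.

```shell
#!/bin/sh
# Added diagnostic for the pam_loginuid EPERM (not from the thread or pam).
# Kernel rule for writing /proc/self/loginuid:
#   - 4294967295 ((uid_t)-1) = unset: any process may write it once;
#   - anything else = already set: changing it needs CAP_AUDIT_CONTROL
#     (capability bit 30). Docker's default set omits it -> EPERM.
# (A kernel can additionally mark a set loginuid immutable; not modelled here.)

UNSET=4294967295
CAP_AUDIT_CONTROL=30

# classify_loginuid VALUE -> prints "unset" or "set"
classify_loginuid() {
    if [ "$1" = "$UNSET" ]; then echo unset; else echo set; fi
}

# has_cap_audit_control CAPEFF_HEX -> true if bit 30 is in the effective set
# (CAPEFF_HEX is the CapEff field of /proc/self/status, e.g. 0000003fffffffff)
has_cap_audit_control() {
    caps=$(printf '%s' "$1" | sed 's/^0*//')   # drop leading zeros
    if [ -z "$caps" ]; then caps=0; fi
    [ $(( 0x$caps >> CAP_AUDIT_CONTROL & 1 )) -eq 1 ]
}

# predict_write VALUE CAPEFF_HEX -> "ok" or "EPERM", the result pam's
# write() of a new uid would get given the current value and capabilities
predict_write() {
    if [ "$(classify_loginuid "$1")" = unset ]; then
        echo ok
    elif has_cap_audit_control "$2"; then
        echo ok
    else
        echo EPERM
    fi
}

# Inspect the calling process, mirroring what strace showed in the report.
if [ -r /proc/self/loginuid ]; then
    cur=$(cat /proc/self/loginuid)
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    echo "loginuid=$cur ($(classify_loginuid "$cur")) CapEff=$capeff" \
         "-> write of a different uid would be: $(predict_write "$cur" "$capeff")"
else
    echo "/proc/self/loginuid not present (kernel built without audit support)"
fi
```

In the failing trace the file reads "0" (set) and the Docker default CapEff 00000000a80425fb lacks bit 30, so the script predicts EPERM; in the working trace it reads 4294967295, so the write is allowed regardless of capabilities.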