Merge "Drop systemd support from nsswitch.conf on RHEL-based distros"

2020-07-06 14:33:01 +00:00 · 2020-07-06 14:33:01 +00:00 · 22d7ffa382
parent 70ffba8241 dc2ddfa975
commit 22d7ffa382
2 changed files with 9 additions and 1 deletions
--- a/docker/base/Dockerfile.j2
+++ b/docker/base/Dockerfile.j2
@ -416,7 +416,8 @@ RUN apt-get update \
 {% endif %}

 {% if base_distro == 'centos' or base_distro == 'rhel' %}
-RUN sed -ri '/-session(\s+)optional(\s+)pam_systemd.so/d' /etc/pam.d/system-auth
+RUN sed -ri '/-session(\s+)optional(\s+)pam_systemd.so/d' /etc/pam.d/system-auth \
+    && sed -ri '/^[^#]/ s/systemd//g' /etc/nsswitch.conf
 {% endif %}

 COPY set_configs.py /usr/local/bin/kolla_set_configs
--- a/releasenotes/notes/disable-systemd-nss-on-rhel-based-distros-5d586fcdb9a82da7.yaml
+++ b/releasenotes/notes/disable-systemd-nss-on-rhel-based-distros-5d586fcdb9a82da7.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Drop systemd support from nsswitch.conf on RHEL-based distros. This avoids
+    unneeded systemd nss lookups inside containers and it also avoids possible
+    selinux denials when a container bind mounts /run and makes the dbus socket
+    available inside the container only to be denied by selinux on the host.