Drop systemd support from nsswitch.conf
A bit like we did for I3e0e86026f5a4a78473bed824cd1682d3a020cd5 we
should remove the nss-systemd lookup from containers. The reasons for
this are as follows:
1) Just like for I3e0e86026f5a4a78473bed824cd1682d3a020cd5
when this nss module is triggered it tries to talk to dbus.
It triggers a bunch of selinux denials and it makes little sense
to open all containers to talk to dbus.
In particular, if a container is run as non-privileged and bind-mounts
/run from the host, we will hit selinux denials like the following:
type=USER_AVC msg=audit(1592337775.860:74119): pid=1284 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=406228 scontext=system_u:system_r:container_t:s0:c162,c886 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
2) It just makes little sense in a kolla-world to have containers
talk to dbus/systemd and it saves us some time when a lookup triggers
the systemd module for whatever reason. Especially because the
nss-systemd module does a few things which are not useful in a container
(ensures that the root and nobody users and groups remain resolvable,
SystemD's DynamicUser= feature, provide Lookup API via Varlink)
The sed regex gives us the wanted results:
$ diff -u /etc/nsswitch.conf.orig /etc/nsswitch.conf
--- /etc/nsswitch.conf.orig 2020-06-17 08:13:20.108520894 +0000
+++ /etc/nsswitch.conf 2020-06-17 08:13:27.627069541 +0000
@@ -19,8 +19,8 @@
# passwd: sss files # from profile
# hosts: files dns # from user file
-passwd: sss files systemd
-group: sss files systemd
+passwd: sss files
+group: sss files
netgroup: sss files
automount: sss files
services: sss files
NB: This is the tcib versionb of the kolla change at I81e5b7abf4571fece13a029e25911e9e4dece673
Related-Bug: #1883849
Change-Id: I29d3a2ed0bdfce412ebef549c29053754763e555
(cherry picked from commit db71bdb684
)
This commit is contained in:
parent
e21372fcc9
commit
5af8278c59
|
@ -23,6 +23,7 @@ tcib_actions:
|
|||
- copy: /usr/share/tripleo-common/container-images/kolla/base/sudoers /etc/sudoers
|
||||
- run: chmod 440 /etc/sudoers
|
||||
- run: sed -ri '/-session(\s+)optional(\s+)pam_systemd.so/d' /etc/pam.d/system-auth
|
||||
- run: sed -ri '/^(passwd:|group:)/ s/systemd//g' /etc/nsswitch.conf
|
||||
- run: dnf install -y {{ tcib_packages['common'] | join(' ') }}
|
||||
- run: mkdir -p /openstack
|
||||
- run: dnf update -y && dnf clean all && rm -rf /var/cache/dnf
|
||||
|
|
Loading…
Reference in New Issue