Reviewed: https://review.opendev.org/741214
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=38a3a5d14cb91d4b85af66b9f15197a36322ccbc
Submitter: Zuul
Branch: stable/train
commit 38a3a5d14cb91d4b85af66b9f15197a36322ccbc
Author: Michele Baldessari <email address hidden>
Date: Wed Jun 17 10:39:19 2020 +0200
Drop systemd support from nsswitch.conf
A bit like we did for I3e0e86026f5a4a78473bed824cd1682d3a020cd5 we
should remove the nss-systemd lookup from containers. The reasons for
this are as follows:
1) Just like for I3e0e86026f5a4a78473bed824cd1682d3a020cd5
when this nss module is triggered it tries to talk to dbus.
It triggers a bunch of selinux denials and it makes little sense
to open all containers to talk to dbus.
In particular, if a container is run as non-privileged and bind-mounts
/run from the host, we will hit selinux denials like the following:
type=USER_AVC msg=audit(1592337775.860:74119): pid=1284 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=406228 scontext=system_u:system_r:container_t:s0:c162,c886 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
2) It just makes little sense in a kolla-world to have containers
talk to dbus/systemd and it saves us some time when a lookup triggers
the systemd module for whatever reason. Especially because the
nss-systemd module does a few things which are not useful in a container
(ensures that the root and nobody users and groups remain resolvable,
SystemD's DynamicUser= feature, provide Lookup API via Varlink)
The sed regex gives us the wanted results:
$ diff -u /etc/nsswitch.conf.orig /etc/nsswitch.conf
--- /etc/nsswitch.conf.orig 2020-06-17 08:13:20.108520894 +0000
+++ /etc/nsswitch.conf 2020-06-17 08:13:27.627069541 +0000
@@ -19,8 +19,8 @@
# passwd: sss files # from profile
# hosts: files dns # from user file
-passwd: sss files systemd
-group: sss files systemd
+passwd: sss files
+group: sss files
netgroup: sss files
automount: sss files
services: sss files
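Review bot: The message refers to "the sed regex" but never quotes it, so from the hunk alone a reader cannot confirm that it only strips a trailing `systemd` token from the `passwd:` and `group:` lines (the only two lines changed here) and leaves the comment lines and the other databases untouched; quoting the expression in the commit message, or noting a post-edit check such as `getent passwd root` still resolving through `sss files`, would make that verifiable.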
NB: This is the tcib version of the kolla change at I81e5b7abf4571fece13a029e25911e9e4dece673
Related-Bug: #1883849
Change-Id: I29d3a2ed0bdfce412ebef549c29053754763e555
(cherry picked from commit db71bdb684ac347cd2f915a39e7e99a95958606c)
(cherry picked from commit fa9d0097322ac463a6448087a07960bb38d019b6)
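An added shell example, not part of the tripleo-common change: the commit message only quotes the resulting diff, so the sed expression below is an assumption that reproduces it on a constructed nsswitch.conf and then checks that no database still lists the systemd source.

```shell
#!/bin/sh
# Added example (not from the tripleo-common change). The sed expression is
# an assumption; the commit message quotes only the resulting diff.
set -eu

# Constructed sample matching the "before" side of the diff in the commit.
make_sample_nsswitch() {
    cat > "$1" <<'EOF'
# passwd: sss files # from profile
# hosts: files dns # from user file
passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files
EOF
}

# Print the file with a trailing "systemd" source removed from the passwd:
# and group: databases only; comment lines and other databases are untouched.
drop_nss_systemd() {
    sed -E '/^(passwd|group):/ s/[[:space:]]+systemd[[:space:]]*$//' "$1"
}

# Exit 0 if any uncommented database line still lists the systemd source.
has_nss_systemd() {
    grep -Eq '^[^#]*:.*[[:space:]]systemd([[:space:]]|$)' "$1"
}

main() {
    f=$(mktemp)
    make_sample_nsswitch "$f"
    drop_nss_systemd "$f" > "$f.new"
    if has_nss_systemd "$f.new"; then
        echo "nss-systemd source still present in $f.new" >&2
        rm -f "$f" "$f.new"
        return 1
    fi
    cat "$f.new"
    rm -f "$f" "$f.new"
}
```

On a real host, follow the edit with `getent passwd root` to confirm root still resolves through the remaining `sss files` sources.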