Comment 5 for bug 1883849

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (master)

Reviewed: https://review.opendev.org/736134
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=db71bdb684ac347cd2f915a39e7e99a95958606c
Submitter: Zuul
Branch: master

commit db71bdb684ac347cd2f915a39e7e99a95958606c
Author: Michele Baldessari <email address hidden>
Date: Wed Jun 17 10:39:19 2020 +0200

    Drop systemd support from nsswitch.conf

    A bit like we did for I3e0e86026f5a4a78473bed824cd1682d3a020cd5 we
    should remove the nss-systemd lookup from containers. The reasons for
    this are as follows:
    1) Just like for I3e0e86026f5a4a78473bed824cd1682d3a020cd5
    when this nss module is triggered it tries to talk to dbus.
    It triggers a bunch of selinux denials and it makes little sense
    to open all containers to talk to dbus.
    In particular, if a container is run as non-privileged and bind-mounts
    /run from the host, we will hit selinux denials like the following:

      type=USER_AVC msg=audit(1592337775.860:74119): pid=1284 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=406228 scontext=system_u:system_r:container_t:s0:c162,c886 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

    2) It just makes little sense in a kolla-world to have containers
    talk to dbus/systemd and it saves us some time when a lookup triggers
    the systemd module for whatever reason. Especially because the
    nss-systemd module does a few things which are not useful in a container
    (ensures that the root and nobody users and groups remain resolvable,
    SystemD's DynamicUser= feature, provide Lookup API via Varlink)

    The sed regex gives us the wanted results:
    $ diff -u /etc/nsswitch.conf.orig /etc/nsswitch.conf
    --- /etc/nsswitch.conf.orig 2020-06-17 08:13:20.108520894 +0000
    +++ /etc/nsswitch.conf 2020-06-17 08:13:27.627069541 +0000
    @@ -19,8 +19,8 @@
     # passwd: sss files # from profile
     # hosts: files dns # from user file

    -passwd: sss files systemd
    -group: sss files systemd
    +passwd: sss files
    +group: sss files
     netgroup: sss files
     automount: sss files
     services: sss files
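Review bot: the sed expression that produces this hunk is not shown in the message, only its result; quoting it (or naming the file that applies it) would let a reviewer confirm it strips only the trailing `systemd` token on the `passwd:` and `group:` lines and leaves the commented `# passwd: sss files # from profile` example and the `netgroup:`/`automount:`/`services:` context lines untouched, as the hunk shows.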

    NB: This is the tcib version of the kolla change at I81e5b7abf4571fece13a029e25911e9e4dece673
    Related-Bug: #1883849

    Change-Id: I29d3a2ed0bdfce412ebef549c29053754763e555
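The transformation the commit describes, as an added example rather than the tripleo-common change itself: strip the nss-systemd lookup from the `passwd:` and `group:` lines of an nsswitch.conf and provide a check that a built image no longer lists it. The sed expression, the function names and the sample file contents are assumptions constructed for this example, not taken from the change.

```shell
#!/bin/sh
# Added example, not code from the tripleo-common commit. The sed expression
# below is an assumption; the actual change's regex is not shown on the page.

# Constructed sample mirroring the relevant region of /etc/nsswitch.conf
SAMPLE_NSSWITCH='# passwd: sss files # from profile
# hosts: files dns # from user file

passwd: sss files systemd
group: sss files systemd
netgroup: sss files
automount: sss files
services: sss files'

# strip_nss_systemd: read nsswitch.conf text on stdin and write it on stdout
# with the "systemd" module removed from the service list of the passwd: and
# group: lines only. Comment lines and every other database line are left
# untouched, so a commented "# passwd: ... systemd" example would survive.
# The trailing group keeps the separator when systemd sits mid-list.
strip_nss_systemd() {
    sed -E -e '/^(passwd|group):/ s/[[:space:]]+systemd([[:space:]]|$)/\1/g'
}

# nss_systemd_enabled FILE: exit 0 if an active passwd: or group: line in
# FILE still lists the systemd module, 1 otherwise. Usable as a post-build
# check on a container image's /etc/nsswitch.conf.
nss_systemd_enabled() {
    grep -Eq '^(passwd|group):.*[[:space:]]systemd([[:space:]]|$)' "$1"
}

# Stand-alone demo: print the cleaned configuration
printf '%s\n' "$SAMPLE_NSSWITCH" | strip_nss_systemd
```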