audit_write capability required to create containers properly #6770

Closed
wleese opened this issue Jun 30, 2014 · 9 comments

Comments

@wleese commented Jun 30, 2014

RHEL6 patches up openssh-5.1p to disallow logins when the audit subsystem cannot be used (linux cap audit_write).

wleese@wleese-Latitude-D430:~/openssh-5.3p1-94.el6.src$ grep linux_audit_write_entry *                              
openssh-5.3p1-audit.patch:+             fatal("linux_audit_write_entry failed: %s", strerror(errno));
openssh-5.3p1-audit.patch:+             fatal("linux_audit_write_entry failed: %s", strerror(errno));

For some reason this causes no issue building a rhel6 container on a rhel6 host, but when doing so on an ubuntu 14.04 host the sshd daemon fails as expected:

wleese@wleese-Latitude-D430:~/git$ docker run -it -p 2222:22 centos /bin/bash    
bash-4.1# yum install openssh-server -y
[snip]
Installed:
  openssh-server.x86_64 0:5.3p1-94.el6                                                                                                                                              

Dependency Installed:
  ethtool.x86_64 2:3.5-1.4.el6_5                 fipscheck.x86_64 0:1.2.0-7.el6         fipscheck-lib.x86_64 0:1.2.0-7.el6        initscripts.x86_64 0:9.03.40-2.el6.centos.1     
  iproute.x86_64 0:2.6.32-32.el6_5               iptables.x86_64 0:1.4.7-11.el6         iputils.x86_64 0:20071127-17.el6_4.2      openssh.x86_64 0:5.3p1-94.el6                   
  policycoreutils.x86_64 0:2.0.83-19.39.el6      upstart.x86_64 0:0.6.5-13.el6_5.3     

Complete!
bash-4.1# service sshd start
Generating SSH1 RSA host key:                              [  OK  ]
Generating SSH2 RSA host key:                              [  OK  ]
Generating SSH2 DSA host key:                              [  OK  ]
Starting sshd:                                             [  OK  ]

bash-4.1# service sshd stop
[snip]

bash-4.1# /usr/sbin/sshd -e -d
debug1: sshd version OpenSSH_5.3p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-e'
debug1: rexec_argv[2]='-d'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: sshd version OpenSSH_5.3p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: inetd sockets after dupping: 3, 3
Connection from 172.17.42.1 port 40772
debug1: Client protocol version 2.0; client software version OpenSSH_6.6.1p1 Ubuntu-5build1
debug1: match: OpenSSH_6.6.1p1 Ubuntu-5build1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
cannot write into audit
cannot write into audit
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
cannot write into audit
debug1: do_cleanup
cannot write into audit
cannot write into audit
linux_audit_write_entry failed: Operation not permitted
bash-4.1# debug1: do_cleanup

Running the same instructions with -privileged works fine.

Confirming the audit subsystem is available on the Ubuntu host:

wleese@wleese-Latitude-D430:~/openssh-5.3p1-94.el6.src$ grep audit /boot/config-$(uname -r) -i
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
CONFIG_INTEGRITY_AUDIT=y

Confirming the subsystem is available on the rhel6 host:

[root@mag-lab06 ~]# grep audit /boot/config-$(uname -r) -i
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_TREE=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_IMA_AUDIT=y

Both Docker 1.0.0, lxc backend; rhel6 devicemapper and ubuntu aufs storage.

Again, not quite sure what causes different behaviour between rhel6 and ubuntu hosts. It seems to me that when building a rhel6 based container with SSHD the privileged argument is always needed, but perhaps some changes introduced to lxc only just started applying proper security :)

@Jingtian1989 commented

Hi, wleese!
I meet the same problem. You mentioned above that running the same instructions with -privileged works fine; could you please tell me which instructions, with what -privileged option, solve the problem?
Thanks a lot!

@wleese (Author) commented Jul 11, 2014

So "docker run -it -p 2222:22 centos /bin/bash" and then "yum install openssh-server -y; service sshd start; service sshd stop; /usr/sbin/sshd -e -d" will fail.

"docker run --privileged=true -it -p 2222:22 centos /bin/bash" and then "yum install openssh-server -y; service sshd start; service sshd stop; /usr/sbin/sshd -e -d" will succeed.

@Jingtian1989 commented

Hi, @wleese!
Thanks for your reply. docker run --privileged=true ... gives me an error message Error: Cannot start container f4febd421672239438e3e08eeb381f15d3aaacbf9f2a8e685f71a3ef105ac34d: stat /dev/.udev/db/bsg:0:0:0:0: no such file or directory. Referring to #6383, I have to update docker-io, but yum install docker-io always gives me an old version 1.0.0.3 on centos6.

@wleese (Author) commented Jul 11, 2014

@Jingtian1989 please don't hijack this issue for other Docker issues, create a new one instead - thanks.

@Jingtian1989 commented

@wleese I upgraded docker to v1.1.1 and ran with --privileged=true; it works.
Thanks.

@rlpowell commented

This is quite a bit more severe than the title implies; I'd really like someone to change the title, please.

In Fedora 20, if I run "yum update" on a fresh F20 image, in my containers no forms of user alteration work; they all fail out with something like this:

==> /var/log/secure <==
Jul 15 11:22:58 94675885018d sshd[510]: error: cannot write into audit [preauth]
Jul 15 11:22:58 94675885018d sshd[510]: error: cannot write into audit [preauth]
Jul 15 11:22:58 94675885018d sshd[510]: fatal: cannot write into audit
Jul 15 11:22:58 94675885018d sshd[510]: error: cannot write into audit
Jul 15 11:22:58 94675885018d sshd[510]: error: cannot write into audit
Jul 15 11:22:58 94675885018d sshd[510]: fatal: linux_audit_write_entry failed: Operation not permitted

This is true of sshd, sudo, and runuser, at least. runuser means that none of the init scripts I have in my host work.

Essentially, all of a sudden, nothing works.

--privileged=true does fix the problem, but it also is not the way I want to run docker. Is there a way to give it only audit write access? If not, does anyone know where this problem is even happening? It's not in sshd, that's for sure. I don't think it's PAM, either, because commenting out all the lines in /etc/pam.d/sshd still gives the same behaviour.

Ah. Looks like both sshd and runuser link directly to libaudit.

So it might work if we did: auditctl -e 0

However, we can't, because we don't have audit control capabilities. If we could do that before the capabilities were divested, that might work, but I've no idea how.

@paimpozhil commented

This is still not working on Ubuntu hosts without privileged access.

Client version: 1.1.1
Client API version: 1.13
Go version (client): go1.2.1
Git commit (client): bd609d2
Server version: 1.1.1
Server API version: 1.13
Go version (server): go1.2.1
Git commit (server): bd609d2

@rlpowell commented

Seriously, can someone with appropriate access change the title and/or acknowledge the importance here? It affects way more than sshd and way more than Ubuntu! (see my earlier post)

wleese changed the title from "rhel6 sshd requires audit_write capability on ubuntu 14.04 host" to "audit_write capability required to create containers properly" on Jul 29, 2014

@unclejack (Contributor) commented

This has been fixed by #7179 and the fix is going to be included in the next release.

@moby moby locked and limited conversation to collaborators Jul 29, 2014