New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
audit_write capability required to create containers properly #6770
Comments
Hi,wleese! |
So "docker run -it -p 2222:22 centos /bin/bash" and then "yum install openssh-server -y; service sshd start; service sshd stop; /usr/sbin/sshd -e -d" will fail. "docker run --privileged=true -it -p 2222:22 centos /bin/bash" and then "yum install openssh-server -y; service sshd start; service sshd stop; /usr/sbin/sshd -e -d" will succeed. |
Hi, @wleese ! |
@Jingtian1989 please don't hijack this issue for other Docker issues, create a new one instead - thanks. |
@wleese I upgrade the docker to v1.1.1 and run with |
This is quite a bit more severe than the title implies; I'd really like someone to change the title, please. In Fedora 20, if I run "yum update" on a fresh F20 image, in my containers no forms of user alteration work, they all fail out with something like this: ==> /var/log/secure <== This is true of sshd, sudo, and runuser, at least. runuser means that none of the init scripts I have in my host work. Essentially, all of a sudden, nothing works. --privileged=true does fix the problem, but it also is not the way I want to run docker. Is there a way to give it only audit write access? If not, does anyone know where this problem is even happening? It's not in sshd, that's for sure. I don't think it's PAM, either, because commenting out all the lines in /etc/pam.d/sshd still gives the same behaviour. Ah. Looks like both sshd and runuser link directly to libaudit. So it might work if we did: auditctl -e 0 However, we can't, because we don't have audit control capabilities. If we could do that before the capabilities were divested, that might work?, but I've no idea how. |
This is still not working on Ubuntu hosts without previleged access. Client version: 1.1.1 |
Seriously, can someone with appropriate access change the title and/or acknowledge the importance here? It affects way more than sshd and way more than Ubuntu! (see my earlier post) |
This has been fixed by #7179 and the fix is going to be included in the next release. |
RHEL6 patches up openssh-5.1p to disallow logins when the audit subsystem cannot be used (linux cap audit_write).
For some reason this causes no issue building a rhel6 container on a rhel6 host, but when doing so on an ubuntu 14.04 host the sshd daemon fails as expected:
running the same instructions with -privileged works fine.
Confirming the audit subsystem in available in Ubuntu host:
wleese@wleese-Latitude-D430:~/openssh-5.3p1-94.el6.src$ grep audit /boot/config-$(uname -r) -i
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
CONFIG_INTEGRITY_AUDIT=y
Confirming the subsystem is available on the rhel6 host:
[root@mag-lab06 ~]# grep audit /boot/config-$(uname -r) -i
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_TREE=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_IMA_AUDIT=y
Both Docker 1.0.0, lxc backend, rhel6 devicemapper and ubuntu aufs storage
Again, not quite sure what causes different behaviour between rhel6 and ubuntu hosts. It seems to me that when building a rhel6 based container with SSHD the privileged argument is always needed, but perhaps some changes introduced to lxc only just started applying proper security :)
The text was updated successfully, but these errors were encountered: