[FIXED] ubuntu 14.04 container with ssh login issues #5663

Closed
fruitl00p opened this issue May 7, 2014 · 14 comments

@fruitl00p
Contributor

After booting a container that starts a script which in the background runs service ssh start, I'm unable to log in remotely.
The logs show:

Accepted publickey for root from [ip adres removed] port 46953 ssh2: RSA [fingerpint adres removed]
May  8 00:42:17 231403377f9b sshd[62]: pam_loginuid(sshd:session): Cannot open /proc/self/loginuid: Read-only file system
May  8 00:42:17 231403377f9b sshd[62]: pam_loginuid(sshd:session): set_loginuid failed
May  8 00:42:17 231403377f9b sshd[62]: pam_unix(sshd:session): session opened for user root by (uid=0)
May  8 00:42:17 231403377f9b sshd[62]: pam_env(sshd:session): Unable to open env file: /etc/default/locale: No such file or directory
May  8 00:42:17 231403377f9b sshd[62]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
May  8 00:42:17 231403377f9b sshd[62]: Received disconnect from [ip adres removed]: 11: disconnected by user

BUT after running sed '/pam_loginuid.so/s/^/#/g' -i /etc/pam.d/* inside the container everything works.

docker info:

Containers: 3
Images: 28
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Dirs: 34
Execution Driver: native-0.2
Kernel Version: 3.13.0-24-generic
WARNING: No swap limit support

docker version:

Client version: 0.11.0
Client API version: 1.11
Go version (client): go1.2.1
Git commit (client): 15209c3
Server version: 0.11.0
Server API version: 1.11
Git commit (server): 15209c3
Go version (server): go1.2.1
Last stable version: 0.11.0

(this is based on a clean install on EC2 using the get.docker.io userdata way)
I haven't had this issue on a 0.10 docker version running via the devicemapper storage driver... Does that have anything to do with this?

@fruitl00p
Contributor Author

Hmm... after a good night's sleep, this seems to be related to #5529

@fruitl00p
Contributor Author

I've just restarted debugging the issue. This does seem to relate to the non-writeable /proc/ for the SSH daemon (mentioned in #5529).

I've now come to the conclusion that since the 0.11 (and 0.11.1) versions in order to run the SSH daemon the container itself has to be started in --privileged=true mode...

Does this have any other side effects? (when the app is trusted etc)

@fruitl00p fruitl00p changed the title ubuntu 14.04 container with ssh login issues [FIXED] ubuntu 14.04 container with ssh login issues May 8, 2014
@fruitl00p
Contributor Author

After doing more searches and searches I found #5554, and from there I changed my Dockerfile to include the sed command:

sed -ri 's/^session\s+required\s+pam_loginuid.so$/session optional pam_loginuid.so/' /etc/pam.d/sshd

It solves the issue: I can now run service ssh start inside the container, log in using keys and it seems to work 👍
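
The fix from the comment above, as an added example that is not part of the original thread or of Docker's code: a shell function that applies the same required-to-optional change to a single PAM file, keeps a backup, is safe to run twice, and restores the file if the line is not in the expected form. The function names and the sample file content are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): relax pam_loginuid for one PAM file only.

# Print the control flag of the active pam_loginuid.so session line,
# or "absent" when there is none (commented-out lines do not count).
loginuid_control() {
    awk '$1 == "session" && $3 == "pam_loginuid.so" { print $2; found = 1; exit }
         END { if (!found) print "absent" }' "$1"
}

# Rewrite "session required pam_loginuid.so" to "session optional ..."
# in the given file, keeping a .orig backup and verifying the result.
relax_loginuid() {
    file=$1
    case $(loginuid_control "$file") in
        required) ;;
        optional) echo "unchanged: already optional"; return 0 ;;
        absent)   echo "unchanged: no active pam_loginuid.so line"; return 0 ;;
        *)        echo "refusing: unexpected control flag" >&2; return 1 ;;
    esac
    cp -p "$file" "$file.orig" || return 1
    # Same substitution as the thread's sed, written with POSIX classes
    # and allowing trailing whitespace after the module name.
    sed -E 's/^session[[:space:]]+required[[:space:]]+pam_loginuid\.so[[:space:]]*$/session optional pam_loginuid.so/' \
        "$file.orig" > "$file" || return 1
    if [ "$(loginuid_control "$file")" != optional ]; then
        # The line carried arguments or a comment the pattern does not cover.
        cp -p "$file.orig" "$file"
        echo "refusing: line not in the expected form, file restored" >&2
        return 1
    fi
    echo "changed: required -> optional"
}

# Constructed sample standing in for /etc/pam.d/sshd (hypothetical content).
demo=$(mktemp)
printf '%s\n' '@include common-account' \
    'session    required     pam_loginuid.so' \
    'session    optional     pam_keyinit.so force revoke' > "$demo"
relax_loginuid "$demo"
relax_loginuid "$demo"
rm -f "$demo" "$demo.orig"
```

In a Dockerfile this would be called as relax_loginuid /etc/pam.d/sshd, which leaves every other service's PAM stack and the container's privileges untouched.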

@beanjammin

The change to /etc/pam.d/sshd worked for me. Thanks, I'd been banging my head.

@abcfy2

abcfy2 commented May 9, 2014

Thank you. I have the same issue and it works for me.

@tianon
Member

tianon commented May 15, 2014

@SvenDowideit wouldn't it make sense to add this sed to the "running_ssh_service" example page, and update it to explicitly use 14.04 now?

@ejo

ejo commented May 16, 2014

+1 to @tianon's comment above... I threw many hours at this last night, even suspected pam problems at one point but others were so skeptical I looked no farther in that direction and kept chasing other leads. The example at http://docs.docker.io/examples/running_ssh_service/ really should be updated and confirmed to work for 14.04.

@andyg5000

+1 to @fruitl00p fix

@crosbymichael
Contributor

Fixed by #5903

@gdevillele
Contributor

I just had this issue, but I also have it with ubuntu:13.10 container image

@fruitl00p
Contributor Author

@Gaetan- It's not the container that's the issue, it's the elevated security features in docker 0.11 before the fix of #5903 :)

@gdevillele
Contributor

Oh! ok, thank you, I did not understand all that very well ;)
So I'll wait for next docker release!

fsouza pushed a commit to tsuru/basebuilder that referenced this issue Jun 26, 2014
@peterwillcn

sed -ri 's/^session\s+required\s+pam_loginuid.so$/session optional pam_loginuid.so/' /etc/pam.d/sshd

@qris

qris commented May 30, 2016

I posted an explanation for this issue, which affects most Linux distributions as guests, but not Ubuntu >= Wily (15.10), on LXC issue 661.

openstack-gerrit pushed a commit to openstack/kolla that referenced this issue Feb 3, 2017
sshd containers don't let logins on some systems with older
PAM library because /proc/self/loginuid is not always readable
or writeable. Examples of possible failures on such systems are
erroneous cold and live migrations.

This fix does not upgrade PAM but makes pam_loginuid optional
for nova_ssh and keystone_ssh.

More information:
  moby/moby#5663
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726661
  https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_loginuid/pam_loginuid.c#n61

Change-Id: Ic14255b042ceedcff536c062bdcba00502af7a87
Closes-Bug: #1651395
felipeplets pushed a commit to felipeplets/docker-ssh-slave that referenced this issue Apr 15, 2017
I've tried to use this Docker image with AWS ECS but always got a PAM exception, as suggested in this Docker issue moby/moby#5663. The sed command I just added fixed the issue of connecting via SSH to a Docker container.
CoRfr pushed a commit to CoRfr/docker-ssh-slave that referenced this issue Jun 12, 2017
I've tried to use this Docker image with AWS ECS but always got a PAM exception, as suggested in this Docker issue moby/moby#5663. The sed command I just added fixed the issue of connecting via SSH to a Docker container.