
Commit 7038e3f

mbaldessari authored and yoctozepto committed
Drop systemd support from nsswitch.conf on RHEL-based distros
A bit like we did for I3e0e86026f5a4a78473bed824cd1682d3a020cd5 we should remove the nss-systemd lookup from containers. The reasons for this are as follows:

1) Just like for I3e0e86026f5a4a78473bed824cd1682d3a020cd5 when this nss module is triggered it tries to talk to dbus. It triggers a bunch of selinux denials and it makes little sense to open all containers to talk to dbus. In particular, if a container is run as non-privileged and bind-mounts /run from the host, we will hit selinux denials like the following:

type=USER_AVC msg=audit(1592337775.860:74119): pid=1284 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=406228 scontext=system_u:system_r:container_t:s0:c162,c886 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

2) It just makes little sense in a kolla-world to have containers talk to dbus/systemd and it saves us some time when a lookup triggers the systemd module for whatever reason. Especially because the nss-systemd module does a few things which are not useful in a container (ensures that the root and nobody users and groups remain resolvable, SystemD's DynamicUser= feature, provide Lookup API via Varlink)

The sed regex gives us the wanted results:

$ diff -u /etc/nsswitch.conf.orig /etc/nsswitch.conf
--- /etc/nsswitch.conf.orig 2020-06-19 07:18:10.974580755 +0000
+++ /etc/nsswitch.conf 2020-06-19 07:20:12.260230103 +0000
@@ -53,9 +53,9 @@
 # group: db files
 # In order of likelihood of use to accelerate lookup.
-passwd: sss files systemd
+passwd: sss files
 shadow: files sss
-group: sss files systemd
+group: sss files
 hosts: files dns myhostname
 services: files sss
 netgroup: sss

Related-Bug: #1883849
Change-Id: I81e5b7abf4571fece13a029e25911e9e4dece673
(cherry picked from commit dc2ddfa)
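As an added example, not code from the kolla commit, the commit's sed applied to a constructed nsswitch.conf, followed by a check a practitioner can run against a built image to confirm that no active lookup line still consults nss-systemd. The sample file, the function names and the token-based grep are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the kolla commit: apply the commit's sed to a
# constructed nsswitch.conf and check that nss-systemd is no longer consulted.

# Constructed sample mirroring the RHEL layout shown in the commit message.
SAMPLE_NSSWITCH='# Generated by authselect
# A comment that mentions systemd must survive untouched.
passwd:     sss files systemd
shadow:     files sss
group:      sss files systemd
hosts:      files dns myhostname
services:   files sss
netgroup:   sss'

# Write the constructed sample to the path given as $1.
write_sample() {
    printf '%s\n' "$SAMPLE_NSSWITCH" > "$1"
}

# The exact transform from the Dockerfile change: on every line that does
# not start with '#', delete each occurrence of the string "systemd".
# Note it leaves a trailing space ("sss files "), which glibc ignores.
strip_nss_systemd() {
    sed -ri '/^[^#]/ s/systemd//g' "$1"
}

# Number of active (non-comment) lines that still list systemd as a source.
# Matched as a whole token so a comment or an unrelated word is not counted.
count_systemd_sources() {
    grep -Ec '^[^#].*[[:space:]]systemd([[:space:]]|$)' "$1" || true
}

# Image check for a defender: exit 0 only when no active line names systemd.
nsswitch_free_of_systemd() {
    [ "$(count_systemd_sources "$1")" -eq 0 ]
}

main() {
    f=$(mktemp)
    write_sample "$f"
    echo "before: $(count_systemd_sources "$f") active line(s) consult nss-systemd"
    strip_nss_systemd "$f"
    echo "after:  $(count_systemd_sources "$f") active line(s) consult nss-systemd"
    nsswitch_free_of_systemd "$f" && echo "OK: nss-systemd dropped from $f"
    rm -f "$f"
}

main
```

Run `nsswitch_free_of_systemd /etc/nsswitch.conf` inside a container to verify an image after the build.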
1 parent c42a756 commit 7038e3f

2 files changed: +9 -1 lines changed


docker/base/Dockerfile.j2

Lines changed: 2 additions & 1 deletion
@@ -404,7 +404,8 @@ RUN sed -i \
 {% endif %}

 {% if base_distro == 'centos' or base_distro == 'rhel' %}
-RUN sed -ri '/-session(\s+)optional(\s+)pam_systemd.so/d' /etc/pam.d/system-auth
+RUN sed -ri '/-session(\s+)optional(\s+)pam_systemd.so/d' /etc/pam.d/system-auth \
+&& sed -ri '/^[^#]/ s/systemd//g' /etc/nsswitch.conf
 {% endif %}

 COPY set_configs.py /usr/local/bin/kolla_set_configs
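Review bot: the new `sed -ri '/^[^#]/ s/systemd//g' /etc/nsswitch.conf` deletes the bare substring `systemd` from every non-comment line rather than the whole module token, so it would also mangle any future source whose name merely contains that string, and it leaves a trailing space behind (`passwd: sss files `). Anchoring on the token, e.g. `s/[[:space:]]+systemd\>//g`, removes exactly the nss-systemd entry together with the space before it. A one-line comment above the `RUN` saying why the lookup is dropped (SELinux denials via dbus when /run is bind-mounted) would also help, since the neighbouring pam_systemd line gives no hint.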
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
+---
+fixes:
+- |
+Drop systemd support from nsswitch.conf on RHEL-based distros. This avoids
+unneeded systemd nss lookups inside containers and it also avoids possible
+selinux denials when a container bind mounts /run and makes the dbus socket
+available inside the container only to be denied by selinux on the host.
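Review bot: the release note describes what is removed but not what stops working. According to the commit message, nss-systemd is what resolves DynamicUser= accounts and keeps root/nobody resolvable as a fallback, so a short `upgrade:` entry stating that such users and groups will no longer resolve inside RHEL-based containers would make the change visible to operators who rely on it.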

0 commit comments