Merge "Drop systemd support from nsswitch.conf on RHEL-based distros"

openstack · Jul 6, 2020 · 22d7ffa · 22d7ffa
2 parents 70ffba8 + dc2ddfa
commit 22d7ffa
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2
@@ -416,7 +416,8 @@ RUN apt-get update \
 {% endif %}
 
 {% if base_distro == 'centos' or base_distro == 'rhel' %}
-RUN sed -ri '/-session(\s+)optional(\s+)pam_systemd.so/d' /etc/pam.d/system-auth
+RUN sed -ri '/-session(\s+)optional(\s+)pam_systemd.so/d' /etc/pam.d/system-auth \
+    && sed -ri '/^[^#]/ s/systemd//g' /etc/nsswitch.conf
 {% endif %}
 
 COPY set_configs.py /usr/local/bin/kolla_set_configs

diff --git a/releasenotes/notes/disable-systemd-nss-on-rhel-based-distros-5d586fcdb9a82da7.yaml b/releasenotes/notes/disable-systemd-nss-on-rhel-based-distros-5d586fcdb9a82da7.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Drop systemd support from nsswitch.conf on RHEL-based distros. This avoids
+    unneeded systemd nss lookups inside containers and it also avoids possible
+    selinux denials when a container bind mounts /run and makes the dbus socket
+    available inside the container only to be denied by selinux on the host.