rstudio / helm

Helm Resources for RStudio Products
MIT License

userCreate - PAM/Sudo Issue #265

Open SOLDIERz opened 2 years ago

SOLDIERz commented 2 years ago

Hello everyone,

I'm facing an issue with spinning up the rstudio-workbench helm chart when deploying it with the option userCreate = true. The creation of the local user goes through, but when it comes to changing the password I see an error in the logs when spinning up the pod:

+ '[' -z rstudio ']'
+ useradd -m -s /bin/bash -N -u 10000 rstudio
+ echo rstudio:rstudio
+ sudo chpasswd
sudo: unable to send audit message
sudo: pam_open_session: System error
sudo: policy plugin failed session initialization
+ deactivate
+ echo '== Exiting =='
+ rstudio-server stop

Platform: OpenShift 4.10.22


UPDATE 1:

I was able to change the password of the local "rstudio" user with usermod --password rstudio rstudio but still can't log in via the web GUI.

Error: Incorrect or invalid username/password


UPDATE 2:

Testing the PAM login with /usr/lib/rstudio-server/bin/pamtester --verbose rstudio rstudio authenticate reveals the following:

pamtester: invoking pam_start(rstudio, rstudio, ...)
pamtester: performing operation - authenticate
Password: 
pamtester: System error

colearendt commented 2 years ago

Howdy @SOLDIERz ! Thanks for reaching out here! Are you running this on OpenShift, by chance?

We have seen some issues where low-level SELinux setup on OpenShift interfered with PAM functioning properly inside of Workbench. I'm curious to know if that is the case here as well! There should be some knobs / configuration to disable / relax this checking within OpenShift, but I am unfortunately unfamiliar with that platform myself.

SOLDIERz commented 2 years ago

> Howdy @SOLDIERz ! Thanks for reaching out here! Are you running this on OpenShift, by chance?
>
> We have seen some issues where low-level SELinux setup on OpenShift interfered with PAM functioning properly inside of Workbench. I'm curious to know if that is the case here as well! There should be some knobs / configuration to disable / relax this checking within OpenShift, but I am unfortunately unfamiliar with that platform myself.

Howdy @colearendt, as mentioned in my initial issue, yes. You can see it there under Platform: "Platform: OpenShift 4.10.22"

colearendt commented 2 years ago

Woops 😅 Totally missed that. Are you familiar with OpenShift's SELinux policies? Is that something you'd mind exploring to see if it resolves your issue?

SOLDIERz commented 2 years ago

As far as I see it, it is an issue with the /usr/local/bin/startup.sh which comes pre-shipped with the container image. The better way to do the chpasswd would be the following:

echo "$RSW_TESTUSER:$RSW_TESTUSER_PASSWD" | chroot /home/rstudio /usr/sbin/chpasswd

Then there should be no issue at all, also with SELinux.

UPDATE 09.09.2022: By now I have tested all constellations and options I have with OpenShift and am still facing the same issue,