Hi everyone
I'm trying to create system with RO root filesystem, so i'm using /etc/sysconfig/readonly-root along wih /etc/rwtab and /etc/statetab.
Apart of numerous problems with services running on RO filesystem (which i'm constantly resolving adding entries to /etc/statetab) one thing popped up. I'm unable to add user or change his password. Error is 'cannot lock /etc/passwd; try again later.'.
After research it turns up (at least on Fedora, but i assume same on CentOS) some files being created in /etc. For example /etc/shadow.<pid>, and some others with PID in name. Obviously it's impossible on RO filesystem...
Is there any workaround (apart of remounting whole filesystem RW)?
Hello Marcin,
On 2018-09-04, Marcin Trendota moonwolf.rh@gmail.com wrote:
I'm trying to create system with RO root filesystem, so i'm using /etc/sysconfig/readonly-root along wih /etc/rwtab and /etc/statetab.
Apart of numerous problems with services running on RO filesystem (which i'm constantly resolving adding entries to /etc/statetab) one thing popped up. I'm unable to add user or change his password. Error is 'cannot lock /etc/passwd; try again later.'.
After research it turns up (at least on Fedora, but i assume same on CentOS) some files being created in /etc. For example /etc/shadow.<pid>, and some others with PID in name. Obviously it's impossible on RO filesystem...
Is there any workaround (apart of remounting whole filesystem RW)?
Have you looked at this article?
https://warewolf.github.io/blog/2013/10/12/setting-up-a-read-only-rootfs-fed...
Unfortunately it doesn't really provide a local workaround, but if you have something like LDAP available already that might be a way to go.
If not (and assuming you've added /etc/passwd and friends to /etc/statetab*), one very crude option might be to manipulate the files by hand. For /etc/passwd and /etc/group (if necessary) this is easy, since it's just a plain text file with human-readable text. For /etc/shadow this is slightly more complicated, since you need to generate the password hash. For that you can use mkpasswd:
https://www.aychedee.com/2012/03/14/etc_shadow-password-hash-formats/
Obviously doing this makes adding a user a nonatomic operation, so you need to take care manipulating passwd and shadow in this way. (I don't know if mkpasswd is available from a yum repo, but the included python should be there.)
--keith
W dniu 05.09.2018 o 07:34, Keith Keller pisze:
Is there any workaround (apart of remounting whole filesystem RW)?
Have you looked at this article? https://warewolf.github.io/blog/2013/10/12/setting-up-a-read-only-rootfs-fed... Unfortunately it doesn't really provide a local workaround, but if you have something like LDAP available already that might be a way to go.
I'm trying to keep it as simple as i can, so LDAP is last resort. But i'll consider it.
If not (and assuming you've added /etc/passwd and friends to /etc/statetab*), one very crude option might be to manipulate the files by hand. For /etc/passwd and /etc/group (if necessary) this is easy, since it's just a plain text file with human-readable text. For /etc/shadow this is slightly more complicated, since you need to generate the password hash. For that you can use mkpasswd: https://www.aychedee.com/2012/03/14/etc_shadow-password-hash-formats/ Obviously doing this makes adding a user a nonatomic operation, so you need to take care manipulating passwd and shadow in this way. (I don't know if mkpasswd is available from a yum repo, but the included python should be there.)
Thanks for suggestion, i'll give it a try.
--keith
-
Keith Keller -
Marcin Trendota