Im trying to get a docker container running to mange my cronjobs
im running a very simple cron as a test in a docker container using centOS 6.5 base
* * * * * /bin/echo "it works!" >> test.log
it works fine if the container is running on CoreOS host, however if I run the container on a ubuntu 13.10 host the cron is not executed. (I though the host did not effect what was running in the container)
both hosts are running docker 0.8
am I missing something obvious, or it this a bug?
thanks
short answer
add this line to your dockerfile
RUN sed -i '/session required pam_loginuid.so/c\#session required pam_loginuid.so' /etc/pam.d/crond
the long answer
from what I understand issue is related to differences in the kernal between CoreOS & Unbutu. this in-turn causes a pam security issue.
to figure it our first needed to turn on logging for cron (since we are in docker normal startup is not executed). run
service rsyslog start
service crond restart
the cron log had this error (located here /var/log/cron)
FAILED to open PAM security session (Cannot make/remove an entry for the specified session)
so then I took a look at the security log, and it had this error (located here /var/log/secure)
pam_loginuid(crond:session): set_loginuid failed
some more googling and found I needed to modify my pam cond config (found here /etc/pam.d/crond) edit this file and comment out the following line
#session required pam_loginuid.so
restart crond and all should be good
/etc/pam.d/cron. Now it's working perfectly. Many Thanks for the hint! –
Ribbonfish /etc/pam.d/cron, not /etc/pam.d/crond. Don't be surprised if sed does not work out of the box! Mine had this flavour: RUN sed -i '/session required pam_loginuid.so/c\#session required pam_loginuid.so' /etc/pam.d/cron –
Childs pam_loginuid.so. –
Childs cat /etc/pam.d/cron | grep -v pam_loginuid.so > /etc/pam.d/cron2 && mv /etc/pam.d/cron2 /etc/pam.d/cron –
Prowel sed -e '/pam_loginuid.so/ s/^#*/#/' -i /etc/pam.d/crond –
Attorn sed -E 's/^session\s+required\s+pam_loginuid.so$/#&/' -i /etc/pam.d/cron –
Hylophagous the base Docker containers don't start services like cron - they only start what you specify in the ENTRYPOINT/CMD
some 'fatter' containers use things like supervisord to start services - but where possible, its more maintainable to separate services into different containers and share data using with volume containers, or --link
@dwitz's answer is correct but I had to alter the sed command a bit to make it work for me on Ubuntu 16.04 within a docker container.
cat /etc/pam.d/cron |sed -e "s/required pam_loginuid.so/optional pam_loginuid.so/g" > /tmp/cron && mv /tmp/cron /etc/pam.d/cron
In my case, I debug the cron:
$ apt-get install rsyslog
$ rsyslogd
$ service cron restart
$ tail -f /var/log/syslog
And found NUMBER OF HARD LINKS > 1 error in logs.
The solution was to put this in entrypoint.sh
touch /etc/crontab /etc/cron.d/*
and boom!
--privileged option if you get the following error when running rsyslogd: rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted –
Morceau © 2022 - 2024 — McMap. All rights reserved.