Why is it needed to set `pam_loginuid` to its `optional` value with docker?

pam_loginuid is used to set the loginuid audit attribute of a process when a user logs in through SSH, X, or anything like that. This attribute can then be used by the audit framework for various purposes.

However, setting this audit attribute requires some audit-related capabilities to be enabled; and by default, Docker drops them, so the audit_setloginuid call will fail.

When the PAM module is configured as `required`, such failures are fatal (and PAM prevents the login from going on); while `optional` means "go on anyway".

I might be wrong, but I believe that while pam_loginuid is available in previous versions (I tested with 12.04) it wasn't enabled anyway; so that's why 13.10 and higher require this special setting.


This investigation is too long for a comment. As @jpetazzo indicated, this problem is likely due to lack of the CAP_AUDIT_WRITE capability, which apparently affects some versions of Docker and Linux, but not others. So here I'll try to investigate the evolution of this.

  • #3015 (2013-12-13, 0.7.2) introduced cap dropping for lxc daemon and included AUDIT_WRITE in the list of dropped capabilities
  • #5810 (2014-05-16, 0.12.0) made container library drop all capabilities except for whitelisted ones
  • #6527 (2014-06-19, 1.0.1) moved from blacklist to whitelist and didn't include AUDIT_WRITE in that
  • #7179 (2014-07-24, 1.2.0) added the AUDIT_WRITE capability to a whitelist
  • #20662 (2016-03-19, 1.11.0) moved files around so the setting is now in oci/defaults_linux.go

So it would seem as though all versions before 0.7.2 and also all versions since 1.2.0 should keep CAP_AUDIT_WRITE. As I'm seeing pam_loginuid-related problems with 1.12.5 there might be some other capability involved here.
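As an added illustration (not code from either answer), a small Python check that decodes the `CapEff` mask from `/proc/self/status` inside a container, reports which audit capabilities survived Docker's capability dropping, and says whether a `required` pam_loginuid line could be expected to work. It assumes the bit numbers from linux/capability.h and, conservatively, that CAP_AUDIT_CONTROL is needed as well as CAP_AUDIT_WRITE (kernels differ on when a loginuid change requires it); the sample status text is constructed.

```python
import re

# Bit numbers from linux/capability.h for the audit-related capabilities.
AUDIT_CAPS = {
    "CAP_AUDIT_WRITE": 29,    # write records to the audit log
    "CAP_AUDIT_CONTROL": 30,  # change a loginuid that is already set
    "CAP_AUDIT_READ": 37,
}


def parse_cap_eff(status_text):
    """Extract the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def audit_caps(status_text):
    """Map each audit capability name to whether it is in the effective set."""
    mask = parse_cap_eff(status_text)
    return {name: bool((mask >> bit) & 1) for name, bit in AUDIT_CAPS.items()}


def recommended_control(status_text):
    """Return 'required' only if both audit capabilities needed by a loginuid
    write are present (conservative assumption), otherwise 'optional'."""
    caps = audit_caps(status_text)
    if caps["CAP_AUDIT_WRITE"] and caps["CAP_AUDIT_CONTROL"]:
        return "required"
    return "optional"


# Constructed sample: the CapEff a container gets with Docker's default
# capability set, where CAP_AUDIT_WRITE is kept but CAP_AUDIT_CONTROL is dropped.
SAMPLE_STATUS = "Name:\tsshd\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    # On a live Linux system, inspect the calling process instead of the sample.
    try:
        with open("/proc/self/status") as f:
            live = f.read()
    except OSError:
        live = SAMPLE_STATUS
    for name, present in audit_caps(live).items():
        print(f"{name}: {'present' if present else 'dropped'}")
    print("pam_loginuid control should be:", recommended_control(live))
```

Run it via `docker run --rm -v $PWD:/x python:3 python /x/check.py` to see the container's own view; with the sample above it reports CAP_AUDIT_WRITE present, CAP_AUDIT_CONTROL dropped, and recommends `optional`.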

Tags: Docker, Ubuntu