Sudo within docker
Fix sudo: policy plugin failed session initialization error.
created: 2015-11-14 | topic: computer | tag: docker,configure | author: Jason Lenz
Problem:
When executing sudo within an ArchLinux Docker container, the following error message appeared:
sudo: policy plugin failed session initialization
Environment: sudo v1.8.15, Docker v1.9.0, ArchLinux as of 2015-11-14
Quick Solution:
Within the ArchLinux Docker container, comment out the following line in “/etc/security/limits.conf”:
* - nice 0
changed to:
#* - nice 0
Long Explanation:
I started by turning on logging for sudo to see what was driving the error. One needs to add the following lines to “/etc/sudo.conf” to turn on verbose logging:
Debug sudo /var/log/sudo_debug all@debug
Debug sudoers.so /var/log/sudoers_debug all@debug
After executing a sudo command again I looked at the “/var/log/sudoers_debug” file and found the following indicating a “pam” (pluggable authentication module) permission issue:
...
-> sudo_auth_begin_session @ ./auth/sudo_auth.c:341
-> sudo_pam_begin_session @ ./auth/pam.c:223
pam_open_session: Permission denied @ sudo_pam_begin_session() ./auth/pam.c:277
...
I then went and looked at the “/etc/pam.d/sudo” configuration file which further references “/etc/pam.d/system-auth”. Through trial and error I found that by commenting out the following line in system-auth, sudo began to work again without the error:
session required pam_limits.so
changed to:
#session required pam_limits.so
Through further web searching I determined that the “pam_limits.so” module uses settings in “/etc/security/limits.conf”. Again, through trial and error I found that by commenting out the following line in “limits.conf” alone I could get sudo working again:
* - nice 0
changed to:
#* - nice 0
Not sure why the “nice” limit setting is the one causing problems, but I suspect it has to do with Docker not allowing system “nice” settings to be adjusted within a container.
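The quick fix above can be scripted for an image build. The following is an added example, not part of the original post: the function names find_active_nice_limits, comment_out_nice_limits and demo are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: locate and disable active "nice" entries read by pam_limits.so.
# limits.conf fields: <domain> <type> <item> <value>; '#' starts a comment.

# Print "file:lineno:line" for every uncommented entry whose item is "nice".
find_active_nice_limits() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v f="$f" '
            /^[[:space:]]*#/ { next }   # already commented out
            NF >= 4 && $3 == "nice" { printf "%s:%d:%s\n", f, NR, $0 }
        ' "$f"
    done
}

# Comment out those entries in one file, keeping the original as FILE.bak.
# Returns 0 if the file was changed, 1 if there was nothing to do.
comment_out_nice_limits() {
    f=$1
    [ -n "$(find_active_nice_limits "$f")" ] || return 1
    cp -p "$f" "$f.bak" || return 2
    # Rewrite in place from the backup so owner and mode of FILE are kept.
    awk '
        /^[[:space:]]*#/ { print; next }
        NF >= 4 && $3 == "nice" { print "#" $0; next }
        { print }
    ' "$f.bak" > "$f"
}

# Demo on a constructed sample (not the real /etc/security/limits.conf).
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '#@student - maxlogins 4' '* - rtprio 0' '* - nice 0' \
        > "$d/limits.conf"
    find_active_nice_limits "$d/limits.conf"
    comment_out_nice_limits "$d/limits.conf" && cat "$d/limits.conf"
    rm -rf "$d"
}
demo
```

Inside the container, run comment_out_nice_limits on /etc/security/limits.conf as root. pam_limits.so also reads /etc/security/limits.d/*.conf, so pass those files to find_active_nice_limits as well.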
Source links:
https://www.sudo.ws/man/1.8.15/sudo.conf.man.html