Home directory not found, can't use shell session

Hi, I’m trying to set up a Kubernetes deployment of Open OnDemand using Keycloak for authentication, and I’m running into the same issue as the one at

We would rather not allow users to SSH into the OnDemand container as is the typical solution for this problem. Though it can be done, we’d like to avoid it for security reasons. Is there any way to get around this “missing home directory” page? Can you disable this error page and allow users to log in regardless of missing homedirs?

If there is no way around it we can try setting up SSH to work but restricting the /etc/hosts.allow file. Still, we would like to avoid SSH if at all possible.

Thanks!

I don’t think so, we rely pretty heavily on the assumption it exists and write to it.

If you want to avoid ssh then I’d ask “what other mechanism can create a user’s home directory?”

Is there no way to ensure a home directory is present in the container while still preventing users from SSH-ing into the container?

The versions of rubygems included in the versions of Ruby we use currently do File.expand_path "~" to find the home directory (which in turn uses getpwnam to get the password struct for the user, which has the home directory path). In other places in the code, we use Dir.home, which respects just the $HOME environment variable. In the container, the processes would need both the env var and the password struct returned by getpwnam to point to a directory that exists.

If the home directory is not present, a crash occurs on startup of the Rails apps. I actually thought this was a bug not in OnDemand but in Ruby standard library itself, though it was a while ago when I debugged this issue so my memory is fuzzy.

Well, we can look into setting up SSSD and pam_mkhomedir in the container. We also might be able to mount a filesystem using Autofs. It really depends on what will work and can meet our various needs.

Thanks for explaining that, though. I know it’s a bit of a fringe case.

Okay, looks like I got it working. I set up an incrontab to run a script whenever /var/log/httpd24/access.log is edited. The script looks for new PUN directories in /var/log/ondemand-nginx and then makes a home directory for those users.

#!/bin/bash
# For each per-user PUN log directory in /var/log/ondemand-nginx, create /home/<name>.
for d in /var/log/ondemand-nginx/*/; do [ -d "$d" ] && mkdir -p "/home/$(basename "$d")"; done
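
The script above builds /home/<name> from directory names alone, while the earlier reply notes that the passwd entry returned by getpwnam must also point at a directory that exists. The variant below is an added example, not part of the original thread or of Open OnDemand: it resolves each name through the passwd database and creates the recorded home with mode 0700 and the account's ownership. `PASSWD_LOOKUP` and `MIN_UID` are hypothetical override hooks, and the UID threshold of 1000 is an assumption.

```bash
#!/bin/bash
# Added example (not the poster's script): create missing homes for PUN users
# from the passwd database instead of trusting names found in a log directory.
LC_ALL=C  # byte-wise character ranges in the patterns below

# Assumptions: defaults follow the thread; the overrides exist so this can be tested.
PUN_LOG_ROOT="${PUN_LOG_ROOT:-/var/log/ondemand-nginx}"
PASSWD_LOOKUP="${PASSWD_LOOKUP:-getent passwd}"  # hypothetical hook: prints one passwd line
MIN_UID="${MIN_UID:-1000}"                       # assumed first non-system UID

# ensure_home USER -> 0 if the home exists or was created, non-zero if refused.
ensure_home() {
  local user="$1" entry _name _pw uid gid _gecos home _shell
  # Refuse empty names, a leading '.' or '-', and anything outside [a-z0-9_.-].
  case "$user" in ''|.*|-*|*[!a-z0-9_.-]*) return 2 ;; esac
  # The name must resolve to an account; use its recorded uid, gid and home.
  entry="$($PASSWD_LOOKUP "$user" 2>/dev/null)" || return 3
  IFS=: read -r _name _pw uid gid _gecos home _shell <<EOF
$entry
EOF
  case "$uid" in ''|*[!0-9]*) return 4 ;; esac
  case "$gid" in ''|*[!0-9]*) return 4 ;; esac
  [ "$uid" -ge "$MIN_UID" ] || return 4          # skip system accounts
  # Home must be absolute, below some parent, and free of '..' components.
  case "$home" in */../*|*/..) return 5 ;; /*/*) ;; *) return 5 ;; esac
  if [ -L "$home" ]; then return 6; fi           # never follow a planted symlink
  if [ -d "$home" ]; then return 0; fi
  # No -p: the parent must already exist, so exactly one directory is created.
  mkdir -m 0700 -- "$home" || return 7
  chown -- "$uid:$gid" "$home" || return 8
}

# provision_all: run ensure_home for each per-user directory; print how many are usable.
provision_all() {
  local dir ready=0
  for dir in "$PUN_LOG_ROOT"/*/; do
    [ -d "$dir" ] || continue
    if ensure_home "$(basename "$dir")"; then ready=$((ready + 1)); fi
  done
  echo "$ready"
}
```

Calling `provision_all` from the incron-triggered script takes the place of the one-line `mkdir -p`; each non-zero return code from `ensure_home` identifies which check refused a name.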