From 8045dc3342bf38e8d31072e234deeeb3d8d4aa1c Mon Sep 17 00:00:00 2001 
From: Clay Baenziger Date: Tue, 25 Sep 2018 05:04:14 -0400 Subject: [PATCH] Use pam_namespaces and pam_exec to clean-up home dirs and temp space Also DRY-up sysctl/pam code repeated in Kafka and Hadoop; should be in BCPC --- cookbooks/bcpc-hadoop/metadata.rb | 1 - cookbooks/bcpc-hadoop/recipes/configs.rb | 25 ------ cookbooks/bcpc-hadoop/recipes/datanode.rb | 3 + cookbooks/bcpc-hadoop/recipes/hannibal.rb | 2 + cookbooks/bcpc-hadoop/recipes/hbase_master.rb | 2 + .../bcpc-hadoop/recipes/historyserver.rb | 3 + .../bcpc-hadoop/recipes/hive_hcatalog.rb | 2 + cookbooks/bcpc-hadoop/recipes/httpfs.rb | 3 + .../bcpc-hadoop/recipes/httpfs_config.rb | 2 +- cookbooks/bcpc-hadoop/recipes/journalnode.rb | 3 + .../bcpc-hadoop/recipes/namenode_master.rb | 3 + .../bcpc-hadoop/recipes/namenode_no_HA.rb | 3 + .../bcpc-hadoop/recipes/namenode_standby.rb | 3 + cookbooks/bcpc-hadoop/recipes/oozie.rb | 3 + cookbooks/bcpc-hadoop/recipes/opentsdb.rb | 3 + .../recipes/phoenix_query_server.rb | 3 + .../bcpc-hadoop/recipes/region_server.rb | 3 + .../bcpc-hadoop/recipes/resource_manager.rb | 3 + .../bcpc-hadoop/recipes/smoke_test_user.rb | 3 + cookbooks/bcpc-hadoop/recipes/yarnproxy.rb | 3 + .../bcpc-hadoop/recipes/zookeeper_impl.rb | 3 + cookbooks/bcpc/attributes/default.rb | 5 ++ cookbooks/bcpc/metadata.rb | 2 + cookbooks/bcpc/recipes/cronjobs.rb | 7 +- cookbooks/bcpc/recipes/pam.rb | 86 +++++++++++++++++++ .../bcpc/templates/default/inst_dir.sh.erb | 19 ++++ .../templates/default/pam_namespace.conf.erb | 11 +++ .../templates/default/pam_namespace.init.erb | 25 ++++++ cookbooks/bcpc_kafka/metadata.rb | 2 - cookbooks/bcpc_kafka/recipes/default.rb | 30 ------- stub-environment/roles/BCPC-Hadoop-Head.json | 3 +- .../roles/BCPC-Hadoop-Worker.json | 3 +- .../roles/BCPC-Kafka-Head-Server.json | 1 + .../roles/BCPC-Kafka-Head-Zookeeper.json | 1 + 34 files changed, 211 insertions(+), 63 deletions(-) create mode 100644 cookbooks/bcpc/recipes/pam.rb create mode 100644 
cookbooks/bcpc/templates/default/inst_dir.sh.erb create mode 100644 cookbooks/bcpc/templates/default/pam_namespace.conf.erb create mode 100644 cookbooks/bcpc/templates/default/pam_namespace.init.erb diff --git a/cookbooks/bcpc-hadoop/metadata.rb b/cookbooks/bcpc-hadoop/metadata.rb index 572bf9003..73c4e9a9c 100644 --- a/cookbooks/bcpc-hadoop/metadata.rb +++ b/cookbooks/bcpc-hadoop/metadata.rb @@ -12,7 +12,6 @@ depends 'database' depends 'java' depends 'poise' -depends 'pam' depends 'sysctl' depends 'ulimit' depends 'locking_resource' diff --git a/cookbooks/bcpc-hadoop/recipes/configs.rb b/cookbooks/bcpc-hadoop/recipes/configs.rb index d44104249..37f8f2206 100644 --- a/cookbooks/bcpc-hadoop/recipes/configs.rb +++ b/cookbooks/bcpc-hadoop/recipes/configs.rb @@ -2,8 +2,6 @@ ::Chef::Recipe.send(:include, Bcpc_Hadoop::Helper) include_recipe 'bcpc-hadoop::default' -# NOTE: This include_recipe is necessary for resource collection -include_recipe 'sysctl::default' # disable IPv6 (e.g. for HADOOP-8568) case node['platform_family'] 
@@ -19,29 +17,6 @@ Chef::Log.warn '============ Unable to disable IPv6 for non-Debian systems' end -# ensure we use /etc/security/limits.d to allow ulimit overriding -if !node.key?('pam_d') || !node['pam_d'].key?('services') || !node['pam_d']['services'].key?('common-session') - node.default['pam_d']['services'] = { - 'common-session' => { - 'main' => { - 'pam_permit_default' => { 'interface' => 'session', 'control_flag' => '[default=1]', 'name' => 'pam_permit.so' }, - 'pam_deny' => { 'interface' => 'session', 'control_flag' => 'requisite', 'name' => 'pam_deny.so' }, - 'pam_permit_required' => { 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_permit.so' }, - 'pam_limits' => { 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_limits.so' }, - 'pam_umask' => { 'interface' => 'session', 'control_flag' => 'optional', 'name' => 'pam_umask.so' }, - 'pam_unix' => { 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_unix.so' } - }, - 'includes' => [] - } - } -end - -# set vm.swapiness to 0 (to lessen swapping) -# NOTE: See above for note about resource collection -sysctl_param 'vm.swappiness' do - value 0 -end - # Populate node attributes for all kind of hosts set_hosts node.override['locking_resource']['zookeeper_servers'] = \ diff --git a/cookbooks/bcpc-hadoop/recipes/datanode.rb b/cookbooks/bcpc-hadoop/recipes/datanode.rb index d6634a60c..f4a39e3cd 100644 --- a/cookbooks/bcpc-hadoop/recipes/datanode.rb +++ b/cookbooks/bcpc-hadoop/recipes/datanode.rb @@ -10,6 +10,9 @@ 'docopy' => true } +# ensure we do not make polyinstantation directories for hdfs and yarn +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['hdfs', 'yarn'] + hdp_select_pkgs = %w(hadoop-yarn-nodemanager hadoop-hdfs-datanode hadoop-client) hdp_pkg_strs = (hdp_select_pkgs + %w( diff --git a/cookbooks/bcpc-hadoop/recipes/hannibal.rb b/cookbooks/bcpc-hadoop/recipes/hannibal.rb index e6128ad7c..88f4b7a7a 100644 
--- a/cookbooks/bcpc-hadoop/recipes/hannibal.rb +++ b/cookbooks/bcpc-hadoop/recipes/hannibal.rb @@ -1,5 +1,7 @@ # Setup hannibal config +# ensure we do not make polyinstantation directories for hannibal +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['hannibal'] # Populate node attributes for all kind of hosts set_hosts diff --git a/cookbooks/bcpc-hadoop/recipes/hbase_master.rb b/cookbooks/bcpc-hadoop/recipes/hbase_master.rb index 666108bf1..db6cc597e 100644 --- a/cookbooks/bcpc-hadoop/recipes/hbase_master.rb +++ b/cookbooks/bcpc-hadoop/recipes/hbase_master.rb @@ -3,6 +3,8 @@ include_recipe 'bcpc-hadoop::hbase_config' include_recipe 'bcpc-hadoop::hbase_queries' +# ensure we do not make polyinstantation directories for hbase +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['hbase'] # # Updating node attributes to copy HBase master log file to centralized location (HDFS) # diff --git a/cookbooks/bcpc-hadoop/recipes/historyserver.rb b/cookbooks/bcpc-hadoop/recipes/historyserver.rb index 797d443c2..349adb418 100644 --- a/cookbooks/bcpc-hadoop/recipes/historyserver.rb +++ b/cookbooks/bcpc-hadoop/recipes/historyserver.rb @@ -2,6 +2,9 @@ ::Chef::Recipe.send(:include, Bcpc_Hadoop::Helper) ::Chef::Resource::Bash.send(:include, Bcpc_Hadoop::Helper) +# ensure we do not make polyinstantation directories for mapred +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['mapred'] + %w{hadoop-mapreduce-historyserver}.each do |pkg| package hwx_pkg_str(pkg, node[:bcpc][:hadoop][:distribution][:release]) do action :install diff --git a/cookbooks/bcpc-hadoop/recipes/hive_hcatalog.rb b/cookbooks/bcpc-hadoop/recipes/hive_hcatalog.rb index fa9d731d4..3fa38093f 100644 --- a/cookbooks/bcpc-hadoop/recipes/hive_hcatalog.rb +++ b/cookbooks/bcpc-hadoop/recipes/hive_hcatalog.rb 
@@ -6,6 +6,8 @@ ::Chef::Recipe.send(:include, Bcpc_Hadoop::Helper) ::Chef::Resource::Bash.send(:include, Bcpc_Hadoop::Helper) +# ensure we do not make polyinstantation directories for hive +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['hive'] %w{hadooplzo hadooplzo-native hive-hcatalog}.map do |pp| hwx_pkg_str(pp, node[:bcpc][:hadoop][:distribution][:release]) end.each do |pkg| diff --git a/cookbooks/bcpc-hadoop/recipes/httpfs.rb b/cookbooks/bcpc-hadoop/recipes/httpfs.rb index b96b184a7..0b8540160 100644 --- a/cookbooks/bcpc-hadoop/recipes/httpfs.rb +++ b/cookbooks/bcpc-hadoop/recipes/httpfs.rb @@ -3,6 +3,9 @@ ::Chef::Recipe.send(:include, Bcpc_Hadoop::Helper) ::Chef::Resource::Bash.send(:include, Bcpc_Hadoop::Helper) +# ensure we do not make polyinstantation directories for httpfs +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['httpfs'] + package hwx_pkg_str("hadoop-httpfs", node[:bcpc][:hadoop][:distribution][:release]) do action :install end diff --git a/cookbooks/bcpc-hadoop/recipes/httpfs_config.rb b/cookbooks/bcpc-hadoop/recipes/httpfs_config.rb index 4a9ae2b44..8d79654f8 100644 --- a/cookbooks/bcpc-hadoop/recipes/httpfs_config.rb +++ b/cookbooks/bcpc-hadoop/recipes/httpfs_config.rb @@ -27,4 +27,4 @@ source "#{t}.erb" mode 0644 end -end \ No newline at end of file +end diff --git a/cookbooks/bcpc-hadoop/recipes/journalnode.rb b/cookbooks/bcpc-hadoop/recipes/journalnode.rb index 36100199f..4723f78ae 100644 --- a/cookbooks/bcpc-hadoop/recipes/journalnode.rb +++ b/cookbooks/bcpc-hadoop/recipes/journalnode.rb @@ -42,6 +42,9 @@ end +# ensure we do not make polyinstantation directories for hdfs +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['hdfs'] + %w{hadoop-hdfs-namenode hadoop-hdfs-journalnode}.each do |pkg| package hwx_pkg_str(pkg, hdprel) do action :install diff --git a/cookbooks/bcpc-hadoop/recipes/namenode_master.rb b/cookbooks/bcpc-hadoop/recipes/namenode_master.rb index 55f82fd3c..3977ce5dd 100644 
--- a/cookbooks/bcpc-hadoop/recipes/namenode_master.rb +++ b/cookbooks/bcpc-hadoop/recipes/namenode_master.rb @@ -24,6 +24,9 @@ } end +# ensure we do not make polyinstantation directories for hdfs +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['hdfs'] + # shortcut to the desired HDFS command version hdfs_cmd = "/usr/hdp/#{node[:bcpc][:hadoop][:distribution][:active_release]}/"\ 'hadoop-hdfs/bin/hdfs' diff --git a/cookbooks/bcpc-hadoop/recipes/namenode_no_HA.rb b/cookbooks/bcpc-hadoop/recipes/namenode_no_HA.rb index 7ab00af87..b24bda5fb 100644 --- a/cookbooks/bcpc-hadoop/recipes/namenode_no_HA.rb +++ b/cookbooks/bcpc-hadoop/recipes/namenode_no_HA.rb @@ -18,6 +18,9 @@ 'docopy' => true } +# ensure we do not make polyinstantation directories for hdfs +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['hdfs'] + # shortcut to the desired HDFS command version hdfs_cmd = "/usr/hdp/#{node[:bcpc][:hadoop][:distribution][:active_release]}/hadoop-hdfs/bin/hdfs" diff --git a/cookbooks/bcpc-hadoop/recipes/namenode_standby.rb b/cookbooks/bcpc-hadoop/recipes/namenode_standby.rb index 8160e62b2..70a931cd1 100644 --- a/cookbooks/bcpc-hadoop/recipes/namenode_standby.rb +++ b/cookbooks/bcpc-hadoop/recipes/namenode_standby.rb @@ -16,6 +16,9 @@ 'docopy' => true } +# ensure we do not make polyinstantation directories for hdfs +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['hdfs'] + # shortcut to the desired HDFS command version hdfs_cmd = "/usr/hdp/#{node[:bcpc][:hadoop][:distribution][:active_release]}/hadoop-hdfs/bin/hdfs" diff --git a/cookbooks/bcpc-hadoop/recipes/oozie.rb b/cookbooks/bcpc-hadoop/recipes/oozie.rb index 4eabacff1..cfa06d113 100644 --- a/cookbooks/bcpc-hadoop/recipes/oozie.rb +++ b/cookbooks/bcpc-hadoop/recipes/oozie.rb 
@@ -27,6 +27,9 @@ ::Chef::Recipe.send(:include, Bcpc_Hadoop::Helper) ::Chef::Resource::Bash.send(:include, Bcpc_Hadoop::Helper) +# ensure we do not make polyinstantation directories for oozie +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['oozie'] + # # These data bags and vault items are pre-populated at compile time by # the bcpc::mysql_data_bags recipe. diff --git a/cookbooks/bcpc-hadoop/recipes/opentsdb.rb b/cookbooks/bcpc-hadoop/recipes/opentsdb.rb index 43fbd5f54..3cdd28883 100644 --- a/cookbooks/bcpc-hadoop/recipes/opentsdb.rb +++ b/cookbooks/bcpc-hadoop/recipes/opentsdb.rb @@ -35,4 +35,7 @@ node.force_default['bach_opentsdb']['hbase_region_princ'] = "hbase/_HOST@#{krb_realm}" +# ensure we do not make polyinstantation directories for opentsdb +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += [node['bach_opentsdb']['tsd_user']] + include_recipe 'bach_opentsdb' diff --git a/cookbooks/bcpc-hadoop/recipes/phoenix_query_server.rb b/cookbooks/bcpc-hadoop/recipes/phoenix_query_server.rb index 9563d1e5d..1f1d0cd25 100644 --- a/cookbooks/bcpc-hadoop/recipes/phoenix_query_server.rb +++ b/cookbooks/bcpc-hadoop/recipes/phoenix_query_server.rb @@ -4,6 +4,9 @@ qs_runas = node['bcpc']['hadoop']['phoenix']['phoenixqs']['username'] +# ensure we do not make polyinstantation directories for PQS +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += [qs_runas] + user qs_runas do comment 'Runs phoenix queryserver' only_if { node['bcpc']['hadoop']['phoenix']['phoenixqs']['localuser'] } diff --git a/cookbooks/bcpc-hadoop/recipes/region_server.rb b/cookbooks/bcpc-hadoop/recipes/region_server.rb index 21e7bd438..e71bcb227 100644 --- a/cookbooks/bcpc-hadoop/recipes/region_server.rb +++ b/cookbooks/bcpc-hadoop/recipes/region_server.rb 
@@ -11,6 +11,9 @@ copylog['region_server_out']['docopy'] = true end +# ensure we do not make polyinstantation directories for hbase +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['hbase'] + (%w(libsnappy1) + %w(hbase hbase-regionserver phoenix).map do |p| hwx_pkg_str(p, node[:bcpc][:hadoop][:distribution][:release]) end).each do |pkg| diff --git a/cookbooks/bcpc-hadoop/recipes/resource_manager.rb b/cookbooks/bcpc-hadoop/recipes/resource_manager.rb index 4bd6e00a5..f99bf1aa4 100644 --- a/cookbooks/bcpc-hadoop/recipes/resource_manager.rb +++ b/cookbooks/bcpc-hadoop/recipes/resource_manager.rb @@ -2,6 +2,9 @@ ::Chef::Recipe.send(:include, Bcpc_Hadoop::Helper) ::Chef::Resource::Bash.send(:include, Bcpc_Hadoop::Helper) +# ensure we do not make polyinstantation directories for YARN +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['yarn'] + ruby_block 'create-yarn-directories' do block do node.run_state['bcpc_hadoop_disks']['mounts'].each do |disk_number| diff --git a/cookbooks/bcpc-hadoop/recipes/smoke_test_user.rb b/cookbooks/bcpc-hadoop/recipes/smoke_test_user.rb index 88ea47297..b43cbea14 100644 --- a/cookbooks/bcpc-hadoop/recipes/smoke_test_user.rb +++ b/cookbooks/bcpc-hadoop/recipes/smoke_test_user.rb @@ -20,6 +20,9 @@ test_user = node['hadoop_smoke_tests']['oozie_user'] +# ensure we do not make polyinstantation directories for the Smoke Tests +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += [test_user] + # create a local user and group if needed user test_user do manage_home true diff --git a/cookbooks/bcpc-hadoop/recipes/yarnproxy.rb b/cookbooks/bcpc-hadoop/recipes/yarnproxy.rb index fcc924890..73dee10ea 100644 --- a/cookbooks/bcpc-hadoop/recipes/yarnproxy.rb +++ b/cookbooks/bcpc-hadoop/recipes/yarnproxy.rb 
@@ -8,6 +8,9 @@ end end +# ensure we do not make polyinstantation directories for the yarn +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['yarn'] + hdp_select('hadoop-mapreduce-historyserver', node[:bcpc][:hadoop][:distribution][:active_release]) service "hadoop-yarn-proxyserver" do diff --git a/cookbooks/bcpc-hadoop/recipes/zookeeper_impl.rb b/cookbooks/bcpc-hadoop/recipes/zookeeper_impl.rb index 1b0028c44..c62910e98 100644 --- a/cookbooks/bcpc-hadoop/recipes/zookeeper_impl.rb +++ b/cookbooks/bcpc-hadoop/recipes/zookeeper_impl.rb @@ -5,6 +5,9 @@ include_recipe 'bcpc-hadoop::zookeeper_packages' +# ensure we do not make polyinstantation directories for the zookeepers +node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['zookeepers'] + user_ulimit 'zookeeper' do filehandle_limit 65_536 end diff --git a/cookbooks/bcpc/attributes/default.rb b/cookbooks/bcpc/attributes/default.rb index 0c5a695a1..79faf8d7c 100644 --- a/cookbooks/bcpc/attributes/default.rb +++ b/cookbooks/bcpc/attributes/default.rb @@ -250,3 +250,8 @@ # sshd_config default['bcpc']['ssh']['address_family'] = 'inet' default['bcpc']['ssh']['x11_forwarding'] = false + +# pam config +default['bcpc']['pam_namespace']['real_home_dir_users'] = ['root', 'ubuntu'] +default['bcpc']['pam_namespace']['shm_polyinstantion_dir'] = 'inst-dir' +default['bcpc']['pam_namespace']['polyinstantion_dir'] = File.join('/', node['bcpc']['pam_namespace']['shm_polyinstantion_dir']) diff --git a/cookbooks/bcpc/metadata.rb b/cookbooks/bcpc/metadata.rb index 2b05080ad..38df2b75b 100644 --- a/cookbooks/bcpc/metadata.rb +++ b/cookbooks/bcpc/metadata.rb @@ -22,4 +22,6 @@ depends 'ntp' depends 'ubuntu' depends 'sudo' +depends 'sysctl' +depends 'pam' depends 'pdns' diff --git a/cookbooks/bcpc/recipes/cronjobs.rb b/cookbooks/bcpc/recipes/cronjobs.rb index 73683258e..69256efb6 100644 --- a/cookbooks/bcpc/recipes/cronjobs.rb +++ b/cookbooks/bcpc/recipes/cronjobs.rb 
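Review bot: The exclusion list receives `'zookeepers'`, while the `user_ulimit 'zookeeper'` resource on the next context line names the account `zookeeper`; if that is the service account, pam_namespace will still give it a polyinstantiated home whose contents the pam_exec close hook removes, so the line should read `node.default['bcpc']['pam_namespace']['real_home_dir_users'] += ['zookeeper']`. The same append pattern in datanode, journalnode and the three namenode recipes adds `hdfs` several times; that is harmless in the rendered excluded-users column, but a `.uniq` before the `join(',')` in bcpc::pam would keep the file tidy.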
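Review bot: The new attribute keys spell the term `polyinstantion` (`polyinstantion_dir`, `shm_polyinstantion_dir`) while the commit's own recipe comments and the pam_namespace documentation say "polyinstantiation"; since these keys are introduced here and referenced from bcpc::pam, cronjobs and three templates, renaming them now (e.g. `polyinstantiation_dir`) is cheap and avoids a permanently misspelled public attribute. `polyinstantion_dir` is also computed from `shm_polyinstantion_dir` when this attribute file is evaluated, so an override applied after that point (a wrapper cookbook's attributes, for instance) may leave the root-level path stale; either say in a comment that both keys must be set together or derive the path in the recipe.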
@@ -18,9 +18,12 @@ # Base cronjobs/ pseudo-cronjobs that should be on all machines in the cluster. +polyinstantion_dir = node['bcpc']['pam_namespace']['polyinstantion_dir'] +shm_polyinstantion_dir = node['bcpc']['pam_namespace']['shm_polyinstantion_dir'] + clear_tmp = node['bcpc']['cronjobs']['clear_tmp'] -execute 'clear /tmp' do - command '/usr/bin/find /tmp -type f '\ +execute 'clear tmp dirs' do + command '/usr/bin/find /tmp #{polyinstantion_dir} /dev/shm/#{shm_polyinstantion_dir} -type f '\ "-atime +#{clear_tmp['atime_age']} -delete && "\ '/usr/bin/touch /var/lib/clear-temp.run' not_if do diff --git a/cookbooks/bcpc/recipes/pam.rb b/cookbooks/bcpc/recipes/pam.rb new file mode 100644 index 000000000..5e1d3de66 --- /dev/null +++ b/cookbooks/bcpc/recipes/pam.rb 
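Review bot: The new `command` fragment is single-quoted, so `#{polyinstantion_dir}` and `#{shm_polyinstantion_dir}` are not interpolated and find is handed the literal text `#{polyinstantion_dir}` as a path; it reports the missing path and exits non-zero, the `&&` then skips the touch of `/var/lib/clear-temp.run`, and the instance directories this change was meant to sweep are never cleaned. Change it to `command "/usr/bin/find /tmp #{polyinstantion_dir} /dev/shm/#{shm_polyinstantion_dir} -type f "\`. The `execute` resource's `not_if` block continues past the end of the hunk.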
@@ -0,0 +1,86 @@
+#
+# Cookbook Name:: bcpc
+# Recipe:: pam
+#
+# Copyright 2018, Bloomberg Finance L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Chef recipe to implement pam_namespace polyinstantiated directories
+# This will provide users the appearance they are the only user with data
+# in the affected directories -- also this will clean-up their data when
+# leaving the machine
+
+directory '/inst-dirs' do
+ user 'root'
+ group 'root'
+ mode 0o000
+end
+
+directory '/usr/local/sbin' do
+ action :create
+end
+
+polyinstantion_dir = node['bcpc']['pam_namespace']['polyinstantion_dir']
+shm_polyinstantion_dir = node['bcpc']['pam_namespace']['shm_polyinstantion_dir']
+
+template '/usr/local/sbin/inst_dir.sh' do
+ source 'inst_dir.sh.erb'
+ mode 500
+ variables(shm_polyinstantion_dir: shm_polyinstantion_dir,
+ polyinstantion_dir: polyinstantion_dir)
+end
+
+template '/etc/security/namespace.conf' do
+ source 'pam_namespace.conf.erb'
+ mode 500
+ variables(lazy {{ real_home_dir_users:
+ node['bcpc']['pam_namespace']['real_home_dir_users'].join(','),
+ shm_polyinstantion_dir: shm_polyinstantion_dir,
+ polyinstantion_dir: polyinstantion_dir
+ }})
+end
+
+template '/etc/security/namespace.init' do
+ source 'pam_namespace.init.erb'
+ mode 755
+end
+
+# NOTE: This include_recipe is necessary for resource collection
+include_recipe 'sysctl::default'
+
+# ensure we use /etc/security/limits.d to allow ulimit overriding
+if !node.key?('pam_d') || !node['pam_d'].key?('services') || !node['pam_d']['services'].key?('common-session')
+ node.default['pam_d']['services'] = {
+ 'common-session' => {
+ 'main' => {
+ 'pam_permit_default' => { 'interface' => 'session', 'control_flag' => '[default=1]', 'name' => 'pam_permit.so' },
+ 'pam_deny' => { 'interface' => 'session', 'control_flag' => 'requisite', 'name' => 'pam_deny.so' },
+ 'pam_permit_required' => { 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_permit.so' },
+ 'pam_limits' => { 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_limits.so' },
+ 'pam_umask' => { 'interface' => 'session', 'control_flag' => 'optional', 'name' => 'pam_umask.so' },
+ 'pam_unix' => { 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_unix.so' },
+ 'pam_exec' => { 'interface' => 'session', 'control_flag' => 'optional', 'name' => 'pam_exec.so', 'args' => '/usr/local/sbin/inst_dir.sh' },
+ 'pam_namespace' => { 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_namespace.so', 'args' => 'unmnt_remnt' },
+ },
+ 'includes' => []
+ }
+ }
+end
+
+# set vm.swapiness to 0 (to lessen swapping)
+sysctl_param 'vm.swappiness' do
+ value 0
+end
+
diff --git a/cookbooks/bcpc/templates/default/inst_dir.sh.erb b/cookbooks/bcpc/templates/default/inst_dir.sh.erb
new file mode 100644
index 000000000..d5f323d88
--- /dev/null
+++ b/cookbooks/bcpc/templates/default/inst_dir.sh.erb
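Review bot: The three `mode` values are bare integers, which Ruby reads as decimal: `mode 500` on `/usr/local/sbin/inst_dir.sh` and `/etc/security/namespace.conf` yields 0o764 (group-writable), and `mode 755` on `/etc/security/namespace.init` yields 0o1363, i.e. sticky plus write for group and other on a script that pam_namespace runs as root at session open. Quote or zero-prefix them: `mode '0500'` for the two root-only files and `mode '0755'` for namespace.init. Separately, the `directory '/inst-dirs'` resource does not match the attribute default `polyinstantion_dir` of `/inst-dir` that namespace.conf references, so the instance parent the module needs is not the directory Chef creates; use `directory polyinstantion_dir do` after the attribute is read so the two cannot drift. The pam_exec entry must stay ahead of pam_namespace in `main`, since the hook creates the /dev/shm instance parent the module then uses; assuming the pam cookbook renders the hash in insertion order, a comment such as `# pam_exec must precede pam_namespace: inst_dir.sh creates the /dev/shm instance parent` would protect that ordering. The `lazy` on the namespace.conf variables is what lets the bcpc-hadoop recipes append excluded users after this recipe has compiled and deserves a one-line comment as well.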
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# This script is managed by Chef
+# It is designed to setup directories using pam_exec
+# for the pam_namespaces module to isolate user-direcotires
+
+if [ -z "$PAM_TYPE" -o "$PAM_TYPE" == "open_session" ]; then
+ # need to setup the polyinstantation directory for login
+ mkdir -pm 000 "/dev/shm/<%= @shm_polyinstantion_dir %>"
+elif [ -z "$PAM_TYPE" -o "$PAM_TYPE" == "close_session" ]; then
+ # see if user still has any prescence on this machine
+ pgrep -u "$PAM_USER" && exit 0
+ # if no prescense of user, remove all trace of their activity
+ rm -rf "<%= @polyinstantion_dir %>/home_$PAM_USER" \
+ "<%= @polyinstantion_dir %>/tmp_$PAM_USER" \
+ "<%= @polyinstantion_dir %>/var_tmp_$PAM_USER" \
+ "/dev/shm/<%= @shm_polyinstantion_dir %>/inst_$PAM_USER"
+fi
+exit 0
diff --git a/cookbooks/bcpc/templates/default/pam_namespace.conf.erb b/cookbooks/bcpc/templates/default/pam_namespace.conf.erb
new file mode 100644
index 000000000..63f386167
--- /dev/null
+++ b/cookbooks/bcpc/templates/default/pam_namespace.conf.erb
@@ -0,0 +1,11 @@
+# /etc/security/namespace.conf
+#
+#############################
+# This file managed by Chef #
+#############################
+#
+#masked mnt point real mnt point isolation-level excluded users
+/var/tmp <%= @polyinstantion_dir %>/var_tmp_ user root
+$HOME <%= @polyinstantion_dir %>/home_ user <%= @real_home_dir_users %>
+/tmp <%= @polyinstantion_dir %>/tmp_ user root
+/dev/shm /dev/shm/<%= @shm_polyinstantion_dir %>/inst_ user root
diff --git a/cookbooks/bcpc/templates/default/pam_namespace.init.erb b/cookbooks/bcpc/templates/default/pam_namespace.init.erb
new file mode 100644
index 000000000..67d4aa2d2
--- /dev/null
+++ b/cookbooks/bcpc/templates/default/pam_namespace.init.erb
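Review bot: `mkdir -pm 000 "/dev/shm/<%= @shm_polyinstantion_dir %>"` runs as root on every session open inside a world-writable sticky directory, and `-p` returns success whenever the path already exists whatever its owner or mode, so the script cannot tell whether the instance parent it reports as created is the root-owned 0000 directory pam_namespace expects; if pam_namespace enforces that ownership (I believe it does unless told otherwise), a pre-existing entry at that path turns into every login failing at the `required` pam_namespace step. Creating the directory once at boot is more robust than creating it per session, but /dev/shm is a tmpfs, so a converge-time `directory` resource alone does not survive a reboot; a boot-time unit plus a script that only verifies owner and mode (`stat -c '%u %a'`) and exits non-zero otherwise would cover both cases. Minor: the `-z "$PAM_TYPE"` alternative is repeated in the `elif`, where it can never be true, and `-o` inside `[ ]` is obsolescent; `if [ "$PAM_TYPE" = open_session ]` / `elif [ "$PAM_TYPE" = close_session ]` is clearer. The comment typos `user-direcotires`, `prescence` and `prescense` should read `user-directories` and `presence`.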
@@ -0,0 +1,25 @@
+#!/bin/sh
+# It receives polydir path as $1, the instance path as $2,
+# a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3,
+# and user name in $4.
+#
+# The following section will copy the contents of /etc/skel if this is a
+# newly created home directory.
+if [ "$3" = 1 ]; then
+ # This line will fix the labeling on all newly created directories
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$1"
+ user="$4"
+ passwd=$(getent passwd "$user")
+ homedir=$(echo "$passwd" | cut -f6 -d":")
+ if [ "$1" = "$homedir" ]; then
+ gid=$(echo "$passwd" | cut -f4 -d":")
+ cp -rT /etc/skel "$homedir"
+ chown -R "$user":"$gid" "$homedir"
+ mask=$(awk '/^UMASK/{gsub("#.*$", "", $2); print $2; exit}' /etc/login.defs)
+ mode=$(printf "%o" $((0777 & ~$mask)))
+ chmod ${mode:-700} "$homedir"
+ [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir"
+ fi
+fi
+
+exit 0
diff --git a/cookbooks/bcpc_kafka/metadata.rb b/cookbooks/bcpc_kafka/metadata.rb
index 5a214431b..115f8b2d5 100644
--- a/cookbooks/bcpc_kafka/metadata.rb
+++ b/cookbooks/bcpc_kafka/metadata.rb
@@ -12,8 +12,6 @@ depends 'bcpc-hadoop' depends 'bcpc_jmxtrans' depends 'kafka', '>= 2.2.2' -depends 'pam' -depends 'sysctl' depends 'ulimit' %w(ubuntu).each do |os|
diff --git a/cookbooks/bcpc_kafka/recipes/default.rb b/cookbooks/bcpc_kafka/recipes/default.rb
index 7ee181cd3..1727be618 100644
--- a/cookbooks/bcpc_kafka/recipes/default.rb
+++ b/cookbooks/bcpc_kafka/recipes/default.rb
@@ -22,33 +22,3 @@ # include_recipe 'java' include_recipe 'java::oracle_jce' - -# ensure we use /etc/security/limits.d to allow ulimit over-riding -if not node.has_key?('pam_d') or not node['pam_d'].has_key?('services') or not node['pam_d']['services'].has_key?('common-session') - node.default['pam_d']['services'] = { - 'common-session' => { - 'main' => { - 'pam_permit_default' => { - 'interface' => 'session', 'control_flag' => '[default=1]', 'name' => 'pam_permit.so' }, - 'pam_deny' => { - 'interface' => 'session', 'control_flag' => 'requisite', 'name' => 'pam_deny.so' }, - 'pam_permit_required' => { - 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_permit.so' }, - 'pam_limits' => { - 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_limits.so' }, - 'pam_umask' => { - 'interface' => 'session', 'control_flag' => 'optional', 'name' => 'pam_umask.so' }, - 'pam_unix' => { - 'interface' => 'session', 'control_flag' => 'required', 'name' => 'pam_unix.so' } - }, - 'includes' => [] - } - } -end - -# set vm.swapiness to 0 (to lessen swapping) -# NOTE: This include_recipe is necessary for resource collection -include_recipe 'sysctl::default' -sysctl_param 'vm.swappiness' do - value 0 -end diff --git a/stub-environment/roles/BCPC-Hadoop-Head.json b/stub-environment/roles/BCPC-Hadoop-Head.json index d1d394a7b..c3326a854 100644 --- a/stub-environment/roles/BCPC-Hadoop-Head.json +++ b/stub-environment/roles/BCPC-Hadoop-Head.json @@ -21,8 +21,9 @@ "recipe[bcpc-hadoop::hdp_repo]", "recipe[bach_krb5::krb5_client]", "recipe[hdfsdu::create_user]", - "recipe[bcpc-hadoop::configs]", + "recipe[bcpc::pam]", "recipe[pam::default]", + "recipe[bcpc-hadoop::configs]", "recipe[bach_krb5::keytab_directory]", "recipe[bcpc-hadoop::bach_backup_wrapper]", "recipe[bcpc-hadoop::zookeeper_server]", diff --git a/stub-environment/roles/BCPC-Hadoop-Worker.json b/stub-environment/roles/BCPC-Hadoop-Worker.json index cc1200f8b..1f5d2cbd2 100644 
--- a/stub-environment/roles/BCPC-Hadoop-Worker.json +++ b/stub-environment/roles/BCPC-Hadoop-Worker.json @@ -13,8 +13,9 @@ "recipe[bach_krb5::krb5_client]", "recipe[hdfsdu::create_user]", "recipe[bcpc-hadoop::bach_backup_wrapper]", - "recipe[bcpc-hadoop::configs]", + "recipe[bcpc::pam]", "recipe[pam::default]", + "recipe[bcpc-hadoop::configs]", "recipe[bach_spark::default]", "recipe[bcpc-hadoop::datanode]", "recipe[bach_spark::cluster_install]", diff --git a/stub-environment/roles/BCPC-Kafka-Head-Server.json b/stub-environment/roles/BCPC-Kafka-Head-Server.json index bef469471..447571047 100644 --- a/stub-environment/roles/BCPC-Kafka-Head-Server.json +++ b/stub-environment/roles/BCPC-Kafka-Head-Server.json @@ -3,6 +3,7 @@ "json_class": "Chef::Role", "run_list": [ "role[Basic]", + "recipe[bcpc::pam]", "recipe[bcpc_kafka::kafka]" ], "description": "Role to setup Kafka Server", diff --git a/stub-environment/roles/BCPC-Kafka-Head-Zookeeper.json b/stub-environment/roles/BCPC-Kafka-Head-Zookeeper.json index 50cc089c6..b8bdb8713 100644 --- a/stub-environment/roles/BCPC-Kafka-Head-Zookeeper.json +++ b/stub-environment/roles/BCPC-Kafka-Head-Zookeeper.json @@ -16,6 +16,7 @@ "role[Basic]", "recipe[bach_krb5::keytab_directory]", "recipe[bach_krb5::krb5_client]", + "recipe[bcpc::pam]", "recipe[bcpc_kafka::zookeeper_server]" ], "description": "Zookeeper Role for Kafka Machines",
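Review bot: The two Kafka roles (this one and BCPC-Kafka-Head-Zookeeper) add `recipe[bcpc::pam]`, but unlike the Hadoop roles in this commit no `recipe[pam::default]` follows it in the visible run list; bcpc::pam only sets `node['pam_d']['services']` and writes the namespace files, so unless role[Basic] or a Kafka recipe reaches pam::default, the common-session entries (pam_limits, pam_exec, pam_namespace) are never rendered and the block removed from bcpc_kafka::default has no replacement. If role[Basic] already includes pam::default, saying so in the commit message would save the next reader the search.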