[libvirt] [PATCH] LXC: mount /dev/pts/0 to /dev/console

Now, /dev/console is linked to the /dev/pts/0, so for the process agetty, the tty device of agetty is pts/0. this will cause login container failed. since pts/0 is not in the /etc/securetty. so pam module pam_securetty will prevent the root user logging on the system. this patch doesn't make /dev/console a symbol but binds /dev/pts/0 to it. so the tty device of agetty will be console. root can login the system successfully. Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> --- src/lxc/lxc_container.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 255c711..1cede41 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -1049,12 +1049,19 @@ static int lxcContainerSetupDevices(char **ttyPaths, size_t nttyPaths) return -1; } VIR_FREE(tty); - if (i == 0 && - symlink(ttyPaths[i], "/dev/console") < 0) { - virReportSystemError(errno, - _("Failed to symlink %s to /dev/console"), - ttyPaths[i]); - return -1; + if (i == 0) { + if (virFileTouch("/dev/console", 0600) < 0) { + virReportSystemError(errno, "%s", + _("Failed to create /dev/console")); + return -1; + } + + if (mount(ttyPaths[0], "/dev/console", NULL, MS_BIND, NULL) < 0) { + virReportSystemError(errno, + _("Failed to symlink %s to /dev/console"), + ttyPaths[i]); + return -1; + } } } return 0; -- 1.8.3.1
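Review bot: the error path of the new mount() call still reports "Failed to symlink %s to /dev/console" although the operation is now a bind mount; change the message to say bind so a failure in the log is not misread as a symlink problem. In the same block, mount() uses ttyPaths[0] while the message uses ttyPaths[i]; inside `if (i == 0)` they are the same, but using one name consistently makes that obvious. The reason for the change (pam_securetty sees the tty name "console" after the bind mount instead of "pts/0") is only in the commit message; a short comment above the mount() call would keep that rationale next to the code.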

Now, /dev/console is linked to the /dev/pts/0, so for the process agetty, the tty device of agetty is pts/0. this will cause login container failed. since pts/0 is not in the /etc/securetty. so pam module pam_securetty will prevent the root user logging on the system. this patch doesn't make /dev/console a symbol but binds /dev/pts/0 to it. so the tty device of agetty will be console. root can login the system successfully. change from v1: 1,Add some comments. 2,Modify the System error report message. Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com> --- src/lxc/lxc_container.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 255c711..9c71bad 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -1049,12 +1049,22 @@ static int lxcContainerSetupDevices(char **ttyPaths, size_t nttyPaths) return -1; } VIR_FREE(tty); - if (i == 0 && - symlink(ttyPaths[i], "/dev/console") < 0) { - virReportSystemError(errno, - _("Failed to symlink %s to /dev/console"), - ttyPaths[i]); - return -1; + if (i == 0) { + if (virFileTouch("/dev/console", 0600) < 0) { + virReportSystemError(errno, "%s", + _("Failed to create /dev/console")); + return -1; + } + /* Binding /dev/console to pts, this will make agetty + * trust its tty device is console but not the pts device. + * So the pam_sercuretty module will not try to prevent + * root user logging on container. */ + if (mount(ttyPaths[0], "/dev/console", NULL, MS_BIND, NULL) < 0) { + virReportSystemError(errno, + _("Failed to bind %s to /dev/console"), + ttyPaths[i]); + return -1; + } } } return 0; -- 1.8.3.1
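Review bot: the new comment misspells the module as "pam_sercuretty"; it should read pam_securetty so that a search for the module name finds this rationale. The comment and commit message should also state the limitation raised in review: only ttyPaths[0] is bind-mounted onto /dev/console, so any further <console/> devices still appear to pam_securetty under their pts/N names. Minor: the mount() call uses ttyPaths[0] while the error message uses ttyPaths[i]; pick one.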

On Tue, Oct 29, 2013 at 03:37:51PM +0800, Gao feng wrote:
> Now, /dev/console is linked to /dev/pts/0, so for the agetty process the tty device is pts/0. This causes container login to fail, since pts/0 is not in /etc/securetty, so the PAM module pam_securetty prevents the root user from logging on to the system.
> This patch doesn't make /dev/console a symlink but binds /dev/pts/0 to it, so the tty device of agetty will be console and root can log in to the system successfully.

This only really fixes it for the first console. If the guest has multiple <console/> lines defined, we still have the same problem with securetty for other consoles. I'm wondering if there is any scope for just getting the securetty check to do the right thing by default for pseudo ttys.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 10/30/2013 07:15 PM, Daniel P. Berrange wrote:
> On Tue, Oct 29, 2013 at 03:37:51PM +0800, Gao feng wrote:
>> Now, /dev/console is linked to /dev/pts/0, so for the agetty process the tty device is pts/0. This causes container login to fail, since pts/0 is not in /etc/securetty, so the PAM module pam_securetty prevents the root user from logging on to the system.
>> This patch doesn't make /dev/console a symlink but binds /dev/pts/0 to it, so the tty device of agetty will be console and root can log in to the system successfully.
>
> This only really fixes it for the first console. If the guest has multiple <console/> lines defined, we still have the same problem with securetty for other consoles. I'm wondering if

Oh, that's /dev/ttyN, not /dev/console. There is only one /dev/console. In my container, which is running fedora18, the tty device of agetty is console:

  553 pts/0 Ss+ 0:00 /sbin/agetty --noclear -s console 115200 38400 9600

So this patch resolves the problem I faced. If we find that the ttyN devices also need to be bound to some pts devices, that is another patch. But actually, /dev/console points to different tty devices from the point of view of different processes; this linking/binding of console to /dev/pts/0 may mess up something. And the multiple console setting doesn't seem to work for containers: only the first console is opened/listened on.

> there is any scope for just getting the securetty check to do the right thing by default for pseudo ttys.

Right now I don't face any problem, but I don't know if this will break something. And as I mentioned above, linking /dev/console to /dev/pts/0 will break something too. I don't have any idea how to implement the behaviour which /dev/console and /dev/tty0 provide now. Any idea?

Thanks
Gao
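The pam_securetty decision the whole thread is working around, as an added model written for this page (not libvirt or Linux-PAM code): the tty name agetty hands to PAM is compared, minus its "/dev/" prefix, against the lines of /etc/securetty, and the sample securetty contents below are constructed. It also evaluates several consoles at once, which shows the limitation raised in review: only the bind-mounted first console passes.

```python
# Model of the pam_securetty check (added illustration, not Linux-PAM's code):
# for a uid-0 login, the PAM_TTY name is taken, a leading "/dev/" is stripped,
# and the login is allowed only if that name appears in /etc/securetty.

# Constructed /etc/securetty sample; a real file lists many more tty names.
SAMPLE_SECURETTY = """\
# /etc/securetty: terminals on which root is allowed to log in
console
tty1
tty2
ttyS0
"""


def parse_securetty(text: str) -> set:
    """One allowed tty name per line; blank lines and '#' comments are skipped."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line)
    return names


def normalise_tty(pam_tty: str) -> str:
    """pam_securetty compares the name without its leading '/dev/'."""
    return pam_tty[5:] if pam_tty.startswith("/dev/") else pam_tty


def root_login_permitted(pam_tty: str, securetty_text: str) -> bool:
    """True if pam_securetty would let root log in on this tty."""
    return normalise_tty(pam_tty) in parse_securetty(securetty_text)


def check_consoles(ttys: list, securetty_text: str) -> dict:
    """Evaluate several getty ttys at once (the multiple-<console/> case)."""
    return {tty: root_login_permitted(tty, securetty_text) for tty in ttys}


if __name__ == "__main__":
    # pts/0: what agetty sees while /dev/console is a symlink -> denied.
    # /dev/console: what it sees after the bind mount in the patch -> permitted.
    # pts/1: a second <console/> still carries a pty name -> still denied.
    for tty, ok in check_consoles(["pts/0", "/dev/console", "pts/1"],
                                  SAMPLE_SECURETTY).items():
        print(f"{tty:13s} root login {'permitted' if ok else 'denied'}")
```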