Hello.

I am experimenting with LXC via libvirt on my Gentoo development system. I can start the LXC domain and connect to its console. However, I am unable to log in as root. I've used "chroot" and "passwd" from the host system to explicitly set the root password. Still no luck. So I began debugging....

I ran "strace" on the container's "login" process (after agetty exec'd login). I noticed that it was unable to open "/dev/log". Sure enough, the unix domain socket did not exist inside the container (as seen from outside the container). So I tweaked my host's syslog-ng.conf file to create this socket. My hope was to monitor the log events generated by the login process. So the log device certainly exists (and it tests ok with the 'logger' command):

The LXC file-system was created with the "lxc-gentoo" script (http://lxc-gentoo.sourceforge.net/). The only changes that I've made to the container's file system are to change root's password ($rootfs/etc/shadow) and configure syslog-ng to create a logging socket at $rootfs/dev/log.

I've even edited "$rootfs/etc/shadow" and completely removed root's password hash. I still can't log into the account from "virsh console". I thought that maybe I was unable to authenticate because the "login" process cannot log success/failure to /dev/log. However, I know from experience that on other Gentoo systems I can log in as root even when syslog-ng is kaput and /dev/log does not exist.

"/etc/pam.d" inside the container is byte-for-byte the same as my host system, and I can authenticate as root from the physical console.

I have a few main questions:

1) Is my domain configured correctly?
2) Why is the container unable to write to the "/dev/log" provided from outside the container?
3) Why am I unable to authenticate as the "root" user?

Thank you for your time.
ostara ~ # virsh -c lxc:/// start dwj-lnx-dev
Domain dwj-lnx-dev started

ostara ~ # virsh -c lxc:/// console dwj-lnx-dev
Connected to domain dwj-lnx-dev
Escape character is ^]

INIT: version 2.88 booting
Gentoo Linux; http://www.gentoo.org/
Copyright 1999-2009 Gentoo Foundation; Distributed under the GPLv2
Press I to enter interactive boot mode
* Skipping mount of /proc as it's already mounted
* Skipping mount of /sys as it's already mounted
* Using existing device nodes in /dev ... [ ok ]
* Skipping mount of /dev/pts as it's already mounted
* Remounting root filesystem read-only ...
mount: / is busy [ !! ]
* Skipping root filesystem check (fstab's passno == 0) ... [ ok ]
* Checking all filesystems ... [ ok ]
* Mounting local filesystems ...
mount: mount point /dev/shm does not exist
* Some local filesystem failed to mount [ !! ]
* Mounting USB device filesystem (usbfs) ... [ ok ]
* Activating (possible) swap ... [ ok ]
* Setting system clock using the hardware clock [UTC] ... [ ok ]
* Configuring kernel parameters ...
error: "Read-only file system" setting key "net.ipv4.conf.default.rp_filter"
error: "Read-only file system" setting key "net.ipv4.conf.all.rp_filter" [ ok ]
* Cleaning /var/lock, /var/run ... [ ok ]
* Wiping /tmp directory ... [ ok ]
* Starting lo
* Bringing up lo
* 127.0.0.1/8 [ ok ]
* Adding routes
* 127.0.0.0/8 ... [ ok ]
INIT: Entering runlevel: 3
* Starting eth0
* Bringing up eth0
* 192.168.2.199 [ ok ]
* Adding routes
* default via 192.168.2.1 ... [ ok ]
* Mounting network filesystems ... [ ok ]
/lib64/rcscripts/sh/rc-services.sh: line 412: /etc/init.d/udev-postmount: Permission denied
* Starting local ... [ ok ]

This is ostara.unknown_domain (Linux x86_64 3.2.12-gentoo) 23:06:09
ostara login:

ostara ~ # virsh -c lxc:/// version
Compiled against library: libvir 0.9.11
Using library: libvir 0.9.11
Using API: LXC 0.9.11
Running hypervisor: LXC 3.2.12

ostara ~ # ls -l /vm/lxc/dwj-lnx-dev/dev/log
srw-rw-rw- 1 root root 0 May 14 17:31 /vm/lxc/dwj-lnx-dev/dev/log

ostara ~ # logger -s /vm/lxc/dwj-lnx-dev/dev/log "CAPYBARA"
djenkins: /vm/lxc/dwj-lnx-dev/dev/log CAPYBARA

ostara ~ # tail -n 100 /var/log/messages | grep CAPYBARA
May 14 17:58:57 localhost djenkins: /vm/lxc/dwj-lnx-dev/dev/log CAPYBARA
(lots of strace setup omitted):

Buried about 60% down in the strace output is the attempt by "login" inside the container to access "/dev/log", which failed (ENOENT).

open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=720, ...}) = 0
mmap(NULL, 720, PROT_READ, MAP_SHARED, 3, 0) = 0x7fc6ccb66000
lseek(3, 720, SEEK_SET) = 720
munmap(0x7fc6ccb66000, 720) = 0
close(3) = 0
time([1337035715]) = 1337035715
socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3
connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc6ccb66000
write(1, "\n", 1) = 1
write(1, "Login incorrect\n", 16) = 16
time(NULL) = 1337035715
This is my domain config:

ostara ~ # virsh -c lxc:/// dumpxml dwj-lnx-dev
<domain type='lxc'>
  <name>dwj-lnx-dev</name>
  <uuid>fbcd8c3a-9939-12b4-727d-5d3526bc448f</uuid>
  <memory unit='KiB'>500000</memory>
  <currentMemory unit='KiB'>500000</currentMemory>
  <vcpu>2</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/sbin/init</init>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/vm/lxc/dwj-lnx-dev'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <mac address='52:54:00:3e:d9:7c'/>
      <source bridge='br0'/>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>
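As an added diagnostic aid (not part of the original post): a small Python parser that pulls the failing syscalls, and the paths they touched, out of strace output like the excerpt above, so a buried ENOENT on /dev/log stands out without reading the whole trace. The sample trace below is constructed from the lines quoted in the post; the helper names are mine.

```python
import re

# Constructed sample: the relevant lines of the strace excerpt from the post,
# with the wrapped connect() line rejoined into one line.
SAMPLE_STRACE = """\
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
close(3) = 0
socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3
connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
write(1, "Login incorrect\\n", 16) = 16
"""

# One completed syscall per line: name(args) = retval [ERRNO (message)]
LINE_RE = re.compile(
    r'^(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|0x[0-9a-fA-F]+|\?)'
    r'(?:\s+(?P<errno>E[A-Z0-9]+)\s+\((?P<msg>[^)]*)\))?\s*$')
# A path argument: path="..." inside a sockaddr, or a leading "..." literal.
PATH_RE = re.compile(r'path="([^"]*)"|^"([^"]*)"')

def parse_strace(text):
    """Parse strace output into dicts; skip signal/unfinished/resumed lines."""
    events = []
    for line in text.splitlines():
        # drop the "[pid N]" prefix that strace -f adds when following children
        line = re.sub(r'^\[pid\s+\d+\]\s*', '', line.strip())
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PATH_RE.search(m.group('args'))
        events.append({'call': m.group('call'), 'ret': m.group('ret'),
                       'errno': m.group('errno'), 'msg': m.group('msg'),
                       'path': (p.group(1) or p.group(2)) if p else None})
    return events

def failed_calls(text):
    """Only the syscalls that returned an error, in order of occurrence."""
    return [e for e in parse_strace(text) if e['errno']]

def failed_paths(text):
    """Map each path referenced by a failing syscall to its errno."""
    return {e['path']: e['errno'] for e in failed_calls(text) if e['path']}

if __name__ == '__main__':
    for e in failed_calls(SAMPLE_STRACE):
        print(f"{e['call']}({e['path']}) -> {e['errno']}: {e['msg']}")
```

A path that is present under $rootfs on the host (the srw socket shown by ls -l) but returns ENOENT from inside the container means the container's mount namespace does not see the host's view of that directory, which is the mismatch to chase before suspecting PAM.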