Hello.

    I am experimenting with LXC via libvirt on my Gentoo development system.  I can start the LXC domain and connect to its console.  However, I am unable to log in as root.  I've used "chroot" and "passwd" from the host system to explicitly set the root password.  Still no luck.  So I began debugging....

    I ran "strace" on the container's "login" process (after agetty exec'd login).  I noticed that it was unable to open "/dev/log".  Sure enough the unix domain socket did not exist inside the container (as seen from outside the container).  So I tweaked my host's syslog-ng.conf file to create this socket.  My hope was to monitor the log events generated by the login process.  So the log device certainly exists (and it tests ok with the 'logger' command):

   The LXC file-system was created with the "lxc-gentoo" script (http://lxc-gentoo.sourceforge.net/).  The only changes that I've made to the container's file system are to change root's password ($rootfs/etc/shadow) and to configure syslog-ng to create a logging socket at $rootfs/dev/log.

    I've even edited "$rootfs/etc/shadow" and completely removed root's password hash.  I still can't log into the account from "virsh console".  I thought that maybe I was unable to authenticate because the "login" process cannot log success/failure to /dev/log.  However, I know from experience that on other Gentoo systems I can log in as root even when syslog-ng is kaput, and /dev/log does not exist.

   "/etc/pam.d" inside the container is byte-for-byte the same as my host system, and I can authenticate as root from the physical console.

   I have a few main questions:

1) Is my domain configured correctly?

2) Why is the container unable to write to the "/dev/log" provided from outside the container?

3) Why am I unable to authenticate as the "root" user?

   Thank you for your time.


ostara ~ # virsh -c lxc:/// start dwj-lnx-dev
Domain dwj-lnx-dev started

ostara ~ # virsh -c lxc:/// console dwj-lnx-dev
Connected to domain dwj-lnx-dev
Escape character is ^]
INIT: version 2.88 booting

Gentoo Linux; http://www.gentoo.org/
 Copyright 1999-2009 Gentoo Foundation; Distributed under the GPLv2

Press I to enter interactive boot mode

 * Skipping mount of /proc as it's already mounted
 * Skipping mount of /sys as it's already mounted
 * Using existing device nodes in /dev ...                                [ ok ]
 * Skipping mount of /dev/pts as it's already mounted
 * Remounting root filesystem read-only ...
mount: / is busy                                                          [ !! ]
 * Skipping root filesystem check (fstab's passno == 0) ...               [ ok ]
 * Checking all filesystems ...                                           [ ok ]
 * Mounting local filesystems ...
mount: mount point /dev/shm does not exist
 * Some local filesystem failed to mount                                  [ !! ]
 * Mounting USB device filesystem (usbfs) ...                             [ ok ]
 * Activating (possible) swap ...                                         [ ok ]
 * Setting system clock using the hardware clock [UTC] ...                [ ok ]
 * Configuring kernel parameters ...
error: "Read-only file system" setting key "net.ipv4.conf.default.rp_filter"
error: "Read-only file system" setting key "net.ipv4.conf.all.rp_filter"  [ ok ]
 * Cleaning /var/lock, /var/run ...                                       [ ok ]
 * Wiping /tmp directory ...                                              [ ok ]
 * Starting lo
 *   Bringing up lo
 *     127.0.0.1/8                                                        [ ok ]
 *   Adding routes
 *     127.0.0.0/8 ...                                                    [ ok ]
INIT: Entering runlevel: 3
 * Starting eth0
 *   Bringing up eth0
 *     192.168.2.199                                                      [ ok ]
 *   Adding routes
 *     default via 192.168.2.1 ...                                        [ ok ]
 * Mounting network filesystems ...                                       [ ok ]
/lib64/rcscripts/sh/rc-services.sh: line 412: /etc/init.d/udev-postmount: Permission denied
 * Starting local ...                                                     [ ok ]


This is ostara.unknown_domain (Linux x86_64 3.2.12-gentoo) 23:06:09

ostara login:


ostara ~ # virsh -c lxc:/// version
Compiled against library: libvir 0.9.11
Using library: libvir 0.9.11
Using API: LXC 0.9.11
Running hypervisor: LXC 3.2.12

ostara ~ # ls -l /vm/lxc/dwj-lnx-dev/dev/log
srw-rw-rw- 1 root root 0 May 14 17:31 /vm/lxc/dwj-lnx-dev/dev/log

ostara ~ # logger -s /vm/lxc/dwj-lnx-dev/dev/log "CAPYBARA"
djenkins: /vm/lxc/dwj-lnx-dev/dev/log CAPYBARA

ostara ~ # tail -n 100 /var/log/messages | grep CAPYBARA
May 14 17:58:57 localhost djenkins: /vm/lxc/dwj-lnx-dev/dev/log CAPYBARA


(lots of strace setup omitted):
Buried about 60% down in the strace output is the attempt by "login" inside the container to access "/dev/log", which failed (ENOENT).

open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=720, ...}) = 0
mmap(NULL, 720, PROT_READ, MAP_SHARED, 3, 0) = 0x7fc6ccb66000
lseek(3, 720, SEEK_SET)                 = 720
munmap(0x7fc6ccb66000, 720)             = 0
close(3)                                = 0
time([1337035715])                      = 1337035715
socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 3
connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 ENOENT (No such file or directory)
close(3)                                = 0
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc6ccb66000
write(1, "\n", 1)                       = 1
write(1, "Login incorrect\n", 16)       = 16
time(NULL)                              = 1337035715

This is my domain config:
ostara ~ # virsh -c lxc:/// dumpxml dwj-lnx-dev
<domain type='lxc'>
  <name>dwj-lnx-dev</name>
  <uuid>fbcd8c3a-9939-12b4-727d-5d3526bc448f</uuid>
  <memory unit='KiB'>500000</memory>
  <currentMemory unit='KiB'>500000</currentMemory>
  <vcpu>2</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
    <init>/sbin/init</init>
  </os>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <devices>
    <emulator>/usr/libexec/libvirt_lxc</emulator>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/vm/lxc/dwj-lnx-dev'/>
      <target dir='/'/>
    </filesystem>
    <interface type='bridge'>
      <mac address='52:54:00:3e:d9:7c'/>
      <source bridge='br0'/>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>
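
An added diagnostic example, not part of the original post: it repeats the `connect()` on a UNIX datagram socket that the strace excerpt shows failing with ENOENT, and classifies the outcome by errno. The function names and the temporary socket path used by `demo()` are constructed for illustration.

```python
import errno
import os
import socket
import sys
import tempfile


def probe_syslog_socket(path, message="<14>probe: syslog socket test"):
    """Connect to a UNIX datagram socket as a syslog client would.

    Returns "ok" or the symbolic errno name:
      ENOENT       - the path does not resolve for this process (its own
                     root directory and mount namespace decide that)
      ECONNREFUSED - the socket inode exists but nothing is bound to it
      EACCES       - permissions on the socket or a parent directory
      EPROTOTYPE   - the listener is not a datagram socket
    """
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(path)
        s.send(message.encode())
        return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def demo():
    """Exercise the three common cases against a constructed socket path."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "log")  # constructed stand-in for /dev/log
        results["missing"] = probe_syslog_socket(path)
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        listener.bind(path)
        results["listening"] = probe_syslog_socket(path)
        results["received"] = listener.recv(1024).decode()
        listener.close()  # inode stays behind with no listener
        results["stale"] = probe_syslog_socket(path)
    return results


if __name__ == "__main__":
    # With an argument, probe that path; without one, run the demo.
    print(probe_syslog_socket(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

The result depends on the root directory and mount namespace of the process that runs the probe, so the same path can answer differently on the host and inside the container. Note that `logger -s` only copies the message to stderr and still writes to the default system socket; util-linux `logger` takes a specific socket path with `-u`.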