[lxc-users] lxc-fedora template

Michael H. Warfield mhw at WittsEnd.com
Wed Jun 4 18:23:48 UTC 2014


Further information:

On Wed, 2014-06-04 at 12:57 -0400, Michael H. Warfield wrote:
> Hello,

> On Thu, 2014-06-05 at 02:10 +1100, Dmitry Kolesov wrote:
> > Hello,
> > 
> > 
> > I created a container from the lxc-fedora template. My operating system is
> > Fedora 20.
> > The kernel is 3.14.0 x86_64. 
> > When I start the container there is one failure message: 
> >  [FAILED] Failed to set up automount Arbitrary Executable
> > File...utomount Point.
> > All other messages are "OK".
> > But when I try to log in I get the message: "Login incorrect".
> > I tried to chroot into the rootfs directory and I changed root's
> > password.
> > But I always get this message: "Login incorrect".
> > SELinux is disabled in my main OS.
> > Could somebody help me to log in?

> Yeah, I can take a pretty good guess what the problem might be.

> First a few questions.

> 1) What is the host distro (I'm guessing Fedora or CentOS)?

> 2) What version of LXC are you running?

> 3) Was LXC installed/built from the distro or from recent tarball or
> from git?  If from git, when?

> 4) Logging in on the lxc-start console, using lxc-console or using ssh?

5) Have you updated to the latest kernel update for F20?  My dev system
is running 3.14.4-200.fc20.x86_64.  Your kernel rev doesn't seem to be a
stock Fedora rev string so I'm maybe guessing you are not on Fedora
after all?

What you are running into is likely this bug.

https://bugzilla.redhat.com/show_bug.cgi?id=1002914

This is a kernel configuration issue.  Note comment #6:

-- 
I've noticed that this issue should be fixed in v3.13-rc1

As mentioned in commit

    http://o.cs.uvic.ca:20810/perl/cid.pl?cid=83fa6bbe4c4541ae748b550b4ec391f8a0acfe94

CONFIG_AUDIT_LOGINUID_IMMUTABLE=y was removed. Could you please retest it on the latest Fedora?
-- 

And #7:

-- 
 Hi,
 I have tried with the latest upgrades of F20 and the problem has been fixed.
 Thank you very much for the support!

 Regards,
 Enrique
-- 

I'm deducing here that if "CONFIG_AUDIT_LOGINUID_IMMUTABLE=y" in the
kernel config, then you are going to run into this problem.  Check that
config option for your kernel build.  If that's a custom kernel, then
you can also get rid of that and be able to set the login uid in a
container (probably a good idea).  If you are on Fedora, please update
to the latest stock build and retest, according to that bug report.

> So, now I'll take some WAGs (wild ass guesses) with little to go on.  If
> you're running the distro stock version of LXC on a Fedora 20 host (most
> likely if you're building Fedora 20 containers) then you're probably
> running an out of date version of LXC.  Latest version from Fedora 20
> Updates is 0.9.0 and I'm not overly surprised you're running into this
> problem.  Even Fedora rawhide (to be Fedora 21) is only sporting 0.9.0,
> sigh...  Nothing encouraging in Updates Testing either, so I guess
> someone needs to file a bugzilla request to rebase it.
> 
> Check in your container ${root_fs}/etc/pam.d directory for files
> containing this line:
> 
> session    required     pam_loginuid.so
> 
> Most especially the files "login" and "sshd" but others as well.
> 
> If that line exists and is not commented out (leading hash #), that's
> most likely your problem.  You might have also seen an error about
> unable to set session something or another, it's been a while since I
> looked at it.  That might have only shown up in the log files, I don't
> recall.  Comment out that line in every file that has it.
> 
> Around between Fedora 19 and Fedora 20, they introduced some changes
> regarding this whole "login uid" and pam_loginuid is no longer able to
> set a login uid when running in a container.  I added code to the
> lxc-fedora template to comment out all those lines in the pam.d files.
> But, I think that went into the 1.0.0 release and was probably not in
> the 0.9.0 release.  We're currently on release 1.0.3 with 1.0.4 on the
> near horizon.
> 
> Once those lines are commented out, you should be able to log in.
> That's all assuming what I'm guessing you are running but it's
> consistent with what I would expect.
> 
> I would also strongly recommend upgrading to 1.0.3 or 1.0.4 when it's
> out, if you're not already there.  1.0.4 is going to have some
> significant improvements to the bootup and autostart processes (which
> don't even exist in 0.9.0).
> 
> > Regards,
> > Dmitry

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
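
Added example, not part of the original message and not code from the lxc-fedora template: a shell sketch of the two checks discussed in this thread, the kernel option CONFIG_AUDIT_LOGINUID_IMMUTABLE and uncommented pam_loginuid.so session lines under the container's etc/pam.d. The kernel config path /boot/config-$(uname -r), the backup directory etc/pam.d.orig, the FIX variable and the sample rootfs are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check a host kernel config and a container rootfs for the
# pam_loginuid login failure described in this thread.
PAT='^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_loginuid\.so'

# Print yes/no/unknown: does kernel config file $1 set CONFIG_AUDIT_LOGINUID_IMMUTABLE=y?
loginuid_immutable() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -q '^CONFIG_AUDIT_LOGINUID_IMMUTABLE=y' "$1"; then echo yes; else echo no; fi
}

# Print each file in $1/etc/pam.d with an uncommented pam_loginuid.so session line.
active_loginuid_files() {
    grep -lE "$PAT" "$1"/etc/pam.d/* 2>/dev/null || true
}

# Comment those lines out. Originals are first copied to $1/etc/pam.d.orig
# (backup location chosen for this example, outside pam.d so PAM ignores it).
disable_loginuid() {
    mkdir -p "$1/etc/pam.d.orig"
    active_loginuid_files "$1" | while IFS= read -r f; do
        cp -p "$f" "$1/etc/pam.d.orig/" &&
        sed -E "s/${PAT}.*/#&/" "$1/etc/pam.d.orig/$(basename "$f")" > "$f"
    done
}

# Constructed sample rootfs so the script can be tried without a real container.
make_sample_rootfs() {
    d=$(mktemp -d) && mkdir -p "$d/etc/pam.d" || return 1
    printf 'session    required     pam_loginuid.so\nsession    include      system-auth\n' > "$d/etc/pam.d/login"
    printf '#session    required     pam_loginuid.so\n' > "$d/etc/pam.d/sshd"
    printf 'auth       include      system-auth\n' > "$d/etc/pam.d/su"
    echo "$d"
}

# No argument: use the constructed sample. Otherwise $1 is the container rootfs.
rootfs=${1:-$(make_sample_rootfs)}
echo "CONFIG_AUDIT_LOGINUID_IMMUTABLE=y: $(loginuid_immutable "/boot/config-$(uname -r)")"
echo "pam.d files with an active pam_loginuid.so line:"
active_loginuid_files "$rootfs"
# Only edit a real rootfs when asked to (FIX=1); the sample is always edited.
if [ "${FIX:-0}" = 1 ] || [ $# -eq 0 ]; then
    disable_loginuid "$rootfs"
    echo "remaining after edit:"; active_loginuid_files "$rootfs"
fi
```

Run it with the container's rootfs path as the only argument to get a report; set FIX=1 in the environment to have the lines commented out as well.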
