[lxc-users] Cannot reach login prompt when root mapped to host user id

Tomassino Ferrauto t_ferrauto at yahoo.it
Sat May 23 10:45:00 UTC 2015


Hi all,
        I have a minor problem with unprivileged containers, I don't
know whether it is a bug in lxc or a configuration problem. What I'm
trying to do is running unprivileged containers in which the root user
in the container is mapped to the user that started the container in
the host. Everything works fine (including lxc-attach) except that
when the container is started in foreground, the login prompt is never
reached. I have messages like these:

[...]
 * Starting save kernel messages   ...done.
 * Starting regular background program processing daemon   ...done.
 * Stopping System V runlevel compatibility   ...done.
<4>init: setvtrgb main process (415) terminated with status 1
<4>init: plymouth-upstart-bridge main process ended, respawning
<4>init: tty4 main process (363) terminated with status 1
<4>init: tty4 main process ended, respawning
<4>init: tty2 main process (365) terminated with status 1
<4>init: tty2 main process ended, respawning
<4>init: tty3 main process (366) terminated with status 1
<4>init: tty3 main process ended, respawning
<4>init: console main process (405) terminated with status 1
<4>init: console main process ended, respawning
<4>init: tty1 main process (411) terminated with status 1
<4>init: tty1 main process ended, respawning
<4>init: setvtrgb main process (433) terminated with status 1
<4>init: tty4 main process (423) terminated with status 1
<4>init: tty4 main process ended, respawning
<4>init: tty2 main process (425) terminated with status 1
<4>init: tty2 main process ended, respawning
<4>init: tty3 main process (427) terminated with status 1
<4>init: tty3 main process ended, respawning
<4>init: console main process (429) terminated with status 1
<4>init: console main process ended, respawning
<4>init: tty1 main process (431) terminated with status 1
<4>init: tty1 main process ended, respawning
<4>init: setvtrgb main process (450) terminated with status 1

The configuration file for the container is:

# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d ubuntu -r trusty -a amd64
# For additional config options, please look at lxc.container.conf(5)

# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.id_map = u 0 1001 1
lxc.id_map = g 0 1001 1
lxc.id_map = u 1 1017505 65535
lxc.id_map = g 1 1017505 65535
lxc.rootfs = /home/tommy/.local/share/lxc/userRoot/rootfs
lxc.utsname = userRoot

# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.hwaddr = 00:16:3e:32:4b:d2

The host is Debian Jessie. It seems to me that there are problems with
permissions of some devices, here is the content of /dev (seen from
the host)

tommy at octopus:/proc/4436/root/dev$ ls -nahl
total 8.0K
drwxr-xr-x  3 1001 1001   4.0K May 23 12:17 .
drwxr-xr-x 21 1001 1001   4.0K May 23 12:17 ..
crw-------  1 1001    5 136, 7 May 23 12:28 console
lrwxrwxrwx  1 1001 1001     11 May 11 04:16 core -> /proc/kcore
lrwxrwxrwx  1 1001 1001     13 May 11 04:16 fd -> /proc/self/fd
crw-rw-rw-  1    0    0   1, 7 May 23 11:49 full
lrwxrwxrwx  1 1001 1001      7 May 23 12:17 kmsg -> console
srw-rw-rw-  1 1001 1001      0 May 23 12:17 log
crw-rw-rw-  1    0    0   1, 3 May 23 11:49 null
lrwxrwxrwx  1 1001 1001     13 May 23 12:08 ptmx -> /dev/pts/ptmx
drwxr-xr-x  2    0    0      0 May 23 12:17 pts
lrwxrwxrwx  1 1001 1001      4 May 11 04:16 ram -> ram1
crw-rw-rw-  1    0    0   1, 8 May 23 11:49 random
lrwxrwxrwx  1 1001 1001      8 May 11 04:16 shm -> /run/shm
lrwxrwxrwx  1 1001 1001      4 May 11 04:16 stderr -> fd/2
lrwxrwxrwx  1 1001 1001      4 May 11 04:16 stdin -> fd/0
lrwxrwxrwx  1 1001 1001      4 May 11 04:16 stdout -> fd/1
crw-rw-rw-  1    0    5   5, 0 May 23 12:28 tty
crw--w----  1 1001    5 136, 3 May 23 12:17 tty1
crw--w----  1 1001    5 136, 4 May 23 12:17 tty2
crw--w----  1 1001    5 136, 5 May 23 12:17 tty3
crw--w----  1 1001    5 136, 6 May 23 12:17 tty4
crw-rw-rw-  1    0    0   1, 9 May 23 11:49 urandom
crw-rw-rw-  1    0    0   1, 5 May 23 11:49 zero

What seems strange to me is the group 5 (host tty group) and the
different permissions (see below) for tty* and console. For
comparison, here are the permission of files in /dev in a container
where also root is mapped to a higher uid (and that doesn't have the
problem with the login prompt)

tommy at octopus:/proc/5649/root/dev$ ls -nahl
total 8.0K
drwxr-xr-x  3 1017504 1017504    4.0K May 23 12:25 .
drwxr-xr-x 21 1017504 1017504    4.0K May 23 12:25 ..
crw-------  1 1017504 1017509 136, 13 May 23 12:26 console
lrwxrwxrwx  1 1017504 1017504      11 May 11 04:16 core -> /proc/kcore
lrwxrwxrwx  1 1017504 1017504      13 May 11 04:16 fd -> /proc/self/fd
crw-rw-rw-  1       0       0   1,  7 May 23 11:49 full
lrwxrwxrwx  1 1017504 1017504       7 May 23 12:25 kmsg -> console
srw-rw-rw-  1 1017504 1017504       0 May 23 12:25 log
crw-rw-rw-  1       0       0   1,  3 May 23 11:49 null
lrwxrwxrwx  1 1017504 1017504      13 May 23 12:06 ptmx -> /dev/pts/ptmx
drwxr-xr-x  2       0       0       0 May 23 12:25 pts
lrwxrwxrwx  1 1017504 1017504       4 May 11 04:16 ram -> ram1
crw-rw-rw-  1       0       0   1,  8 May 23 11:49 random
lrwxrwxrwx  1 1017504 1017504       8 May 11 04:16 shm -> /run/shm
lrwxrwxrwx  1 1017504 1017504       4 May 11 04:16 stderr -> fd/2
lrwxrwxrwx  1 1017504 1017504       4 May 11 04:16 stdin -> fd/0
lrwxrwxrwx  1 1017504 1017504       4 May 11 04:16 stdout -> fd/1
crw-rw-rw-  1       0       5   5,  0 May 23 12:28 tty
crw-rw----  1 1017504 1017509 136,  9 May 23 12:25 tty1
crw-rw----  1 1017504 1017509 136, 10 May 23 12:25 tty2
crw-rw----  1 1017504 1017509 136, 11 May 23 12:25 tty3
crw-rw----  1 1017504 1017509 136, 12 May 23 12:25 tty4
crw-rw-rw-  1       0       0   1,  9 May 23 11:49 urandom
crw-rw-rw-  1       0       0   1,  5 May 23 11:49 zero

One last note: I had to add the user to the group tty on the host for
unprivileged containers to work. Let me know if you need more
information.

        Tomassino


More information about the lxc-users mailing list