3.0.2 [bug?] - cannot create root password in privileged container


#1

host - ubuntu cosmic with 4.18.0-11 kernel / systemd 239-7 / apparmor 2.12

There is no issue with creating a root password via lxc-attach and passwd in an unprivileged container, but very curiously it is not possible to create a password the same way in a privileged container (tried centos 7 and ubuntu cosmic).

The error reads

passwd: System error
passwd: Authentication token manipulation error

From journalctl -f it reports

passwd[7799]: PAM audit_log_acct_message() failed: Operation not permitted

Also tried chroot /srv/lxc/container/rootfs passwd, but that does not work for either an unprivileged or a privileged container.

Now why would setting a password in an unprivileged container work but not in a privileged one and how to remedy, or is it a (nother systemd) bug perhaps?

This sounds similar to an issue also considering the patch - removing NoNewPrivileges=true and adding CAP_AUDIT_WRITE to CapabilityBoundingSet

Tried with lxc.cap.keep = CAP_AUDIT_WRITE but the container would not boot.


#2

@brauner @stgraber

Is there anything that can be done to debug this further?
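One concrete check for the capability question raised above, added here as an example and not part of the original thread: PAM's audit_log_acct_message() needs CAP_AUDIT_WRITE, so inspecting the capability masks in /proc/PID/status of the container's init (or of the attached passwd process) shows whether the bounding set actually contains it. The script assumes a Linux host with /proc and, for the usage line, that lxc-info -p -H prints the init PID of the named container.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread: report whether CAP_AUDIT_WRITE
# is present in the capability sets of a process, e.g. a container's init.

CAP_AUDIT_WRITE=29   # bit index of CAP_AUDIT_WRITE in <linux/capability.h>

# cap_in_mask BIT HEXMASK -> exit 0 if the bit is set in the hex mask, 1 otherwise.
# The masks in /proc/PID/status are 64-bit hex without a 0x prefix.
cap_in_mask() {
    bit=$1
    mask=$2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# proc_cap_field PID FIELD -> hex mask of FIELD (CapBnd, CapEff, CapPrm, ...)
# read from /proc/PID/status.
proc_cap_field() {
    pid=$1
    field=$2
    awk -v f="$field:" '$1 == f { print $2 }' "/proc/$pid/status"
}

# check_pid PID -> one line per capability set saying whether CAP_AUDIT_WRITE
# is held. A missing bit in CapBnd means no process in the container can
# regain it, which is what the container config or service unit must fix.
check_pid() {
    pid=$1
    for field in CapBnd CapEff CapPrm; do
        mask=$(proc_cap_field "$pid" "$field")
        if cap_in_mask "$CAP_AUDIT_WRITE" "$mask"; then
            echo "$field=$mask: CAP_AUDIT_WRITE present"
        else
            echo "$field=$mask: CAP_AUDIT_WRITE missing"
        fi
    done
}

# Usage on the host (assumed lxc-info flags: -p prints the init PID, -H raw):
#   ./capcheck.sh "$(lxc-info -n CONTAINER -p -H)"
# Usage inside the container via lxc-attach: ./capcheck.sh 1
if [ $# -gt 0 ]; then
    check_pid "$1"
fi
```

Comparing the output for the unprivileged container (where passwd works) with the privileged one localises whether the capability was dropped by the container bounding set or only inside the attached session.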


#3

Switched kernel to 4.19.6-041906-generic but the issue persists.

With lxc.cap.keep = CAP_AUDIT_WRITE and lxc-start test -F -L /tmp/test.log just nothing happens, no output on the console, the log file is created but empty.

From the host log it appears that the network device gets engaged but that is all (container not booting). Instead there appears this line

new mount options do not match the existing superblock, will be ignored


#4

Tried lxc.apparmor.profile = unconfined but that did not remedy the issue. At least kernel and apparmor are eliminated as a potential cause.

Suppose all that is left now is to file a bug report at the ubuntu package repo then.