Alpine linux Edge mirroring Root cannot log in

yooadmin · November 13, 2025, 2:06pm

lxc-console my

my login:root

Login incorrect

After entering the container and setting the password, you can’t log in either

simos · November 13, 2025, 2:44pm

The container images do not have default passwords. In fact, the root account is locked.

Let’s see an actual example. First, we create an Alpine Edge container.

$ sudo lxc-create --name mycontainer --template download -- --dist alpine --release edge --arch amd64
Downloading the image index
Downloading the rootfs
Downloading the metadata
The image cache is now ready
Unpacking the rootfs

---
You just created an Alpinelinux edge x86_64 (20251112_13:00) container.
$ sudo lxc-ls 
mycontainer
$ sudo lxc-start --name mycontainer
$ sudo lxc-info --name mycontainer
Name:           mycontainer
State:          RUNNING
PID:            811532
IP:             10.0.3.214
Link:           vethSdZmFJ
 TX bytes:      1.83 KiB
 RX bytes:      12.20 KiB
 Total bytes:   14.03 KiB
$

Now, we get a shell into the LXC container. We do that with lxc-attach, that attaches to the running instance and spawns a root shell. In doing so, there is no check for passwords; we get a direct shell bypassing any authentication. In the following you can see that the password field in the /etc/shadow file is *, meaning that the root account is locked.

$ sudo lxc-attach --name mycontainer
/ # head -3 /etc/passwd
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
/ # head -3 /etc/shadow
root:*::0:::::
bin:!::0:::::
daemon:!::0:::::
/ #

Normally you would not log into an instance using the console (i.e. lxc-console). You would use lxc-attach that gives you a root shell bypassing any authentication.

But what if you want to get a login shell anyway? Does not work.

$ sudo lxc-attach --name mycontainer -- login
mycontainer login: root
Login incorrect<Ctrl>+<C>
$

How about with lxc-console? Same thing, you cannot get a login shell for some reason.

$ sudo lxc-console --name mycontainer

Connected to tty 1
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself

Welcome to Alpine Linux 3.23.0_alpha20251016 (edge)
Kernel 6.8.0-87-generic on x86_64 (/dev/tty1)

mycontainer login: root
Login incorrect
mycontainer login: <Ctrl>+A q     $

This means that something is wrong in the Alpine image that does not allow to login into the instance. I am not sure what it is, and I believe that it is related to the Alpine image itself. I tried the same with the Ubuntu image and it worked. Therefore, it’s something technical with the Alpine image that requires to lxc-attach in order to get a shell in the instance.

For completeness, here is what you would do with Incus. We use the image images:alpine/edge/cloud. The /cloud part says that we want to image with cloud-init support, which, among others, has a non-root account with the name alpine (and it’s locked). The su -l alpine would get a login shell into the Alpine instance for the account alpine.

$ incus launch images:alpine/edge/cloud mycontainer
Launching mycontainer
$ incus exec mycontainer -- su -l alpine
mycontainer:~$ id
uid=1000(alpine) gid=1000(alpine) groups=4(adm),10(wheel),1000(alpine)
mycontainer:~$

yooadmin · November 13, 2025, 9:50pm

It is, Ubuntu,debian,It is, Ubuntu,debian, It’s all normal, that’s alpine linux for reasons other than cloud is there any other way for it to log in to root

simos · November 13, 2025, 10:10pm

And I admitted that indeed something is wrong with the Alpine image. Whatever is wrong with the Alpine image, it is likely an issue with Alpine or the packaging of the Alpine image.

You can always use lxc-attach to get a shell, and you can even install SSH server. There are plenty of workarounds.