Getting root Access to LXC


#1

Context…

  • Fresh minimal install of CentOS 7
  • Installed yum -y install lxc lxc-templates libcap-devel libcgroup busybox wget bridge-utils lxc-extra libvirt perl debootstrap
  • Bridged NIC
  • Configured /etc/lxc/default.conf for bridge
  • Manually started lxc.service and libvirtd
  • lxc-checkconfig shows everything enabled except…
    • newuidmap is not installed
    • newgidmap is not installed
  • Created LXC using lxc-create -n centostest -t centos

During the lxc-create process, I see this…

Storing root password in '/var/lib/lxc/centostest/tmp_root_pass'
chpasswd: cannot open /etc/passwd
Expiring password for user root.
passwd: Libuser error at line: 413 - Error replacing '/etc/passwd': Permission denied.
passwd: Error
sed: can't read /var/lib/lxc/centostest/rootfs/etc/rc.sysinit: No such file or directory
sed: can't read /var/lib/lxc/centostest/rootfs/etc/rc.d/rc.sysinit: No such file or directory

Get the temporary password using cat '/var/lib/lxc/centostest/tmp_root_pass'

Start the LXC using lxc-start -n centostest -d

Try to access root using lxc-console -n centostest -t 0

centostest login: root
Password: 
Login incorrect

It will not accept the temporary password. (And yes, I am confident I have typed the password correctly. I have typed it repeatedly myself, had others type it in, and copied and pasted the temporary password in. And have done all the above repeatedly.)

So I tried to update the password…

[root@centos01 ~]# chroot /var/lib/lxc/centostest/rootfs passwd
Changing password for user root.
New password: 
Retype new password: 
passwd: Authentication token manipulation error

What is the next step in figuring out how to get root access to the LXC?

And this may be a red herring…

Sometimes when using lxc-console -n centostest -t 0 I would get a login: timed out after 60 seconds after entering the password.

Since the machine this is running on has plenty of resources and did not have reason to time out, I ran top and noticed that anytime the LXC is started 'systemd-journal' is at 100% CPU usage. Shut it down and the usage disappears.

Tailing the journal using journal -f when I start the LXC…

Mar 01 10:09:52 centos01.lan kernel: virbr3: port 2(veth6YXUHN) entered blocking state
Mar 01 10:09:52 centos01.lan kernel: virbr3: port 2(veth6YXUHN) entered disabled state
Mar 01 10:09:52 centos01.lan kernel: device veth6YXUHN entered promiscuous mode
Mar 01 10:09:52 centos01.lan kernel: IPv6: ADDRCONF(NETDEV_UP): veth6YXUHN: link is not ready
Mar 01 10:09:52 centos01.lan NetworkManager[3741]: <info>  [1519916992.8850] manager: (vethG4QTPK): new Veth device (/org/freedesktop/NetworkManager/Devices/55)
Mar 01 10:09:52 centos01.lan NetworkManager[3741]: <info>  [1519916992.8892] manager: (veth6YXUHN): new Veth device (/org/freedesktop/NetworkManager/Devices/56)
Mar 01 10:09:52 centos01.lan libvirtd[31229]: 2018-03-01 15:09:52.906+0000: 31229: error : virNetDevSendEthtoolIoctl:2939 : ethtool ioctl error: No such device
Mar 01 10:09:52 centos01.lan libvirtd[31229]: 2018-03-01 15:09:52.921+0000: 31229: error : virNetDevSendEthtoolIoctl:2939 : ethtool ioctl error: No such device
Mar 01 10:09:52 centos01.lan kernel: IPv6: ADDRCONF(NETDEV_CHANGE): veth6YXUHN: link becomes ready
Mar 01 10:09:52 centos01.lan kernel: virbr3: port 2(veth6YXUHN) entered blocking state
Mar 01 10:09:52 centos01.lan kernel: virbr3: port 2(veth6YXUHN) entered forwarding state
Mar 01 10:09:52 centos01.lan NetworkManager[3741]: <info>  [1519916992.9228] device (veth6YXUHN): link connected
Mar 01 10:09:52 centos01.lan libvirtd[31229]: 2018-03-01 15:09:52.926+0000: 31229: error : virNetDevSendEthtoolIoctl:2939 : ethtool ioctl error: No such device
Mar 01 10:09:52 centos01.lan libvirtd[31229]: 2018-03-01 15:09:52.931+0000: 31229: error : virNetDevSendEthtoolIoctl:2939 : ethtool ioctl error: No such device
Mar 01 10:09:52 centos01.lan libvirtd[31229]: 2018-03-01 15:09:52.936+0000: 31229: error : virNetDevSendEthtoolIoctl:2939 : ethtool ioctl error: No such device
Mar 01 10:09:52 centos01.lan libvirtd[31229]: 2018-03-01 15:09:52.940+0000: 31229: error : virNetDevSendEthtoolIoctl:2939 : ethtool ioctl error: No such device
Mar 01 10:09:52 centos01.lan libvirtd[31229]: 2018-03-01 15:09:52.945+0000: 31229: error : virNetDevSendEthtoolIoctl:2939 : ethtool ioctl error: No such device
Mar 01 10:09:52 centos01.lan libvirtd[31229]: 2018-03-01 15:09:52.950+0000: 31229: error : virNetDevSendEthtoolIoctl:2939 : ethtool ioctl error: No such device

And when I shut down the LXC…

Mar 01 10:12:41 centos01.lan kernel: virbr3: port 2(veth6YXUHN) entered disabled state
Mar 01 10:12:41 centos01.lan kernel: device veth6YXUHN left promiscuous mode
Mar 01 10:12:41 centos01.lan kernel: virbr3: port 2(veth6YXUHN) entered disabled state
Mar 01 10:12:41 centos01.lan NetworkManager[3741]: <info>  [1519917161.6898] device (veth6YXUHN): released from master device virbr3

Again, what is the next step in figuring out how to get root access to the LXC?


(Christian Brauner) #2

Hm, can you try the download template instead:

lxc-create -n <container-name> -t download -- -d centos -r 7 -a amd64

and see if you have the same issue?


#3

Just an update on this.

@brauner - Thanks for your reply. I have done as you suggested and tried the template download.

I can attach to the container using lxc-attach but am going to have to do more homework on how to use the function or chroot to change user credentials.

When I run lxc-checkconfig everything looks good except that it says…

newuidmap is not installed
newgidmap is not installed

I am guessing there is some kind of user ID mapping that I am going to have to figure out.

Thanks again for your help.
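
The lxc-create output in the first post shows chpasswd and passwd both failing on /etc/passwd, so one thing worth checking from the host is what root's entry in the container's shadow file actually contains. The following is an added example, not code from the thread or from the LXC project; the function name `root_shadow_state` and the sample shadow line are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify root's entry in a container rootfs shadow file.
# shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# root_shadow_state is a hypothetical helper name, not an LXC tool.

root_shadow_state() {
    shadow_file=$1
    if [ ! -r "$shadow_file" ]; then
        echo "unreadable"
        return 0
    fi
    entry=$(grep '^root:' "$shadow_file" | head -n 1)
    if [ -z "$entry" ]; then
        echo "missing"
        return 0
    fi
    hash=$(printf '%s\n' "$entry" | cut -d: -f2)
    lastchg=$(printf '%s\n' "$entry" | cut -d: -f3)
    case $hash in
        '')        state="empty" ;;   # no password required at all
        '!'*|'*'*) state="locked" ;;  # no password can ever match
        *)         state="set" ;;     # a hash is stored
    esac
    # lastchg of 0 forces a password change at next login (passwd -e)
    if [ "$lastchg" = "0" ]; then
        state="$state,expired"
    fi
    echo "$state"
}

# Constructed sample entry (not taken from the thread), so this runs offline.
sample=$(mktemp)
printf 'root:!!:17591:0:99999:7:::\n' > "$sample"
echo "sample entry: $(root_shadow_state "$sample")"
rm -f "$sample"

# On the host from the first post the call would be:
#   root_shadow_state /var/lib/lxc/centostest/rootfs/etc/shadow
```

A result of "locked" means no password was ever stored for root in that rootfs, so no typed password can succeed at the console login.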