machined: improve error message when "machinectl login" is used on a container without dbus inside #685

Closed
rickysarraf opened this issue Jul 23, 2015 · 18 comments · 5 participants
@rickysarraf commented Jul 23, 2015

Filing it here as this does not look to have been fixed. The same bug is also filed on Debian at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792882

Package: systemd
Version: 222-2
Severity: important
File: /bin/machinectl
Tags: patch

I am evaluating moving from LXC to systemd-nspawn. During the course, I've run into the following problem, which is known upstream, and claimed to be fixed.

My hope was that the fix was part of the 222 release, but I guess that is not the case.

The fix: f227310

The problem:

chutzpah:~# machinectl list
MACHINE CLASS SERVICE
deb-template container nspawn

1 machines listed.

chutzpah:~# machinectl login deb-template
Failed to get machine PTY: Input/output error

chutzpah:~# machinectl list
MACHINE CLASS SERVICE
deb-template container nspawn

1 machines listed.

chutzpah:~# machinectl list-images
NAME TYPE RO USAGE CREATED MODIFIED
ceph directory no n/a n/a n/a
deb-template directory no n/a n/a n/a
jenkins directory no n/a n/a n/a
trusty-template directory no n/a n/a n/a
ubuntu directory no n/a n/a n/a

5 images listed.

chutzpah:~# man systemd-nspawn
chutzpah:~# machinectl login deb-template
Failed to get machine PTY: Input/output error

-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.2+ (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii adduser 3.113+nmu3
ii libacl1 2.2.52-2
ii libapparmor1 2.9.2-3
ii libaudit1 1:2.4.2-1
ii libblkid1 2.26.2-6
ii libc6 2.19-18
ii libcap2 1:2.24-9
ii libcap2-bin 1:2.24-9
ii libcryptsetup4 2:1.6.6-5
ii libgcrypt20 1.6.3-2
ii libkmod2 20-1
ii liblzma5 5.1.1alpha+20120614-2.1
ii libmount1 2.26.2-6
ii libpam0g 1.1.8-3.1
ii libseccomp2 2.2.1-2
ii libselinux1 2.3-2+b1
ii libsystemd0 222-2
ii mount 2.26.2-6
ii sysv-rc 2.88dsf-59.2
ii udev 221-1+deb9u2
ii util-linux 2.26.2-6

Versions of packages systemd recommends:
ii dbus 1.8.18-1
ii libpam-systemd 222-2

Versions of packages systemd suggests:
pn systemd-ui

-- Configuration Files:
/etc/systemd/logind.conf changed:
[Login]
HandleLidSwitch=ignore
LidSwitchIgnoreInhibited=yes

-- no debconf information

@richardmaw-codethink (Contributor) commented Jul 23, 2015

machinectl login works by creating the pty and speaking to the d-bus daemon in the container, asking systemd to start a container-getty@$pty.service.

If you're not running systemd or d-bus in the container it can't start this service.

Additionally, machinectl login cannot currently handle containers in uid-shifted user namespaces, since machinectl login doesn't enter the uid namespace when trying to talk to the d-bus daemon in the container, so the credential check fails from having the wrong UIDs.

@rickysarraf (Author) commented Jul 23, 2015

In the deb-template container, systemd is installed.

root@deb-template:~# dpkg -l | grep -i systemd
ii libsystemd0:amd64 222-2 amd64 systemd utility library
ii systemd 222-2 amd64 system and service manager
ii systemd-sysv 222-2 amd64 system and service manager - SysV links

But not dbus. So I went ahead and installed dbus into it. And yes, it works after that. Thanks.
The login, I guess, is restricted because root's login is usually restricted to TTYs mentioned in securetty?

rrs@learner:~$ sudo machinectl list
MACHINE CLASS SERVICE
deb-template container nspawn

1 machines listed.
2015-07-23 / 17:43:11 ♒♒♒ ☺
rrs@learner:~$ sudo machinectl login deb-template
Connected to machine deb-template. Press ^] three times within 1s to exit session.

Debian GNU/Linux stretch/sid deb-template pts/0

deb-template login: root

Login incorrect
deb-template login: root

Login incorrect
deb-template login: rrs
Password:

Login incorrect
deb-template login: ^^^
Debian GNU/Linux stretch/sid deb-template pts/0

deb-template login:
Connection to machine deb-template terminated.
2015-07-23 / 17:44:45 ♒♒♒ ☺

@mbiebl (Contributor) commented Jul 23, 2015

@rickysarraf have you read https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771675#20 which I referenced in the Debian bug report?

@mbiebl (Contributor) commented Jul 23, 2015

I stumbled about this /dev/pts/0 problem and securetty as well. But I'm not sure if adding pts/0 to /etc/securetty is the correct solution.

@mbiebl (Contributor) commented Jul 23, 2015

Quoting http://unix.stackexchange.com/questions/41840/effect-of-entries-in-etc-securetty:

> adding entries like pts/[0-9]* will allow programs that use pseudo-terminals (pty) and pam_securetty to login into root assuming the allocated pty is one of the ones listed; it's normally a good idea not to include these entries because it's a security risk; it would allow, for instance, someone to login into root via telnet, which sends passwords in plaintext (note that pts/[0-9]* is the format for udev which is used in RHEL 5.5; it will be different if using devfs or some other form of device management)

So, shipping a default configuration for /etc/securetty including pts/0 doesn't sound like something we would want.

@rickysarraf (Author) commented Jul 23, 2015

@mbiebl Thanks. That is in line with what I saw, and the workaround works too.

So, when using systemd-nspawn, the terminal environment is /dev/console (which is mentioned in securetty), whereas machinectl uses pts/0 (the usual tty service used over network for pseudo tty).

@poettering (Member) commented Jul 23, 2015

Could you please strace machined right before issuing the "machinectl login" command with the options "strace -p $PID -s 500 -o /tmp/mctl.log -f", with $PID being machined's PID. Then issue the command in another window, and cancel the strace with C-c, and append the /tmp/mctl.log file here. Thanks!

@poettering poettering added analyze machine and removed analyze labels Jul 23, 2015

@mbiebl (Contributor) commented Jul 23, 2015

@poettering there are two issues here:
machinectl login requiring dbus (and systemd) running in the container, and @rickysarraf didn't have dbus installed. Is machinectl login supposed to be working without dbus running inside the container?

The second one, is that Debian enables pam_securetty, and /etc/securetty doesn't list pts/0. See my comment at #685 (comment)

@poettering (Member) commented Jul 23, 2015

@mbiebl ah, yeah machinectl login does require dbus inside the container, no way around that.

well /etc/securetty is only about root logins, not about any other logins. As such it is unrelated to the issue at hand.

That said, pam_securetty is total crack from pre-hotplug times (since it assumes the primary tty name was stable) where physical ttys and modems existed. It's completely useless cruft on modern systems... Kill it. It's just annoying, and given that SSH is the way into systems these days also completely misleading.

I figure we can consider the case closed, but we should turn this into an RFE issue to improve the error message in the case dbus is missing from the container?
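The two prerequisites this thread has established, checked offline against a constructed directory rather than a live container. This is an added example, not code from the systemd project or from any participant: it assumes a Debian-style layout (init at lib/systemd/systemd, bus daemon at usr/bin/dbus-daemon, root-login allow-list at etc/securetty) and reproduces pam_securetty's exact-line matching for root without the module's extra console-detection rule.

```shell
#!/bin/sh
# Added example, not systemd project code. Reproduces the two checks a root
# "machinectl login" session has to pass, against a local directory instead
# of a running container:
#   1. machined asks the container's systemd, over the container's D-Bus
#      system bus, to start container-getty@<pty>.service, so both an init
#      named systemd and a bus daemon must exist in the root (assumed paths).
#   2. pam_securetty then allows a *root* login only if the tty, minus its
#      /dev/ prefix, appears verbatim as a line of /etc/securetty; other users
#      are never gated by it. Simplified: the real module additionally accepts
#      ttys named in /sys/class/tty/console/active.

# 0 if the root contains a systemd init and a dbus-daemon binary, else 1.
container_has_system_bus() {
    root=$1
    has_init=1
    for p in lib/systemd/systemd usr/lib/systemd/systemd; do
        if [ -f "$root/$p" ]; then has_init=0; fi
    done
    has_bus=1
    for p in usr/bin/dbus-daemon bin/dbus-daemon; do
        if [ -f "$root/$p" ]; then has_bus=0; fi
    done
    [ "$has_init" -eq 0 ] && [ "$has_bus" -eq 0 ]
}

# 0 if pam_securetty would let USER log in on TTY inside ROOT, else 1.
securetty_allows() {
    root=$1
    tty=${2#/dev/}                  # the module strips a leading /dev/
    user=${3:-root}
    [ "$user" = root ] || return 0  # only root is subject to the check
    f="$root/etc/securetty"
    [ -f "$f" ] || return 0         # no file at all: the module permits
    # exact fixed-string line match; comments and blank lines are ignored
    grep -v '^[[:space:]]*#' "$f" | grep -qxF -- "$tty"
}

# Runs both checks and reports which step a root "machinectl login" fails at.
# Exit codes: 0 ok, 2 nothing to talk to over the bus, 3 refused by pam_securetty.
preflight() {
    root=$1
    tty=$2
    if ! container_has_system_bus "$root"; then
        echo "$root: no systemd+dbus inside, machined cannot start a getty" >&2
        return 2
    fi
    if ! securetty_allows "$root" "$tty" root; then
        echo "$root: root login on $tty would be refused by pam_securetty" >&2
        return 3
    fi
    echo "$root: root login on $tty can succeed"
}

# Builds a constructed throw-away root; pass with-dbus to add the bus daemon.
# Its securetty is a typical default: console and real ttys, no pts/N entries.
make_fake_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lib/systemd" "$dir/usr/bin" "$dir/etc"
    : > "$dir/lib/systemd/systemd"
    if [ "$1" = with-dbus ]; then : > "$dir/usr/bin/dbus-daemon"; fi
    printf '# constructed /etc/securetty\nconsole\ntty1\ntty2\n' > "$dir/etc/securetty"
    echo "$dir"
}

# Demonstration: the reporter's first container (systemd, no dbus), then one
# with dbus whose default securetty still refuses root on the pty machinectl
# allocates, /dev/console which is listed, and finally the pts/0 workaround.
demo() {
    no_bus=$(make_fake_root without-dbus)
    with_bus=$(make_fake_root with-dbus)
    preflight "$no_bus" /dev/pts/0 || echo "  -> exit $?"
    preflight "$with_bus" /dev/pts/0 || echo "  -> exit $?"
    preflight "$with_bus" /dev/console
    echo pts/0 >> "$with_bus/etc/securetty"   # widens root login to a pty
    preflight "$with_bus" /dev/pts/0
    rm -rf "$no_bus" "$with_bus"
}
demo
```

Run it as-is to see the three outcomes in order; point preflight at a real container root (for example a directory under /var/lib/machines) to find out before typing machinectl login whether the failure will be "no bus to reach" or "root refused on pts/N". The last step of the demo is the workaround the thread discusses, and carries exactly the cost mbiebl quotes: every service that hands root a pts/0 gets the same allowance.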

@mbiebl (Contributor) commented Jul 23, 2015

Sounds like a good idea to improve the error message if dbus is not running.
It took me a bit to figure out what was going wrong.

As for pam_securetty: I'll talk to our login/pam package maintainers to see what they have to say about dropping it from /etc/pam.d/login
@martinpitt I see that Ubuntu enables securetty in /etc/pam.d/login as well, so this affects Ubuntu in the same way.

@poettering poettering changed the title from "/bin/machinectl: machinectl fails to login to container" to "machined: improve error message when "machinectl login" is used on a container without dbus inside" Jul 23, 2015

@rickysarraf (Author) commented Jul 24, 2015

Is the dependency on dbus/systemd a hard dependency?
systemd-nspawn was able to boot whereas machinectl failed. So it was confusing. My initial impression was that systemd-nspawn was the main workhorse, and machinectl a wrapper on top of it.

@poettering (Member) commented Jul 24, 2015

Yes, "machinectl login" only works if systemd+dbus are running inside the container. It instantiates a new getty for the login, and it can do that only if there's something inside that we can talk to. This is even documented in the man page for machinectl (though dbus is not explicitly mentioned, but we make very clear in README anyway that systemd without dbus isn't really supported outside of smaller embedded setups).

@rainerborene commented Sep 7, 2015

Same problem here. As you can see in the log file it is related to the /dev/pts/0 issue. But I am not sure how to fix this issue. Appending tty0 to /etc/securetty in the container didn't work. Any ideas?

$ machinectl status debian
debian
       Since: Mon 2015-09-07 13:53:28 BRT; 6min ago
      Leader: 14547 (systemd)
     Service: nspawn; class container
        Root: /var/lib/machines/debian
       Iface: ve-debian
          OS: Debian GNU/Linux 8 (jessie)
        Unit: systemd-nspawn@debian.service
          ├─14544 /usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --machine=debian
          ├─14547 /lib/systemd/systemd
          └─system.slice
            ├─dbus.service
            │ └─14628 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
            ├─cron.service
            │ └─14624 /usr/sbin/cron -f
            ├─systemd-journald.service
            │ └─14575 /lib/systemd/systemd-journald
            ├─systemd-logind.service
            │ └─14627 /lib/systemd/systemd-logind
            ├─console-getty.service
            │ └─14637 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt102
            └─rsyslog.service
              └─14629 /usr/sbin/rsyslogd -n

Sep 07 13:53:29 arch systemd-nspawn[14544]: Starting Console Getty...
Sep 07 13:53:29 arch systemd-nspawn[14544]: [  OK  ] Started Console Getty.
Sep 07 13:53:29 arch systemd-nspawn[14544]: [  OK  ] Reached target Login Prompts.
Sep 07 13:53:29 arch systemd-nspawn[14544]: [  OK  ] Started Cleanup of Temporary Directories.
Sep 07 13:53:29 arch systemd-nspawn[14544]: [  OK  ] Started Login Service.
Sep 07 13:53:29 arch systemd-nspawn[14544]: [  OK  ] Reached target Multi-User System.
Sep 07 13:53:29 arch systemd-nspawn[14544]: [  OK  ] Reached target Graphical Interface.
Sep 07 13:53:29 arch systemd-nspawn[14544]: Starting Update UTMP about System Runlevel Changes...
Sep 07 13:53:29 arch systemd-nspawn[14544]: [  OK  ] Started Update UTMP about System Runlevel Changes.
Sep 07 13:53:30 arch systemd-nspawn[14544]: Debian GNU/Linux 8 arch console

@rainerborene commented Sep 8, 2015

If I open a terminal session whose tty is /dev/pts/0, the connection is established but my terminal window closes automatically. Here's the strace log.

@poettering (Member) commented Sep 8, 2015

@rainerborene that issue is unrelated and already fixed in git. We'll do a new release today, where that's fixed.

@poettering poettering closed this in 385080c Sep 8, 2015

@rickysarraf (Author) commented Sep 14, 2015

@poettering machinectl still does not work as documented. Please see the console output below. I can't log in to the container. The container does have dbus and systemd in it. With the new systemd (226), the only improvement is that now I get the same error message in all the containers.

rrs@chutzpah:~$ machinectl login fedora
Failed to get login PTY: There is no system bus in container fedora.
21:29 ♒♒♒ ☹ => 1

rrs@chutzpah:~$ machinectl login fedora
Failed to get login PTY: There is no system bus in container fedora.
21:30 ♒♒♒ ☹ => 1

rrs@chutzpah:~$ machinectl login deb-template
Failed to get login PTY: There is no system bus in container deb-template.
21:30 ♒♒♒ ☹ => 1

rrs@chutzpah:~$ sudo systemctl status -M deb-template
● deb-template
State: running
Jobs: 0 queued
Failed: 0 units
Since: Mon 2015-09-14 21:30:21 IST; 1min 35s ago
CGroup: /machine.slice/systemd-nspawn@deb\x2dtemplate.service
├─8442 /usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal
├─8445 /lib/systemd/systemd
└─system.slice
├─dbus.service
│ └─8669 /usr/bin/dbus-daemon --system --address=systemd: --nofork --n
├─networking.service
│ └─8647 dhclient -v -pf /run/dhclient.host0.pid -lf /var/lib/dhcp/dhc
├─systemd-journald.service
│ └─8492 /lib/systemd/systemd-journald
├─ssh.service
│ └─8674 /usr/sbin/sshd -D
├─systemd-logind.service
│ └─8671 /lib/systemd/systemd-logind
└─console-getty.service
└─8676 /sbin/agetty --noclear --keep-baud console 115200 38400 9600

@poettering (Member) commented Sep 18, 2015

@rickysarraf could you open a new bug about that please?

@rickysarraf (Author) commented Sep 18, 2015

@poettering Created new issue with fresh logs. Let's follow it there. #1298
