
Container root "Login incorrect" when run from '/usr/lib/systemd/system/systemd-nspawn@.service' #852

Closed · kaihendry opened this Issue Aug 4, 2015 · 10 comments · 4 participants

kaihendry (Author) commented Aug 4, 2015

https://www.youtube.com/watch?v=GQfxODGmbVM

It works fine from sudo systemd-nspawn -b -D /var/lib/machines/bar -n as the https://wiki.archlinux.org/index.php/Systemd-nspawn suggests, but not from the service file. What am I missing?

richardmaw-codethink (Contributor) commented Aug 4, 2015

One difference is that the nspawn service uses the --machine option, rather than --directory.

Another difference is that if you boot with nspawn directly, you are logged in by its primary terminal, while if you log in with machinectl login you end up on a secondary terminal.
I don't know what arch does, but I've heard some distributions put extra restrictions on root access for non primary terminals. Can you log in as another user?

kaihendry (Author) commented Aug 4, 2015

There is no other user besides root.

I am not sure what the difference between a primary and a secondary terminal is. Sidenote: in my ideal world, I would just get a root shell. I don't feel the need to type user/pass to log in to a container from a host. In fact it would be awesome if containers did away with permissions so I could focus on sandboxing just with a container. ;)

I peered at https://bugs.archlinux.org/?project=1&cat%5B%5D=31&string=systemd but only similar-ish bug https://bugs.archlinux.org/task/45094?project=1&cat%5B0%5D=31&string=systemd sounds like something else.

richardmaw-codethink (Contributor) commented Aug 4, 2015

On Tue, Aug 04, 2015 at 06:59:07AM -0700, Kai Hendry wrote:

> There is no other user besides root.

If you were to add one and see whether you could log in as that user, we could narrow down the source of the problem.

> I am not sure what the difference between a primary and a secondary terminal is.

Generally which ones are listed in /etc/securetty and which aren't.

> Sidenote: in my ideal world, I would just get a root shell. I don't feel the need to type user/pass to log in to a container from a host. In fact it would be awesome if containers did away with permissions so I could focus on sandboxing just with a container. ;)

You can run commands in your container without logging in with systemd-run; use the --machine option.

> I peered at https://bugs.archlinux.org/?project=1&cat%5B%5D=31&string=systemd but only similar-ish bug https://bugs.archlinux.org/task/45094?project=1&cat%5B0%5D=31&string=systemd sounds like something else.

Possibly not, I'd still recommend checking whether it's because /etc/securetty doesn't list the pts terminals.

kaihendry (Author) commented Aug 4, 2015

Don't quite understand how I am supposed to log in...

```
[hendry@nuc ~]$ machinectl
MACHINE CLASS     SERVICE
bar     container nspawn

1 machines listed.
[hendry@nuc ~]$ sudo machinectl -M bar /bin/bash
Unknown operation /bin/bash.
[hendry@nuc ~]$ sudo machinectl -M bar bash
Unknown operation bash.
[hendry@nuc ~]$ sudo systemd-run -M bar bash
Running as unit run-22360.service.
```

/var/lib/machines/bar/etc/securetty for an Archlinux pacstrap 2015-08-04

Creating a user and setting its passwd allows me to log in... http://s.natalian.org/2015-08-04/1438701575_1912x1036.png Still prefer to just use root.

Is it because root has no password set in the shadow?

```
[root@bar ~]# cat /etc/shadow
root::14871::::::
```

richardmaw-codethink (Contributor) commented Aug 4, 2015

On Tue, Aug 04, 2015 at 08:22:18AM -0700, Kai Hendry wrote:

> Don't quite understand how I am supposed to log in...
>
> ```
> [hendry@nuc ~]$ machinectl
> MACHINE CLASS     SERVICE
> bar     container nspawn
>
> 1 machines listed.
> [hendry@nuc ~]$ sudo systemd-run -M bar bash
> Running as unit run-22360.service.
> ```

You can't do interactive commands with systemd-run, hence why you log in with machinectl login.

> /var/lib/machines/bar/etc/securetty for an Archlinux pacstrap 2015-08-04
>
> Creating a user and setting its passwd allows me to log in... http://s.natalian.org/2015-08-04/1438701575_1912x1036.png Still prefer to just use root.
>
> Is it because root has no password set in the shadow?
>
> ```
> [root@bar ~]# cat /etc/shadow
> root::14871::::::
> ```

You can't log in as root because Arch is configured to use pam_securetty, which doesn't let root log in on any tty device not listed in /etc/securetty, and since it's a container, you don't get an actual tty device, you get a pseudo-tty, the first of which will be pts/0.

This is not a bug with systemd, but with a configuration option Arch has explicitly chosen.

If you want root logins by default in Arch containers please persuade Arch to not use pam_securetty, or to add the pts devices to the whitelist.

poettering (Member) commented Aug 4, 2015

Yes, pam_securetty is really an obsolete thing. It comes from a time when tty names were static. But today very few ttys are actual good old mainboard serial ports; pretty much all of them instead are plugged in via USB or are pseudo ttys. Either way, their names are not fixed as /etc/securetty expects, so the entire concept is obsolete.

Hence: please ask your distro to stop shipping with pam_securetty enabled by default, it's really a thing of the past. In the meantime remove it manually from all files in /etc/pam.d/* or add all your potential current and future ptys to /etc/securetty.

Closing, as this is something systemd is not responsible for, but something to fix in your distro.

kaihendry (Author) commented Aug 5, 2015

Not sure if you have an Archlinux liaison, so I filed https://bugs.archlinux.org/task/45903 so it can hopefully be fixed in my distro.

richardmaw-codethink (Contributor) commented Aug 6, 2015

@kaihendry I stumbled across #825, which mentions the possibility of adding a machinectl shell command, which given your previous comment on this issue:

> Sidenote: in my ideal world, I would just get a root shell. I don't feel the need to type user/pass to log in to a container from a host.

I thought you'd be interested.

kaihendry (Author) commented Aug 6, 2015

Thanks for taking the time to inform me! Oh btw I made a tutorial video today about containers and Arch where I disabled pam_securetty in one of the steps. https://www.youtube.com/watch?v=7Obl8_dozh0 You might find it entertaining.

net147 (Contributor) commented Aug 7, 2015

You could just delete /etc/securetty from the container which will allow root login on all ttys.
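The three remedies discussed in this thread (richardmaw's "add the pts devices to the whitelist", poettering's "remove pam_securetty or list your ptys", and net147's "delete /etc/securetty") all turn on the same rule: pam_securetty allows root only on a tty named in /etc/securetty, and treats a missing file as "allow everything". The script below is an added example, not code from the systemd project or from anyone in this thread. It models that decision in POSIX sh with a simplified lookup (the real module also consults /sys/class/tty/console/active, which is not modelled here), works only on a constructed securetty file in a temporary directory rather than the real /etc, and lets you check in advance whether a given pts name would be accepted before you change a container's configuration. The function names `securetty_allows` and `add_pts_entries` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the systemd issue thread): a simplified model of the
# pam_securetty decision. Only the /etc/securetty list lookup and the
# "file missing => allow" behaviour are modelled; the module's extra
# /sys/class/tty/console/active check is deliberately left out.

# securetty_allows FILE TTY
#   Returns 0 when root login on TTY would pass pam_securetty with FILE as
#   /etc/securetty, 1 otherwise. TTY may be given as "pts/0" or "/dev/pts/0".
securetty_allows() {
    file=$1
    tty=$2
    # pam_securetty strips a leading /dev/ before comparing names
    tty=${tty#/dev/}
    # Missing file: pam_securetty returns PAM_SUCCESS (net147's "delete it" fix)
    [ -e "$file" ] || return 0
    # Exact whole-line match against the whitelist; comments are ignored
    grep -v '^[[:space:]]*#' "$file" | grep -qx -- "$tty"
}

# add_pts_entries FILE N
#   Appends pts/0 .. pts/(N-1) to FILE unless already present
#   (richardmaw's "add the pts devices to the whitelist" fix).
add_pts_entries() {
    file=$1
    n=$2
    i=0
    while [ "$i" -lt "$n" ]; do
        grep -qx -- "pts/$i" "$file" 2>/dev/null || echo "pts/$i" >> "$file"
        i=$((i + 1))
    done
}

# Demo on a constructed securetty in a temp dir; the real /etc is never touched.
demo() {
    d=$(mktemp -d)
    f="$d/securetty"
    # Constructed sample mirroring a stock list: physical consoles only
    printf '%s\n' '# constructed sample' console tty1 tty2 ttyS0 > "$f"
    securetty_allows "$f" tty1 && echo "tty1: root login allowed"
    securetty_allows "$f" pts/0 || echo "pts/0: root login denied (the container case)"
    add_pts_entries "$f" 4
    securetty_allows "$f" /dev/pts/3 && echo "pts/3: allowed after whitelisting"
    rm -rf "$d"
}

demo
```

Whitelisting pts/0..pts/N is the narrower of the two fixes: it keeps pam_securetty active for every other device and only admits the pseudo-terminals a container login will actually be given, whereas deleting the file or the module lifts the restriction for all ttys on that system.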

evverx referenced this issue Mar 7, 2016: cant login in nspawn container via machinectl #2808 (Closed)

awood added a commit to awood/salmon that referenced this issue Aug 31, 2016

Add option to remove /etc/securetty from the container.
The presence of /etc/securetty will cause `machinectl login` to break.
The clumsy solution is to remove it entirely.

See also systemd/systemd#852 and
https://wiki.archlinux.org/index.php/Systemd-nspawn#root_login_fails