lxc !tty !ssh

orangeicebear
Posts: 9
Registered: 26.05.2019 10:51:54


Post by orangeicebear » 29.10.2019 13:04:20

Hello, on a fresh debian/buster with lxc I get no tty login prompt and also cannot connect via ssh.

Code:

root@bubu ~ # lxc-attach -n db passwd               
New password: 
Retype new password: 
passwd: password updated successfully
root@bubu ~ # ssh root@10.0.3.249     
root@10.0.3.249's password: 
Permission denied, please try again.
root@10.0.3.249's password:

Code:

lxc-console -n db                                                                                                         :(

Connected to tty 1
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself

The container is running, gets an IP and can be reached via lxc-attach.

Code:

root@bubu ~ # lxc-attach -n db ip a  
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:77:a8:e0 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.3.249/24 brd 10.0.3.255 scope global dynamic eth0
       valid_lft 2286sec preferred_lft 2286sec
    inet6 fe80::216:3eff:fe77:a8e0/64 scope link 
       valid_lft forever preferred_lft forever

Currently I am trying to solve the problem with 2 bridges;
2 containers run on each bridge.

Code:

root@bubu ~ # lxc-ls -f            
NAME   STATE   AUTOSTART GROUPS IPV4           IPV6 UNPRIVILEGED 
db     RUNNING 1         -      10.0.3.249     -    false        
drupal RUNNING 1         -      10.0.3.81      -    false        
mail   RUNNING 1         -      192.168.122.63 -    false        
proxy  RUNNING 1         -      192.168.122.83 -    false

virbr0 was created following this documentation: https://wiki.debian.org/LXC

Code:

$ sudo apt-get install -qy libvirt-clients libvirt-daemon-system iptables ebtables dnsmasq-base
$ sudo virsh net-start default
$ sudo virsh net-autostart default

lxcbr0

Code:

cat /etc/default/lxc-net
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DOMAIN=""

Code:

ip r
default via 116.202.112.129 dev enp35s0 onlink 
10.0.3.0/24 dev lxcbr0 proto kernel scope link src 10.0.3.1 
116.202.112.128/26 via 116.202.112.129 dev enp35s0 
116.202.112.128/26 dev enp35s0 proto kernel scope link src MEINEIP 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 

I have tried it with AppArmor and without.

Code:

root@bubu ~ # cat /var/lib/lxc/db/config
# lxc.apparmor.profile = generated
# lxc.apparmor.allow_nesting = 1
lxc.net.0.type = veth
lxc.net.0.hwaddr = 00:16:3e:77:a8:e0
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.rootfs.path = dir:/var/lib/lxc/db/rootfs

# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf

# Container specific configuration
lxc.tty.max = 4
lxc.uts.name = db
lxc.arch = amd64
lxc.pty.max = 1024
lxc.start.auto = 1

Code:

cat /usr/share/lxc/config/debian.common.conf
# This derives from the global common config
lxc.include = /usr/share/lxc/config/common.conf

# Doesn't support consoles in /dev/lxc/
lxc.tty.dir = lxc

# When using LXC with apparmor, the container will be confined by default.
# If you wish for it to instead run unconfined, copy the following line
# (uncommented) to the container's configuration file.
lxc.apparmor.profile = unconfined

# If you wish to allow mounting block filesystems, then use the following
# line instead, and make sure to grant access to the block device and/or loop
# devices below in lxc.cgroup.devices.allow.
#lxc.apparmor.profile = lxc-container-default-with-mounting

# Extra cgroup device access
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm

Code:

cat /etc/lxc/default.conf
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1

lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up

Code:

cat /etc/default/lxc 
# LXC_AUTO - whether or not to start containers at boot
LXC_AUTO="true"

# BOOTGROUPS - What groups should start on bootup?
#	Comma separated list of groups.
#	Leading comma, trailing comma or embedded double
#	comma indicates when the NULL group should be run.
# Example (default): boot the onboot group first then the NULL group
BOOTGROUPS="onboot,"

# SHUTDOWNDELAY - Wait time for a container to shut down.
#	Container shutdown can result in lengthy system
#	shutdown times.  Even 5 seconds per container can be
#	too long.
SHUTDOWNDELAY=5

# OPTIONS can be used for anything else.
#	If you want to boot everything then
#	options can be "-a" or "-a -A".
OPTIONS=

# STOPOPTS are stop options.  The can be used for anything else to stop.
#	If you want to kill containers fast, use -k
STOPOPTS="-a -A -s"

USE_LXC_BRIDGE="true"  # overridden in lxc-net

[ ! -f /etc/default/lxc-net ] || . /etc/default/lxc-net

schorsch_76
Posts: 2544
Registered: 06.11.2007 16:00:42
License of own posts: MIT License

Re: lxc !tty !ssh

Post by schorsch_76 » 29.10.2019 13:35:18

With the LXC containers you have to install ssh inside the container. Then it should work. As shipped they are very minimal. Not even ping is installed.

The terminal, i.e. lxc-console, works for me too. But I first have to press <Enter> again, then lxc-terminal shows me the login prompt.


Re: lxc !tty !ssh

Post by orangeicebear » 29.10.2019 13:57:49

ssh was already installed
pressing enter was my first suspicion, but unfortunately not the solution

Code:

root@bubu ~ # lxc-attach -n db ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  21432  9368 ?        Ss   11:33   0:00 /sbin/init
root        37  0.0  0.0  27440 10676 ?        Ss   11:33   0:00 /lib/systemd/systemd-journald
root        63  0.0  0.0   9492  5612 ?        Ss   11:33   0:00 /sbin/dhclient -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.
root        87  0.0  0.0   5384  2016 pts/0    Ss+  11:33   0:00 /sbin/agetty -o -p -- \u --noclear --keep-baud console 115200,38400,9600 vt220
root        88  0.0  0.0  15840  6600 ?        Ss   11:33   0:00 /usr/sbin/sshd -D
root       119  0.0  0.0  10632  3096 ?        Rs+  12:36   0:00 ps aux

Code:

127 root@bubu ~ # lxc-checkconfig                                                                                                           :(
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-4.19.0-6-amd64
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled

--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points: 
/sys/fs/cgroup/systemd
/sys/fs/cgroup/pids
/sys/fs/cgroup/cpu,cpuacct
/sys/fs/cgroup/freezer
/sys/fs/cgroup/memory
/sys/fs/cgroup/rdma
/sys/fs/cgroup/perf_event
/sys/fs/cgroup/blkio
/sys/fs/cgroup/net_cls,net_prio
/sys/fs/cgroup/cpuset
/sys/fs/cgroup/devices

Cgroup v2 mount points: 
/sys/fs/cgroup/unified

Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, loaded
Advanced netfilter: enabled, loaded
CONFIG_NF_NAT_IPV4: enabled, loaded
CONFIG_NF_NAT_IPV6: enabled, loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: 

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

Code:

root@bubu ~ # ssh root@192.168.122.249                
root@192.168.122.249's password: 
Permission denied, please try again.
root@192.168.122.249's password: 

130 root@bubu ~ # lxc-attach -n db apt install iputils-ping                                                                                 :(
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  iputils-ping
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 43.0 kB of archives.
After this operation, 102 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian buster/main amd64 iputils-ping amd64 3:20180629-2 [43.0 kB]
Fetched 43.0 kB in 0s (1,080 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package iputils-ping.
(Reading database ... 8769 files and directories currently installed.)
Preparing to unpack .../iputils-ping_3%3a20180629-2_amd64.deb ...
Unpacking iputils-ping (3:20180629-2) ...
Setting up iputils-ping (3:20180629-2) ...
root@bubu ~ # lxc-attach -n db ip a                    
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
18: eth0@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:77:a8:e0 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.122.249/24 brd 192.168.122.255 scope global dynamic eth0
       valid_lft 3442sec preferred_lft 3442sec
    inet6 fe80::216:3eff:fe77:a8e0/64 scope link 
       valid_lft forever preferred_lft forever
root@bubu ~ # lxc-console -n db    

Connected to tty 1
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself





sdf
sdf
root



Re: lxc !tty !ssh

Post by schorsch_76 » 29.10.2019 14:15:30

The root user is _not_ allowed to log in with the default config. Create a normal user and then use sudo or "su -".


Re: lxc !tty !ssh

Post by orangeicebear » 29.10.2019 14:31:06

Code:

orangeicebear@bubu:~$ sudo lxc-console -n db

Connected to tty 1
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself


pressed enter several times


orangeicebear@bubu:~$ sudo lxc-console -n proxy

Connected to tty 1
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself

pressed enter several times

orangeicebear@bubu:~$ sudo lxc-console -n mail

Connected to tty 1
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself


pressed enter several times

orangeicebear@bubu:~$ sudo lxc-console -n drupal

Connected to tty 1
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself

pressed enter several times

orangeicebear@bubu:~$


Re: lxc !tty !ssh

Post by schorsch_76 » 29.10.2019 14:43:50

To clarify: with the default config, root is not allowed to log in via ssh.

Keyword: PermitRootLogin in sshd_config

EDIT: Regarding lxc-console, see
https://discuss.linuxcontainers.org/t/w ... mpt/5423/2
and Debian bug report 907615
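
The PermitRootLogin behaviour named in the post above, as an added example that is not part of the thread: a shell check that reads an sshd_config file and reports whether root can log in with a password. The helper names `effective_option` and `root_password_login` are hypothetical, the sample file is constructed, and `prohibit-password` is assumed as OpenSSH's compiled-in default.

```shell
#!/bin/sh
# Added example (not from the thread): reads one sshd_config file and reports
# whether root may log in with a password. Assumptions: single-file config,
# Include files and Match blocks are not evaluated, and keyboard-interactive
# authentication via PAM is not considered.

# effective_option FILE KEYWORD DEFAULT
# sshd keeps the first value it reads for a keyword; keywords are
# case-insensitive and may be written "Key value" or "Key=value".
effective_option() {
    awk -v want="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)    # normalise "Key=value"
            gsub(/"/, "", line)                # drop optional quotes
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit           # conditional section starts
            if (key == tolower(want) && n >= 2) { found = tolower(f[2]); exit }
        }
        END { print (found != "" ? found : def) }
    ' "$1"
}

# root_password_login FILE: prints "allowed" or "denied (<reason>)"
root_password_login() {
    prl=$(effective_option "$1" PermitRootLogin prohibit-password)
    pwa=$(effective_option "$1" PasswordAuthentication yes)
    if [ "$prl" = "yes" ] && [ "$pwa" = "yes" ]; then
        echo "allowed"
    else
        echo "denied (PermitRootLogin=$prl PasswordAuthentication=$pwa)"
    fi
}

# Constructed sample resembling a stock file: the directive exists only as a
# comment, so the compiled-in default "prohibit-password" applies.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
UsePAM yes
EOF
root_password_login "$sample"
rm -f "$sample"
```

Inside a container the file can be read from the host with `lxc-attach -n NAME -- cat /etc/ssh/sshd_config` and saved for this check.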


Re: lxc !tty !ssh

Post by orangeicebear » 29.10.2019 14:54:44

I'm in via ssh
but tty does not work with lxc-console

lxc-attach -n NAME -- login
works, though

Thanks!
:hail: :idea: :mrgreen:
