lxc 3.0.2/3 - cannot create root password in privileged container

Bug #1807134 reported by km on 2018-12-06
This bug affects 1 person
Affects: lxc (Ubuntu)

Bug Description

Prior to filing this as a potential bug, help was sought but did not yield a remedy.


host - ubuntu cosmic with kernel 4.18.0-12 / systemd 239-7 / apparmor 2.12

Whilst there is no issue with creating a root password via lxc-attach and passwd in an unprivileged container, it is however not possible to create a password the same way for a privileged container (tried CentOS 7 and Ubuntu cosmic).

Error reported from within the containers:

passwd: System error
passwd: Authentication token manipulation error

Error reported at the host:

passwd: PAM audit_log_acct_message() failed: Operation not permitted

Next tried with:

chroot /container/path/rootfs passwd

but that produced the same error.

Next tried with:

lxc.cap.keep = CAP_AUDIT_WRITE

but the container would not boot.

Next tried with:

lxc.apparmor.profile = unconfined

but no remedy.

Next switched the kernel to 4.19.7 but no dice either.

km (n8v8r) on 2018-12-08
description: updated
km (n8v8r) wrote :

The issue persists after having upgraded lxc to version 3.0.3

summary: - lxc 3.0.2 - cannot create root password in privileged container
+ lxc 3.0.2/3 - cannot create root password in privileged container
km (n8v8r) wrote :

The issue is due to the lxc logic, when deploying, of applying the following in default.conf:

lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

in which case the container is ultimately constructed as an unprivileged container, and this cannot be reverted with the container-specific config.

Changed in lxc (Ubuntu):
status: New → Invalid
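
A host-side check for the condition described in the last comment, as an added example that is not part of the bug report: it flags active lxc.idmap entries in a config file and classifies the uid_map of a container's init process. The function names and the sample uid_map values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Print the active (non-commented) lxc.idmap lines of a config file.
idmap_lines() {
    grep -E '^[[:space:]]*lxc\.idmap[[:space:]]*=' "$1"
}

# Exit 0 if the config maps container uid 0 to a non-zero host uid,
# i.e. the container will start inside a user namespace (unprivileged).
config_is_unprivileged() {
    idmap_lines "$1" | awk -F= '
        { n = split($2, f, " ") }
        n == 4 && f[1] == "u" && f[2] == 0 && f[3] != 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Classify the content of /proc/<init-pid>/uid_map as read on the host.
# "0 0 4294967295" is the identity map of the initial user namespace;
# anything else means the process runs with remapped ids.
classify_uid_map() {
    printf '%s\n' "$1" | awk '
        NR == 1 && $1 == 0 && $2 == 0 && $3 == 4294967295 { print "privileged"; ok = 1 }
        END { if (!ok) print "unprivileged" }'
}

demo() {
    tmp=$(mktemp)
    # Constructed sample: the two default.conf lines quoted in the report.
    printf '%s\n' 'lxc.idmap = u 0 100000 65536' \
                  'lxc.idmap = g 0 100000 65536' > "$tmp"
    if config_is_unprivileged "$tmp"; then
        echo "config: root is remapped, container will be unprivileged"
    else
        echo "config: no root remapping found"
    fi
    # Constructed uid_map content matching that mapping.
    echo "running init: $(classify_uid_map '0 100000 65536')"
    rm -f "$tmp"
}

demo
```

On a live host, pass the container's config file to config_is_unprivileged and the content of /proc/<init PID>/uid_map to classify_uid_map; lxc-info -n NAME -p -H prints that PID.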