#1 2014-02-07 06:05:22

archtaku
Member
Registered: 2010-07-02
Posts: 84

[SOLVED] Unable to install packages in lxc container

tl;dr: lxc-console should be used for logging in, not lxc-attach. Also, I had to do some additional work to get the tty to work in systemd, and I plan to update the wiki soon.


I created a container using the following command:

# lxc-create -n test -t archlinux

Once created and configured, I started the container daemonized, and attached:

# lxc-start -n test -d
# lxc-attach --clear-env -n test -- su - root

However, I am unable to install any software packages because GPG isn't working properly:

[root@test ~]# pacman -Syu openssh
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
 multilib is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for inter-conflicts...

Packages (3): ldns-1.6.17-1  libedit-20130601_3.1-1  openssh-6.5p1-2

Total Installed Size:   6.08 MiB

:: Proceed with installation? [Y/n]
(3/3) checking keys in keyring                       [###########################] 100%
(3/3) checking package integrity                     [###########################] 100%
error: GPGME error: Inappropriate ioctl for device
error: GPGME error: Inappropriate ioctl for device
error: GPGME error: Inappropriate ioctl for device
error: libedit: missing required signature
:: File /var/cache/pacman/pkg/libedit-20130601_3.1-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: ldns: missing required signature
:: File /var/cache/pacman/pkg/ldns-1.6.17-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: openssh: missing required signature
:: File /var/cache/pacman/pkg/openssh-6.5p1-2-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

error: segmentation fault
Please submit a full bug report with --debug if appropriate.

The container config is as follows:

lxc.utsname=test
lxc.autodev=1
lxc.tty=1
lxc.pts=1024
lxc.rootfs=/var/lib/lxc/test/rootfs
lxc.mount=/var/lib/lxc/test/fstab
lxc.cap.drop=mknod sys_module mac_admin mac_override
lxc.kmsg=0
lxc.stopsignal=SIGRTMIN+4
#networking
lxc.network.type=veth
lxc.network.link=br0
lxc.network.flags=up
lxc.network.name=eth0
lxc.network.ipv4=10.10.209.2/24
lxc.network.ipv4.gateway=10.10.209.1
lxc.network.mtu=1500
#cgroups
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm

Has anyone else experienced this? I've searched the web for solutions to the GPG error, and most of them relate to GPG not working in a chroot because the right things don't exist in /dev. However, I was under the impression that lxc.autodev=1 would take care of this, and indeed /dev/pts, etc. all exist in the container.

Last edited by archtaku (2014-02-07 23:19:12)

#2 2014-02-07 10:28:10

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,587

Re: [SOLVED] Unable to install packages in lxc container

Try

# pacman-key --refresh-keys

from within the container. Though, I do notice a segmentation fault, so I am not sure if it'll work.

#3 2014-02-07 16:46:34

archtaku
Member
Registered: 2010-07-02
Posts: 84

Re: [SOLVED] Unable to install packages in lxc container

x33a wrote:

Try

# pacman-key --refresh-keys

from within the container. Though, I do notice a segmentation fault, so I am not sure if it'll work.

I just did this, and the command succeeded:

gpg: refreshing 75 keys from hkp://pool.sks-keyservers.net
gpg: requesting key 5263801D from hkp server pool.sks-keyservers.net
gpg: requesting key FFF979E7 from hkp server pool.sks-keyservers.net
gpg: requesting key CDFD6BB0 from hkp server pool.sks-keyservers.net
gpg: requesting key 4C7EA887 from hkp server pool.sks-keyservers.net
... snip ...
gpg: Total number processed: 74
gpg:              unchanged: 74

However, the installation still failed.

I was able to get pacman to install openssh by turning off signature verification. I then ssh'ed into the container, turned signature verification back on, and was able to install other packages just fine.

So the issue seems to be with how lxc-attach connects to the container. A temporary solution would be:

  1. Add openssh to the list of packages installed when running lxc-create:

     # lxc-create -n test -t archlinux -- -P vim,openssh

  2. Attach to the container, run systemctl enable sshd.service, and set a root password.

  3. Detach, then ssh into the container and go about your business.

However, I'd rather have the option of not using sshd on the container, and still be able to install packages, so I don't necessarily consider this problem solved yet.

Can anyone shed some light on what I might be doing wrong when I attach to the container?

Last edited by archtaku (2014-02-07 16:46:52)
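
Added example, not part of the thread: the workaround in post #3 turns package signature verification off and back on by hand, so a host-side check that no container was left with it off is worth having. It assumes verification is controlled through SigLevel in each container's etc/pacman.conf and that containers sit under one directory such as /var/lib/lxc; the function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# audit_siglevel FILE
# Prints "<section> <level>" for every SigLevel line whose effective package
# setting is "never" or "optional". Database-only tokens such as
# DatabaseOptional are ignored. Sections without a SigLevel line are not
# reported.
audit_siglevel() {
    awk '
        /^[ \t]*#/ { next }                        # comment line
        /^[ \t]*\[[^]]*\]/ {                       # [options] or [repo]
            sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); section = $0; next
        }
        /^[ \t]*SigLevel[ \t]*=/ {
            sub(/^[^=]*=/, "")                     # keep only the value
            level = ""
            for (i = 1; i <= NF; i++) {            # later tokens win
                if ($i ~ /^(Package)?Never$/)    level = "never"
                if ($i ~ /^(Package)?Optional$/) level = "optional"
                if ($i ~ /^(Package)?Required$/) level = "required"
            }
            if (level == "never" || level == "optional")
                print section, level
        }
    ' "$1"
}

# audit_lxc_root BASE
# Runs the check on BASE/<container>/rootfs/etc/pacman.conf for every
# container and prints "<container> <section> <level>" per finding.
audit_lxc_root() {
    for conf in "$1"/*/rootfs/etc/pacman.conf; do
        [ -f "$conf" ] || continue
        name=${conf#"$1"/}; name=${name%%/*}
        audit_siglevel "$conf" | sed "s|^|$name |"
    done
}

# Constructed sample: container "test" was left with verification off,
# container "ok" has signature checking required.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/test/rootfs/etc" "$d/ok/rootfs/etc"
    printf '[options]\nSigLevel = Never\n' > "$d/test/rootfs/etc/pacman.conf"
    printf '[options]\nSigLevel = Required DatabaseOptional\n' \
        > "$d/ok/rootfs/etc/pacman.conf"
    audit_lxc_root "$d"; rm -rf "$d"
}
```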

#4 2014-02-07 22:46:10

archtaku
Member
Registered: 2010-07-02
Posts: 84

Re: [SOLVED] Unable to install packages in lxc container

OK, so it looks like I was going about this the wrong way. I should have been using lxc-console to log in, not lxc-attach. But, I still couldn't log in. I found this section on the wiki, and copied getty@.service to /etc/systemd/system within the container, made the changes noted in the patch, and did a systemctl daemon-reload. I have agetty running on the container (see below), but I still get no login prompt when I try to use lxc-console.

[root@test ~]# ps aux | grep tty
root        25  0.0  0.0   7900   804 console  Ss+  22:25   0:00 /sbin/agetty --noclear -s console 115200 38400 9600
root        96  0.0  0.0   6328   784 ?        Ss   22:34   0:00 /sbin/agetty --noclear getty
root        98  0.0  0.0  10664  1052 pts/0    S+   22:34   0:00 grep tty

Last edited by archtaku (2014-02-07 22:48:04)

#5 2014-02-07 23:16:28

archtaku
Member
Registered: 2010-07-02
Posts: 84

Re: [SOLVED] Unable to install packages in lxc container

Yay, figured it out. So, /etc/systemd/system/getty.target.wants/getty@tty1.service existed and still pointed to /lib/systemd/system/getty@.service. I pointed it at the updated copy in /etc/systemd/system/ and now I get a login prompt at the lxc-console.

Also, when I decided to up lxc.tty to 2, I needed to add another symlink for tty2 in /etc/systemd/system/getty.target.wants/ to get that tty to work.
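
The symlink fix from posts #4 and #5, as an added example run from the host against the container's rootfs (not code from the thread or the wiki). It assumes the patched getty@.service copy is already in etc/systemd/system inside the rootfs; sync_getty_links, demo_getty and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# sync_getty_links CONFIG ROOTFS
# For tty1..ttyN (N = lxc.tty in CONFIG) make the getty.target.wants links in
# ROOTFS point at the overriding unit in /etc/systemd/system.
# Prints "ttyN ok|fixed|added" per link.
sync_getty_links() {
    config=$1 rootfs=$2
    unit=/etc/systemd/system/getty@.service   # path as seen inside the container
    wants=$rootfs/etc/systemd/system/getty.target.wants
    # The links are only useful if the patched copy is really there.
    [ -f "$rootfs$unit" ] || { echo "missing $rootfs$unit" >&2; return 1; }
    # Last lxc.tty line wins; spaces around "=" are allowed.
    n=$(awk -F= '$1 ~ /^[ \t]*lxc\.tty[ \t]*$/ { gsub(/[ \t]/, "", $2); n = $2 }
                 END { print n + 0 }' "$config")
    mkdir -p "$wants"
    i=1
    while [ "$i" -le "$n" ]; do
        link=$wants/getty@tty$i.service
        if [ "$(readlink "$link" 2>/dev/null)" = "$unit" ]; then
            state=ok
        elif [ -L "$link" ] || [ -e "$link" ]; then
            state=fixed                        # e.g. still points into /lib
        else
            state=added                        # lxc.tty was raised
        fi
        [ "$state" = ok ] || ln -sfn "$unit" "$link"
        echo "tty$i $state"
        i=$((i + 1))
    done
}

# Constructed sample tree: the tty1 link still points into /lib and
# lxc.tty has been raised to 2.
demo_getty() {
    d=$(mktemp -d); w=$d/rootfs/etc/systemd/system
    mkdir -p "$w/getty.target.wants"
    : > "$w/getty@.service"                    # stands in for the patched copy
    ln -s /lib/systemd/system/getty@.service \
        "$w/getty.target.wants/getty@tty1.service"
    printf 'lxc.utsname=test\nlxc.tty=2\n' > "$d/config"
    sync_getty_links "$d/config" "$d/rootfs"; rm -rf "$d"
}
```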
