
#1 2017-03-16 04:05:52

lilmike
Member
Registered: 2014-09-25
Posts: 26

systemd-nspawn many issues -- cannot change password, cannot log in

Hi,
I'm trying to set up systemd-nspawn to compartmentalize some websites on my server. However, I'm getting to the point where I have pacstrapped the new system into a folder under /var/lib/machines, then ran systemd-nspawn -n --boot -D <folder>. Then I log in as root, with no password, and set it. After that, I can systemctl poweroff, and machinectl start <name>. However, at that point when I try to log in, it gives invalid login. I read a few bugs on the systemd bugtracker about Arch and this specific issue saying that pam-security is to blame, as it will only let you log in on a regular console, and the tty you're logging in from with machinectl login is /dev/pts/0 or similar. However, I don't see anything uncommented in /etc/security/* with tty or root or even wheel in it. Any thoughts on that?

In addition, this brought up another issue. I powered off from machinectl, and then tried to create a user that wasn't root to try and log in with machinectl to get things going and just use sudo, but when I try to change the password, I get 'token manipulation error'. All the posts I've read are either talking about SELinux, which shouldn't be the case here, or that the filesystem is read-only, which doesn't seem to be the case here. As you would have noticed, I could change the root password prior to shutting down the first time I ran directly with systemd-nspawn, but not after.
Any thoughts?
Thanks,
-Michael.

Offline

#2 2017-03-21 16:16:42

lilmike
Member
Registered: 2014-09-25
Posts: 26

Re: systemd-nspawn many issues -- cannot change password, cannot log in

Any clue?
-Michael.

Offline

#3 2017-03-21 22:24:08

Texbrew
Member
From: The Lone Star State
Registered: 2016-02-09
Posts: 580

Re: systemd-nspawn many issues -- cannot change password, cannot log in

lilmike wrote:

Any clue?
-Michael.

Forum mods will warn you thread bumping is not allowed. That's the only clue I have..

Offline

#4 2017-03-21 23:57:49

ayekat
Member
Registered: 2011-01-17
Posts: 1,589

Re: systemd-nspawn many issues -- cannot change password, cannot log in

lilmike wrote:

However, I don't see anything uncommented in /etc/security/* with tty or root or even wheel in it. Any thoughts on that?

For the first part, I just tested and ran into the same issue. However, the file in question appears to be /etc/securetty, so adding

pts/0

allows root login via machinectl for me™.

But that appears to be a bad idea, as any application can allocate a pseudo-terminal - although I haven't quite understood how exactly that is a problem, as long as you keep track of what processes are running on your system (which I think you should do anyway). Perhaps somebody can shed some light on this issue?

(BTW, logging in as a regular user works fine regardless of whether I put that entry into /etc/securetty or not)

I powered off from machinectl, and then tried to create a user that wasn't root to try and log in with machinectl to get things going and just use sudo, but when I try to change the password, I get 'token manipulation error'.

The only error I'm able to trigger for `passwd` is by typing the wrong current password. But if no password is set, it should usually ask for a new password directly. So I'm not able to reproduce that error - perhaps someone else will walk along.

OTOH I'm running into execv(e)-related errors for pacman post-transaction hooks - but that's probably unrelated, and for another thread.

--edit2--
Would you mind posting the exact in- and output for your `passwd` issue?

Texbrew wrote:

Forum mods will warn you thread bumping is not allowed. That's the only clue I have..

If you're concerned about such things, there is a report button - no need to make a post.

--edit--
I'd like to apologize partly. If it weren't for the bump (and Texbrew's reply), I would probably not have made the effort of digging into this issue myself. But yes, bumping is discouraged.

Last edited by ayekat (2017-03-22 07:48:47)



Offline
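
An added example, not from the thread: a read-only check for the /etc/securetty change discussed in post #4. It reports which container trees under a machines directory permit root login on a pts/N pseudo-terminal. The function names, the sample tree and the container names web1/web2 are constructed for illustration, and the file format is assumed to be one terminal name per line with `#` starting a comment line.

```shell
#!/bin/sh
# Added example (not from the thread). pam_securetty lets root log in only on
# terminals listed in /etc/securetty; names are given without the /dev/ prefix.
# Assumed format: one terminal per line, lines starting with '#' are comments.

# tty_listed FILE TTY: 0 if TTY is listed, 1 if not, 2 if FILE is unreadable.
tty_listed() {
    file=$1 tty=${2#/dev/}
    [ -r "$file" ] || return 2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in '#'*) continue ;; esac
        line=$(printf '%s' "$line" | sed 's/[[:space:]]*$//')   # trailing blanks
        [ "$line" = "$tty" ] && return 0
    done < "$file"
    return 1
}

# pts_entries ROOT: print every pts/N entry in ROOT/etc/securetty.
pts_entries() {
    [ -r "$1/etc/securetty" ] || return 0
    sed -e '/^#/d' -e 's/[[:space:]]*$//' "$1/etc/securetty" |
        grep -E '^pts/[0-9]+$' || true
}

# audit_machines [DIR]: one line per container and pts entry that allows root.
audit_machines() {
    base=${1:-/var/lib/machines}
    for root in "$base"/*/; do
        [ -d "$root" ] || continue
        name=$(basename "$root")
        for entry in $(pts_entries "$root"); do
            printf '%s: root login allowed on %s\n' "$name" "$entry"
        done
    done
}

# Constructed sample tree: web1 keeps pts/0 commented out, web2 lists it.
make_sample() {
    mkdir -p "$1/web1/etc" "$1/web2/etc"
    printf 'console\ntty1\n# pts/0\n' > "$1/web1/etc/securetty"
    printf 'console\ntty1\npts/0\n'   > "$1/web2/etc/securetty"
}

sample=$(mktemp -d)
make_sample "$sample"
audit_machines "$sample"
rm -rf "$sample"
```

Run `audit_machines` with no argument on a host to check the real trees under /var/lib/machines.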

#5 2017-03-22 01:54:07

Texbrew
Member
From: The Lone Star State
Registered: 2016-02-09
Posts: 580

Re: systemd-nspawn many issues -- cannot change password, cannot log in

I am not concerned about such things. Actually, I was trying to head off a moderator warning. Point taken, though. Not my business. I'll stay out of it. Good luck to the OP.

No, I don't use the report button because "Nobody likes a snitch".

Offline

#6 2017-03-23 00:14:05

lilmike
Member
Registered: 2014-09-25
Posts: 26

Re: systemd-nspawn many issues -- cannot change password, cannot log in

Ok, I got the passwd command to work; it was apparently a conflict between the way machinectl (systemd-nspawn@.service) starts the machine and the way I was starting it manually. Now, however, I have the problem of host0 and the other end of the virtual network cable not coming up when I have systemd-networkd enabled and started on both container and host. Dmesg mentions 'host0: link is not ready'.
-Michael.

Offline

#7 2017-03-23 15:55:23

ayekat
Member
Registered: 2011-01-17
Posts: 1,589

Re: systemd-nspawn many issues -- cannot change password, cannot log in

lilmike wrote:

Now, however, I have the problem of host0 and the other end of the virtual network cable not coming up when I have systemd-networkd enabled and started on both container and host. Dmesg mentions 'host0: link is not ready'.

Could you post your container's .network file?

In my container, the network interface is called host0@ifX (where X seems to be incremented every time), so in systemd-networkd, you might want to match the name host0@* in order to properly configure the interface.



Offline

#8 2017-03-23 16:57:43

lilmike
Member
Registered: 2014-09-25
Posts: 26

Re: systemd-nspawn many issues -- cannot change password, cannot log in

Hi,
Well, I didn't make a custom host0.network file, as apparently systemd-networkd is supposed to handle this for me. I was also told I didn't need to ln -s any files from /usr/lib/systemd/network to /etc/systemd/network, but please tell me if this is wrong.
The 80-container-host0.network in /usr/lib/systemd/network looks like this: http://codepad.org/TcHps65r

-Michael.

Offline

#9 2017-03-23 17:25:42

ayekat
Member
Registered: 2011-01-17
Posts: 1,589

Re: systemd-nspawn many issues -- cannot change password, cannot log in

I have to admit I use a network bridge, with dnsmasq running (so my container gets its IP address from there - but I still need a basic networkd configuration in my container).

If running without any bridge, machined appears to set up a virtual ethernet interface on the host side called `ve-<machinename>` and 10.0.0.1/28 assigned to it, whereas the container sets an IP address in the 169.254.0.0/16 range. Is that the case with your container, too?

I have not quite understood what exactly is going on, but in case I find something, I'll report back. Otherwise I fear I have to let you wait for somebody else to walk along and help you on this matter.

Last edited by ayekat (2017-03-23 17:26:26)



Offline

#10 2017-03-23 20:40:24

lilmike
Member
Registered: 2014-09-25
Posts: 26

Re: systemd-nspawn many issues -- cannot change password, cannot log in

Hi,
See, that's the entire problem. It creates the host0@xxx and vxxx devices (on the container side and host side, respectively), but the IP addresses never get assigned. It seems like there must be something I'm doing wrong, as the dmesg shows 'host0: link is not up'.
I'll try ln-ing the proper network config to /etc/systemd/network and see what happens.
-Michael.

Offline

#11 2017-03-23 20:48:49

lilmike
Member
Registered: 2014-09-25
Posts: 26

Re: systemd-nspawn many issues -- cannot change password, cannot log in

Hi,
Just tried linking the configs to /etc/systemd/network, no go. The full error from dmesg:
ipv6: addrconf(netdev_up): host0: link is not ready.
-Michael.

Offline

#12 2017-07-27 04:41:33

pm3840
Member
Registered: 2013-12-16
Posts: 61

Re: systemd-nspawn many issues -- cannot change password, cannot log in

root login issue:
'machinectl login' starts you in pts/0 and root login is not allowed (https://wiki.archlinux.org/index.php/Systemd-nspawn#root_login_fails). Try 'machinectl shell <container> /bin/bash' instead to log in and update the user/root password.
systemd-nspawn starts you with console access in the container.

host0 issue:
https://wiki.archlinux.org/index.php/Systemd-networkd
Basically you need to create a .network file, and enable networkd.

Offline
