Now, /dev/console is linked to the /dev/pts/0, so for the process agetty, the tty device of agetty is pts/0. this will cause login container failed. since pts/0 is not in the /etc/securetty. so pam module pam_securetty will prevent the root user logging on the system. this patch doesn't make /dev/console a symbol but binds /dev/pts/0 to it. so the tty device of agetty will be console. root can login the system successfully. change from v1: 1,Add some comments. 2,Modify the System error report message.
Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
---
 src/lxc/lxc_container.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 255c711..9c71bad 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1049,12 +1049,22 @@ static int lxcContainerSetupDevices(char **ttyPaths, size_t nttyPaths)
 return -1;
 }
 VIR_FREE(tty);
- if (i == 0 &&
- symlink(ttyPaths[i], "/dev/console") < 0) {
- virReportSystemError(errno,
- _("Failed to symlink %s to /dev/console"),
- ttyPaths[i]);
- return -1;
+ if (i == 0) {
+ if (virFileTouch("/dev/console", 0600) < 0) {
+ virReportSystemError(errno, "%s",
+ _("Failed to create /dev/console"));
+ return -1;
+ }
+ /* Binding /dev/console to pts, this will make agetty
+ * trust its tty device is console but not the pts device.
+ * So the pam_sercuretty module will not try to prevent
+ * root user logging on container. */
+ if (mount(ttyPaths[0], "/dev/console", NULL, MS_BIND, NULL) < 0) {
+ virReportSystemError(errno,
+ _("Failed to bind %s to /dev/console"),
+ ttyPaths[i]);
+ return -1;
+ }
 }
 }
 return 0;
--
1.8.3.1
--
libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
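Review bot: The comment above the `mount()` call misspells the PAM module as `pam_sercuretty`, so a grep for `pam_securetty` when auditing where root-login restrictions are relaxed will miss this site. The comment should also say plainly that root login on the container's first tty then depends on `console` being listed in the guest's /etc/securetty, which the commit message implies but the code does not state. The `mount()` call passes `ttyPaths[0]` while its error message prints `ttyPaths[i]`; both are the same value under `i == 0`, but using one spelling in both places keeps the message truthful if the condition is ever changed. If `virFileTouch()` already reports its own error on failure (its body is not visible here), the `virReportSystemError()` that follows it would replace the more specific message and could be dropped. lxcContainerSetupDevices starts and ends outside the hunk.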