I'm running Fedora 30 in a LXC container (the host is CentOS 7). When I start the container, I get the usual console messages, then nothing. I do not get a login prompt.
When I attach to the container and run systemctl, I don't see console-getty.service running. When I try to start it, systemctl says it is masked. Unmasking and starting console-getty.service gives me the missing login prompt.
Does anyone know why console-getty.service is masked by default?
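As an added example (not from the thread), the following POSIX shell script checks from the host whether a container's console-getty.service is masked, without attaching to the container. It relies on how `systemctl mask` works: it creates a symlink in /etc/systemd/system that points at /dev/null, so the check inspects the container's rootfs for that symlink. The rootfs path /var/lib/lxc/<name>/rootfs and the vendor unit locations (/usr/lib/systemd/system, /lib/systemd/system) are assumptions about the image layout, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Report whether console-getty.service is masked inside a container rootfs.
# A masked unit is a symlink /etc/systemd/system/<unit> -> /dev/null, which is
# exactly what "systemctl mask" writes; "systemctl unmask" removes that link.
# Assumed (hypothetical) layout: /var/lib/lxc/<name>/rootfs, with the vendor unit
# shipped under usr/lib/systemd/system or lib/systemd/system.

# getty_state ROOTFS [UNIT]
# Prints one word: masked, unmasked, or absent.
getty_state() {
    rootfs=$1
    unit=${2:-console-getty.service}
    override="$rootfs/etc/systemd/system/$unit"

    # The mask override symlink wins over any vendor unit file.
    if [ -L "$override" ] && [ "$(readlink "$override")" = "/dev/null" ]; then
        echo masked
        return 0
    fi

    # No mask: see whether a unit file exists at all.
    for dir in usr/lib/systemd/system lib/systemd/system etc/systemd/system; do
        if [ -f "$rootfs/$dir/$unit" ]; then
            echo unmasked
            return 0
        fi
    done

    echo absent
    return 0
}

# Usage: ./getty-check.sh --scan
# Walks every LXC container rootfs on the host (assumed path) and reports the state,
# so you can see at a glance which images ship with the console getty masked.
if [ "${1:-}" = "--scan" ]; then
    for rootfs in /var/lib/lxc/*/rootfs; do
        [ -d "$rootfs" ] || continue
        name=$(basename "$(dirname "$rootfs")")
        printf '%s: console-getty.service is %s\n' "$name" "$(getty_state "$rootfs")"
    done
fi
```

If the report says `masked` and you want the console login prompt, the fix is the one described above, run inside the container: `systemctl unmask console-getty.service` followed by `systemctl start console-getty.service`.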
On 5/19/19 10:41 PM, Michael Eager wrote:
> Does anyone know why console-getty.service is masked by default?
(Where did you get the container image?)
I don't know the answer, but my guess would be that a getty doesn't really serve a purpose in a container, since anyone who can access the container tools can run an arbitrary process within the container, including /bin/bash.
On 5/20/19 7:44 AM, Gordon Messmer wrote:
> On 5/19/19 10:41 PM, Michael Eager wrote:
>> Does anyone know why console-getty.service is masked by default?
> (Where did you get the container image?)
It's a standard downloadable image using "lxc-create -t download". I assume that this is https://us.images.linuxcontainers.org/.
> I don't know the answer, but my guess would be that a getty doesn't really serve a purpose in a container, since anyone who can access the container tools can run an arbitrary process within the container, including /bin/bash.
Getty serves the same purpose it does on real hardware: A way to log into the system as a user (or root) and control or configure it. For example, to set up SSH access for users who do not have root privileges on the host system. Or to restart or shut down, not something that you want a user to do remotely.
I looked at recent Fedora images (28, 29, 30) and they all mask getty. CentOS 7 images don't. They treat the console in a container just the same way that they do a real console. After boot messages, a login prompt is displayed.
You might be right that the assumption is that configuration of a Fedora LXC container would be done using "lxc-attach" on the host. After I configure a container, I usually run it headless. While configuring, I generally log in on the console. When I didn't get a console login prompt, I thought that the Fedora container was broken.
On 5/20/19 9:47 AM, Michael Eager wrote:
> Getty serves the same purpose it does on real hardware
Perhaps it's a matter of perspective. getty does start a shell, but its purpose (from my perspective) isn't to let authorized users in so much as it is to keep unauthorized users out. In a container, it can't really do that because anyone who can access the container "console" can also run arbitrary applications (including a login shell) in the container.
(Of course, I could be wrong about that with LXC. I'm more familiar with docker / podman.)