Last updated: 2020-04-16
Introduction
On LXC there are two kinds of console to keep apart:
- host's virtual consoles
- container's local virtual consoles
The host's virtual consoles
accessed using the key sequence Alt+Fn (or Ctrl+Alt+Fn)
For a container to be able to use a host's virtual console, that console must not be in use by the host,
-> i.e. no getty or other host process may be running on that virtual console
The container's local virtual consoles
accessed using the "lxc-console" command
Container's startup console
lxc-start -n VPS # starts the container; its /dev/console is the default startup console
# CentOS 7, seen from inside the container
ps a
PID TTY STAT TIME COMMAND
42 lxc/console Ss+ 0:00 /sbin/agetty --noclear --keep-baud console 115200,38400,9600 vt220
ls -l /dev/console
lrwxrwxrwx 1 root root 11 Apr 14 10:59 /dev/console -> lxc/console
ls -lH /dev/console
crw--w---- 1 root tty 136, 28 Apr 14 10:59 /dev/console
Troubleshooting
root login is rejected as an "Authentication failure" even with the correct password
Apr 7 18:08:47 centos7 login: pam_securetty(login:auth): access denied: tty 'lxc/console' is not secure !
Apr 7 18:08:53 centos7 login: FAILED LOGIN 1 FROM lxc/console FOR root, Authentication failure
Cause: the container's /etc/securetty does not list lxc/console (the default file contains "console", not "lxc/console"), so pam_securetty refuses root on that tty. Fix: add a line "lxc/console" to the container's /etc/securetty (the same applies to lxc/ttyN where /dev/ttyN is, like /dev/console here, a symlink into /dev/lxc).
lxc-console
Connect:
# by default attaches to the container's tty1
lxc-console -n VPS [ttynum]
# ttynum 0 attaches to the container's /dev/console instead of its /dev/tty<ttynum>
lxc-console -n VPS 0
Exit:
Ctrl+a, q
P.S.
Inside GNU screen, Ctrl-a is screen's own prefix key; type Ctrl-a then a to pass a literal Ctrl-a through to lxc-console.
CentOS 7: configuring a tty console inside the container
/etc/systemd/logind.conf
# Maximum number of virtual terminals on which logind spawns a getty automatically
# Defaults to 6. When set to 0, automatic spawning of autovt services is disabled.
# autovt@.service is getty@.service (/usr/lib/systemd/system/autovt@.service -> getty@.service)
NAutoVTs=1
# Identifies one virtual terminal that shall unconditionally be reserved for autovt@.service activation.
ReserveVT=4
Service
vim /usr/lib/systemd/system/getty@.service
# change tty0 to tty1: the container has no /dev/tty0, so the shipped condition never holds and the getty never starts
ConditionPathExists=/dev/tty1
# Caveat: a unit edited under /usr/lib is overwritten by the next systemd package update. A drop-in in /etc/systemd/system/getty@.service.d/ survives; it must first reset the condition list with an empty "ConditionPathExists=" and then add "ConditionPathExists=/dev/tty1", otherwise the /dev/tty0 condition is still required.
systemctl daemon-reload
systemctl enable getty@tty1
systemctl start getty@tty1.service
Remark
ls -go /etc/systemd/system/getty.target.wants
lrwxrwxrwx. 1 38 Apr 6 17:37 getty@tty1.service -> /usr/lib/systemd/system/getty@.service
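The securetty fix from the troubleshooting section and the logind/getty changes above, put together as one idempotent script. This is an added example, not part of the original notes: it takes a root directory as an argument so the edits can be rehearsed against a scratch tree before running it against / inside a container, writes the getty change as a systemd drop-in (the file name lxc-tty1.conf is my choice) rather than editing /usr/lib, and assumes GNU sed and coreutils.

```shell
#!/bin/sh
# Added example (not from the original notes): apply the container-side console
# fixes to the root filesystem under $ROOT (default "/", i.e. the container
# itself). Assumes GNU sed/coreutils and CentOS 7 paths.
set -eu

# Append a tty name to /etc/securetty if it is not already listed (idempotent).
add_securetty() {
    root=$1; tty=$2
    f="$root/etc/securetty"
    [ -f "$f" ] || : > "$f"
    grep -qx "$tty" "$f" || printf '%s\n' "$tty" >> "$f"
}

# Set KEY=VALUE in logind.conf: rewrite a commented-out or existing line,
# append when the key is absent.
set_logind() {
    root=$1; key=$2; val=$3
    f="$root/etc/systemd/logind.conf"
    mkdir -p "$(dirname "$f")"
    [ -f "$f" ] || printf '[Login]\n' > "$f"
    if grep -Eq "^#?${key}=" "$f"; then
        sed -E "s|^#?${key}=.*|${key}=${val}|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf '%s=%s\n' "$key" "$val" >> "$f"
    fi
}

# Drop-in for getty@.service. The empty assignment clears the unit's own
# ConditionPathExists=/dev/tty0 (never true in a container); the second line
# requires /dev/tty1 instead. File name lxc-tty1.conf is an assumption.
getty_dropin() {
    root=$1
    d="$root/etc/systemd/system/getty@.service.d"
    mkdir -p "$d"
    printf '[Unit]\nConditionPathExists=\nConditionPathExists=/dev/tty1\n' > "$d/lxc-tty1.conf"
}

configure_container_console() {
    root=${1:-}
    add_securetty "$root" lxc/console
    add_securetty "$root" lxc/tty1
    set_logind "$root" NAutoVTs 1
    set_logind "$root" ReserveVT 4
    getty_dropin "$root"
}

# Read a key back from logind.conf (used to verify the result).
logind_value() {
    sed -nE "s/^$2=(.*)/\1/p" "${1:-}/etc/systemd/logind.conf"
}

# Inside the container:  sh console-fix.sh --apply
# then:                  systemctl daemon-reload && systemctl enable --now getty@tty1.service
if [ "${1:-}" = "--apply" ]; then
    configure_container_console "${2:-}"
fi
```

Running it twice against the same tree leaves a single NAutoVTs line and a single lxc/console entry, which is what you want when the script is part of a template post-install step.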
Debug test
Container: /sbin/agetty tty1 (start a getty on tty1 by hand)
Host: lxc-console -n centos7 (a login prompt should appear)
VPS local virtual console settings
Hypervisor (host-side container config) setting:
lxc.tty = n
* lxc creates n pseudo-terminals and bind-mounts them over the container's /dev/tty1 .. /dev/ttyn; with n = 2 the container's /dev/tty1 and /dev/tty2 are therefore local ptys and the VPS can no longer reach the host's tty1 and tty2 devices
* /dev/tty0 is special and always refers to the current virtual console
* the host's virtual consoles /dev/ttyN are character devices with major number 4 and minor number N (1, 2, 3, ...)
* (the key is lxc.tty in the LXC 1.0.x shipped for CentOS 7; LXC 2.1 and later renamed it lxc.tty.max)
To test this access
- Set lxc.tty to 1
- Make sure that the container has /dev/tty1 and /dev/tty2
- lxc-start the container
- lxc-console into the container
- Check /dev/tty2: it is still the host's real device (major 4), not an lxc pty
ls -l /dev/tty2
crw------- 1 root root 4, 2 Dec 2 00:20 /dev/tty2
- echo "test output" > /dev/tty2
- Press Ctrl+Alt+F2 on the host to view its second virtual console
- You should see "test output" printed on the screen: the container wrote straight to the host's console
Remark:
* Real host devices have major number 4
* local (pty-backed) devices have major number 136
* Security note: every /dev/ttyN node in the container's rootfs beyond lxc.tty that the device cgroup does not block is a direct path onto the host's consoles. Either set lxc.tty high enough to cover every ttyN the rootfs carries, or make sure lxc.cgroup.devices does not allow c 4:N for those minors (the bind-mounted ptys are major 136, so denying major 4 does not affect them).
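A quick way to audit this from inside a container, as an added example that is not part of the original notes: classify each /dev/ttyN by the major number stat reports, so a host console (major 4, the case the test above writes to) stands out from an lxc pty (major 136). It assumes GNU stat (coreutils), whose %t prints the major in hex; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original notes): run inside a container to see
# which /dev/ttyN nodes are lxc-provided ptys and which are still the host's
# real virtual consoles. Assumes GNU stat; %t prints the device major in hex.

# Map a hex major number (as printed by stat %t) to what it means here.
kind_of_major() {
    case $1 in
        4)  echo host-vt ;;   # real virtual console of the host (major 4)
        88) echo pty ;;       # 0x88 = 136, a pseudo-terminal bind-mounted by lxc
        *)  echo other ;;
    esac
}

# Classify one device path: missing, not a character device, or by major.
# -L follows symlinks such as /dev/tty1 -> lxc/tty1.
tty_kind() {
    dev=$1
    [ -e "$dev" ] || { echo missing; return; }
    [ -c "$dev" ] || { echo not-a-chardev; return; }
    kind_of_major "$(stat -L -c %t "$dev")"
}

# Walk /dev/tty1 .. /dev/ttyN (default 12), print one line each, and return 1
# if any of them is a host console, i.e. lxc.tty does not cover it.
audit_ttys() {
    n=${1:-12}; leak=0; i=1
    while [ "$i" -le "$n" ]; do
        k=$(tty_kind "/dev/tty$i")
        printf '/dev/tty%-3s %s\n' "$i" "$k"
        [ "$k" = host-vt ] && leak=1
        i=$((i + 1))
    done
    return $leak
}

# Usage inside the container:  audit_ttys 6; echo "leak=$?"
```

With lxc.tty = 1 and a rootfs that still carries /dev/tty2, the report shows tty1 as pty and tty2 as host-vt and the function returns 1; after raising lxc.tty (or denying major 4 in the device cgroup and removing the node) it returns 0.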
dmesg
Preventing dmesg on the LXC host for all containers
# CentOS 7 hypervisor: add to the seccomp blacklist shared by every container
/usr/share/lxc/config/common.seccomp
syslog errno 1
# Linux host kernel setting
/etc/sysctl.conf
kernel.dmesg_restrict=1
This toggle indicates whether unprivileged users are prevented from using dmesg to view messages from the kernel's log buffer.
1 => users must have CAP_SYSLOG to use dmesg(8).
Caveat: root in a privileged container normally keeps CAP_SYSLOG, so dmesg_restrict alone does not stop it. The seccomp rule makes the syslog(2) syscall itself fail with EPERM (errno 1) regardless of capabilities, so it is the control that actually holds for privileged containers. Both produce the same error inside the container:
# In Container
dmesg
dmesg: read kernel buffer failed: Operation not permitted
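Before restarting containers it is worth checking that the rule really landed in the profile and is not shadowed by a comment. The following is an added example, not part of the original notes: a small awk-based query over an LXC seccomp v2 blacklist (version line, "blacklist", optional global flags such as reject_force_umount, "[arch]" section headers, then "<syscall> [action]" lines, with unlisted syscalls allowed). The sample profile in SAMPLE_SECCOMP is constructed for the demo in the common.seccomp layout, with the syslog rule added; it is not a copy of any host's file.

```shell
#!/bin/sh
# Added example (not from the original notes): report what an LXC seccomp v2
# blacklist does with a given syscall. Assumes the v2 blacklist layout shown
# below; whitelist profiles are reported as unsupported.

# Constructed sample in the layout of /usr/share/lxc/config/common.seccomp,
# with the "syslog errno 1" rule from the section above appended.
SAMPLE_SECCOMP=$(cat <<'EOF'
2
blacklist
reject_force_umount  # comment this to allow umount -f;  not recommended
[all]
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
syslog errno 1
EOF
)

# seccomp_action FILE SYSCALL
# Prints the action attached to SYSCALL ("errno 1", "kill", ...), "listed" if
# the syscall is named without an explicit action, or "allow" if it is not in
# the blacklist at all. Exits 1 for a profile that is not a v2 blacklist.
seccomp_action() {
    awk -v sc="$2" '
        { sub(/#.*/, "") }                       # strip comments
        NR == 1 { ver = $1; next }               # version line
        NR == 2 { policy = $1; next }            # blacklist / whitelist
        /^[[:space:]]*\[/ { insect = 1; next }   # [arch] section header
        !insect || NF == 0 { next }              # global flags, blank lines
        $1 == sc {
            act = $2
            for (i = 3; i <= NF; i++) act = act " " $i
            found = 1
            exit                                 # falls through to END
        }
        END {
            if (ver != "2" || policy != "blacklist") { print "unsupported"; exit 1 }
            if (!found) print "allow"
            else if (act == "") print "listed"
            else print act
        }' "$1"
}

# Usage on the hypervisor:
#   seccomp_action /usr/share/lxc/config/common.seccomp syslog   # expect: errno 1
```

"errno 1" for syslog is the line that produces "dmesg: read kernel buffer failed: Operation not permitted" inside the container; "allow" means the rule is missing or commented out and only kernel.dmesg_restrict stands between an in-container root and the host's kernel log.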