LXC - console

Last updated: 2020-04-16

Introduction

On LXC there are two kinds of console to consider:

  • host's virtual consoles
  • container's local virtual consoles

The host's virtual consoles

accessed using the key sequence Alt+Fn (or Ctrl+Alt+Fn)

For a container to be able to use a host's virtual console it must not be in use by the host.

    -> i.e. no getty or other host process runs on that virtual console

The container's local virtual consoles

accessed using the "lxc-console" command


Container's startup console

lxc-start -n VPS     # this starts the container's default console

# Centos7

ps a

  PID TTY      STAT   TIME COMMAND
   42 lxc/console Ss+   0:00 /sbin/agetty --noclear --keep-baud console 115200,38400,9600 vt220

ls -l /dev/console

lrwxrwxrwx 1 root root 11 Apr 14 10:59 /dev/console -> lxc/console

ls -lH /dev/console

crw--w---- 1 root tty 136, 28 Apr 14 10:59 /dev/console

Troubleshoot

Login password rejected

Apr  7 18:08:47 centos7 login: pam_securetty(login:auth): access denied: tty 'lxc/console' is not secure !
Apr  7 18:08:53 centos7 login: FAILED LOGIN 1 FROM lxc/console FOR root, Authentication failure

/etc/securetty does not contain lxc/console (the default lists "console", not "lxc/console")
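The check behind that log line, as an added example (not code from the original page): pam_securetty only lets root log in from a tty that is listed in /etc/securetty, and the tty name it reports for the LXC console is "lxc/console". The functions below take the file path as a parameter so they can be tried on a copy; the sample securetty contents are constructed.

```shell
# Added example: check whether a securetty file already lists lxc/console and
# append it when it is missing. Path is a parameter so the logic can be run
# against a copy before touching the container's real /etc/securetty.

# Return 0 if the file has an exact "lxc/console" line.
securetty_has_lxc_console() {
    grep -qx 'lxc/console' "$1"
}

# Append "lxc/console" only when absent, so repeated runs do not duplicate it.
securetty_allow_lxc_console() {
    f=$1
    if securetty_has_lxc_console "$f"; then
        echo "$f: lxc/console already present"
    else
        echo 'lxc/console' >> "$f"
        echo "$f: added lxc/console"
    fi
}

# Demonstration on a constructed copy of a CentOS 7 style securetty (the real
# default contains "console" but not "lxc/console"); prints the final count of
# lxc/console lines, which stays 1 even after two runs.
demo_securetty() {
    tmp=$(mktemp)
    printf 'console\ntty1\ntty2\n' > "$tmp"        # constructed sample input
    securetty_allow_lxc_console "$tmp" >/dev/null
    securetty_allow_lxc_console "$tmp" >/dev/null   # second run is a no-op
    grep -c '^lxc/console$' "$tmp"
    rm -f "$tmp"
}
```

Inside the container, `securetty_allow_lxc_console /etc/securetty` followed by a new login attempt is enough. securetty is the allow-list of terminals root may log in from; lxc/console is reachable only through lxc-console on the host, so this entry does not add a network login path, but the rest of the list should stay as short as the default.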

 


lxc-console

Connect:

# by default it connects to the container's tty1

lxc-console -n VPS [ttynum]

# A ttynum of 0 may be given to attach to the container's /dev/console instead of its /dev/tty<ttynum>

lxc-console -n VPS 0

Exit:

Ctrl+a,q

 

 


CentOS 7: configuring a tty console

/etc/systemd/logind.conf

# the maximum number of virtual terminals that may be spawned automatically

# Defaults to 6. When set to 0, automatic spawning of autovt services is disabled.

# autovt@.service is getty@.service (/usr/lib/systemd/system/autovt@.service -> getty@.service)

NAutoVTs=1

# Identifies one virtual terminal that shall unconditionally be reserved for autovt@.service activation.

ReserveVT=4

Service

vim /usr/lib/systemd/system/getty@.service

# changed from tty0 to tty1 (the container has no tty0)
ConditionPathExists=/dev/tty1

systemctl daemon-reload

systemctl enable getty@tty1

systemctl start getty@tty1.service

Remark

ls -go /etc/systemd/system/getty.target.wants

lrwxrwxrwx. 1 38 Apr  6 17:37 getty@tty1.service -> /usr/lib/systemd/system/getty@.service

Debug test

Container: /sbin/agetty tty1

Host: lxc-console -n centos7

 


VPS Local Virtual Consoles Settings

 

Hypervisor Setting:

lxc.tty = n

 * if "n = 2" => VPS will not be able to use the host's tty1 and tty2 devices

 * /dev/tty0 is special and always refers to the current virtual console

 * these carry the tty major device number (4) with minor numbers 1, 2, 3

To test this access

  1. Set lxc.tty to 1
  2. Make sure that the container has /dev/tty1 and /dev/tty2
  3. lxc-start the container
  4. lxc-console into the container
  5. ls -Al /dev/tty2

     crw------- 1 root root 4, 2 Dec 2 00:20 /dev/tty2

  6. echo "test output" > /dev/tty2
  7. Ctrl+Alt+F2 to view the host's second terminal
  8. You should see "test output" printed on the screen

Remark:

 * Real host devices will have a major number of 4

 * local devices will have a major number of 136
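An audit built on that remark, as an added example (not code from the original page): it classifies the tty nodes visible inside a container by major number, 4 meaning a real host virtual console and 136 a local pty, and flags a listing that still exposes a host VT (the situation the test above demonstrates by writing to the host's screen). It reads "ls -l" text rather than calling stat, so it can run on a saved listing; the sample listing is constructed.

```shell
# Added example: audit tty device nodes by major number (4 = real host VT,
# 136 = local pty, anything else = unknown).

# Classify one "ls -l" line of a character device by its major number
# (field 5, printed by ls with a trailing comma, e.g. "4," or "136,").
classify_tty_major() {
    major=$(printf '%s\n' "$1" | awk '{ sub(/,$/, "", $5); print $5 }')
    case "$major" in
        4)   echo host ;;
        136) echo local ;;
        *)   echo unknown ;;
    esac
}

# Read "ls -l" lines on stdin, print "<path> <class>" for each character
# device, and return 1 if any node is a real host VT, 0 otherwise.
audit_tty_listing() {
    rc=0
    while IFS= read -r line; do
        case "$line" in c*) ;; *) continue ;; esac   # character devices only
        path=${line##* }
        class=$(classify_tty_major "$line")
        echo "$path $class"
        if [ "$class" = host ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed listing: one host VT (major 4) and two local consoles (major 136).
sample_listing() {
    cat <<'EOF'
crw------- 1 root root   4,  2 Dec  2 00:20 /dev/tty2
crw--w---- 1 root tty  136, 28 Apr 14 10:59 /dev/console
crw--w---- 1 root tty  136,  3 Apr 14 10:59 /dev/tty1
EOF
}

# Demo: prints the audit lines, then "host-vt-present" or "clean".
demo_tty_audit() {
    if sample_listing | audit_tty_listing; then echo clean; else echo host-vt-present; fi
}
```

On a running container, `ls -lH /dev/console /dev/tty* | audit_tty_listing` from inside the container gives the real picture; a non-zero return means lxc.tty (or the container's device nodes) leaves a host VT reachable.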

 


dmesg

 

Prevent dmesg on LXC node for all containers

# Centos 7 Hypervisor

/usr/share/lxc/config/common.seccomp

syslog errno 1

# Linux

/etc/sysctl.conf

kernel.dmesg_restrict=1

This toggle indicates whether unprivileged users are prevented from using dmesg to view messages from the kernel’s log buffer.

1 => users must have CAP_SYSLOG to use dmesg(8).

# In Container

dmesg

dmesg: read kernel buffer failed: Operation not permitted
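A check for the two layers described above, as an added example (not code from the original page): it reads kernel.dmesg_restrict from a sysctl.conf-style file and looks for the "syslog errno 1" rule in an LXC seccomp policy file, so a host can confirm both are in place. File paths are parameters so it can be run on copies; the sample sysctl.conf and common.seccomp contents are constructed.

```shell
# Added example: verify that dmesg is blocked for containers at both the
# kernel (sysctl) layer and the LXC seccomp layer.

# Print the last kernel.dmesg_restrict value set in a sysctl.conf-style file,
# or "unset" if the key is absent.
dmesg_restrict_value() {
    v=$(sed -n 's/^[[:space:]]*kernel\.dmesg_restrict[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1" | tail -n 1)
    [ -n "$v" ] && echo "$v" || echo unset
}

# Return 0 if the seccomp policy has a "syslog errno <n>" rule, i.e. the
# syslog(2) syscall that dmesg relies on is denied inside the container.
seccomp_denies_syslog() {
    grep -Eq '^[[:space:]]*syslog[[:space:]]+errno[[:space:]]+[0-9]+' "$1"
}

# Overall verdict: print one line per layer, return 0 only when both restrict dmesg.
check_dmesg_restrict() {
    sysctl_ok=0; seccomp_ok=0
    if [ "$(dmesg_restrict_value "$1")" = 1 ]; then sysctl_ok=1; fi
    if seccomp_denies_syslog "$2"; then seccomp_ok=1; fi
    echo "sysctl kernel.dmesg_restrict=1: $sysctl_ok"
    echo "seccomp syslog errno rule:     $seccomp_ok"
    if [ "$sysctl_ok" = 1 ] && [ "$seccomp_ok" = 1 ]; then return 0; fi
    return 1
}

# Demo on constructed files mirroring the page's settings; prints "ok" or "gap".
demo_dmesg_check() {
    d=$(mktemp -d)
    printf 'net.ipv4.ip_forward = 1\nkernel.dmesg_restrict=1\n' > "$d/sysctl.conf"   # constructed
    printf '2\nblacklist\n[all]\nsyslog errno 1\n' > "$d/common.seccomp"                # constructed
    if check_dmesg_restrict "$d/sysctl.conf" "$d/common.seccomp" >/dev/null; then r=ok; else r=gap; fi
    rm -rf "$d"
    echo "$r"
}
```

On the hypervisor, `check_dmesg_restrict /etc/sysctl.conf /usr/share/lxc/config/common.seccomp` covers the two files the page edits; note that sysctl.conf only records the configured value, so pair it with `sysctl kernel.dmesg_restrict` to confirm the running kernel matches.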

 


References