container's /home/ubuntu/ spawns with incorrect permissions, preventing SSH access
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
lxc (Ubuntu) | Fix Released | Undecided | Unassigned | | |
Bug Description
agent-version: 1.15.0.1
ii juju-core 1.15.0-
ii juju-local 1.14.1-
Attempting to use the local provider, I find that I cannot ssh to new containers, failing public key authentication. Poking around on the host in the rootfs directory for the container (/var/lib/
Oct 7 20:19:22 ubuntu-
$ ls -lh /var/lib/
total 4.0K
drwxr-xr-x 3 ubuntu ubuntu 4.0K Oct 7 20:17 ubuntu
$ ls -lha /var/lib/
total 24K
drwxr-xr-x 3 ubuntu ubuntu 4.0K Oct 7 20:17 .
drwxr-xr-x 3 root root 4.0K Oct 3 07:06 ..
-rw-r--r-- 1 ubuntu ubuntu 220 Apr 3 2012 .bash_logout
-rw-r--r-- 1 ubuntu ubuntu 3.5K Apr 3 2012 .bashrc
-rw-r--r-- 1 ubuntu ubuntu 675 Apr 3 2012 .profile
drwx------ 2 sower sower 4.0K Oct 7 20:17 .ssh
$ sudo ls -lha /var/lib/
total 12K
drwx------ 2 sower sower 4.0K Oct 7 20:17 .
drwxr-xr-x 3 ubuntu ubuntu 4.0K Oct 7 20:17 ..
-rw------- 1 sower sower 381 Oct 7 20:17 authorized_keys
The sower user is a user on the host system with uid 1000. I am using juju as the ubuntu user (uid 1001). With the exception of /home/ubuntu/.ssh/, it looks like /home/ubuntu ends up with incorrect ownership. Manually changing ownership of the directory and its contents to uid 1000 from the host allows me to SSH in.
affects: | juju → juju-core |
tags: | added: theme-oil |
affects: | juju-core → lxc |
affects: | ubuntu (Ubuntu) → lxc (Ubuntu) |
no longer affects: | lxc |
Changed in lxc (Ubuntu): | |
status: | New → Fix Released |
For reference, to reproduce this, launch an instance of saucy with this user-data:
#cloud-config
system_info:
  default_user:
    name: smoser
ssh into instance, then add a 'ubuntu' user. That new ubuntu user should get uid '1001' (anything other than 1000 is needed to show the problem).
Then,
$ id -u; whoami
1000
smoser
$ id -u ubuntu
1001
$ sudo lxc-create -t ubuntu-cloud -n precise-source -- --release=precise
$ sudo lxc-create -t ubuntu-cloud -n lucid-source -- --release=lucid
# verify the home dir has correct ownership wrt the /etc/passwd inside the image
$ ls --numeric-uid-gid -d /var/lib/lxc/precise-source/rootfs/home/ubuntu
drwxr-xr-x 2 1000 1000 4096 Oct 3 07:06 /var/lib/lxc/precise-source/rootfs/home/ubuntu
$ grep ubuntu /var/lib/lxc/precise-source/rootfs/etc/passwd
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
$ ls --numeric-uid-gid -d /var/lib/lxc/lucid-source/rootfs/home/ubuntu
drwxr-xr-x 2 1000 1000 4096 Oct 7 03:05 /var/lib/lxc/lucid-source/rootfs/home/ubuntu
$ grep "ubuntu" /var/lib/lxc/lucid-source/rootfs/etc/passwd
ubuntu:x:1000:1000:Ubuntu,,,:/home/ubuntu:/bin/bash
$ sudo lxc-clone --snapshot -B overlayfs -o precise-source -n test1 -- --auth-key=/home/smoser/.ssh/id_rsa.pub
$ sudo lxc-start --daemon --name test1
$ sudo lxc-ls --fancy --fancy-format="ipv4" test1
IPV4
----------
10.0.3.252
$ ssh ubuntu@10.0.3.252 "echo It worked"
The authenticity of host '10.0.3.252 (10.0.3.252)' can't be established.
ECDSA key fingerprint is 3d:e8:79:9d:b0:02:5f:3e:db:b3:8e:97:d2:23:4a:af.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.3.252' (ECDSA) to the list of known hosts.
It worked
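
The manual check in the comment above (numeric owner of the home directory versus the uid in the rootfs's own /etc/passwd), extended to .ssh and authorized_keys, as an added shell example that is not part of the original report or of lxc/juju. `audit_home` and `make_sample_rootfs` are hypothetical names, and GNU `stat` is assumed.

```sh
#!/bin/sh
# Added example: audit_home and make_sample_rootfs are hypothetical helpers,
# not part of lxc or juju. Assumes GNU stat (as on Ubuntu).

# audit_home ROOTFS USER
# Compare the numeric owner of USER's home, ~/.ssh and authorized_keys under
# ROOTFS with the uid:gid in ROOTFS/etc/passwd. Host-side names are ignored,
# since uid 1000 may be a different account on the host than in the container.
# Returns 0 if all match, 1 on any mismatch, 2 if USER has no passwd entry.
audit_home() {
    rootfs=$1 user=$2
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$rootfs/etc/passwd")
    [ -n "$entry" ] || { echo "no passwd entry for $user" >&2; return 2; }
    want=$(printf '%s\n' "$entry" | cut -d: -f3,4)   # uid:gid the container expects
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$rootfs$p" ] || continue
        have=$(stat -c '%u:%g' "$rootfs$p")          # numeric ids, no name lookup
        if [ "$have" = "$want" ]; then
            echo "ok       $p $have"
        else
            echo "MISMATCH $p owner=$have passwd=$want"
            rc=1
        fi
    done
    return $rc
}

# make_sample_rootfs DIR UID GID
# Build a constructed rootfs whose files are owned by the caller while
# etc/passwd claims UID:GID for "ubuntu", so no root is needed to try it.
make_sample_rootfs() {
    mkdir -p "$1/etc" "$1/home/ubuntu/.ssh"
    : > "$1/home/ubuntu/.ssh/authorized_keys"
    echo "ubuntu:x:$2:$3:Ubuntu:/home/ubuntu:/bin/bash" > "$1/etc/passwd"
}

# Usage: sh audit.sh ROOTFS USER
if [ $# -eq 2 ]; then audit_home "$1" "$2"; fi
```

A mismatch on any of these paths is the condition sshd's default `StrictModes yes` check refuses public-key logins for, since it accepts only the account itself or root as owner.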