croco | 29 Sep 21:53 2009

can't create users under openvz container

Colleagues,

I've just run into another issue.  I'm using Owl from the recent -current
ISO both for the HN and for the VPS; the O.S. template has been created
following the instructions found on this list's archives (thanks Galaxy!),
here: http://www.openwall.com/lists/owl-users/2007/05/08/2
Unfortunately I'm using a kernel taken right from openvz.org, not the
Openwall one, because I couldn't find the OpenVZ kernel at the Openwall ftp
site.

The VPS runs, processes seem Okay, it pings and can be accessed by ssh,
but a simple useradd command fails like this:

varan101!root:~# useradd -u 1000 crocodil
useradd: cannot lock shadow password file
varan101!root:~# 

Using strace I see the following:

open("/etc/tcb/crocodil/shadow.lock",
O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW, 0600) = -1 EACCES
(Permission denied)

The kernel version is this:

Linux XXXXXXXXXXXXXXXXX 2.6.18-ovz028stab056.1 #1 Mon Aug 18 13:00:29 MSD
2008 i686 GNU/Linux

Maybe this is a known issue?  What am I doing wrong?

Dmitry V. Levin | 29 Sep 22:01 2009

Re: can't create users under openvz container

On Tue, Sep 29, 2009 at 11:53:41PM +0400, croco <at> openwall.com wrote:
[...]
> Using strace I see the following:
> 
> open("/etc/tcb/crocodil/shadow.lock",
> O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW, 0600) = -1 EACCES
> (Permission denied)

Looks like something odd happened with permissions, either with
/etc/tcb/crocodil or one of its parents.

/etc/tcb/crocodil should be owned by crocodil:auth and have access mode 02710.
/etc/tcb -- root:shadow and 0710.
/etc and / should have access mode a+x.

-- 
ldv
croco | 30 Sep 13:51 2009

revised instruction for Owl-based template creation (was Re: [owl-users] can't create users...)

Dmitry, All,

On Wed, Sep 30, 2009 at 12:01:58AM +0400, Dmitry V. Levin wrote:
> On Tue, Sep 29, 2009 at 11:53:41PM +0400, croco <at> openwall.com wrote:
> > open("/etc/tcb/crocodil/shadow.lock",
> > O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW, 0600) = -1 EACCES
> > (Permission denied)
> 
> /etc/tcb/crocodil should be owned by crocodil:auth and have access mode 02710.
> /etc/tcb -- root:shadow and 0710.
> /etc and / should have access mode a+x.

Dmitry, thank you very much!  The problem really was with the / directory
permissions.  Errr.. great experience :-)

2All: I've just created a wiki page with an instruction on Owl-based
template creation actually based on the instruction published by Galaxy on
this list 2 years ago.  The instruction contains more details (e.g. how to
use 'make installworld'), some links, the notice about "chmod 755 /", and
also --ostemplate instead of (erroneous) --os-template.  However, the
instruction perhaps needs to be improved further, so everyone's welcome to
take part :-)  It is found here:

http://openwall.info/wiki/Owl/usage-examples/OpenVZ/template-creation

Thanks for cooperation!

--
Croco

Solar Designer | 1 Oct 16:13 2009

Re: revised instruction for Owl-based template creation

On Wed, Sep 30, 2009 at 03:51:27PM +0400, croco <at> openwall.com wrote:
> 2All: I've just created a wiki page with an instruction on Owl-based
> template creation actually based on the instruction published by Galaxy on
> this list 2 years ago.  The instruction contains more details (e.g. how to
> use 'make installworld'), some links, the notice about "chmod 755 /", and
> also --ostemplate instead of (erroneous) --os-template.  However, the
> instruction perhaps needs to be improved further, so everyone's welcome to
> take part :-)  It is found here:
> 
> http://openwall.info/wiki/Owl/usage-examples/OpenVZ/template-creation

Thank you!  I made some minor edits to the above wiki page yesterday.
It will need to be significantly revised once we integrate OpenVZ into
Owl, yet even when we do it will make some sense for Owl users to create
their own OpenVZ templates, so a wiki page like this will be useful.

Alexander

Solar Designer | 30 Sep 00:59 2009

Re: can't create users under openvz container

On Tue, Sep 29, 2009 at 11:53:41PM +0400, croco <at> openwall.com wrote:
> The VPS runs, processes seem Okay, it pings and can be accessed by ssh,
> but a simple useradd command fails like this:
> 
> varan101!root:~# useradd -u 1000 crocodil
> useradd: cannot lock shadow password file
> varan101!root:~# 
> 
> Using strace I see the following:
> 
> open("/etc/tcb/crocodil/shadow.lock",
> O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW, 0600) = -1 EACCES
> (Permission denied)

This is typically caused by improper permissions on "/" (the fs root
directory), which in turn may have been caused by "/" or "." missing
from your OpenVZ template.  "chmod 755 /" run from within the container
should fix this for the container.  Adding "." with mode 755 to the
template tarball should fix it for other containers created from the
template (as far as I recall).

> The kernel version is this:
> 
> Linux XXXXXXXXXXXXXXXXX 2.6.18-ovz028stab056.1 #1 Mon Aug 18 13:00:29 MSD
> 2008 i686 GNU/Linux

This is unrelated to the problem at hand, but the above is an outdated
kernel version.  I understand that you picked a pre-built OpenVZ kernel,
but they have newer versions pre-built as well - in fact, they do it for
each new version they release on the "rhel5" branch.  The current stable

croco | 30 Sep 14:05 2009

Re: can't create users under openvz container

On Wed, Sep 30, 2009 at 02:59:46AM +0400, Solar Designer wrote:
> On Tue, Sep 29, 2009 at 11:53:41PM +0400, croco <at> openwall.com wrote:
>
> > open("/etc/tcb/crocodil/shadow.lock",
> > O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW, 0600) = -1 EACCES
> > (Permission denied)
> 
> This is typically caused by improper permissions on "/" (the fs root
> directory), which in turn may have been caused by "/" or "." missing
> from your OpenVZ template.  "chmod 755 /" run from within the container
> should fix this for the container.  Adding "." with mode 755 to the
> template tarball should fix it for other containers created from the
> template (as far as I recall).

Exactly this.  Dmitry (ldv) was the first to mention this to me, so I
checked it and saw this is really the case.  See my reply to Dmitry for the
path to the new wiki page I've just created :-)

> This is unrelated to the problem at hand, but the above is an outdated
> kernel version.  I understand that you picked a pre-built OpenVZ kernel,
> but they have newer versions pre-built as well - in fact, they do it for
> each new version they release on the "rhel5" branch.  The current stable
> "rhel5" branch version is:
> 
> http://wiki.openvz.org/Download/kernel/rhel5/028stab064.7

Actually this was the first one I tried.  On my machine it was hanging on
the message "BIOS check successful".  I'm not sure whether it is a buggy
kernel or a buggy machine -- either way, the version I finally picked (see
below) just works.