Solar Designer | 30 Sep 00:59 2009

Re: can't create users under openvz container

On Tue, Sep 29, 2009 at 11:53:41PM +0400, croco <at> openwall.com wrote:
> The VPS runs, processes seem Okay, it pings and can be accessed by ssh,
> but simple useradd command fails like this:
> 
> varan101!root:~# useradd -u 1000 crocodil
> useradd: cannot lock shadow password file
> varan101!root:~# 
> 
> Using strace I see the following:
> 
> open("/etc/tcb/crocodil/shadow.lock",
> O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW, 0600) = -1 EACCES
> (Permission denied)

This is typically caused by improper permissions on "/" (the fs root
directory), which in turn may have been caused by "/" or "." missing
from your OpenVZ template.  "chmod 755 /" run from within the container
should fix this for the container.  Adding "." with mode 755 to the
template tarball should fix it for other containers created from the
template (as far as I recall).

> The kernel version is this:
> 
> Linux XXXXXXXXXXXXXXXXX 2.6.18-ovz028stab056.1 #1 Mon Aug 18 13:00:29 MSD
> 2008 i686 GNU/Linux

This is unrelated to the problem at hand, but the above is an outdated
kernel version.  I understand that you picked a pre-built OpenVZ kernel,
but they have newer versions pre-built as well - in fact, they do it for
each new version they release on the "rhel5" branch.  The current stable
"rhel5" branch version is:

http://wiki.openvz.org/Download/kernel/rhel5/028stab064.7

The download directory for these is:

http://download.openvz.org/kernel/branches/rhel5-2.6.18/stable/

Perhaps the OpenVZ folks should no longer declare the branch based on
vanilla 2.6.18 "maintained", with no new version on that branch for over
a year now.  In fact, I don't think further maintenance of that branch
would even make sense - it would need to include all the same security
fixes that are getting into the "rhel5" branch anyway.  Perhaps we
should notify them of this bug / outdated info on the web page at
http://download.openvz.org/kernel/ , which I think is what lured you
into downloading that kernel.

Alexander
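
A check for the two conditions the reply names, the mode of "/" inside the container and a "." entry with mode 755 in the template tarball, written as an added example that is not part of the original message. The function names and the constructed sample tarballs are assumptions of this example.

```shell
#!/bin/sh
# Added example: check the root-directory mode that the reply identifies.
EXPECTED="drwxr-xr-x"   # mode 755 on a directory, as ls and tar print it

# Print the mode string of the "." entry in a template tarball.
# Returns 1 when the tarball has no "." or "./" entry at all.
template_root_mode() {
    tar -tvf "$1" 2>/dev/null | awk '
        $NF == "./" || $NF == "." { print substr($1, 1, 10); found = 1; exit }
        END { exit !found }'
}

# 0: "." present with mode 755; 1: "." missing; 2: "." has another mode.
check_template() {
    mode=$(template_root_mode "$1") || { echo "$1: no \".\" entry"; return 1; }
    if [ "$mode" = "$EXPECTED" ]; then echo "$1: ok"; return 0; fi
    echo "$1: \".\" has mode $mode, expected $EXPECTED"
    return 2
}

# Same check on a live directory; defaults to "/" (run inside the container).
check_root_dir() {
    dir=${1:-/}
    mode=$(ls -ld "$dir" | cut -c1-10)
    if [ "$mode" = "$EXPECTED" ]; then return 0; fi
    echo "$dir has mode $mode; fix from the reply: chmod 755 $dir"
    return 1
}

# Build three constructed sample templates under directory $1 (test data).
make_samples() {
    mkdir -p "$1/root/etc" && chmod 755 "$1/root"
    tar -czf "$1/good.tar.gz" -C "$1/root" .       # "./" with mode 755
    tar -czf "$1/nodot.tar.gz" -C "$1/root" etc    # no "." entry
    chmod 700 "$1/root"
    tar -czf "$1/mode700.tar.gz" -C "$1/root" .    # "./" with mode 700
}

# Check any template tarballs named on the command line.
for t in "$@"; do check_template "$t" || true; done
```

Run it with template tarball paths as arguments on the host, or call check_root_dir with no argument from a shell inside the container.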
