TL;DR Do not set passwords on container users; get a shell with native LXC tooling, taking advantage of the host authentication. Reduce the attack surface of exposed services.
ORIGINAL POST Container shell with no password
Proxmox VE has an unusual default way to get a shell in an LXC container - the GUI method basically follows the CLI logic of the bespoke pct command:
pct console 100
Connected to tty 1
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself

Fedora Linux 39 (Container Image)
Kernel 6.8.12-4-pve on an x86_64 (tty2)

ct1 login:
But when you think of it, what is going on? These are LXC containers, so it’s all running on the host just using kernel containment features. And you are already authenticated when on the host machine.
CAUTION This is a little different in a PVE cluster when using a shell on another node: such a connection has to be relayed to the actual host first, but let’s leave that case aside here.
So how about reaching out for the native tooling?
lxc-info 100
Name:           100
State:          RUNNING
PID:            1344
IP:             10.10.10.100
Link:           veth100i0
 TX bytes:      4.97 KiB
 RX bytes:      93.84 KiB
 Total bytes:   98.81 KiB
Looks like our container is all well, then:
lxc-attach 100
[root@ct1 ~]#
Yes, that’s right, a root shell, of our container:
cat /etc/os-release
NAME="Fedora Linux"
VERSION="39 (Container Image)"
ID=fedora
VERSION_ID=39
VERSION_CODENAME=""
PLATFORM_ID="platform:f39"
PRETTY_NAME="Fedora Linux 39 (Container Image)"
---8<---
Well, and that’s about it.
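To check the TL;DR's advice against an existing container, here is an added example (not part of the original post) that reads shadow(5) entries and lists the accounts that can still log in with a password or with an empty one. The function names and the sample entries are constructed for illustration; the commented invocation assumes container 100 from the post and a root shell on the host.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_shadow: read shadow(5)-format lines on stdin and print every account
# whose password field allows password authentication.
audit_shadow() {
    awk -F: '
        /^#/     { next }   # comment line
        NF < 2   { next }   # blank or malformed line
        # Empty field: the account logs in with no password at all.
        $2 == "" { print $1 ": EMPTY password field"; next }
        # "*", "!", "!!" or "!<hash>": no usable password (none set or locked).
        $2 ~ /^[!*]/ { next }
        # Anything else is a hash that login, su or sshd will accept.
        { print $1 ": password hash set" }
    '
}

# Constructed sample entries (salts and hashes are placeholders, not real).
sample_shadow() {
cat <<'EOF'
root:*:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19800:0:99999:7:::
bob:!$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19800:0:99999:7:::
svc::19800:0:99999:7:::
EOF
}

# Demonstration on the constructed sample.
sample_shadow | audit_shadow

# On the PVE host, against a running container (assumption: ID 100):
#   lxc-attach -n 100 -- cat /etc/shadow | audit_shadow
```

An empty result means no account in the container accepts a password, so the host-authenticated lxc-attach route is the only way to a shell there.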