LXD Container - cannot install SSH server - wrong permissions

C2331
New here
Posts: 4
Joined: Wed Aug 25, 2021 6:58 pm

LXD Container - cannot install SSH server - wrong permissions

Post by C2331 »

Hello,

I am trying to create an LXD container (either Ubuntu or Debian), but various errors come up when trying to apt update or apt install openssh-server.

When running in unprivileged mode apt update complains about the certificates

Code:

root@ubuntu-1:~# apt update
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Get:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:3 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Err:1 http://archive.ubuntu.com/ubuntu focal InRelease            
  At least one invalid signature was encountered.
Err:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease      
  At least one invalid signature was encountered.
Err:3 http://security.ubuntu.com/ubuntu focal-security InRelease
  At least one invalid signature was encountered.
Fetched 228 kB in 1s (217 kB/s)
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://archive.ubuntu.com/ubuntu focal InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://archive.ubuntu.com/ubuntu focal-updates InRelease: At least one invalid signature was encountered.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.ubuntu.com/ubuntu focal-security InRelease: At least one invalid signature was encountered.
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal/InRelease  At least one invalid signature was encountered.
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease  At least one invalid signature was encountered.
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/focal-security/InRelease  At least one invalid signature was encountered.
W: Some index files failed to download. They have been ignored, or old ones used instead.

When running in privileged mode, apt update works ok, but when trying to install openssh-server it fails

Code:

root@ubuntu-1:~# apt update
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Get:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:3 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [1173 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal-updates/main Translation-en [253 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [849 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal-updates/universe Translation-en [179 kB]
Fetched 2682 kB in 1s (1971 kB/s)                             
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
root@ubuntu-1:~# apt-get install openssh-server
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libpsl5 libwrap0 ncurses-term openssh-sftp-server publicsuffix
  python3-certifi python3-chardet python3-distro python3-idna python3-requests
  python3-urllib3 ssh-import-id wget
Suggested packages:
  molly-guard monkeysphere ssh-askpass ufw python3-cryptography
  python3-openssl python3-socks
The following NEW packages will be installed:
  libpsl5 libwrap0 ncurses-term openssh-server openssh-sftp-server
  publicsuffix python3-certifi python3-chardet python3-distro python3-idna
  python3-requests python3-urllib3 ssh-import-id wget
0 upgraded, 14 newly installed, 0 to remove and 0 not upgraded.
Need to get 1659 kB of archives.
After this operation, 9318 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 libpsl5 amd64 0.21.0-1ubuntu1 [51.5 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal/main amd64 publicsuffix all 20200303.0012-1 [111 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal/main amd64 wget amd64 1.20.3-1ubuntu1 [349 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal/main amd64 libwrap0 amd64 7.6.q-30 [46.3 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal/main amd64 ncurses-term all 6.2-0ubuntu2 [249 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 openssh-sftp-server amd64 1:8.2p1-4ubuntu0.3 [51.5 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 openssh-server amd64 1:8.2p1-4ubuntu0.3 [377 kB]
Get:8 http://archive.ubuntu.com/ubuntu focal/main amd64 python3-certifi all 2019.11.28-1 [149 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal/main amd64 python3-chardet all 3.0.4-4build1 [80.4 kB]
Get:10 http://archive.ubuntu.com/ubuntu focal/main amd64 python3-idna all 2.8-1 [34.6 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 python3-urllib3 all 1.25.8-2ubuntu0.1 [88.3 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal/main amd64 python3-requests all 2.22.0-2ubuntu1 [47.1 kB]
Get:13 http://archive.ubuntu.com/ubuntu focal/main amd64 python3-distro all 1.4.0-1 [14.6 kB]
Get:14 http://archive.ubuntu.com/ubuntu focal/main amd64 ssh-import-id all 5.10-0ubuntu1 [10.0 kB]
Fetched 1659 kB in 1s (2867 kB/s)    
debconf: unable to initialize frontend: Dialog
debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (Can't locate Term/ReadLine.pm in @INC (you may need to install the Term::ReadLine module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.30.0 /usr/local/share/perl/5.30.0 /usr/lib/x86_64-linux-gnu/perl5/5.30 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.30 /usr/share/perl/5.30 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at /usr/share/perl5/Debconf/FrontEnd/Readline.pm line 7, <> line 14.)
debconf: falling back to frontend: Teletype
Preconfiguring packages ...
Selecting previously unselected package libpsl5:amd64.
(Reading database ... 14721 files and directories currently installed.)
Preparing to unpack .../00-libpsl5_0.21.0-1ubuntu1_amd64.deb ...
Unpacking libpsl5:amd64 (0.21.0-1ubuntu1) ...
Selecting previously unselected package publicsuffix.
Preparing to unpack .../01-publicsuffix_20200303.0012-1_all.deb ...
Unpacking publicsuffix (20200303.0012-1) ...
Selecting previously unselected package wget.
Preparing to unpack .../02-wget_1.20.3-1ubuntu1_amd64.deb ...
Unpacking wget (1.20.3-1ubuntu1) ...
Selecting previously unselected package libwrap0:amd64.
Preparing to unpack .../03-libwrap0_7.6.q-30_amd64.deb ...
Unpacking libwrap0:amd64 (7.6.q-30) ...
Selecting previously unselected package ncurses-term.
Preparing to unpack .../04-ncurses-term_6.2-0ubuntu2_all.deb ...
Unpacking ncurses-term (6.2-0ubuntu2) ...
Selecting previously unselected package openssh-sftp-server.
Preparing to unpack .../05-openssh-sftp-server_1%3a8.2p1-4ubuntu0.3_amd64.deb ...
Unpacking openssh-sftp-server (1:8.2p1-4ubuntu0.3) ...
Selecting previously unselected package openssh-server.
Preparing to unpack .../06-openssh-server_1%3a8.2p1-4ubuntu0.3_amd64.deb ...
Unpacking openssh-server (1:8.2p1-4ubuntu0.3) ...
Selecting previously unselected package python3-certifi.
Preparing to unpack .../07-python3-certifi_2019.11.28-1_all.deb ...
Unpacking python3-certifi (2019.11.28-1) ...
Selecting previously unselected package python3-chardet.
Preparing to unpack .../08-python3-chardet_3.0.4-4build1_all.deb ...
Unpacking python3-chardet (3.0.4-4build1) ...
Selecting previously unselected package python3-idna.
Preparing to unpack .../09-python3-idna_2.8-1_all.deb ...
Unpacking python3-idna (2.8-1) ...
Selecting previously unselected package python3-urllib3.
Preparing to unpack .../10-python3-urllib3_1.25.8-2ubuntu0.1_all.deb ...
Unpacking python3-urllib3 (1.25.8-2ubuntu0.1) ...
Selecting previously unselected package python3-requests.
Preparing to unpack .../11-python3-requests_2.22.0-2ubuntu1_all.deb ...
Unpacking python3-requests (2.22.0-2ubuntu1) ...
Selecting previously unselected package python3-distro.
Preparing to unpack .../12-python3-distro_1.4.0-1_all.deb ...
Unpacking python3-distro (1.4.0-1) ...
Selecting previously unselected package ssh-import-id.
Preparing to unpack .../13-ssh-import-id_5.10-0ubuntu1_all.deb ...
Unpacking ssh-import-id (5.10-0ubuntu1) ...
Setting up openssh-sftp-server (1:8.2p1-4ubuntu0.3) ...
Setting up libpsl5:amd64 (0.21.0-1ubuntu1) ...
Setting up python3-distro (1.4.0-1) ...
Setting up wget (1.20.3-1ubuntu1) ...
Setting up python3-chardet (3.0.4-4build1) ...
Setting up libwrap0:amd64 (7.6.q-30) ...
Setting up python3-certifi (2019.11.28-1) ...
Setting up python3-idna (2.8-1) ...
Setting up python3-urllib3 (1.25.8-2ubuntu0.1) ...
Setting up publicsuffix (20200303.0012-1) ...
Setting up ncurses-term (6.2-0ubuntu2) ...
Setting up openssh-server (1:8.2p1-4ubuntu0.3) ...
debconf: unable to initialize frontend: Dialog
debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (Can't locate Term/ReadLine.pm in @INC (you may need to install the Term::ReadLine module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.30.0 /usr/local/share/perl/5.30.0 /usr/lib/x86_64-linux-gnu/perl5/5.30 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.30 /usr/share/perl/5.30 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at /usr/share/perl5/Debconf/FrontEnd/Readline.pm line 7.)
debconf: falling back to frontend: Teletype

Creating config file /etc/ssh/sshd_config with new version
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:27lqODlID57AdXrz4AolGmHQ598wNNuajfKe3N51Lfc root@ubuntu-1 (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:o9nI9MOW+HfzzqYal1dHID7jqr84a9HjU5MA5amI9Vo root@ubuntu-1 (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:iaZgvwxOhTWwx3aulhN/7dOJZ8NNj9xMGIzzc+m39kM root@ubuntu-1 (ED25519)
Created symlink /etc/systemd/system/sshd.service → /lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /lib/systemd/system/ssh.service.
rescue-ssh.target is a disabled or a static unit, not starting it.
Job for ssh.service failed because the control process exited with error code.
See "systemctl status ssh.service" and "journalctl -xe" for details.
invoke-rc.d: initscript ssh, action "start" failed.
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
    Drop-In: /run/systemd/system/service.d
             └─zzz-lxc-service.conf
     Active: activating (auto-restart) (Result: exit-code) since Mon 2021-08-30 12:21:07 UTC; 14ms ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 937 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=1/FAILURE)
dpkg: error processing package openssh-server (--configure):
 installed openssh-server package post-installation script subprocess returned error exit status 1
Setting up python3-requests (2.22.0-2ubuntu1) ...
Setting up ssh-import-id (5.10-0ubuntu1) ...
Attempting to convert /etc/ssh/ssh_import_id
Processing triggers for systemd (245.4-4ubuntu3.11) ...
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
Errors were encountered while processing:
 openssh-server
E: Sub-process /usr/bin/dpkg returned an error code (1)

On the example above, I am using apt-get instead of apt, because apt messes up the output on the browser terminal. Either way, both commands fail the same.

journalctl shows the following:

Code:

Aug 30 12:22:42 ubuntu-1 systemd[1]: Starting OpenBSD Secure Shell server...
-- Subject: A start job for unit ssh.service has begun execution
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- A start job for unit ssh.service has begun execution.
-- 
-- The job identifier is 679.
Aug 30 12:22:42 ubuntu-1 sshd[1283]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 30 12:22:42 ubuntu-1 sshd[1283]: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Aug 30 12:22:42 ubuntu-1 sshd[1283]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 30 12:22:42 ubuntu-1 sshd[1283]: Permissions 0777 for '/etc/ssh/ssh_host_rsa_key' are too open.
Aug 30 12:22:42 ubuntu-1 sshd[1283]: It is required that your private key files are NOT accessible by others.
Aug 30 12:22:42 ubuntu-1 sshd[1283]: This private key will be ignored.
Aug 30 12:22:42 ubuntu-1 sshd[1283]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 30 12:22:42 ubuntu-1 sshd[1283]: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Aug 30 12:22:42 ubuntu-1 sshd[1283]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 30 12:22:42 ubuntu-1 sshd[1283]: Permissions 0777 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
Aug 30 12:22:42 ubuntu-1 sshd[1283]: It is required that your private key files are NOT accessible by others.
Aug 30 12:22:42 ubuntu-1 sshd[1283]: This private key will be ignored.
Aug 30 12:22:42 ubuntu-1 sshd[1283]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 30 12:22:42 ubuntu-1 sshd[1283]: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
Aug 30 12:22:42 ubuntu-1 sshd[1283]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Aug 30 12:22:42 ubuntu-1 sshd[1283]: Permissions 0777 for '/etc/ssh/ssh_host_ed25519_key' are too open.
Aug 30 12:22:42 ubuntu-1 sshd[1283]: It is required that your private key files are NOT accessible by others.
Aug 30 12:22:42 ubuntu-1 sshd[1283]: This private key will be ignored.
Aug 30 12:22:42 ubuntu-1 sshd[1283]: sshd: no hostkeys available -- exiting.
Aug 30 12:22:42 ubuntu-1 systemd[1]: ssh.service: Control process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- 
-- An ExecStartPre= process belonging to unit ssh.service has exited.
-- 
-- The process' exit code is 'exited' and its exit status is 1.

This is a fresh install, without ever touching any of the permissions mentioned.
The exact same issue occurs with Debian 11 as well.

Here are the contents and permissions of /etc/ssh

Code:

root@ubuntu-1:~# ls -lash /etc/ssh
total 155K
8.5K drwxr-xr-x+  4 root root   14 Aug 30 12:21 .
 49K drwxr-xr-x+ 63 root root  135 Aug 30 12:21 ..
 41K -rw-r--r--+  1 root root 523K Jul 23 12:55 moduli
4.5K -rw-r--r--+  1 root root 1.6K Jul 23 12:55 ssh_config
8.5K drwxr-xr-x+  2 root root    2 Jul 23 12:55 ssh_config.d
4.5K -rwxrwxrwx+  1 root root  505 Aug 30 12:21 ssh_host_ecdsa_key
4.5K -rwxrwxrwx+  1 root root  175 Aug 30 12:21 ssh_host_ecdsa_key.pub
4.5K -rwxrwxrwx+  1 root root  399 Aug 30 12:21 ssh_host_ed25519_key
4.5K -rwxrwxrwx+  1 root root   95 Aug 30 12:21 ssh_host_ed25519_key.pub
4.5K -rwxrwxrwx+  1 root root 2.6K Aug 30 12:21 ssh_host_rsa_key
4.5K -rwxrwxrwx+  1 root root  567 Aug 30 12:21 ssh_host_rsa_key.pub
4.5K -rw-rwxr--+  1 root root  342 Aug 30 12:21 ssh_import_id
4.5K -rw-rwxr--+  1 root root 3.3K Jul 23 12:55 sshd_config
8.5K drwxr-xr-x+  2 root root    2 Jul 23 12:55 sshd_config.d

Does anyone know what I am doing wrong here that messes up the permissions?

This is on a QNAP TS-h886 running QuTS Hero h4.5.3.1698 and Container Station V2.4.0.2316
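
Added example, not part of any post in this thread: the journalctl output above comes from sshd's private-key permission test, which ignores a key owned by the running user when any group or other bit is set (mode & 077). The script below applies the same test to a directory of host keys and re-checks after a chmod; the function names and the throwaway sample directory are constructed for illustration, and GNU stat (as shipped in Ubuntu and Debian) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): apply sshd's private-key permission
# test to the host keys in a directory. Assumes GNU stat (Ubuntu/Debian).

# Print "MODE PATH" for every private host key that group or others can
# access (mode & 077 != 0). Returns 1 if any such key exists, else 0.
audit_hostkeys() {
    dir=$1
    bad=0
    for key in "$dir"/ssh_host_*_key; do      # pattern excludes the .pub files
        [ -f "$key" ] || continue             # glob matched nothing
        mode=$(stat -c '%a' "$key")           # octal mode, e.g. 777 or 600
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$key"
            bad=1
        fi
    done
    return "$bad"
}

# Set every private host key to 0600, then audit again so that a chmod
# that did not take effect is reported instead of assumed.
repair_hostkeys() {
    dir=$1
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        chmod 600 "$key"
    done
    audit_hostkeys "$dir"
}

# Constructed sample: a throwaway directory that mimics the listing in the
# post (private and public host keys all created with mode 0777).
demo() {
    d=$(mktemp -d)
    for t in rsa ecdsa ed25519; do
        : > "$d/ssh_host_${t}_key";     chmod 777 "$d/ssh_host_${t}_key"
        : > "$d/ssh_host_${t}_key.pub"; chmod 777 "$d/ssh_host_${t}_key.pub"
    done
    audit_hostkeys "$d" || echo "sshd would ignore the keys listed above"
    repair_hostkeys "$d" && echo "all private host keys are now 0600"
    rm -rf "$d"
}
demo
```

On a real container, `audit_hostkeys /etc/ssh` followed by `sshd -t` (the same pre-start check shown in the systemd status output) confirms whether the service can load its keys.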
C2331
New here
Posts: 4
Joined: Wed Aug 25, 2021 6:58 pm

Re: LCD Container - cannot install SSH server - wrong permissions

Post by C2331 »

Can a mod edit the title? I posted LCD instead of LXD :oops:
OneCD
Guru
Posts: 12137
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: LCD Container - cannot install SSH server - wrong permissions

Post by OneCD »

C2331 wrote: Mon Aug 30, 2021 8:43 pm Can a mod edit the title? I posted LCD instead of LXD :oops:
I’ve unlocked it for you. First posts here are usually locked to prevent later editing by spambot accounts, but your account looks legit. ;)

C2331
New here
Posts: 4
Joined: Wed Aug 25, 2021 6:58 pm

Re: LXD Container - cannot install SSH server - wrong permissions

Post by C2331 »

Thanks :)
jedimaster
Starting out
Posts: 11
Joined: Mon Oct 11, 2021 1:32 am

Re: LXD Container - cannot install SSH server - wrong permissions

Post by jedimaster »

I have the same issue, and apparently there are several other threads active in this forum regarding this problem. Qnap needs to address this issue really fast; without the SSH a LXD container is totally useless.


update: I might add that I've tested this with different Linux distributions and versions, and the results are all the same.
The force is with me, always!
jedimaster
Starting out
Posts: 11
Joined: Mon Oct 11, 2021 1:32 am

Re: LXD Container - cannot install SSH server - wrong permissions

Post by jedimaster »

This issue has been resolved with the latest Container Station update version 2.4.3.190, I just tested it and it works.
The force is with me, always!