Description
@lstuber and @3XX0 reported the following issue when trying to ssh to an openssh server running inside a pyxis container:
From the terminal running sshd:
sshd verifies it can drop privileges, so --no-container-remap-root is required.
Root cause
After allocating a new pty, sshd will try to chown it for the target user. This doesn't work under pyxis because we are inside a user namespace with only one mapped group, so the tty group isn't available. enroot doesn't have this problem because it always applies the seccomp filter to fake those calls, whereas pyxis only applies this filter when remapping the user as root.
Workaround
Use srun enroot start pyxis_ubuntu /usr/sbin/sshd -d -p 2222 instead.
Fix
Always apply the seccomp filter in pyxis, like enroot is doing.
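As an added example (not enroot's or pyxis's own code), this is a seccomp-bpf filter that fakes the chown family in the way the root cause describes: the call returns success without the kernel executing it, so ownership is left unchanged. The name install_chown_filter, the temporary file standing in for the pty, and gid 5 for the tty group are assumptions.

```c
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* If the syscall number matches, skip the syscall and hand 0 back to the caller. */
#define FAKE_SUCCESS(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | 0)

/* Fake chown, fchown and fchownat; allow every other syscall.
 * Simplification: a production filter also validates seccomp_data.arch. */
int install_chown_filter(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef SYS_chown /* absent on architectures that only provide fchownat */
        FAKE_SUCCESS(SYS_chown),
#endif
        FAKE_SUCCESS(SYS_fchown),
        FAKE_SUCCESS(SYS_fchownat),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    /* no_new_privs lets an unprivileged process install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    char path[] = "/tmp/pty_standin_XXXXXX"; /* constructed stand-in for the pty */
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0 || install_chown_filter() != 0) { perror("setup"); return 1; }
    /* Assumption: gid 5 is the "tty" group, as on Debian/Ubuntu images. */
    int rc = chown(path, getuid(), 5);
    stat(path, &st);
    printf("chown returned %d, file gid is still %d\n", rc, (int)st.st_gid);
    unlink(path);
    return 0;
}
```

Because the filter reports success without changing anything, sshd's post-chown expectations about pty ownership are not actually met; the filter only gets the session past the failing call.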