LXC Container login on host tty

Similar Messages

• [Solved] Decrypt files securely inside lxc container.

  Hi, this is my first question, I've been using Arch for 5 years now, thanks for all your hard work!
  I'm trying to setup an lxc container to securely view encrypted files(gpg keys encrypted with cryptsetup and a loopback device), I've done so already using cryptsetup, the only issue is that after I decrypt the device from inside the container, it is available from the host as /dev/mapper/name and I can mount it and view it's contents.
  Is there any way to set cgroups to deny host and allow lxc container to access this device, maybe I can change /dev permissions so only root on host can access? I would prefer that not even root on host can access it but I know I'm asking too much, I can do this with qemu or other VMs but there is a lot of overhead.
  If you happen to know of any way I can access files from inside lxc container but block access to host even if it is after mounting the device, I would like to hear you out.
  I'm running an archlinux host and archlinux lxc container with grsecurity-pax enabled.
  Feel free to ask any questions if it's not clear .
  Thank you for your time, and kudos for your great work with this distro.
  Last edited by freetoken (2014-09-18 07:57:46)

  Progress!
  $ ls -la /dev/mapper/name
  lrwxrwxrwx 1 root root 7 Sep 16 09:21 /dev/mapper/name -> ../dm-0
  $ ls -la /dev/dm-0
  brw-rw---- 1 root disk 254, 0 Sep 16 09:21 /dev/dm-0
  $ rm /dev/mapper/name
  $ rm /dev/dm-0
  voila!
  The device is still there but it's not visible and user would need to have root permissions to run mknod and restore dm-0.
  Also very interesting read about cgroups for anyone interested: https://www.kernel.org/doc/Documentatio … groups.txt
  I'm wondering if there is any damage from doing this, since the data is backed up I guess I don't care too much and will test it for a while.
  If anyone has any ideas or knows some cool feature I'm missing let me know.
  Will mark as solved in 24 hours after more testing and in case something unexpected happens.

• Is it possible to run an application from a user or container login script?

  Is it possible to run an application from a user login script or a container login script?
  A "Force Run" application object works fine if the user's workstation is setup to auto-load "Application Window" or "Application Explorer" but in this case I'd like to run an application when someone does a manual login (ie. they right-click red "N" and choose "Novell Login...")
  Using a User Package's "Scheduled Action Policy" and the Event=Login also does not work when a user logs in manually. This type of Event seems to only apply when the user first logs into the workstation, not at a manual login.
  Thanks,
  Marc

  > Is it possible to run an application from a user login script or a
  container login script?
  Yes, see the documentation:
  http://www.novell.com/documentation/...a/a7q6999.html
  Regards
  Rolf Lidvall
  Swedish Radio (Ltd)

• [SOLVED] systemd 208 journald process CPU spike on LXC container start

  Hi,
  The problem is that whenever I start an LXC container, systemd-journald process goes on 100% CPU utilization and only stops when I stop the container.
  Setup details:
  % cat /var/lib/lxc/projects/config
  lxc.network.type = veth
  lxc.arch = x86_64
  lxc.utsname = projects
  lxc.network.link = virbr3
  lxc.network.flags = up
  lxc.network.ipv4 = 192.168.200.11
  lxc.rootfs = /mnt/lxc/projects
  lxc.pts = 1000
  lxc.autodev = 1
  lxc.cgroup.memory.limit_in_bytes = 256M
  The rootfs indicated is on a logical volume, /dev/mapper/virtual-projects.
  Details of journal when the spike happened:
  -- Logs begin at Sun 2013-08-04 07:19:25 IST. --
  Oct 05 09:03:30 core systemd[1]: Unit [email protected] entered failed state.
  Oct 05 09:03:30 core kernel: virbr3: port 2(vethl7BeWT) entered disabled state
  Oct 05 09:03:30 core kernel: device vethl7BeWT left promiscuous mode
  Oct 05 09:03:30 core kernel: virbr3: port 2(vethl7BeWT) entered disabled state
  Oct 05 09:03:31 core ntpd[813]: Deleting interface #13 vethl7BeWT, fe80::fcf2:f2ff:fea0:9473#123, interface stats: received=0, sent=0, dropped=0, active_time=11 secs
  Oct 05 09:03:31 core ntpd[813]: peers refreshed
  Oct 05 09:03:40 core dbus-daemon[533]: dbus[533]: [system] Activating via systemd: service name='org.freedesktop.ModemManager1' unit='dbus-org.freedesktop.ModemManager1.service'
  Oct 05 09:03:40 core dbus[533]: [system] Activating via systemd: service name='org.freedesktop.ModemManager1' unit='dbus-org.freedesktop.ModemManager1.service'
  Oct 05 09:03:40 core dbus[533]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.ModemManager1.service': Unit dbus-org.freedesktop.ModemManager1.service failed to load: No such file or directory.
  Oct 05 09:03:40 core dbus-daemon[533]: dbus[533]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.ModemManager1.service': Unit dbus-org.freedesktop.ModemManager1.service failed to load: No such file or directory.
  Oct 05 09:05:30 core systemd[1]: Starting Linux Container projects...
  Oct 05 09:05:30 core systemd[1]: Started Linux Container projects.
  Oct 05 09:05:30 core systemd-sysctl[4562]: Overwriting earlier assignment of kernel/sysrq in file '/etc/sysctl.d/zz-sysctl.conf'.
  Oct 05 09:05:30 core kernel: device vethmHU7wo entered promiscuous mode
  Oct 05 09:05:30 core kernel: IPv6: ADDRCONF(NETDEV_UP): vethmHU7wo: link is not ready
  Oct 05 09:05:30 core NetworkManager[521]: <warn> /sys/devices/virtual/net/vethSIUSbq: couldn't determine device driver; ignoring...
  Oct 05 09:05:30 core systemd-sysctl[4564]: Overwriting earlier assignment of kernel/sysrq in file '/etc/sysctl.d/zz-sysctl.conf'.
  Oct 05 09:05:30 core kernel: virbr3: topology change detected, propagating
  Oct 05 09:05:30 core kernel: virbr3: port 2(vethmHU7wo) entered forwarding state
  Oct 05 09:05:30 core kernel: virbr3: port 2(vethmHU7wo) entered forwarding state
  Oct 05 09:05:30 core kernel: virbr3: port 2(vethmHU7wo) entered disabled state
  Oct 05 09:05:30 core NetworkManager[521]: <warn> /sys/devices/virtual/net/vethmHU7wo: couldn't determine device driver; ignoring...
  Oct 05 09:05:30 core kernel: IPv6: ADDRCONF(NETDEV_CHANGE): vethmHU7wo: link becomes ready
  Oct 05 09:05:30 core kernel: virbr3: topology change detected, propagating
  Oct 05 09:05:30 core kernel: virbr3: port 2(vethmHU7wo) entered forwarding state
  Oct 05 09:05:30 core kernel: virbr3: port 2(vethmHU7wo) entered forwarding state
  Oct 05 09:05:30 core libvirtd[809]: nl_recv returned with error: No buffer space available
  Oct 05 09:05:30 core upowerd[660]: (upowerd:660): UPower-Linux-WARNING **: treating add event as change event on /org/freedesktop/UPower/devices/line_power_AC0
  Oct 05 09:05:30 core systemd-logind[516]: Watching system buttons on /dev/input/event3 (Power Button)
  Oct 05 09:05:30 core upowerd[660]: (upowerd:660): UPower-Linux-WARNING **: treating add event as change event on /org/freedesktop/UPower/devices/battery_BAT0
  Oct 05 09:05:30 core systemd-logind[516]: Watching system buttons on /dev/input/event5 (Video Bus)
  Oct 05 09:05:30 core systemd-logind[516]: Watching system buttons on /dev/input/event2 (Sleep Button)
  Oct 05 09:05:30 core systemd-logind[516]: Watching system buttons on /dev/input/event1 (Lid Switch)
  Oct 05 09:05:30 core systemd-logind[516]: Watching system buttons on /dev/input/event4 (Video Bus)
  Oct 05 09:05:30 core mtp-probe[4711]: checking bus 3, device 4: "/sys/devices/pci0000:00/0000:00:1a.0/usb3/3-1/3-1.2"
  Oct 05 09:05:30 core mtp-probe[4712]: checking bus 3, device 5: "/sys/devices/pci0000:00/0000:00:1a.0/usb3/3-1/3-1.4"
  Oct 05 09:05:30 core mtp-probe[4711]: bus: 3, device: 4 was not an MTP device
  Oct 05 09:05:30 core mtp-probe[4712]: bus: 3, device: 5 was not an MTP device
  Oct 05 09:05:30 core systemd-udevd[4561]: error opening ATTR{/sys/devices/pci0000:00/0000:00:1a.0/usb3/3-1/3-1.4/3-1.4:1.0/host6/scsi_host/host6/link_power_management_policy} for writing: No such file or directory
  Oct 05 09:05:32 core ntpd[813]: Listen normally on 14 vethmHU7wo fe80::fcf0:74ff:fe68:aade UDP 123
  Oct 05 09:05:32 core ntpd[813]: peers refreshed
  Oct 05 09:05:32 core ntpd[813]: new interface(s) found: waking up resolver
  Oct 05 09:05:40 core dbus-daemon[533]: dbus[533]: [system] Activating via systemd: service name='org.freedesktop.ModemManager1' unit='dbus-org.freedesktop.ModemManager1.service'
  Oct 05 09:05:40 core dbus[533]: [system] Activating via systemd: service name='org.freedesktop.ModemManager1' unit='dbus-org.freedesktop.ModemManager1.service'
  Oct 05 09:05:40 core dbus[533]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.ModemManager1.service': Unit dbus-org.freedesktop.ModemManager1.service failed to load: No such file or directory.
  Oct 05 09:05:40 core dbus-daemon[533]: dbus[533]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.ModemManager1.service': Unit dbus-org.freedesktop.ModemManager1.service failed to load: No such file or directory.
  Oct 05 09:06:15 core kernel: EXT4-fs (dm-10): re-mounted. Opts: commit=600
  Oct 05 09:06:15 core kernel: EXT4-fs (dm-12): re-mounted. Opts: acl,commit=600
  Oct 05 09:06:15 core kernel: EXT4-fs (dm-18): re-mounted. Opts: commit=600
  Oct 05 09:06:15 core kernel: EXT4-fs (sda1): re-mounted. Opts: commit=600
  Oct 05 09:06:16 core kernel: EXT4-fs (sda4): re-mounted. Opts: acl,commit=600
  Oct 05 09:06:21 core kernel: EXT4-fs (dm-10): re-mounted. Opts: commit=0
  Oct 05 09:06:21 core kernel: EXT4-fs (dm-12): re-mounted. Opts: acl,commit=0
  Oct 05 09:06:21 core kernel: EXT4-fs (dm-18): re-mounted. Opts: commit=0
  Oct 05 09:06:21 core kernel: EXT4-fs (sda1): re-mounted. Opts: commit=0
  Oct 05 09:06:28 core kernel: EXT4-fs (dm-10): re-mounted. Opts: commit=600
  Oct 05 09:06:28 core kernel: EXT4-fs (dm-12): re-mounted. Opts: acl,commit=600
  Oct 05 09:06:28 core kernel: EXT4-fs (dm-18): re-mounted. Opts: commit=600
  Oct 05 09:06:28 core kernel: EXT4-fs (sda1): re-mounted. Opts: commit=600
  Oct 05 09:06:28 core kernel: EXT4-fs (sda4): re-mounted. Opts: acl,commit=600
  Oct 05 09:06:31 core kernel: EXT4-fs (dm-10): re-mounted. Opts: commit=0
  Oct 05 09:06:31 core kernel: EXT4-fs (dm-12): re-mounted. Opts: acl,commit=0
  Oct 05 09:06:31 core kernel: EXT4-fs (dm-18): re-mounted. Opts: commit=0
  Oct 05 09:06:31 core kernel: EXT4-fs (sda1): re-mounted. Opts: commit=0
  Oct 05 09:06:38 core systemd[1]: Stopping Linux Container projects...
  Oct 05 09:06:38 core systemd[1]: [email protected]: main process exited, code=exited, status=137/n/a
  Oct 05 09:06:38 core systemd[1]: Stopped Linux Container projects.
  Oct 05 09:06:38 core systemd[1]: Unit [email protected] entered failed state.
  Oct 05 09:06:38 core kernel: virbr3: port 2(vethmHU7wo) entered disabled state
  Oct 05 09:06:38 core kernel: device vethmHU7wo left promiscuous mode
  Oct 05 09:06:38 core kernel: virbr3: port 2(vethmHU7wo) entered disabled state
  Oct 05 09:06:39 core ntpd[813]: Deleting interface #14 vethmHU7wo, fe80::fcf0:74ff:fe68:aade#123, interface stats: received=0, sent=0, dropped=0, active_time=67 secs
  Oct 05 09:06:39 core ntpd[813]: peers refreshed
  Nothing really leaps out to me.
  This only happens on Systemd-208. Rolling back to systemd-207 resolved the issue for now, but I can't help but wonder if I won't have this problem again on systemd-209 or whatever. Is there any additional configuration that I need to do in order to get LXC working properly with systemd 208+?
  Also, I don't know if this is relevant, but I got some filesystem permissions warnings on upgrading (and later downgrading) systemd.
  Last edited by railmaniac (2013-10-12 14:03:47)

  Some journal entries from the guest
  There's a bunch of these:
  ct 12 18:52:24 projects systemd-udevd[30]: Failed to apply ACL on /dev/dri/card0: No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[38]: Failed to apply ACL on /dev/snd/hwC0D3: No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[42]: Failed to apply ACL on /dev/snd/pcmC0D0c: No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[37]: Failed to apply ACL on /dev/snd/hwC0D0: No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[44]: Failed to apply ACL on /dev/snd/pcmC0D3p: No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[43]: Failed to apply ACL on /dev/snd/pcmC0D0p: No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[31]: Failed to apply ACL on /dev/snd/controlC0: No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[35]: inotify_add_watch(7, /dev/sda, 10) failed: No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[36]: Failed to apply ACL on /dev/sr0: No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[34]: Failed to apply ACL on /dev/sg1: No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[28]: Error, opening device '/dev/input/event12': No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[32]: Failed to apply ACL on /dev/video0: No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[25]: inotify_add_watch(7, /dev/sdb, 10) failed: No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[33]: Failed to apply ACL on /dev/kvm: No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[29]: inotify_add_watch(7, /dev/sda1, 10) failed: No such file or directory
  Oct 12 18:52:24 projects systemd[1]: Listening on D-Bus System Message Bus Socket.
  Oct 12 18:52:24 projects systemd-udevd[30]: inotify_add_watch(7, /dev/sda2, 10) failed: No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[27]: Failed to apply ACL on /dev/snd/timer: No such file or directory
  Oct 12 18:52:24 projects systemd[1]: Starting Sockets.
  Oct 12 18:52:24 projects systemd-udevd[35]: inotify_add_watch(7, /dev/sda4, 10) failed: No such file or directory
  Oct 12 18:52:24 projects systemd-udevd[31]: inotify_add_watch(7, /dev/sda3, 10) failed: No such file or directory
  And there's a bunch of these, which seems relevant since the logind part was changed in 208:
  Oct 12 18:52:24 projects systemd-logind[59]: New seat seat0.
  Oct 12 18:52:24 projects systemd[1]: Startup finished in 487ms.
  Oct 12 18:52:24 projects systemd-logind[59]: Failed to open event3: No such file or directory
  Oct 12 18:52:24 projects systemd-logind[59]: Failed to open event5: No such file or directory
  Oct 12 18:52:24 projects systemd-logind[59]: Failed to open event4: No such file or directory
  Oct 12 18:52:24 projects systemd-logind[59]: Failed to open event1: No such file or directory
  Oct 12 18:52:24 projects systemd-logind[59]: Failed to open event2: No such file or directory
  Oct 12 18:52:26 projects systemd-journal[64]: Permanent journal is using 87.6M (max 30.0M, leaving 1.1G of free 4.4G, current limit 30.0M).
  Oct 12 18:52:26 projects systemd-journal[64]: Journal started
  Oct 12 18:52:26 projects systemd[1]: systemd-journald.service: main process exited, code=exited, status=1/FAILURE
  Oct 12 18:52:26 projects systemd[1]: Unit systemd-journald.service entered failed state.
  Oct 12 18:52:26 projects systemd[1]: Starting Trigger Flushing of Journal to Persistent Storage...
  Oct 12 18:52:26 projects systemd[1]: Started Trigger Flushing of Journal to Persistent Storage.
  Hmm, just noticed it says systemd-journald exited with FAILURE. This is probably pretty informative to someone.

• Ume.login.mdc.hosts - SSO Multiple Domain

  Hi,
  My Portal domain is xxxx.net and my ECC domain is xxxx.com
  I exported  the portal certificate into ECC and created parameters in RZ10 to create & accept SSO tickets.
  When i do the ECC System Connection tests in Portal, everything is good and successful. But when i run a Transaction iView, i get the ECC login screen.
  Based on SAP Documentation, i modified UME Property as "ume.login.mdc.hosts = xxxx.com:8036", but still i get the ECC login screen in portal when i run a transaction iView. Please advice.
  Thanks
  Vijay

  Not working on this right now

• LXC container arch linux does not offer login

  I am sure this is silly, but it still seems I cannot find my way out of it.
  I am trying to set up an archlinux container within Arch Linux. I have followed verbatim the wiki, and the added comment on how to circumvent new problems deriving from the introduction of systemd. The container installs without errors, and it starts without errors, and yet... the command lxc-console does not
  offer me a login prompt, it just stops at "Type <Ctrl+a q> to exit the console...".
  The machine is running (replies correctly to pings); I tried to install ssh server ab initio in the hope of connecting via ssh rather than console, but no luck there. I am stumped because I do not know how to diagnose this problem. The only thing I did  "not" do, of those suggested in the wiki, is
  For a container to be able to use a host's virtual console it must not be in use by the host. This will most likely require the host's /etc/inittab to be modified to ensure no getty or other process runs on any virtual console that is to be used by the container.
  After editing the host's /etc/inittab file, issung a killall -HUP init will terminate any getty processes that are no longer configured and this will free up the virtual conosole for use by the container.
  Thanks for your help.

  I'm not sure if you've tried Docker yet, but it took about 3 minutes to have a working Arch Docker container on my Ubuntu 12.04 server:
  # docker pull base/arch
  # docker run -i -t base/arch /bin/bash
  [root@c21eea45fb46 /]# pacman -Syu
  :: Synchronizing package databases...
  core 106.7 KiB 617K/s 00:00 [###############################################] 100%
  extra 1533.7 KiB 2.15M/s 00:01 [###############################################] 100%
  community 2.1 MiB 2022K/s 00:01 [###############################################] 100%
  :: Starting full system upgrade...
  resolving dependencies...
  looking for inter-conflicts...
  Packages (11): archlinux-keyring-20140220-1 curl-7.35.0-1 e2fsprogs-1.42.9-1 gcc-libs-4.8.2-8 glibc-2.19-2 libgcrypt-1.6.1-1
  libldap-2.4.39-1 libsasl-2.1.26-7 linux-api-headers-3.13.2-1 pam-1.1.8-3 util-linux-2.24.1-1
  Total Download Size: 14.53 MiB
  Total Installed Size: 60.52 MiB
  Net Upgrade Size: 0.35 MiB
  :: Proceed with installation? [Y/n]
  :: Retrieving packages ...
  archlinux-keyring-20140220-1-any 432.6 KiB 968K/s 00:00 [###############################################] 100%
  curl-7.35.0-1-x86_64 471.5 KiB 2.19M/s 00:00 [###############################################] 100%
  Scott

• [SOLVED] Unable to install packages in lxc container

  tl;dr: lxc-console should be used for logging in, not lxc-attach. Also, I had to do some additional work to get the tty to work in systemd, and I plan to update the wiki soon.
  I created a container using the following command:
  # lxc-create -n test -t archlinux
  Once created and configured, I started the container daemonized, and attached:
  # lxc-start -n test -d
  # lxc-attach --clear-env -n test -- su - root
  However, I am unable to install any software packages because GPG isn't working properly
  [root@test ~]# pacman -Syu openssh
  :: Synchronizing package databases...
  core is up to date
  extra is up to date
  community is up to date
  multilib is up to date
  :: Starting full system upgrade...
  resolving dependencies...
  looking for inter-conflicts...
  Packages (3): ldns-1.6.17-1 libedit-20130601_3.1-1 openssh-6.5p1-2
  Total Installed Size: 6.08 MiB
  :: Proceed with installation? [Y/n]
  (3/3) checking keys in keyring [###########################] 100%
  (3/3) checking package integrity [###########################] 100%
  error: GPGME error: Inappropriate ioctl for device
  error: GPGME error: Inappropriate ioctl for device
  error: GPGME error: Inappropriate ioctl for device
  error: libedit: missing required signature
  :: File /var/cache/pacman/pkg/libedit-20130601_3.1-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
  Do you want to delete it? [Y/n]
  error: ldns: missing required signature
  :: File /var/cache/pacman/pkg/ldns-1.6.17-1-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
  Do you want to delete it? [Y/n]
  error: openssh: missing required signature
  :: File /var/cache/pacman/pkg/openssh-6.5p1-2-x86_64.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
  Do you want to delete it? [Y/n]
  error: failed to commit transaction (invalid or corrupted package (PGP signature))
  Errors occurred, no packages were upgraded.
  error: segmentation fault
  Please submit a full bug report with --debug if appropriate.
  The container config is as follows:
  lxc.utsname=test
  lxc.autodev=1
  lxc.tty=1
  lxc.pts=1024
  lxc.rootfs=/var/lib/lxc/test/rootfs
  lxc.mount=/var/lib/lxc/test/fstab
  lxc.cap.drop=mknod sys_module mac_admin mac_override
  lxc.kmsg=0
  lxc.stopsignal=SIGRTMIN+4
  #networking
  lxc.network.type=veth
  lxc.network.link=br0
  lxc.network.flags=up
  lxc.network.name=eth0
  lxc.network.ipv4=10.10.209.2/24
  lxc.network.ipv4.gateway=10.10.209.1
  lxc.network.mtu=1500
  #cgroups
  lxc.cgroup.devices.deny = a
  lxc.cgroup.devices.allow = c *:* m
  lxc.cgroup.devices.allow = b *:* m
  lxc.cgroup.devices.allow = c 1:3 rwm
  lxc.cgroup.devices.allow = c 1:5 rwm
  lxc.cgroup.devices.allow = c 1:7 rwm
  lxc.cgroup.devices.allow = c 1:8 rwm
  lxc.cgroup.devices.allow = c 1:9 rwm
  lxc.cgroup.devices.allow = c 1:9 rwm
  lxc.cgroup.devices.allow = c 4:1 rwm
  lxc.cgroup.devices.allow = c 5:0 rwm
  lxc.cgroup.devices.allow = c 5:1 rwm
  lxc.cgroup.devices.allow = c 5:2 rwm
  lxc.cgroup.devices.allow = c 136:* rwm
  Has anyone else experienced this? I've searched the web for solutions to the GPG error, and most of them relate to GPG not working in a chroot because the right things don't exist in /dev. However, I was under the impression that lxc.autodev=1 would take care of this, and indeed /dev/pts, etc. all exist in the container.
  Last edited by archtaku (2014-02-07 23:19:12)

  x33a wrote:
  Try
  # pacman-key --refresh-keys
  from within the container. Though, I do notice a segmentation fault, so I am not sure if it'll work.
  I just did this, and the command succeeded:
  gpg: refreshing 75 keys from hkp://pool.sks-keyservers.net
  gpg: requesting key 5263801D from hkp server pool.sks-keyservers.net
  gpg: requesting key FFF979E7 from hkp server pool.sks-keyservers.net
  gpg: requesting key CDFD6BB0 from hkp server pool.sks-keyservers.net
  gpg: requesting key 4C7EA887 from hkp server pool.sks-keyservers.net
  ... snip ...
  gpg: Total number processed: 74
  gpg: unchanged: 74
  However, the installation still failed.
  I was able to get pacman to install openssh by turning off signature verification. I then ssh'ed into the container, turned signature verification back on, and was able to install other packages just fine.
  So the issue seems to be with how lxc-attach connects to the container. A temporary solution would be:
  Add openssh to the list of packages installed when running lxc-create.
  # lxc-create -n test -t archlinux -- -P vim,openssh
  Attach to the container and run systemctl enable sshd.service, and set a root password
  Detach, then ssh into container and go about your business.
  However, I'd rather have the option of not using sshd on the container, and still be able to install packages, so I don't necessarily consider this problem solved yet.
  Can anyone shed some light on what I might be doing wrong when I attach to the container?
  Last edited by archtaku (2014-02-07 16:46:52)

• No login available on ttys (systemd)

  Hello,
  I can no longer login to ttys (ctrl + alt + F1 - this is called a "tty" right?).
  If I switch to one of the ttys I can still read some bootup messages I think.
  The last one says
  [OK] listening on delayed shutdown socket
  No login prompt or blinking cursor at all. all ttys (tty1 - tty6) look that way. If it may help understanding my problem I can type all of that messages into a post...
  There is no problem switching back to X  waiting on tty7. This makes me believe I do not have broken keyboard config or stuff.
  Has anyone a hint, were i can look for some log output what i going wrong when I hit ctrl + alt + f[0-6]?
  some research:
  ben # systemctl list-units | egrep -i "tty|login"
  sys-devi...tty-ttyS0.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS0
  sys-devi...tty-ttyS1.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS1
  sys-devi...tty-ttyS2.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS2
  sys-devi...tty-ttyS3.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS3
  [email protected] loaded active running Getty on tty1
  [email protected] loaded active running Getty on tty2
  [email protected] loaded active running Getty on tty3
  [email protected] loaded active running Getty on tty4
  [email protected] loaded active running Getty on tty5
  [email protected] loaded active running Getty on tty6
  systemd-logind.service loaded active running Login Service
  getty.target loaded active active Login Prompts
  ben # ps au | grep tty
  root 365 0.0 0.0 9848 804 tty1 Ss+ 18:34 0:00 /sbin/agetty --noclear tty1 38400 linux
  root 379 1.5 0.7 212552 123820 tty7 Rs+ 18:34 0:36 /usr/bin/X :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-BKoSkc
  root 482 0.0 0.0 9848 796 tty3 Ss+ 18:35 0:00 /sbin/agetty --noclear tty3 38400 linux
  root 483 0.0 0.0 9848 792 tty4 Ss+ 18:35 0:00 /sbin/agetty --noclear tty4 38400 linux
  root 484 0.0 0.0 9848 800 tty5 Ss+ 18:35 0:00 /sbin/agetty --noclear tty5 38400 linux
  root 485 0.0 0.0 9848 800 tty6 Ss+ 18:35 0:00 /sbin/agetty --noclear tty6 38400 linux
  root 6130 0.0 0.0 9848 804 tty2 Ss+ 18:52 0:00 /sbin/agetty --noclear tty2 38400 linux
  root 9777 0.0 0.0 14692 1128 pts/0 S+ 19:14 0:00 grep --colour=auto tty
  ben # cat /etc/systemd/logind.conf | grep -v "^#"
  [Login]
  NAutoVTs=6
  ReserveVT=6
  ben # systemctl status systemd-logind
  systemd-logind.service - Login Service
  Loaded: loaded (/usr/lib/systemd/system/systemd-logind.service; static)
  Active: active (running) since Di 2013-08-20 18:34:55 CEST; 41min ago
  Docs: man:systemd-logind.service(8)
  man:logind.conf(5)
  [url]http://www.freedesktop.org/wiki/Software/systemd/multiseat[/url]
  Main PID: 360 (systemd-logind)
  CGroup: name=systemd:/system/systemd-logind.service
  └─360 /usr/lib/systemd/systemd-logind
  Aug 20 18:35:06 bendude systemd-logind[360]: New session 1 of user ben.
  Aug 20 18:35:06 bendude systemd-logind[360]: Linked /tmp/.X11-unix/X0 to /run/user/1000/X11-display.
  And general system info
  ben # uname -a
  Linux ben 3.10.7-1-ARCH #1 SMP PREEMPT Thu Aug 15 11:55:34 CEST 2013 x86_64 GNU/Linux
  ben # pacman -Qsi systemd
  local/initscripts 2012.10.1-1
  System initialization/bootup scripts
  local/lib32-systemd 204-1
  system and service manager (32-bit)
  local/systemd 204-3
  system and service manager
  local/systemd-sysvcompat 204-3 (base)
  sysvinit compat for systemd
  Thanks in advance,
  Ben

  Well, all ttys display the Welcome to Arch linux screen with the last message being
  [ OK ] Listening on LVM2 metadata daemon socket.
  [james@arch ~]$ systemctl list-units | egrep -i "tty|login"
  sys-devi...tty-ttyS1.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS1
  sys-devi...tty-ttyS2.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS2
  sys-devi...tty-ttyS3.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS3
  sys-devi...tty-ttyS0.device loaded active plugged /sys/devices/pnp0/00:0a/tty/ttyS0
  [email protected] loaded active running Getty on tty1
  [email protected] loaded active running Getty on tty2
  [email protected] loaded active running Getty on tty5
  systemd-logind.service loaded active running Login Service
  getty.target loaded active active Login Prompts
  with each getty@tty service being loaded when I try to access them
  [james@arch ~]$ ps au | grep tty
  root 264 0.0 0.0 7904 800 tty1 Ss+ 09:53 0:00 /sbin/agetty --noclear tty1 38400 linux
  root 273 12.9 2.1 502284 176900 tty7 Ss+ 09:53 0:58 /usr/sbin/X :0 -auth /run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
  root 947 0.0 0.0 7904 792 tty5 Ss+ 09:55 0:00 /sbin/agetty --noclear tty5 38400 linux
  root 1104 0.0 0.0 7904 796 tty2 Ss+ 09:58 0:00 /sbin/agetty --noclear tty2 38400 linux
  james 1145 0.0 0.0 10684 1072 pts/0 S+ 10:00 0:00 grep tty
  nothing set in logind.conf
  [james@arch ~]$ systemctl status systemd-logind
  systemd-logind.service - Login Service
  Loaded: loaded (/usr/lib/systemd/system/systemd-logind.service; static)
  Active: active (running) since Fri 2013-08-23 09:53:18 NZST; 11min ago
  Docs: man:systemd-logind.service(8)
  man:logind.conf(5)
  http://www.freedesktop.org/wiki/Software/systemd/multiseat
  Main PID: 257 (systemd-logind)
  CGroup: name=systemd:/system/systemd-logind.service
  └─257 /usr/lib/systemd/systemd-logind
  [james@arch ~]$ uname -a
  Linux arch 3.10.7-1-ARCH #1 SMP PREEMPT Thu Aug 15 11:55:34 CEST 2013 x86_64 GNU/Linux
  [james@arch ~]$ pacman -Qsi systemd
  local/lib32-systemd 204-1
  system and service manager (32-bit)
  local/netctl 1.3-1 (base)
  Profile based systemd network management
  local/systemd 204-3
  system and service manager
  local/systemd-sysvcompat 204-3 (base)
  sysvinit compat for systemd
  What other info can I give you?

• Possible to restrict logins on hosts w/ ACI?

  Greetings,
  My DS impelementation is beginning to mature some, and I'm not faced with the possibility that I may need to restrict logins on various hosts. My current setup is using LDAP netgroups to define who can log in to which server, but now I'm being asked to restrict it even further...some people in those netgroups will be explicitly disallowed from logging into some servers (think about contractors working with an already established team...you may not want them logging into just any server simply because they're part of a netgroup that can).
  So, what I'm looking to do is set up ACI's to say something like "User X can log into servers A, B, and C, but none other".
  Any ideas? I've tried creating ACI's using the ACI-builder, and I've done so at both the leaf entry and at the branch point, and I can still log into any server that that user's netgroup allows. So, either my ACI's are not built properly, or I"m not putting them in the right place. I suppose another possibility is that this type of access restriction isn't possible, but I'd have guessed that this was part of the point of ACI's :)
  Thanks!
  Patrick

  Hi Tom,
  Thank you for posting in Windows Server Forum.
  For your environment, I would suggest you to use following command.
  Firstly find user session ID with: Query Session /Server:Servername
  For disconnecting existing login: 
  Disconnect-RDUser -HostServer sessionhost.contoso.com -UnifiedSessionID 2
  For sending message to users:
  Send-RDUserMessage -HostServer "rdsh.contoso.com" -UnifiedSessionID 1 -MessageTitle "Message from Administrator" –MessageBody "Please save your work. You will be logged off in 10 minutes"
  You can deny new user logons by specifying user login mode.
  Change Logon /Disable
  http://technet.microsoft.com/en-us/library/bb490792.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support

• How to propagate JSP-Container-Login and EJB-Lookup?

  I think I have a very common problem which should be solved by multitudes of developers, but still I can't find sufficient info how to solve it. Here is my problem:
  - My App consists of 2 different EARs, one Web-EAR and one EJB-EAR
  - The Webapp uses digest authentication through web.xml security-constraint
  - Currently both EARs are using xml-based security-provider (jazn)
  - Any user has to log in to the webapp (this works)
  - the webapp delegates business-logic to EJB3 stateless SessionBeans
  - as long as I hardcode principal and password on the creation of the InitialContext, the authentication on the EJB-container works also fine
  - what I need is a propagation of the logged in webapp user to the EJB-container
  - I switched on subject-propagation as described in OC4J security guide chapter 18
  The problem: The propagation doesnt seem to work as expected. I still have to use (hardcoded) user/password credentials upon InitalContext-creation.
  - How can I reassure that subjectpropagation is switched in?
  - How do I have to instantiate the InitialContext in order to use propagation?
  This is what I do now:
  Properties p = new Properties();
  p.put(Context.INITIAL_CONTEXT_FACTORY, "oracle.j2ee.rmi.RMIInitialContextFactory");
  p.put(Context.PROVIDER_URL, ormi://localhost:23791/EJB-EAR);
  p.put(Context.SECURITY_PRINCIPAL, "myuser");
  p.put(Context.SECURITY_CREDENTIALS, "mypassword");
  Context = new InitialContext(p);
  When loggin into the web-container, the password of the logged-in user is not accessible anymore. Because of that I thought automatic subject-propagation shouold solve my problem. Did I misunderstood the concept of subjectpropagation (using ORMI)

  So far I have achived the following, but my problem is not really solved:
  As long as I use EJBs within the same EAR of my webapp everthing is fine.
  No need to proved credentials with the instantiation of the InitialContext. Also subject-propagation is not needed.
  At the moment I split ejb and webapp into separate EAR on the same OC4J-instance, I have to use the RMIInitialcontextFactory, to get acces to the EJBs at all. Subject-Propagation is obviusly on, because without the call of Subject.getSubject(AccessController.getContext) delivers null!
  So the remaining question is, how do I initiate the subject-propagation over RMI? Is there a special name under which I have to put my subject? Do I have to execute the actual ejb-method-call by subject.doAs.. and thus have to provide a wrapper for my EJB as a ProtectedObject?
  Anybody?

• LDAP auth & limit logins per host

  I'm using LDAP auth. using ldapclient init to setup the ldap auth. Have a SunOne LDAP server.
  I'm interested in doing auth filters - like what Linux does with PAM. I've got PAM_LDAP to work, but since Sun does not use the OpenLDAP convention of /etc/ldap.conf - I can't setup the nss_user filters in there or nss_base_passwd dc=....
  does anyone know how to do this in Solaris? Can I enter something into the ldap_cred file? I tried to do a serviceSearchDescriptor and put passwd:dc=x,dc=y?one?(|(uid=x)(uid=y)) in the ldapCredFile but that gave me a search filter error
  I really do not want to use NetGroups.
  Thanks in advance. I have seem a few posts for this questions but no real answers.
  I can't believe that there is no way to do this...

  I actually was able to solve my problem. What I did was the following
  in my profile setup in the LDAP server I set
  servieSearchDescriptor: passwd:dc=x,dc=y,dc=x?sub?|(attribute1=value)(attribute2=value)
  This makes the password lookup look for the user only if a subsearch (sub) matches the attributes above.
  For example - I could limit logins to only the people who have a shell=/bin/bash by saying ...sub?|(loginShell=/bin/bash)(loginShell=/usr/bin/bash)
  I would also want to make a similar serviceSearchDescriptor line for shadow. So I would have two of these in my Profile on the LDAP server , one with passwd: and one with shadow:

• 10g R2 on W2K Server: Error: "Wrong Password" when Login at Host ID via IE

  When Installing Oracle 10g (10.2.0.1.0) on Windows 2000 Server SP4 System
  occurs the following Problem:
  After installing the database and when trying to configure a backup job via MS Internet Explorer Version 6.0, i get the following error:
  ERROR: Wrong password for user
  The passwort was correctly and the system worked in the domain, before the insallation startet.The user was the domain-administrator.
  Thanks Peter

  Peter - You're in the wrong forum. This one is for HTML DB.
  Scott

• [Solved]Login delay of up to 12 seconds even on TTY

  TL;DR
  Installed Qingy a while back, NVIDIA driver didn't like it, so I uninstalled it.
  Since have long login delay on my account, new accounts are fine.
  If I'm already logged in, this account is fine.
  Full details:
  Let's start from the top- My system was running great, and is still, as far as I can tell, running great.
  On login, I have a 8-12 second delay on my Rojikku account.
  This started happening after I attempted to install quingy (That was hell.)
  I did all sorts of stuff attempting to get the qingy gui to work, and I never did.
  I eventually undid everything, at least I believe I did, and uninstalled quingy.
  I started the whole qingy search because I heard slim was abandoned, and qingy sounded cool.
  I have since been using lightdm, which I thought was the problem.
  In the process of going to fix this problem, I logged out completely and went to login to the tty, when I discovered I have the issue.
  This issue WILL NOT happen if I am already logged in with my xsession started.
  For example, I am on tty2 with this i3 session open. If I switch to tty3, my login will be instant.
  If I close out of tty2, and login on any tty, it will take ten seconds or so.
  If I attempt to login on a new account I just made, the login is instant.
  I use the zsh shell. I assume everything outside of my shell is fairly irrelevant, though I have a couple user systemd processes.
  I couldn't find the issue on Google, though I have a basic understanding of "Something that needs to see I'm logged in isn't seeing it until it reloads after about ten seconds". That could be completely wrong.
  In case you're wondering, no, I didn't make any other major changes just before this started happening.
  I run the nvidia driver, which wasn't very compatible with qingy.
  My kernel is at 3.18.6-1-ARCH
  I'm running off an SSD, 30GB partition, and I have 16GB of RAM.
  My processor averages less than 20% load even when I'm doing a lot of stuff much more intensive than logging into a tty session.
  I use the i3 window manager, for those curious, and have xinit setup to allow me to choose between it and xfce4. I have xfce4 installed so that I am not missing any major dependencies- or at least am less likely to be, as far as I can tell.
  Last edited by Rojikku (2015-03-13 06:01:30)

  set -x was certainly interesting.
  There's, by my timing, around a five or six second delay, before a rainbow falls from the sky. Then it becomes a shell. The fact that a rainbow of text flew in out of nowhere slightly distracted my ability to count time. Is there some way I can log this output so I can analyze it?
  It's slightly too fast for me to see. By slightly, I mean a lot.
  As for log/journal, I have no idea how to access that... I tried a few things, not getting anything.

• Java Desktop System Login to Zone?

  Hi all.
  I have installed Solaris 10 (Kernel version: SunOS 5.10 Generic_137138-09) for i386. I have created a single non-global zone which runs happily and that non-global zone can be accessed with SSH remotely and locally by root. Zlogin also works for my zone. Additionally, the zone seems to be running an X server because if i "ssh -X myzone" I can run graphical applications in my zone (like xclock) from the Java Desktop System in my global zone.
  Now, what I would like to do, if possible, is to login with the full Java Desktop System to my non-global zone. When presented with the graphical login screen on the console I choose "Options" then "Remote Login" then "Choose Host From List", I see my non-global zone on the list. So I then highlight my non-global zone and click "OK". I am returned to the login screen. But it still says "Welcome to <my global zone>", and when I logon I am still in the global zone. I also tried typing in the non-global zone name in Options -> Remote Login -> Enter Host Name, but still no luck.
  So, what might I need to do to login with the Java Desktop System to my non-global zone?
  Thanks in advance!!
  John

  Is there any particular reason why you did the minimum install? I perform an "Entire Distribution without OEM SUpport" installation, and select everything except the Documentation (since there is no documentation CD - go figure) and the Java Enterprise System (since I do not need to run those servers). I do install the Companion CD which contains a lot of the software.
  When the installation is finished, the Java Desktop System is up and running, after tweaking XFree86, of course.
  Unless you are **REALLY** hurting for disk space, you might as well install the entire distribution. They claim that you need 9 GB or so, but in reality I've been able to install it on a 4 GB hard drive.
  As to where exactly it's located, I'm not sure because it's always been installed for me. If you can, reinstall with an Entire Distribution and the additional software selections that I mentioned. You'll have JDS.

• [SOLVED] [lxc] Problems with archlinux template (and systemd)

  Hello, recently I was pointed to lxc. I tried the archlinux and debian templates (ubuntu and fedora doesn't work because the "arch" command cannot be found but curently I don't care about these templates).
  The debian template seems to work just fine but the archlinux template doesn't.
  I think the main problem is that the arch-system runs with systemd while debian still uses initscripts. I found some resources saying that systemd does not work within a lxc-container while others say that some modifications have to be done in order to make systemd to work properly. But all modifications (I found) that should be made are already included in the archlinux template. But it is still not working for me. :-(
  The output is as follows:
  # sudo lxc-start -n test-arch
  systemd 203 running in system mode. (+PAM -LIBWRAP -AUDIT -SELINUX -IMA -SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
  Detected virtualization 'lxc'.
  Welcome to Arch Linux!
  Set hostname to <test-arch>.
  [ OK ] Reached target Remote File Systems.
  [ OK ] Listening on /dev/initctl Compatibility Named Pipe.
  [ OK ] Listening on Delayed Shutdown Socket.
  [ OK ] Listening on Journal Socket.
  Starting Journal Service...
  [ OK ] Started Journal Service.
  [ OK ] Reached target Paths.
  [ OK ] Reached target Encrypted Volumes.
  Starting Setup Virtual Console...
  [ OK ] Reached target Swap.
  Starting Remount Root and Kernel File Systems...
  Mounting Temporary Directory...
  systemd-journald.service: main process exited, code=exited, status=219/CGROUP
  Unit systemd-journald.service entered failed state.
  systemd-vconsole-setup.service: main process exited, code=exited, status=219/CGROUP
  [FAILED] Failed to start Setup Virtual Console.
  See 'systemctl status systemd-vconsole-setup.service' for details.
  Unit systemd-vconsole-setup.service entered failed state.
  systemd-remount-fs.service: main process exited, code=exited, status=219/CGROUP
  [FAILED] Failed to start Remount Root and Kernel File Systems.
  See 'systemctl status systemd-remount-fs.service' for details.
  Unit systemd-remount-fs.service entered failed state.
  tmp.mount mount process exited, code=exited status=219
  [FAILED] Failed to mount Temporary Directory.
  See 'systemctl status tmp.mount' for details.
  Unit tmp.mount entered failed state.
  [ OK ] Reached target Local File Systems (Pre).
  [ OK ] Reached target Local File Systems.
  Starting Trigger Flushing of Journal to Persistent Storage...
  Starting Recreate Volatile Files and Directories...
  Starting Load Random Seed...
  systemd-journal-flush.service: main process exited, code=exited, status=219/CGROUP
  [FAILED] Failed to start Trigger Flushing of Journal to Persistent Storage.
  See 'systemctl status systemd-journal-flush.service' for details.
  Unit systemd-journal-flush.service entered failed state.
  systemd-tmpfiles-setup.service: main process exited, code=exited, status=219/CGROUP
  [FAILED] Failed to start Recreate Volatile Files and Directories.
  See 'systemctl status systemd-tmpfiles-setup.service' for details.
  Unit systemd-tmpfiles-setup.service entered failed state.
  systemd-random-seed-load.service: main process exited, code=exited, status=219/CGROUP
  [FAILED] Failed to start Load Random Seed.
  See 'systemctl status systemd-random-seed-load.service' for details.
  Unit systemd-random-seed-load.service entered failed state.
  [ OK ] Reached target System Initialization.
  [ OK ] Reached target Timers.
  [ OK ] Listening on D-Bus System Message Bus Socket.
  [ OK ] Reached target Sockets.
  [ OK ] Reached target Basic System.
  Starting D-Bus System Message Bus...
  [ OK ] Started D-Bus System Message Bus.
  Starting Login Service...
  Starting Permit User Sessions...
  systemd-journald.service holdoff time over, scheduling restart.
  [ OK ] Stopped Trigger Flushing of Journal to Persistent Storage.
  Stopping Journal Service...
  [ OK ] Stopped Journal Service.
  Starting Journal Service...
  [ OK ] Started Journal Service.
  Starting Trigger Flushing of Journal to Persistent Storage...
  dbus.service: main process exited, code=exited, status=219/CGROUP
  Unit dbus.service entered failed state.
  systemd-logind.service: main process exited, code=exited, status=219/CGROUP
  [FAILED] Failed to start Login Service.
  See 'systemctl status systemd-logind.service' for details.
  Unit systemd-logind.service entered failed state.
  systemd-user-sessions.service: main process exited, code=exited, status=219/CGROUP
  [FAILED] Failed to start Permit User Sessions.
  See 'systemctl status systemd-user-sessions.service' for details.
  Unit systemd-user-sessions.service entered failed state.
  systemd-journald.service: main process exited, code=exited, status=219/CGROUP
  Unit systemd-journald.service entered failed state.
  systemd-journal-flush.service: main process exited, code=exited, status=219/CGROUP
  [FAILED] Failed to start Trigger Flushing of Journal to Persistent Storage.
  See 'systemctl status systemd-journal-flush.service' for details.
  Unit systemd-journal-flush.service entered failed state.
  Starting Getty on tty1...
  [ OK ] Started Getty on tty1.
  Starting Console Getty...
  [ OK ] Started Console Getty.
  [ OK ] Reached target Login Prompts.
  [ OK ] Reached target Multi-User System.
  I created the container with
  sudo lxc-create -t archlinux -n test-arch
  and did nothing more because it seems to me that nothing more should be needed.
  I read a lot and most readings say that one has to use initscripts because systemd is not working while others say systemd is working with modifications, e.g. https://wiki.archlinux.org/index.php/Lxc-systemd
  But above is everything I get, no login-prompt or anything else, it just hangs. Trying to invoke "lxc-stop -n test-arch" initiates the shutdown but then both terminals just hang and I have to kill the lxc-start process.
  I would like to know:
  1. is it possible to run a container with systemd? Or do I have to use initscripts?
  2. are there any modifications I have to do besides the modifications already provided by the archlinux template script (in order to use systemd)?
  3. what possibilities do I have to see what's missing or configured wrong?
  Thank you very much. ;-)
  // Edit:
  Ok, sorry for the noise.
  As a last chance I tried a fresh Arch installation within a VM and that works fine (I should have tried this first :-( ). It turned out that my problem is that I am running the ck-kernel which lacks support for "Cgroup sched" and "Cgroup cpu account".
  I will ask the ck-guy to support these options.
  Until then I will have to use the kernel from the core-repo.
  Last edited by m4ntiz (2013-05-20 12:38:52)

  Yes, that was it. Sometimes I don't see what is right in front of me. The devices work as expected, thank you Strike0.
  I have one question left. Now wifi and ethernet connection are established during boot (whenever possible). Is there a way to establish connections on demand? Is it possible to trigger the netcfg profile "ethernet-dhcp" when the cable is plugged in or "wireless-wpa" when in range?