From: Serge Hallyn <serge.hal...@ubuntu.com> Here are some template updates from the ubuntu package:
lxc-busybox: check separately for lib64 existence
lxc-sshd: allow specifying ssh key, and run dhclient if no static ip is defined
lxc-ubuntu:
1. set -e
2. handle resolv.conf being a symbolic link
3. install a bound user's shell in container
4. always add sudo group (Stéphane Graber <stgra...@ubuntu.com>)
5. don't define ubuntu user if there is a bound user
6. put the bound user in sudo group
Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
Cc: Stéphane Graber <stgra...@ubuntu.com>
---
templates/lxc-busybox.in | 5 +++
templates/lxc-sshd.in | 37 ++++++++++++++++++--
templates/lxc-ubuntu.in | 86 ++++++++++++++++++++++++++++++++++------------
3 files changed, 103 insertions(+), 25 deletions(-)
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 720ceef..ef356db 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -245,6 +245,11 @@ fi
 if [ -d "/lib64" ] && [ -d "$rootfs/lib64" ]; then
 cat <<EOF >> $path/config
 lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
+EOF
+fi
+
+if [ -d "/usr/lib64" ] && [ -d "$rootfs/usr/lib64" ]; then
+cat <<EOF >> $path/config
 lxc.mount.entry=/usr/lib64 $rootfs/usr/lib64 none ro,bind 0 0
 EOF
 fi
diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index bd5d293..749d08a 100644
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -88,6 +88,16 @@ HostbasedAuthentication no
 PermitEmptyPasswords yes
 ChallengeResponseAuthentication no
 EOF
+ if [ -n "$auth_key" -a -f "$auth_key" ]; then
+ u_path="/root/.ssh"
+ root_u_path="$rootfs/$u_path"
+ mkdir -p $root_u_path
+ cp $auth_key "$root_u_path/authorized_keys"
+ chown -R 0:0 "$rootfs/$u_path"
+ chmod 700 "$rootfs/$u_path"
+
+ echo "Inserted SSH public key from $auth_key into /home/ubuntu/.ssh/authorized_keys"
+ fi
 return 0
 }
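Review bot: The success message at the end of the new block names `/home/ubuntu/.ssh/authorized_keys`, but the block writes the key under `$rootfs/root/.ssh`; make it `echo "Inserted SSH public key from $auth_key into /root/.ssh/authorized_keys"`. `chmod 700` covers only the directory, while `authorized_keys` keeps whatever mode `cp` gives it from the source file, and sshd's default `StrictModes` refuses a group- or world-writable key file, so add `chmod 600 "$root_u_path/authorized_keys"` after the `cp`. A `-S` argument naming a file that does not exist is skipped silently by the `-f` test instead of being reported, so a mistyped path yields a container with no key and no error. The function this block closes starts outside the hunk.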
@@ -108,8 +118,12 @@ lxc.mount.entry=/usr /$rootfs/usr none ro,bind 0 0
 lxc.mount.entry=/sbin $rootfs/sbin none ro,bind 0 0
 lxc.mount.entry=tmpfs $rootfs/var/run/sshd tmpfs mode=0644 0 0
 lxc.mount.entry=@LXCTEMPLATEDIR@/lxc-sshd $rootfs/sbin/init none bind 0 0
+lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
 EOF
+# if no .ipv4 section in config, then have the container run dhcp
+grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp
+
 if [ "$(uname -m)" = "x86_64" ]; then
 cat <<EOF >> $path/config
 lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
@@ -120,12 +134,12 @@ fi
 usage()
 {
 cat <<EOF
-$1 -h|--help -p|--path=<path>
+$1 -h|--help -p|--path=<path> [-S|--auth-key=ssh-pub-key]
 EOF
 return 0
 }
-options=$(getopt -o hp:n: -l help,path:,name: -- "$@")
+options=$(getopt -o hp:n:S: -l help,path:,name:,auth-key: -- "$@")
 if [ $? -ne 0 ]; then
 usage $(basename $0)
 exit 1
@@ -137,7 +151,8 @@ do
 case "$1" in
 -h|--help) usage $0 && exit 0;;
 -p|--path) path=$2; shift 2;;
- -n|--name) name=$2; shift 2;;
+ -n|--name) name=$2; shift 2;;
+ -S|--auth-key) auth_key=$2; shift 2;;
 --) shift 1; break ;;
 *) break ;;
 esac
@@ -162,6 +177,22 @@ if [ $0 == "/sbin/init" ]; then
 exit 1
 fi
+ # run dhcp?
+ if [ -f /run-dhcp ]; then
+ type dhclient
+ if [ $? -ne 0 ]; then
+ echo "can't find dhclient"
+ exit 1
+ fi
+ touch /etc/fstab
+ rm -f /dhclient.conf
+ cat > /dhclient.conf << EOF
+send host-name "<hostname>";
+EOF
+ ifconfig eth0 up
+ dhclient eth0 -cf /dhclient.conf
+ fi
+
 exec @LXCINITDIR@/lxc-init -- /usr/sbin/sshd
 exit 1
 fi
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 3e84e74..aab941f 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -24,6 +24,8 @@
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
+set -e
+
 if [ -r /etc/default/lxc ]; then
 . /etc/default/lxc
 fi
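Review bot: The `grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp` decision is taken once at creation time and the marker is never removed, so a static address added to the config later does not stop the container from also running dhclient at boot; an `if`/`else` that creates or removes the marker, `if grep -q "^lxc\.network\.ipv4" "$path/config"; then rm -f "$rootfs/run-dhcp"; else touch "$rootfs/run-dhcp"; fi`, keeps the marker in step with the config whenever the template runs, and escaping the dots stops the pattern from matching unrelated keys. The new `lxc.mount.entry=proc proc proc ...` line uses a relative target while every neighbouring entry uses `$rootfs/...`; if the relative form is intended, a one-line comment saying it is resolved against the rootfs would help the next reader.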
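Review bot: `type dhclient` prints its lookup result to the container console and its status is only examined by the separate `if [ $? -ne 0 ]` that follows; `if ! type dhclient >/dev/null 2>&1; then` expresses the check directly. The interface is hard-coded as `eth0` in `ifconfig eth0 up` and `dhclient eth0 -cf /dhclient.conf`, while the guest-side name is whatever the container's config gives it (`lxc.network.name`, not visible in this hunk), so either read it from a variable or state the assumption with `# assumes the container's first interface is named eth0`. `touch /etc/fstab` carries no explanation; if it is there because something dhclient runs expects the file to exist, say so in a comment. The enclosing `if [ $0 == "/sbin/init" ]` block starts outside the hunk.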
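Review bot: With `set -e` enabled for the whole template, any remaining `cmd` followed by `if [ $? -ne 0 ]` never reaches the test when `cmd` fails (the heading of the `@@ -645` hunk shows one such check still present; what it follows is outside that hunk), so the script now exits there without the message or usage text the check was written to print. Convert those sites to the `cmd || { ...; false; }` form this commit already uses for `getent passwd` in do_bindhome, or bracket them with `set +e`/`set -e`. Note that `set -e` does not fire inside `if`/`while` conditions or non-final members of `&&`/`||` lists, so the explicit `|| true` guards elsewhere in the file still matter.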
@@ -52,11 +54,7 @@ EOF
 127.0.0.1 localhost $hostname
 EOF
- if [ "$release" = "precise" ]; then
- group="sudo"
- else
- group="admin"
-
+ if [ "$release" != "precise" ]; then
 # suppress log level output for udev
 sed -i "s/=\"err\"/=0/" $rootfs/etc/udev/udev.conf
@@ -65,17 +63,40 @@ EOF
 rm -f $rootfs/etc/init/tty{5,6}.conf
 fi
- chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
- chroot $rootfs useradd --create-home -s /bin/bash -G $group ubuntu
- echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
+ if [ -z "$bindhome" ]; then
+ chroot $rootfs useradd --create-home -s /bin/bash ubuntu
+ echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
+ fi
+
+ return 0
+}
+
+# finish setting up the user in the container by injecting ssh key and
+# adding sudo group membership.
+# passed-in user is either 'ubuntu' or the user to bind in from host.
+finalize_user()
+{
+ user=$1
+
+ if [ "$release" = "precise" ]; then
+ groups="sudo"
+ else
+ groups="sudo admin"
+ fi
+
+ for group in $groups; do
+ chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
+ chroot $rootfs adduser ${user} $group >/dev/null 2>&1 || true
+ done
+
 if [ -n "$auth_key" -a -f "$auth_key" ]; then
- u_path="/home/ubuntu/.ssh"
+ u_path="/home/${user}/.ssh"
 root_u_path="$rootfs/$u_path"
 mkdir -p $root_u_path
 cp $auth_key "$root_u_path/authorized_keys"
- chroot $rootfs chown -R ubuntu: "$u_path"
+ chroot $rootfs chown -R ${user}: "$u_path"
- echo "Inserted SSH public key from $auth_key into /home/ubuntu/.ssh/authorized_keys"
+ echo "Inserted SSH public key from $auth_key into /home/${user}/.ssh/authorized_keys"
 fi
 return 0
 }
@@ -305,7 +326,7 @@ EOF
 cat <<EOF >> $path/config
 lxc.utsname = $name
-lxc.devttydir = $ttydir
+lxc.devttydir =$ttydir
 lxc.tty = 4
 lxc.pts = 1024
 lxc.rootfs = $rootfs
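Review bot: For a bound user `finalize_user` writes the key to `$rootfs/home/${user}/.ssh`, but do_bindhome (the `@@ -500` hunk) records `$h $rootfs/$h none bind 0 0` in the container's fstab, so when the host home is `/home/$user` the injected `authorized_keys` is hidden under the bind mount at runtime and sshd sees the host user's own `~/.ssh`; when the host home is elsewhere, `/home/${user}` is simply the wrong directory. Derive the path from the container's passwd (the entry is copied in before `finalize_user` runs), `home=$(chroot $rootfs getent passwd "$user" | cut -d: -f6)` and `u_path="$home/.ssh"`, and either skip injection for a bound user or document that the host's authorized_keys is what takes effect. `chroot $rootfs adduser ${user} $group ... || true` swallows a failed group add, so the sudo access the usage text promises can silently not happen; at minimum drop `|| true` for the `sudo` group. `[ -n "$auth_key" -a -f "$auth_key" ]` should be two tests joined by `&&` rather than the obsolescent `-a`.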
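Review bot: The only change in this hunk drops the space between `=` and `$ttydir` in the generated config, and neither the hunk nor the commit message says why; if an empty `$ttydir` must produce `lxc.devttydir =` with no trailing whitespace, state that in a comment above the heredoc, e.g. `# no space before $ttydir: keep the value empty when ttydir is unset`. As written it reads like an accidental edit.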
@@ -466,9 +487,13 @@ post_process()
 chroot $rootfs apt-get install --force-yes -y python-software-properties
 chroot $rootfs add-apt-repository ppa:ubuntu-virt/ppa
 fi
- cp /etc/resolv.conf "${rootfs}/etc"
+ cresolvonf="${rootfs}/etc/resolv.conf"
+ mv $cresolvonf ${cresolvonf}.lxcbak
+ cat /etc/resolv.conf > ${cresolvonf}
 chroot $rootfs apt-get update
 chroot $rootfs apt-get install --force-yes -y lxcguest
+ rm -f ${cresolvonf}
+ mv ${cresolvonf}.lxcbak ${cresolvonf}
 fi
 # If the container isn't running a native architecture, setup multiarch
@@ -500,20 +525,31 @@ do_bindhome()
 user=$2
 # copy /etc/passwd, /etc/shadow, and /etc/group entries into container
- pwd=`getent passwd $user`
- if [ $? -ne 0 ]; then
- echo 'Warning: failed to copy password entry for $user'
- return
- else
- echo $pwd >> $rootfs/etc/passwd
+ pwd=`getent passwd $user` || { echo "Failed to copy password entry for $user"; false; }
+ echo $pwd >> $rootfs/etc/passwd
+
+ # make sure user's shell exists in the container
+ shell=`echo $pwd | cut -d: -f 7`
+ if [ ! -x $rootfs/$shell ]; then
+ echo "shell $shell for user $user was not found in the container."
+ pkg=`dpkg -S $(readlink -m $shell) | cut -d ':' -f1`
+ echo "Installing $pkg"
+ chroot $rootfs apt-get --force-yes -y install $pkg
 fi
+
 shad=`getent shadow $user`
- echo $shad >> $rootfs/etc/shadow
+ echo "$shad" >> $rootfs/etc/shadow
 # bind-mount the user's path into the container's /home
 h=`getent passwd $user | cut -d: -f 6`
 mkdir -p $rootfs/$h
 echo "$h $rootfs/$h none bind 0 0" >> $path/fstab
+
+ # Make sure the group exists in container
+ chroot $rootfs getent group $user || { \
+ grp=`getent group $user`
+ echo "$grp" >> $rootfs/etc/group
+ }
 }
 usage()
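Review bot: The backup/restore around the `lxcguest` install is not failure-safe under the `set -e` this commit adds: if `apt-get update` or the install fails, the script exits before `mv ${cresolvonf}.lxcbak ${cresolvonf}` runs, leaving the host's resolver configuration inside the container plus a stray `.lxcbak`, and `mv $cresolvonf ${cresolvonf}.lxcbak` now aborts the template when the container has no `/etc/resolv.conf` at all, where the old `cp` simply created one. The rewrite below makes the backup conditional, captures the apt-get status so the original file is restored before the failure is propagated, and corrects the spelling of `cresolvonf`. post_process starts outside the hunk.
```shell
        cresolvconf="${rootfs}/etc/resolv.conf"
        # resolv.conf may be a symlink (e.g. managed by resolvconf): set it aside and write a plain file
        if [ -e "$cresolvconf" ] || [ -L "$cresolvconf" ]; then
            mv "$cresolvconf" "${cresolvconf}.lxcbak"
        fi
        cat /etc/resolv.conf > "$cresolvconf"
        # capture the status instead of letting set -e skip the restore below
        rc=0
        chroot $rootfs apt-get update && \
            chroot $rootfs apt-get install --force-yes -y lxcguest || rc=$?
        rm -f "$cresolvconf"
        if [ -e "${cresolvconf}.lxcbak" ] || [ -L "${cresolvconf}.lxcbak" ]; then
            mv "${cresolvconf}.lxcbak" "$cresolvconf"
        fi
        [ "$rc" -eq 0 ]
```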
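Review bot: `echo $pwd >> $rootfs/etc/passwd` is the only unquoted one of the copied entries (the new shadow line is quoted), so a GECOS field with runs of spaces or glob characters is rewritten by word-splitting and pathname expansion before it lands in the container's passwd; write `echo "$pwd" >> $rootfs/etc/passwd`. The group copy at the end looks the group up by user name, but the user's primary group is field 4 of the passwd entry and need not be named after the user (a shared `users` group, say), in which case the container gets a passwd entry whose GID resolves to nothing; use `gid=$(echo "$pwd" | cut -d: -f4)` and `chroot $rootfs getent group "$gid" >/dev/null || getent group "$gid" >> $rootfs/etc/group`. If `dpkg -S` finds no owner for the shell, `$pkg` is empty (the pipeline's status is `cut`'s, and no `pipefail` is set in the hunks shown, so `set -e` does not catch it) and `apt-get install` with no package name succeeds silently; test `[ -n "$pkg" ]` before installing. Under `set -e` a failing `getent shadow` also aborts without a message, unlike the passwd case just above it.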
@@ -524,6 +560,8 @@ $1 -h|--help [-a|--arch] [-b|--bindhome <user>] [--trim] [-d|--debug]
 release: lucid | maverick | natty | oneiric | precise
 trim: make a minimal (faster, but not upgrade-safe) container
 bindhome: bind <user>'s home into the container
+ The ubuntu user will not be created, and <user> will have
+ sudo access.
 arch: amd64 or i386: defaults to host arch
 auth-key: SSH Public key file to inject into container
 EOF
@@ -645,8 +683,12 @@ if [ $? -ne 0 ]; then
 fi
 post_process $rootfs $release $trim_container
-if [ ! -z $bindhome ]; then
- do_bindhome $rootfs $bindhome
+
+if [ -n "$bindhome" ]; then
+ do_bindhome $rootfs $bindhome
+ finalize_user $bindhome
+else
+ finalize_user ubuntu
 fi
 echo ""
-- 
1.7.9.5
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users