From: Serge Hallyn <serge.hal...@ubuntu.com>

Here are some template updates from the ubuntu package:

lxc-busybox: check separately for lib64 existence
lxc-sshd: allow specifying ssh key, and run dhclient if no static ip is defined
lxc-ubuntu:
   1. set -e
   2. handle resolv.conf being a symbolic link
   3. install a bound user's shell in container
   4. always add sudo group (St├ęphane Graber <stgra...@ubuntu.com>)
   5. don't define ubuntu user if there is a bound user
   6. put the bound user in sudo group

Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
Cc: St├ęphane Graber <stgra...@ubuntu.com>
---
 templates/lxc-busybox.in |    5 +++
 templates/lxc-sshd.in    |   37 ++++++++++++++++++--
 templates/lxc-ubuntu.in  |   86 ++++++++++++++++++++++++++++++++++------------
 3 files changed, 103 insertions(+), 25 deletions(-)

diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 720ceef..ef356db 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -245,6 +245,11 @@ fi
 if [ -d "/lib64" ] && [ -d "$rootfs/lib64" ]; then
 cat <<EOF >> $path/config
 lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
+EOF
+fi
+
+if [ -d "/usr/lib64" ] && [ -d "$rootfs/usr/lib64" ]; then
+cat <<EOF >> $path/config
 lxc.mount.entry=/usr/lib64 $rootfs/usr/lib64 none ro,bind 0 0
 EOF
 fi
diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index bd5d293..749d08a 100644
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -88,6 +88,16 @@ HostbasedAuthentication no
 PermitEmptyPasswords yes
 ChallengeResponseAuthentication no
 EOF
+    if [ -n "$auth_key" -a -f "$auth_key" ]; then
+       u_path="/root/.ssh"
+       root_u_path="$rootfs/$u_path"
+       mkdir -p $root_u_path
+       cp $auth_key "$root_u_path/authorized_keys"
+       chown -R 0:0 "$rootfs/$u_path"
+       chmod 700 "$rootfs/$u_path"
+
+       echo "Inserted SSH public key from $auth_key into 
/home/ubuntu/.ssh/authorized_keys"
+    fi
     return 0
 }
 
@@ -108,8 +118,12 @@ lxc.mount.entry=/usr /$rootfs/usr none ro,bind 0 0
 lxc.mount.entry=/sbin $rootfs/sbin none ro,bind 0 0
 lxc.mount.entry=tmpfs $rootfs/var/run/sshd tmpfs mode=0644 0 0
 lxc.mount.entry=@LXCTEMPLATEDIR@/lxc-sshd $rootfs/sbin/init none bind 0 0
+lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
 EOF
 
+# if no .ipv4 section in config, then have the container run dhcp
+grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp
+
 if [ "$(uname -m)" = "x86_64" ]; then
     cat <<EOF >> $path/config
 lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
@@ -120,12 +134,12 @@ fi
 usage()
 {
     cat <<EOF
-$1 -h|--help -p|--path=<path>
+$1 -h|--help -p|--path=<path> [-S|--auth-key=ssh-pub-key]
 EOF
     return 0
 }
 
-options=$(getopt -o hp:n: -l help,path:,name: -- "$@")
+options=$(getopt -o hp:n:S: -l help,path:,name:,auth-key: -- "$@")
 if [ $? -ne 0 ]; then
         usage $(basename $0)
        exit 1
@@ -137,7 +151,8 @@ do
     case "$1" in
         -h|--help)      usage $0 && exit 0;;
         -p|--path)      path=$2; shift 2;;
-       -n|--name)      name=$2; shift 2;;
+        -n|--name)      name=$2; shift 2;;
+        -S|--auth-key)  auth_key=$2; shift 2;;
         --)             shift 1; break ;;
         *)              break ;;
     esac
@@ -162,6 +177,22 @@ if [ $0 == "/sbin/init" ]; then
        exit 1
     fi
 
+    # run dhcp?
+    if [ -f /run-dhcp ]; then
+        type dhclient
+        if [ $? -ne 0 ]; then
+            echo "can't find dhclient"
+            exit 1
+        fi
+        touch /etc/fstab
+        rm -f /dhclient.conf
+        cat > /dhclient.conf << EOF
+send host-name "<hostname>";
+EOF
+        ifconfig eth0 up
+        dhclient eth0 -cf /dhclient.conf
+    fi
+
     exec @LXCINITDIR@/lxc-init -- /usr/sbin/sshd
     exit 1
 fi
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 3e84e74..aab941f 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -24,6 +24,8 @@
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
+set -e
+
 if [ -r /etc/default/lxc ]; then
     . /etc/default/lxc
 fi
@@ -52,11 +54,7 @@ EOF
 127.0.0.1 localhost $hostname
 EOF
 
-    if [ "$release" = "precise" ]; then
-        group="sudo"
-    else
-        group="admin"
-
+    if [ "$release" != "precise" ]; then
         # suppress log level output for udev
         sed -i "s/=\"err\"/=0/" $rootfs/etc/udev/udev.conf
 
@@ -65,17 +63,40 @@ EOF
         rm -f $rootfs/etc/init/tty{5,6}.conf
     fi
 
-    chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
-    chroot $rootfs useradd --create-home -s /bin/bash -G $group ubuntu
-    echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
+    if [ -z "$bindhome" ]; then
+        chroot $rootfs useradd --create-home -s /bin/bash ubuntu
+        echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
+    fi
+
+    return 0
+}
+
+# finish setting up the user in the container by injecting ssh key and
+# adding sudo group membership.
+# passed-in user is either 'ubuntu' or the user to bind in from host.
+finalize_user()
+{
+    user=$1
+
+    if [ "$release" = "precise" ]; then
+        groups="sudo"
+    else
+        groups="sudo admin"
+    fi
+
+    for group in $groups; do
+        chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
+        chroot $rootfs adduser ${user} $group >/dev/null 2>&1 || true
+    done
+
     if [ -n "$auth_key" -a -f "$auth_key" ]; then
-       u_path="/home/ubuntu/.ssh"
+       u_path="/home/${user}/.ssh"
        root_u_path="$rootfs/$u_path"
        mkdir -p $root_u_path
        cp $auth_key "$root_u_path/authorized_keys"
-       chroot $rootfs chown -R ubuntu: "$u_path"
+       chroot $rootfs chown -R ${user}: "$u_path"
 
-       echo "Inserted SSH public key from $auth_key into 
/home/ubuntu/.ssh/authorized_keys"
+       echo "Inserted SSH public key from $auth_key into 
/home/${user}/.ssh/authorized_keys"
     fi
     return 0
 }
@@ -305,7 +326,7 @@ EOF
     cat <<EOF >> $path/config
 lxc.utsname = $name
 
-lxc.devttydir = $ttydir
+lxc.devttydir =$ttydir
 lxc.tty = 4
 lxc.pts = 1024
 lxc.rootfs = $rootfs
@@ -466,9 +487,13 @@ post_process()
             chroot $rootfs apt-get install --force-yes -y 
python-software-properties
             chroot $rootfs add-apt-repository ppa:ubuntu-virt/ppa
         fi
-        cp /etc/resolv.conf "${rootfs}/etc"
+        cresolvonf="${rootfs}/etc/resolv.conf"
+        mv $cresolvonf ${cresolvonf}.lxcbak
+        cat /etc/resolv.conf > ${cresolvonf}
         chroot $rootfs apt-get update
         chroot $rootfs apt-get install --force-yes -y lxcguest
+        rm -f ${cresolvonf}
+        mv ${cresolvonf}.lxcbak ${cresolvonf}
     fi
 
     # If the container isn't running a native architecture, setup multiarch
@@ -500,20 +525,31 @@ do_bindhome()
     user=$2
 
     # copy /etc/passwd, /etc/shadow, and /etc/group entries into container
-    pwd=`getent passwd $user`
-    if [ $? -ne 0 ]; then
-        echo 'Warning: failed to copy password entry for $user'
-       return
-    else
-        echo $pwd >> $rootfs/etc/passwd
+    pwd=`getent passwd $user` || { echo "Failed to copy password entry for 
$user"; false; }
+    echo $pwd >> $rootfs/etc/passwd
+
+    # make sure user's shell exists in the container
+    shell=`echo $pwd | cut -d: -f 7`
+    if [ ! -x $rootfs/$shell ]; then
+        echo "shell $shell for user $user was not found in the container."
+        pkg=`dpkg -S $(readlink -m $shell) | cut -d ':' -f1`
+        echo "Installing $pkg"
+        chroot $rootfs apt-get --force-yes -y install $pkg
     fi
+
     shad=`getent shadow $user`
-    echo $shad >> $rootfs/etc/shadow
+    echo "$shad" >> $rootfs/etc/shadow
 
     # bind-mount the user's path into the container's /home
     h=`getent passwd $user | cut -d: -f 6`
     mkdir -p $rootfs/$h
     echo "$h $rootfs/$h none bind 0 0" >> $path/fstab
+
+    # Make sure the group exists in container
+    chroot $rootfs getent group $user || { \
+        grp=`getent group $user`
+        echo "$grp" >> $rootfs/etc/group
+    }
 }
 
 usage()
@@ -524,6 +560,8 @@ $1 -h|--help [-a|--arch] [-b|--bindhome <user>] [--trim] 
[-d|--debug]
 release: lucid | maverick | natty | oneiric | precise
 trim: make a minimal (faster, but not upgrade-safe) container
 bindhome: bind <user>'s home into the container
+          The ubuntu user will not be created, and <user> will have
+         sudo access.
 arch: amd64 or i386: defaults to host arch
 auth-key: SSH Public key file to inject into container
 EOF
@@ -645,8 +683,12 @@ if [ $? -ne 0 ]; then
 fi
 
 post_process $rootfs $release $trim_container
-if [ ! -z $bindhome ]; then
-       do_bindhome $rootfs $bindhome
+
+if [ -n "$bindhome" ]; then
+    do_bindhome $rootfs $bindhome
+    finalize_user $bindhome
+else
+    finalize_user ubuntu
 fi
 
 echo ""
-- 
1.7.9.5


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users

Reply via email to