From: Serge Hallyn <serge.hal...@ubuntu.com>

Here are some template updates from the ubuntu package:

lxc-busybox: check separately for lib64 existence
lxc-sshd: allow specifying ssh key, and run dhclient if no static ip is defined
lxc-ubuntu:
   1. set -e
   2. handle resolv.conf being a symbolic link
   3. install a bound user's shell in container
   4. always add sudo group (Stéphane Graber <stgra...@ubuntu.com>)
   5. don't define ubuntu user if there is a bound user
   6. put the bound user in sudo group

Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
Cc: Stéphane Graber <stgra...@ubuntu.com>
---
 templates/lxc-busybox.in |    5 +++
 templates/lxc-sshd.in    |   37 ++++++++++++++++++--
 templates/lxc-ubuntu.in  |   86 ++++++++++++++++++++++++++++++++++------------
 3 files changed, 103 insertions(+), 25 deletions(-)

diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 720ceef..ef356db 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -245,6 +245,11 @@ fi
 if [ -d "/lib64" ] && [ -d "$rootfs/lib64" ]; then
 cat <<EOF >> $path/config
 lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
+EOF
+fi
+
+if [ -d "/usr/lib64" ] && [ -d "$rootfs/usr/lib64" ]; then
+cat <<EOF >> $path/config
 lxc.mount.entry=/usr/lib64 $rootfs/usr/lib64 none ro,bind 0 0
 EOF
 fi
diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index bd5d293..749d08a 100644
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -88,6 +88,16 @@ HostbasedAuthentication no
 PermitEmptyPasswords yes
 ChallengeResponseAuthentication no
 EOF
+    if [ -n "$auth_key" -a -f "$auth_key" ]; then
+       u_path="/root/.ssh"
+       root_u_path="$rootfs/$u_path"
+       mkdir -p $root_u_path
+       cp $auth_key "$root_u_path/authorized_keys"
+       chown -R 0:0 "$rootfs/$u_path"
+       chmod 700 "$rootfs/$u_path"
+
+       echo "Inserted SSH public key from $auth_key into 
/home/ubuntu/.ssh/authorized_keys"
+    fi
     return 0
 }
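Review bot: The message echoed at the end of the new block names `/home/ubuntu/.ssh/authorized_keys`, but the key was just copied to `$root_u_path/authorized_keys`, i.e. `/root/.ssh/authorized_keys` inside the rootfs; it should read `echo "Inserted SSH public key from $auth_key into /root/.ssh/authorized_keys"`. The copied file keeps whatever mode the source key file had, so a `chmod 600 "$root_u_path/authorized_keys"` after the `cp` would pin it regardless of the host file's permissions. The `-a` inside `[ ]` is the obsolescent form; `[ -n "$auth_key" ] && [ -f "$auth_key" ]` is the portable spelling. The enclosing function starts before this hunk.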
 
@@ -108,8 +118,12 @@ lxc.mount.entry=/usr /$rootfs/usr none ro,bind 0 0
 lxc.mount.entry=/sbin $rootfs/sbin none ro,bind 0 0
 lxc.mount.entry=tmpfs $rootfs/var/run/sshd tmpfs mode=0644 0 0
 lxc.mount.entry=@LXCTEMPLATEDIR@/lxc-sshd $rootfs/sbin/init none bind 0 0
+lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
 EOF
 
+# if no .ipv4 section in config, then have the container run dhcp
+grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp
+
 if [ "$(uname -m)" = "x86_64" ]; then
     cat <<EOF >> $path/config
 lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
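Review bot: The marker `$rootfs/run-dhcp` created on the new `grep -q` line is evaluated once at creation time but read on every boot by the init path further down, so a static `lxc.network.ipv4` added to the config later will still have dhclient started in the container; the comment should say so, e.g. `# marker is only computed at creation time; remove $rootfs/run-dhcp if a static ipv4 is added later`. The `.` characters in the pattern are unescaped regex metacharacters and `$path/config` is unquoted, matching the surrounding style; `grep -q '^lxc\.network\.ipv4' "$path/config"` would be the strict form.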
@@ -120,12 +134,12 @@ fi
 usage()
 {
     cat <<EOF
-$1 -h|--help -p|--path=<path>
+$1 -h|--help -p|--path=<path> [-S|--auth-key=ssh-pub-key]
 EOF
     return 0
 }
 
-options=$(getopt -o hp:n: -l help,path:,name: -- "$@")
+options=$(getopt -o hp:n:S: -l help,path:,name:,auth-key: -- "$@")
 if [ $? -ne 0 ]; then
         usage $(basename $0)
        exit 1
@@ -137,7 +151,8 @@ do
     case "$1" in
         -h|--help)      usage $0 && exit 0;;
         -p|--path)      path=$2; shift 2;;
-       -n|--name)      name=$2; shift 2;;
+        -n|--name)      name=$2; shift 2;;
+        -S|--auth-key)  auth_key=$2; shift 2;;
         --)             shift 1; break ;;
         *)              break ;;
     esac
@@ -162,6 +177,22 @@ if [ $0 == "/sbin/init" ]; then
        exit 1
     fi
 
+    # run dhcp?
+    if [ -f /run-dhcp ]; then
+        type dhclient
+        if [ $? -ne 0 ]; then
+            echo "can't find dhclient"
+            exit 1
+        fi
+        touch /etc/fstab
+        rm -f /dhclient.conf
+        cat > /dhclient.conf << EOF
+send host-name "<hostname>";
+EOF
+        ifconfig eth0 up
+        dhclient eth0 -cf /dhclient.conf
+    fi
+
     exec @LXCINITDIR@/lxc-init -- /usr/sbin/sshd
     exit 1
 fi
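Review bot: The `type dhclient` check on the new lines prints its lookup result to stdout on success and the failure message goes to stdout as well; `type dhclient >/dev/null 2>&1` keeps the boot output clean and `echo "can't find dhclient" >&2` puts the error where it belongs. The generated `/dhclient.conf` sends the literal string `<hostname>`; I believe Ubuntu's dhclient substitutes the real hostname for that token, but stock ISC dhclient would send it verbatim, so a comment such as `# "<hostname>" is expanded by Ubuntu's patched dhclient — confirm` would help, as would one explaining why `touch /etc/fstab` is needed here. `eth0` is hard-coded in both the `ifconfig` and `dhclient` calls. The enclosing `if [ $0 == "/sbin/init" ]` block starts before this hunk.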
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 3e84e74..aab941f 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -24,6 +24,8 @@
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
+set -e
+
 if [ -r /etc/default/lxc ]; then
     . /etc/default/lxc
 fi
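Review bot: Adding `set -e` at the top changes the meaning of the script's existing `cmd; if [ $? -ne 0 ]` error paths, such as the `if [ $? -ne 0 ]; then` visible in the header of the last hunk: with `-e` a failing command exits before the check, so the message in that branch can no longer be reached, and if this template captures `getopt` with the same `options=$(getopt ...)` idiom lxc-sshd uses, a bad option now aborts without printing usage. The new `do_bindhome` code deliberately relies on `-e` (`|| { echo ...; false; }`), so the intent is clear, but the remaining `$?` checks should be converted to `cmd || { ...; }` form. A short comment on the new line, e.g. `# abort on the first failing command; append '|| true' to commands allowed to fail`, would document the convention for the rest of the template.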
@@ -52,11 +54,7 @@ EOF
 127.0.0.1 localhost $hostname
 EOF
 
-    if [ "$release" = "precise" ]; then
-        group="sudo"
-    else
-        group="admin"
-
+    if [ "$release" != "precise" ]; then
         # suppress log level output for udev
         sed -i "s/=\"err\"/=0/" $rootfs/etc/udev/udev.conf
 
@@ -65,17 +63,40 @@ EOF
         rm -f $rootfs/etc/init/tty{5,6}.conf
     fi
 
-    chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
-    chroot $rootfs useradd --create-home -s /bin/bash -G $group ubuntu
-    echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
+    if [ -z "$bindhome" ]; then
+        chroot $rootfs useradd --create-home -s /bin/bash ubuntu
+        echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
+    fi
+
+    return 0
+}
+
+# finish setting up the user in the container by injecting ssh key and
+# adding sudo group membership.
+# passed-in user is either 'ubuntu' or the user to bind in from host.
+finalize_user()
+{
+    user=$1
+
+    if [ "$release" = "precise" ]; then
+        groups="sudo"
+    else
+        groups="sudo admin"
+    fi
+
+    for group in $groups; do
+        chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
+        chroot $rootfs adduser ${user} $group >/dev/null 2>&1 || true
+    done
+
     if [ -n "$auth_key" -a -f "$auth_key" ]; then
-       u_path="/home/ubuntu/.ssh"
+       u_path="/home/${user}/.ssh"
        root_u_path="$rootfs/$u_path"
        mkdir -p $root_u_path
        cp $auth_key "$root_u_path/authorized_keys"
-       chroot $rootfs chown -R ubuntu: "$u_path"
+       chroot $rootfs chown -R ${user}: "$u_path"
 
-       echo "Inserted SSH public key from $auth_key into 
/home/ubuntu/.ssh/authorized_keys"
+       echo "Inserted SSH public key from $auth_key into 
/home/${user}/.ssh/authorized_keys"
     fi
     return 0
 }
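Review bot: In `finalize_user`, `chroot $rootfs adduser ${user} $group >/dev/null 2>&1 || true` swallows every failure, so a bound user who is not present in the container ends up without sudo membership while the script continues silently; the `|| true` is right for `groupadd` (the group may already exist) but `adduser` should be left to fail under the file's `set -e`, i.e. `chroot $rootfs adduser ${user} $group >/dev/null`. The injected key directory is created with `mkdir -p` and only `chown`ed; unlike the matching block in lxc-sshd this one never sets `chmod 700` on `$u_path` or `chmod 600` on `authorized_keys`, so the modes depend on the host umask and the source file. `user`, `groups` and `group` are globals that outlive the function; if the template runs under bash, `local` would contain them.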
@@ -305,7 +326,7 @@ EOF
     cat <<EOF >> $path/config
 lxc.utsname = $name
 
-lxc.devttydir = $ttydir
+lxc.devttydir =$ttydir
 lxc.tty = 4
 lxc.pts = 1024
 lxc.rootfs = $rootfs
@@ -466,9 +487,13 @@ post_process()
             chroot $rootfs apt-get install --force-yes -y 
python-software-properties
             chroot $rootfs add-apt-repository ppa:ubuntu-virt/ppa
         fi
-        cp /etc/resolv.conf "${rootfs}/etc"
+        cresolvonf="${rootfs}/etc/resolv.conf"
+        mv $cresolvonf ${cresolvonf}.lxcbak
+        cat /etc/resolv.conf > ${cresolvonf}
         chroot $rootfs apt-get update
         chroot $rootfs apt-get install --force-yes -y lxcguest
+        rm -f ${cresolvonf}
+        mv ${cresolvonf}.lxcbak ${cresolvonf}
     fi
 
     # If the container isn't running a native architecture, setup multiarch
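Review bot: The resolv.conf restore on the new lines only runs if both `apt-get` calls succeed: under the file's new `set -e`, a failed `apt-get update` exits the script with the host's resolv.conf left in the container and the original stranded as `${cresolvonf}.lxcbak`. Likewise `mv $cresolvonf ${cresolvonf}.lxcbak` aborts the whole script if the rootfs has no `/etc/resolv.conf` yet. Moving the restore into a cleanup function run from `trap ... EXIT`, or capturing the apt-get status with `|| rv=$?` and restoring before returning, would cover both. The variable name `cresolvonf` looks like a typo for `cresolvconf`. `post_process` begins before this hunk.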
@@ -500,20 +525,31 @@ do_bindhome()
     user=$2
 
     # copy /etc/passwd, /etc/shadow, and /etc/group entries into container
-    pwd=`getent passwd $user`
-    if [ $? -ne 0 ]; then
-        echo 'Warning: failed to copy password entry for $user'
-       return
-    else
-        echo $pwd >> $rootfs/etc/passwd
+    pwd=`getent passwd $user` || { echo "Failed to copy password entry for 
$user"; false; }
+    echo $pwd >> $rootfs/etc/passwd
+
+    # make sure user's shell exists in the container
+    shell=`echo $pwd | cut -d: -f 7`
+    if [ ! -x $rootfs/$shell ]; then
+        echo "shell $shell for user $user was not found in the container."
+        pkg=`dpkg -S $(readlink -m $shell) | cut -d ':' -f1`
+        echo "Installing $pkg"
+        chroot $rootfs apt-get --force-yes -y install $pkg
     fi
+
     shad=`getent shadow $user`
-    echo $shad >> $rootfs/etc/shadow
+    echo "$shad" >> $rootfs/etc/shadow
 
     # bind-mount the user's path into the container's /home
     h=`getent passwd $user | cut -d: -f 6`
     mkdir -p $rootfs/$h
     echo "$h $rootfs/$h none bind 0 0" >> $path/fstab
+
+    # Make sure the group exists in container
+    chroot $rootfs getent group $user || { \
+        grp=`getent group $user`
+        echo "$grp" >> $rootfs/etc/group
+    }
 }
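Review bot: `echo $pwd >> $rootfs/etc/passwd` is still unquoted while the shadow line directly below was changed to `echo "$shad"`; an unquoted `$pwd` is word-split and glob-expanded, so runs of spaces in the GECOS field are collapsed and a `*` in any field is expanded against the cwd before the entry is written. It should be `echo "$pwd" >> $rootfs/etc/passwd`. In the new group block, if the host has no group named `$user`, `grp` is empty and a blank line is appended to the container's `/etc/group`; a `[ -n "$grp" ] &&` guard avoids that. The `getent passwd $user` failure message ends with `false;` and relies on the file's `set -e` to stop the script, which deserves a comment such as `# under set -e the 'false' aborts the script`. `do_bindhome` starts before this hunk.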
 
 usage()
@@ -524,6 +560,8 @@ $1 -h|--help [-a|--arch] [-b|--bindhome <user>] [--trim] 
[-d|--debug]
 release: lucid | maverick | natty | oneiric | precise
 trim: make a minimal (faster, but not upgrade-safe) container
 bindhome: bind <user>'s home into the container
+          The ubuntu user will not be created, and <user> will have
+         sudo access.
 arch: amd64 or i386: defaults to host arch
 auth-key: SSH Public key file to inject into container
 EOF
@@ -645,8 +683,12 @@ if [ $? -ne 0 ]; then
 fi
 
 post_process $rootfs $release $trim_container
-if [ ! -z $bindhome ]; then
-       do_bindhome $rootfs $bindhome
+
+if [ -n "$bindhome" ]; then
+    do_bindhome $rootfs $bindhome
+    finalize_user $bindhome
+else
+    finalize_user ubuntu
 fi
 
 echo ""
-- 
1.7.9.5

