Hi Daniel,

have you had a chance to look at this patchset?  (In particular
Stéphane noticed that lxc-shutdown, introduced in patch 8 of this
set, isn't yet upstream)

I can manually re-send them to lxc-devel if you prefer.

thanks,
-serge

Quoting Serge Hallyn (se...@hallyn.com):
> From: Serge Hallyn <serge.hal...@ubuntu.com>
> 
> Here are some template updates from the ubuntu package:
> 
> lxc-busybox: check separately for lib64 existence
> lxc-sshd: allow specifying ssh key, and run dhclient if no static ip is 
> defined
> lxc-ubuntu:
>    1. set -e
>    2. handle resolv.conf being a symbolic link
>    3. install a bound user's shell in container
>    4. always add sudo group (Stéphane Graber <stgra...@ubuntu.com>)
>    5. don't define ubuntu user if there is a bound user
>    6. put the bound user in sudo group
> 
> Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
> Cc: Stéphane Graber <stgra...@ubuntu.com>
> ---
>  templates/lxc-busybox.in |    5 +++
>  templates/lxc-sshd.in    |   37 ++++++++++++++++++--
>  templates/lxc-ubuntu.in  |   86 
> ++++++++++++++++++++++++++++++++++------------
>  3 files changed, 103 insertions(+), 25 deletions(-)
> 
> diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> index 720ceef..ef356db 100644
> --- a/templates/lxc-busybox.in
> +++ b/templates/lxc-busybox.in
> @@ -245,6 +245,11 @@ fi
>  if [ -d "/lib64" ] && [ -d "$rootfs/lib64" ]; then
>  cat <<EOF >> $path/config
>  lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
> +EOF
> +fi
> +
> +if [ -d "/usr/lib64" ] && [ -d "$rootfs/usr/lib64" ]; then
> +cat <<EOF >> $path/config
>  lxc.mount.entry=/usr/lib64 $rootfs/usr/lib64 none ro,bind 0 0
>  EOF
>  fi
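Review bot: The new `/usr/lib64` block appends its mount entry to an unquoted `$path/config`, so a path containing whitespace splits the redirection target; write it as `cat <<EOF >> "$path/config"` (the pre-existing `/lib64` block above has the same issue, and fixing both keeps the two blocks parallel). The surrounding script continues outside the hunk.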
> diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
> index bd5d293..749d08a 100644
> --- a/templates/lxc-sshd.in
> +++ b/templates/lxc-sshd.in
> @@ -88,6 +88,16 @@ HostbasedAuthentication no
>  PermitEmptyPasswords yes
>  ChallengeResponseAuthentication no
>  EOF
> +    if [ -n "$auth_key" -a -f "$auth_key" ]; then
> +       u_path="/root/.ssh"
> +       root_u_path="$rootfs/$u_path"
> +       mkdir -p $root_u_path
> +       cp $auth_key "$root_u_path/authorized_keys"
> +       chown -R 0:0 "$rootfs/$u_path"
> +       chmod 700 "$rootfs/$u_path"
> +
> +       echo "Inserted SSH public key from $auth_key into 
> /home/ubuntu/.ssh/authorized_keys"
> +    fi
>      return 0
>  }
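Review bot: The message echoed after installing the key names `/home/ubuntu/.ssh/authorized_keys`, but the key was copied into `$root_u_path/authorized_keys`, i.e. `/root/.ssh/authorized_keys` in the container; change it to `echo "Inserted SSH public key from $auth_key into $u_path/authorized_keys"`. `mkdir -p $root_u_path` and `cp $auth_key …` leave their paths unquoted, and `[ -n "$auth_key" -a -f "$auth_key" ]` uses the deprecated `-a`, which reads better as `[ -n "$auth_key" ] && [ -f "$auth_key" ]`. The mode of the copied `authorized_keys` is whatever `cp` and the caller's umask produce, and sshd rejects a group/world-writable file under StrictModes, so an explicit `chmod 600 "$root_u_path/authorized_keys"` next to the `chmod 700` makes the result independent of the host file's mode. The enclosing function starts outside the hunk.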
>  
> @@ -108,8 +118,12 @@ lxc.mount.entry=/usr /$rootfs/usr none ro,bind 0 0
>  lxc.mount.entry=/sbin $rootfs/sbin none ro,bind 0 0
>  lxc.mount.entry=tmpfs $rootfs/var/run/sshd tmpfs mode=0644 0 0
>  lxc.mount.entry=@LXCTEMPLATEDIR@/lxc-sshd $rootfs/sbin/init none bind 0 0
> +lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
>  EOF
>  
> +# if no .ipv4 section in config, then have the container run dhcp
> +grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp
> +
>  if [ "$(uname -m)" = "x86_64" ]; then
>      cat <<EOF >> $path/config
>  lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
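Review bot: The added `grep -q "^lxc.network.ipv4" $path/config` treats the dots as regex wildcards and leaves `$path/config` unquoted; `grep -q '^lxc\.network\.ipv4' "$path/config"` matches only the intended key. The check also only sees what has been written to the config at this point, so if an ipv4 entry can be appended later by the caller the `$rootfs/run-dhcp` marker would still be created — if that ordering is intended, a comment saying so next to the check would help, e.g. `# decided here, after the network section has been emitted`.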
> @@ -120,12 +134,12 @@ fi
>  usage()
>  {
>      cat <<EOF
> -$1 -h|--help -p|--path=<path>
> +$1 -h|--help -p|--path=<path> [-S|--auth-key=ssh-pub-key]
>  EOF
>      return 0
>  }
>  
> -options=$(getopt -o hp:n: -l help,path:,name: -- "$@")
> +options=$(getopt -o hp:n:S: -l help,path:,name:,auth-key: -- "$@")
>  if [ $? -ne 0 ]; then
>          usage $(basename $0)
>       exit 1
> @@ -137,7 +151,8 @@ do
>      case "$1" in
>          -h|--help)      usage $0 && exit 0;;
>          -p|--path)      path=$2; shift 2;;
> -     -n|--name)      name=$2; shift 2;;
> +        -n|--name)      name=$2; shift 2;;
> +        -S|--auth-key)  auth_key=$2; shift 2;;
>          --)             shift 1; break ;;
>          *)              break ;;
>      esac
> @@ -162,6 +177,22 @@ if [ $0 == "/sbin/init" ]; then
>       exit 1
>      fi
>  
> +    # run dhcp?
> +    if [ -f /run-dhcp ]; then
> +        type dhclient
> +        if [ $? -ne 0 ]; then
> +            echo "can't find dhclient"
> +            exit 1
> +        fi
> +        touch /etc/fstab
> +        rm -f /dhclient.conf
> +        cat > /dhclient.conf << EOF
> +send host-name "<hostname>";
> +EOF
> +        ifconfig eth0 up
> +        dhclient eth0 -cf /dhclient.conf
> +    fi
> +
>      exec @LXCINITDIR@/lxc-init -- /usr/sbin/sshd
>      exit 1
>  fi
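Review bot: The dhcp branch hard-codes `eth0` in `ifconfig eth0 up` and `dhclient eth0 -cf /dhclient.conf`, and neither command's status is checked, so when the container interface has another name or no lease is obtained the branch falls through and sshd is exec'd without a configured address; at minimum `dhclient eth0 -cf /dhclient.conf || echo "dhclient failed" >&2` would surface that. `type dhclient` prints the resolved path to stdout on success; `if ! command -v dhclient >/dev/null 2>&1; then` is the quieter test and drops the separate `$?` check. The purpose of `touch /etc/fstab` is not visible from the hunk and deserves a one-line comment (presumably something run later expects the file to exist — TODO confirm). The enclosing `if [ $0 == "/sbin/init" ]` block starts outside the hunk.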
> diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> index 3e84e74..aab941f 100644
> --- a/templates/lxc-ubuntu.in
> +++ b/templates/lxc-ubuntu.in
> @@ -24,6 +24,8 @@
>  # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
>  #
>  
> +set -e
> +
>  if [ -r /etc/default/lxc ]; then
>      . /etc/default/lxc
>  fi
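Review bot: Adding `set -e` at the top changes how every `cmd; if [ $? -ne 0 ]; then` check later in the file behaves — the context line of the last hunk (`@@ -645,8 +683,12 @@ if [ $? -ne 0 ]; then`) suggests at least one such check remains — because the shell now exits at `cmd` before the `$?` test and its error message or usage output is reached. Those sites need to become `if ! cmd; then` or `cmd || { …; exit 1; }` in the same commit, otherwise the failure mode turns into a silent exit. A short comment on this line, `# set -e: every unchecked command now aborts the template; use '|| true' for best-effort steps`, would tell the next editor what the contract is.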
> @@ -52,11 +54,7 @@ EOF
>  127.0.0.1 localhost $hostname
>  EOF
>  
> -    if [ "$release" = "precise" ]; then
> -        group="sudo"
> -    else
> -        group="admin"
> -
> +    if [ "$release" != "precise" ]; then
>          # suppress log level output for udev
>          sed -i "s/=\"err\"/=0/" $rootfs/etc/udev/udev.conf
>  
> @@ -65,17 +63,40 @@ EOF
>          rm -f $rootfs/etc/init/tty{5,6}.conf
>      fi
>  
> -    chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
> -    chroot $rootfs useradd --create-home -s /bin/bash -G $group ubuntu
> -    echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
> +    if [ -z "$bindhome" ]; then
> +        chroot $rootfs useradd --create-home -s /bin/bash ubuntu
> +        echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
> +    fi
> +
> +    return 0
> +}
> +
> +# finish setting up the user in the container by injecting ssh key and
> +# adding sudo group membership.
> +# passed-in user is either 'ubuntu' or the user to bind in from host.
> +finalize_user()
> +{
> +    user=$1
> +
> +    if [ "$release" = "precise" ]; then
> +        groups="sudo"
> +    else
> +        groups="sudo admin"
> +    fi
> +
> +    for group in $groups; do
> +        chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
> +        chroot $rootfs adduser ${user} $group >/dev/null 2>&1 || true
> +    done
> +
>      if [ -n "$auth_key" -a -f "$auth_key" ]; then
> -     u_path="/home/ubuntu/.ssh"
> +     u_path="/home/${user}/.ssh"
>       root_u_path="$rootfs/$u_path"
>       mkdir -p $root_u_path
>       cp $auth_key "$root_u_path/authorized_keys"
> -     chroot $rootfs chown -R ubuntu: "$u_path"
> +     chroot $rootfs chown -R ${user}: "$u_path"
>  
> -     echo "Inserted SSH public key from $auth_key into 
> /home/ubuntu/.ssh/authorized_keys"
> +     echo "Inserted SSH public key from $auth_key into 
> /home/${user}/.ssh/authorized_keys"
>      fi
>      return 0
>  }
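Review bot: finalize_user writes the key to `/home/${user}/.ssh`, whereas do_bindhome (a later hunk) takes the home directory from `getent passwd $user | cut -d: -f 6` and adds a bind mount of the host's `$h` over `$rootfs/$h` to fstab; when the two paths coincide the key placed under the rootfs would presumably be hidden by that mount at container start, and when they differ the key lands in a directory the user never sees. Deriving the path from the passwd entry, `u_path="$(getent passwd "$user" | cut -d: -f6)/.ssh"`, and deciding explicitly what injection means for a bound user (skip it, or write into the host home) would make the two functions agree — the bindhome call site in the final hunk is where that decision should be commented. Separately, `mkdir -p $root_u_path` creates `.ssh` with the umask default while the lxc-sshd change in the same series does `chmod 700`; a `chmod 700 "$root_u_path"` here keeps the templates consistent. `user`, `groups` and `group` are plain globals, and the `adduser … || true` hides a failed group membership silently, so a user can end up without the sudo access the usage text promises.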
> @@ -305,7 +326,7 @@ EOF
>      cat <<EOF >> $path/config
>  lxc.utsname = $name
>  
> -lxc.devttydir = $ttydir
> +lxc.devttydir =$ttydir
>  lxc.tty = 4
>  lxc.pts = 1024
>  lxc.rootfs = $rootfs
> @@ -466,9 +487,13 @@ post_process()
>              chroot $rootfs apt-get install --force-yes -y 
> python-software-properties
>              chroot $rootfs add-apt-repository ppa:ubuntu-virt/ppa
>          fi
> -        cp /etc/resolv.conf "${rootfs}/etc"
> +        cresolvonf="${rootfs}/etc/resolv.conf"
> +        mv $cresolvonf ${cresolvonf}.lxcbak
> +        cat /etc/resolv.conf > ${cresolvonf}
>          chroot $rootfs apt-get update
>          chroot $rootfs apt-get install --force-yes -y lxcguest
> +        rm -f ${cresolvonf}
> +        mv ${cresolvonf}.lxcbak ${cresolvonf}
>      fi
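Review bot: The resolv.conf swap in post_process does `mv $cresolvonf ${cresolvonf}.lxcbak` unconditionally; with the `set -e` this series adds, a rootfs that has no `/etc/resolv.conf` yet aborts the template on that line, and if either `apt-get` fails the script exits with the host's resolv.conf left in the container and the `.lxcbak` never restored. Guarding the backup on existence (`-e` or `-L`, since the stated purpose is handling a symlink), restoring only when a backup exists, and quoting the expansions covers the first case; restoring on an apt-get failure as well would need a cleanup trap. The variable name `cresolvonf` reads like a typo for `cresolvconf`. post_process starts and ends outside the hunk.
```shell
        cresolvconf="${rootfs}/etc/resolv.conf"
        # keep the container's own resolv.conf (file or symlink) aside while
        # apt runs with the host's resolver
        if [ -e "$cresolvconf" ] || [ -L "$cresolvconf" ]; then
            mv "$cresolvconf" "${cresolvconf}.lxcbak"
        fi
        cat /etc/resolv.conf > "$cresolvconf"
        # … unchanged: apt-get update / apt-get install lxcguest …
        rm -f "$cresolvconf"
        if [ -e "${cresolvconf}.lxcbak" ] || [ -L "${cresolvconf}.lxcbak" ]; then
            mv "${cresolvconf}.lxcbak" "$cresolvconf"
        fi
```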
>  
>      # If the container isn't running a native architecture, setup multiarch
> @@ -500,20 +525,31 @@ do_bindhome()
>      user=$2
>  
>      # copy /etc/passwd, /etc/shadow, and /etc/group entries into container
> -    pwd=`getent passwd $user`
> -    if [ $? -ne 0 ]; then
> -        echo 'Warning: failed to copy password entry for $user'
> -     return
> -    else
> -        echo $pwd >> $rootfs/etc/passwd
> +    pwd=`getent passwd $user` || { echo "Failed to copy password entry for 
> $user"; false; }
> +    echo $pwd >> $rootfs/etc/passwd
> +
> +    # make sure user's shell exists in the container
> +    shell=`echo $pwd | cut -d: -f 7`
> +    if [ ! -x $rootfs/$shell ]; then
> +        echo "shell $shell for user $user was not found in the container."
> +        pkg=`dpkg -S $(readlink -m $shell) | cut -d ':' -f1`
> +        echo "Installing $pkg"
> +        chroot $rootfs apt-get --force-yes -y install $pkg
>      fi
> +
>      shad=`getent shadow $user`
> -    echo $shad >> $rootfs/etc/shadow
> +    echo "$shad" >> $rootfs/etc/shadow
>  
>      # bind-mount the user's path into the container's /home
>      h=`getent passwd $user | cut -d: -f 6`
>      mkdir -p $rootfs/$h
>      echo "$h $rootfs/$h none bind 0 0" >> $path/fstab
> +
> +    # Make sure the group exists in container
> +    chroot $rootfs getent group $user || { \
> +        grp=`getent group $user`
> +        echo "$grp" >> $rootfs/etc/group
> +    }
>  }
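Review bot: In do_bindhome the package lookup `pkg=\`dpkg -S $(readlink -m $shell) | cut -d ':' -f1\`` takes its exit status from `cut`, so when the shell is not owned by any package `dpkg -S` fails unnoticed, `pkg` is empty and `apt-get … install` runs with no package name; add `[ -n "$pkg" ] || { echo "no package provides $shell" >&2; false; }` before the install. The new failure message on the `getent passwd` line goes to stdout rather than stderr and should end with `>&2`. `echo $pwd >> $rootfs/etc/passwd` is still unquoted while the shadow line in the same hunk was fixed to `echo "$shad"`; the passwd line should get the same treatment, since the GECOS field may contain runs of whitespace that word-splitting collapses. do_bindhome starts outside the hunk.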
>  
>  usage()
> @@ -524,6 +560,8 @@ $1 -h|--help [-a|--arch] [-b|--bindhome <user>] [--trim] 
> [-d|--debug]
>  release: lucid | maverick | natty | oneiric | precise
>  trim: make a minimal (faster, but not upgrade-safe) container
>  bindhome: bind <user>'s home into the container
> +          The ubuntu user will not be created, and <user> will have
> +       sudo access.
>  arch: amd64 or i386: defaults to host arch
>  auth-key: SSH Public key file to inject into container
>  EOF
> @@ -645,8 +683,12 @@ if [ $? -ne 0 ]; then
>  fi
>  
>  post_process $rootfs $release $trim_container
> -if [ ! -z $bindhome ]; then
> -     do_bindhome $rootfs $bindhome
> +
> +if [ -n "$bindhome" ]; then
> +    do_bindhome $rootfs $bindhome
> +    finalize_user $bindhome
> +else
> +    finalize_user ubuntu
>  fi
>  
>  echo ""
> -- 
> 1.7.9.5
> 
