[lxc-devel] [PATCH] fix sshd template

Dwight Engen dwight.engen at oracle.com
Fri Jul 5 16:17:15 UTC 2013


Commit a0a2066d introduced an lxc subdir into the lxc-init path, but
this was never reflected in the sshd template. Add it there.

Don't have ssh-keygen ask for passphrase since host keys are not
supposed to use them.

Don't try to symlink kmsg since /dev is bind mounted readonly.

Read-only bind mount some extra /etc directories, and sysfs, which are
needed by dhclient on Fedora and Oracle Linux. Fix mounting of /proc.

Find sshd in more places by adding some common paths to $PATH, and
use the found path to it instead of hardcoded /usr/sbin.

Check for ifconfig command, and print out container's IP address.

Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
---
 templates/lxc-sshd.in | 64 +++++++++++++++++++++++++++++++++++----------------
 1 file changed, 44 insertions(+), 20 deletions(-)

diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index 5400156..9e0f698 100644
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -28,10 +28,14 @@ install_sshd()
 $rootfs/var/run/sshd \
 $rootfs/var/empty/sshd \
 $rootfs/var/lib/empty/sshd \
+$rootfs/etc/init.d \
+$rootfs/etc/rc.d \
 $rootfs/etc/ssh \
+$rootfs/etc/sysconfig/network-scripts \
 $rootfs/dev/shm \
 $rootfs/run/shm \
 $rootfs/proc \
+$rootfs/sys \
 $rootfs/bin \
 $rootfs/sbin \
 $rootfs/usr \
@@ -63,8 +67,8 @@ root:x:0:root
 sshd:x:74:
 EOF
 
-ssh-keygen -t rsa -f $rootfs/etc/ssh/ssh_host_rsa_key
-ssh-keygen -t dsa -f $rootfs/etc/ssh/ssh_host_dsa_key
+ssh-keygen -t rsa -N "" -f $rootfs/etc/ssh/ssh_host_rsa_key
+ssh-keygen -t dsa -N "" -f $rootfs/etc/ssh/ssh_host_dsa_key
 
     # by default setup root password with no password
     cat <<EOF > $rootfs/etc/ssh/sshd_config
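Review bot: The exit status of the two new ssh-keygen calls is still unchecked, so if key generation fails (for example no ssh-keygen on the host, or an existing key file that ssh-keygen asks about before overwriting) install_sshd carries on and writes an sshd_config for a rootfs that has no host keys; append `|| return 1` to each line. The `$rootfs` expansion is also unquoted, so a rootfs path containing whitespace would be word-split: `ssh-keygen -t rsa -N "" -f "$rootfs/etc/ssh/ssh_host_rsa_key" || return 1` and the same for the dsa line. Whether the caller acts on install_sshd's return value cannot be seen here; install_sshd begins before and continues after this hunk.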
@@ -112,6 +116,7 @@ copy_configuration()
 cat <<EOF >> $path/config
 lxc.utsname = $name
 lxc.pts = 1024
+lxc.kmsg = 0
 lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
@@ -124,9 +129,24 @@ lxc.mount.entry = /usr usr none ro,bind 0 0
 lxc.mount.entry = /sbin sbin none ro,bind 0 0
 lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0
 lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none bind 0 0
-lxc.mount.entry = proc $rootfs/proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry = sysfs sys sysfs ro 0 0
+lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
 EOF
 
+    # Oracle Linux and Fedora need the following two bind mounted
+    if [ -d /etc/sysconfig/network-scripts ]; then
+        cat <<EOF >> $path/config
+lxc.mount.entry = /etc/sysconfig/network-scripts etc/sysconfig/network-scripts none ro,bind 0 0
+EOF
+    fi
+
+    if [ -d /etc/rc.d ]; then
+        cat <<EOF >> $path/config
+lxc.mount.entry = /etc/rc.d etc/rc.d none ro,bind 0 0
+EOF
+    fi
+
     # if no .ipv4 section in config, then have the container run dhcp
     grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp
 
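Review bot: The new `/etc/init.d` bind mount entry is written unconditionally inside the here-document, while the `/etc/sysconfig/network-scripts` and `/etc/rc.d` entries added just below are each guarded by `[ -d ... ]`; on a host without /etc/init.d the unguarded entry would presumably make the container fail to start, which is exactly what the guards on the other two avoid. Move the entry out of the here-document into a guard of the same shape as the other two, as below. The `$path` expansions in this hunk are unquoted, consistent with the rest of the template but fragile for paths containing whitespace. copy_configuration starts outside the hunk.
```shell
lxc.mount.entry = sysfs sys sysfs ro 0 0
EOF

    # only bind mount host init-script directories that actually exist
    if [ -d /etc/init.d ]; then
        cat <<EOF >> $path/config
lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
EOF
    fi
# … unchanged: guarded network-scripts and rc.d entries, run-dhcp check …
```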
@@ -145,6 +165,18 @@ EOF
     return 0
 }
 
+check_for_cmd()
+{
+    cmd_path=`type $1`
+    if [ $? -ne 0 ]; then
+        echo "The command '$1' $cmd_path is not accessible on the system"
+        exit 1
+    fi
+    # we use cut instead of awk because awk is alternatives symlink on ubuntu
+    # and /etc/alternatives isn't bind mounted
+    cmd_path=`echo $cmd_path |cut -d ' ' -f 3`
+}
+
 options=$(getopt -o hp:n:S: -l help,rootfs:,path:,name:,auth-key: -- "$@")
 if [ $? -ne 0 ]; then
         usage $(basename $0)
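Review bot: check_for_cmd derives the path by cutting the third word of `type`'s output (`name is /path`), so for anything `type` describes in a different sentence — an alias, a function, a shell builtin — `cmd_path` ends up holding a fragment of that sentence rather than a path, and that value is what the caller later hands to lxc-init as the sshd binary. The first assignment also captures only stdout, so the error message on the failure branch prints an empty `$cmd_path`. `command -v` is a builtin that prints just the resolved path for an executable found on PATH and fails when it is absent, so the awk/cut concern noted in the comment does not arise; the function could be written as below while keeping the global `cmd_path` contract the callers rely on. Backticks and the unquoted `$1` and `$cmd_path` should in any case become `$(...)` and quoted expansions.
```shell
check_for_cmd()
{
    # command -v is a shell builtin, so no external tool (awk/cut) is needed
    # and the lookup is unaffected by /etc/alternatives not being mounted
    if ! cmd_path=$(command -v "$1") || [ -z "$cmd_path" ]; then
        echo "The command '$1' is not accessible on the system"
        exit 1
    fi
}
```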
@@ -172,25 +204,15 @@ fi
 
 if [ $0 == "/sbin/init" ]; then
 
-    type @LXCINITDIR@/lxc-init
-    if [ $? -ne 0 ]; then
-        echo "'lxc-init is not accessible on the system"
-        exit 1
-    fi
-
-    type sshd
-    if [ $? -ne 0 ]; then
-        echo "'sshd' is not accessible on the system "
-        exit 1
-    fi
+    PATH="$PATH:/bin:/sbin:/usr/sbin"
+    check_for_cmd @LXCINITDIR@/lxc/lxc-init
+    check_for_cmd sshd
+    sshd_path=$cmd_path
 
     # run dhcp?
     if [ -f /run-dhcp ]; then
-        type dhclient
-        if [ $? -ne 0 ]; then
-            echo "can't find dhclient"
-            exit 1
-        fi
+        check_for_cmd dhclient
+        check_for_cmd ifconfig
         touch /etc/fstab
         rm -f /dhclient.conf
         cat > /dhclient.conf << EOF
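Review bot: `PATH="$PATH:/bin:/sbin:/usr/sbin"` appends the fallback directories after whatever PATH the container's init inherited, so the sshd that check_for_cmd locates and the script later execs is chosen by an environment this script does not control; for a process acting as init, a fixed explicit search path is the safer choice, e.g. `export PATH="/usr/sbin:/usr/bin:/sbin:/bin"`, or prepend that list if the inherited entries are genuinely needed. The assignment is also not exported, so if PATH was not already in the environment, dhclient and any helper scripts it runs would not see the added directories. The `if [ $0 == "/sbin/init" ]` block continues past the end of the hunk.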
@@ -198,9 +220,11 @@ send host-name "<hostname>";
 EOF
         ifconfig eth0 up
         dhclient eth0 -cf /dhclient.conf
+	echo "Container IP address:"
+        ifconfig eth0 |grep inet
     fi
 
-    exec @LXCINITDIR@/lxc-init -- /usr/sbin/sshd
+    exec @LXCINITDIR@/lxc/lxc-init -- $sshd_path
     exit 1
 fi
 
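Review bot: The added `echo "Container IP address:"` line is indented with a tab while its neighbours use eight spaces, so the block misaligns at any other tab width; reindent it with spaces to match the `ifconfig eth0 |grep inet` line below it. `$sshd_path` in the exec line is unquoted even though it is simply whatever check_for_cmd stored; quote it as `exec @LXCINITDIR@/lxc/lxc-init -- "$sshd_path"`. The two display lines also run whether or not the preceding `dhclient eth0` succeeded, so they may print nothing after the heading, which is cosmetic given that the dhclient call itself is unchecked. The enclosing `if [ -f /run-dhcp ]` block and the here-document it follows start outside the hunk.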
-- 
1.8.1.4




