[lxc-devel] [PATCH] fix sshd template

Serge Hallyn serge.hallyn at ubuntu.com
Mon Jul 8 14:55:57 UTC 2013


Quoting Dwight Engen (dwight.engen at oracle.com):
> Commit a0a2066d introduced an lxc subdir into the lxc-init path, but
> this was never reflected in the sshd template. Add it there.

Hm, looking at that commit, it seems like choose_init() should
also search for LXCINITDIR "/lxc-init".  Is there any reason
not to?

> Don't have ssh-keygen ask for passphrase since host keys are not
> supposed to use them.
> 
> Don't try to symlink kmsg since /dev is bind mounted readonly.
> 
> Read-only bind mount some extra /etc directories, and sysfs which are
> needed by dhclient on Fedora and Oracle Linux. Fix mounting of /proc.
> 
> Find sshd in more places by adding some common paths to $PATH, and
> use the found path to it instead of hardcoded /usr/sbin.
> 
> Check for ifconfig command, and print out container's IP address.
> 
> Signed-off-by: Dwight Engen <dwight.engen at oracle.com>

Thanks, Dwight.

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> ---
>  templates/lxc-sshd.in | 64 +++++++++++++++++++++++++++++++++++----------------
>  1 file changed, 44 insertions(+), 20 deletions(-)
> 
> diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
> index 5400156..9e0f698 100644
> --- a/templates/lxc-sshd.in
> +++ b/templates/lxc-sshd.in
> @@ -28,10 +28,14 @@ install_sshd()
>  $rootfs/var/run/sshd \
>  $rootfs/var/empty/sshd \
>  $rootfs/var/lib/empty/sshd \
> +$rootfs/etc/init.d \
> +$rootfs/etc/rc.d \
>  $rootfs/etc/ssh \
> +$rootfs/etc/sysconfig/network-scripts \
>  $rootfs/dev/shm \
>  $rootfs/run/shm \
>  $rootfs/proc \
> +$rootfs/sys \
>  $rootfs/bin \
>  $rootfs/sbin \
>  $rootfs/usr \
> @@ -63,8 +67,8 @@ root:x:0:root
>  sshd:x:74:
>  EOF
>  
> -ssh-keygen -t rsa -f $rootfs/etc/ssh/ssh_host_rsa_key
> -ssh-keygen -t dsa -f $rootfs/etc/ssh/ssh_host_dsa_key
> +ssh-keygen -t rsa -N "" -f $rootfs/etc/ssh/ssh_host_rsa_key
> +ssh-keygen -t dsa -N "" -f $rootfs/etc/ssh/ssh_host_dsa_key
>  
>      # by default setup root password with no password
>      cat <<EOF > $rootfs/etc/ssh/sshd_config
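Review bot: The exit status of the two ssh-keygen calls is still unchecked, so a failed key generation (for example when the target file already exists and ssh-keygen falls back to an interactive overwrite prompt) leaves install_sshd continuing without usable host keys; the template seems not to run under set -e, so nothing else catches this. Suggest `ssh-keygen -t rsa -N "" -f "$rootfs/etc/ssh/ssh_host_rsa_key" || return 1` and the same for the dsa line, which also quotes `$rootfs`. With the passphrase now fixed at empty, the private keys are protected only by the file permissions ssh-keygen sets under `$rootfs/etc/ssh`, which is worth a one-line comment above the calls. install_sshd continues outside the hunk.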
> @@ -112,6 +116,7 @@ copy_configuration()
>  cat <<EOF >> $path/config
>  lxc.utsname = $name
>  lxc.pts = 1024
> +lxc.kmsg = 0
>  lxc.cap.drop = sys_module mac_admin mac_override sys_time
>  
>  # When using LXC with apparmor, uncomment the next line to run unconfined:
> @@ -124,9 +129,24 @@ lxc.mount.entry = /usr usr none ro,bind 0 0
>  lxc.mount.entry = /sbin sbin none ro,bind 0 0
>  lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0
>  lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none bind 0 0
> -lxc.mount.entry = proc $rootfs/proc proc nodev,noexec,nosuid 0 0
> +lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> +lxc.mount.entry = sysfs sys sysfs ro 0 0
> +lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
>  EOF
>  
> +    # Oracle Linux and Fedora need the following two bind mounted
> +    if [ -d /etc/sysconfig/network-scripts ]; then
> +        cat <<EOF >> $path/config
> +lxc.mount.entry = /etc/sysconfig/network-scripts etc/sysconfig/network-scripts none ro,bind 0 0
> +EOF
> +    fi
> +
> +    if [ -d /etc/rc.d ]; then
> +        cat <<EOF >> $path/config
> +lxc.mount.entry = /etc/rc.d etc/rc.d none ro,bind 0 0
> +EOF
> +    fi
> +
>      # if no .ipv4 section in config, then have the container run dhcp
>      grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp
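Review bot: The `/etc/init.d` bind mount is written unconditionally into the heredoc while the `/etc/rc.d` and `network-scripts` mounts a few lines below are guarded by `[ -d ... ]`; on a host without `/etc/init.d` the mount entry presumably makes container start fail, so the three should be handled the same way. Move the init.d entry out of the heredoc into its own guarded block like the rc.d one, and keep the `# Oracle Linux and Fedora need the following two bind mounted` comment accurate by saying "following bind mounts". copy_configuration continues outside the hunk.
```shell
    # … unchanged: heredoc up to the lxc-sshd sbin/init entry, sysfs entry, EOF …
    if [ -d /etc/init.d ]; then
        cat <<EOF >> $path/config
lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
EOF
    fi
    # … unchanged: network-scripts and rc.d guarded blocks …
```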
>  
> @@ -145,6 +165,18 @@ EOF
>      return 0
>  }
>  
> +check_for_cmd()
> +{
> +    cmd_path=`type $1`
> +    if [ $? -ne 0 ]; then
> +        echo "The command '$1' $cmd_path is not accessible on the system"
> +        exit 1
> +    fi
> +    # we use cut instead of awk because awk is alternatives symlink on ubuntu
> +    # and /etc/alternatives isn't bind mounted
> +    cmd_path=`echo $cmd_path |cut -d ' ' -f 3`
> +}
> +
>  options=$(getopt -o hp:n:S: -l help,rootfs:,path:,name:,auth-key: -- "$@")
>  if [ $? -ne 0 ]; then
>          usage $(basename $0)
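Review bot: check_for_cmd derives the path by cutting field 3 of `type` output, which is fragile: in bash `type` prints `is hashed (/path)` for an already-executed command and different wording for aliases, functions and builtins, so the value later consumed as `sshd_path=$cmd_path` in the next hunk may not be a path at all. `command -v` prints the resolved path directly and is POSIX, so the body reduces to `cmd_path=$(command -v "$1")` followed by the existing status check, and the cut line with its awk/alternatives comment can go. On failure `type` writes its message to stderr, so the `$cmd_path` in the error echo is empty and can be dropped as well. The result is still handed back through the global `cmd_path`; a comment such as `# sets cmd_path (global) to the resolved path of $1` above the function would make that contract explicit.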
> @@ -172,25 +204,15 @@ fi
>  
>  if [ $0 == "/sbin/init" ]; then
>  
> -    type @LXCINITDIR@/lxc-init
> -    if [ $? -ne 0 ]; then
> -        echo "'lxc-init is not accessible on the system"
> -        exit 1
> -    fi
> -
> -    type sshd
> -    if [ $? -ne 0 ]; then
> -        echo "'sshd' is not accessible on the system "
> -        exit 1
> -    fi
> +    PATH="$PATH:/bin:/sbin:/usr/sbin"
> +    check_for_cmd @LXCINITDIR@/lxc/lxc-init
> +    check_for_cmd sshd
> +    sshd_path=$cmd_path
>  
>      # run dhcp?
>      if [ -f /run-dhcp ]; then
> -        type dhclient
> -        if [ $? -ne 0 ]; then
> -            echo "can't find dhclient"
> -            exit 1
> -        fi
> +        check_for_cmd dhclient
> +        check_for_cmd ifconfig
>          touch /etc/fstab
>          rm -f /dhclient.conf
>          cat > /dhclient.conf << EOF
> @@ -198,9 +220,11 @@ send host-name "<hostname>";
>  EOF
>          ifconfig eth0 up
>          dhclient eth0 -cf /dhclient.conf
> +	echo "Container IP address:"
> +        ifconfig eth0 |grep inet
>      fi
>  
> -    exec @LXCINITDIR@/lxc-init -- /usr/sbin/sshd
> +    exec @LXCINITDIR@/lxc/lxc-init -- $sshd_path
>      exit 1
>  fi
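Review bot: `exec @LXCINITDIR@/lxc/lxc-init -- $sshd_path` expands the path unquoted, so a value containing whitespace or glob characters would be split before exec; write it as `exec @LXCINITDIR@/lxc/lxc-init -- "$sshd_path"`. The added `echo "Container IP address:"` line is indented with a tab while the surrounding lines use eight spaces, which should be made consistent. The enclosing `if [ $0 == "/sbin/init" ]` block opens in the previous hunk.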
>  
> -- 
> 1.8.1.4
> 
> 



