[lxc-devel] [PATCH 2/3] Create per-container pacman host key

Stéphane Graber stgraber at ubuntu.com
Fri Apr 4 23:03:17 UTC 2014


On Mon, Mar 31, 2014 at 05:11:58PM -0400, Leonid Isaev wrote:
> Do not copy the pacman master key from the host, as this opens it to attacks; generate a new secret hostkey.
> 
> Signed-off-by: Leonid Isaev <lisaev at umail.iu.edu>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  templates/lxc-archlinux.in | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
> index 5aa9e53..6046c94 100644
> --- a/templates/lxc-archlinux.in
> +++ b/templates/lxc-archlinux.in
> @@ -107,6 +107,9 @@ ln -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket
>  ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount
>  # set default systemd target
>  ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
> +# initialize pacman keyring
> +pacman-key --init
> +pacman-key --populate archlinux
>  EOF
>      return 0
>  }
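Review bot: the two new pacman-key calls in this heredoc are not checked, so a failed or interrupted keyring setup still falls through to `return 0` unless the heredoc script runs under `set -e` (not visible in this hunk); consider `pacman-key --init && pacman-key --populate archlinux || exit 1` or an explicit status check. Two caveats worth a comment next to the calls: `pacman-key --init` generates a fresh GnuPG master key and on a freshly created container can block for a long time waiting for entropy from /dev/random, and `--populate archlinux` needs the archlinux-keyring package present in the rootfs, so verify it lands there via `base_packages` or as a pacman dependency.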
> @@ -172,7 +175,8 @@ install_arch() {
>          pacman_config="${container_pacman_config}"
>      fi
>  
> -    if ! pacstrap -dcC "${pacman_config}" "${rootfs_path}" ${base_packages[@]}; then
> +    if ! pacstrap -dcGC "${pacman_config}" "${rootfs_path}" \
> +	    ${base_packages[@]}; then
>          echo "Failed to install container packages"
>          return 1
>      fi
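Review bot: `-G` is only accepted by recent arch-install-scripts, so on a host whose pacstrap predates it the call fails with an unknown-option error and the template reports only "Failed to install container packages", which hides the real cause; either test for `-G` support before the call or state the minimum arch-install-scripts version in the template's documentation. Style: the continuation line `${base_packages[@]}` is indented with a tab while the surrounding block uses spaces; use spaces to match.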
> -- 
> 1.8.5.3
> 
> -- 
> Leonid Isaev
> GnuPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D



-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com