[lxc-devel] [PATCH] lxc-archlinux.in: update securetty when lxc.devttydir is set
Alexander Vladimirov
alexander.idkfa.vladimirov at gmail.com
Thu Jun 26 14:26:24 UTC 2014
Giving it a fresh look uncovers a subtle bug that sneaked in:
+ echo "${devttydir}/${devtty}tty${i} " >>
"${rootfs_path}/etc/securetty"
should read as
+ echo "${devttydir}/tty${i} " >> "${rootfs_path}/etc/securetty"
Should I resend the patch, or could it be fixed during merge?
Best regards,
Alexander
2014-06-26 21:53 GMT+08:00 Stéphane Graber <stgraber at ubuntu.com>:
> On Thu, Jun 26, 2014 at 03:43:11PM +0800, Alexander Vladimirov wrote:
>> Update container's /etc/securetty to allow console logins when lxc.devttydir is not empty.
>> Also use config entries provided by shared and common configuration files.
>>
>> Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov at gmail.com>
>
> Oops, sorry for breaking this with my other change, I usually added a
> lxc.devttydir= in that case but I apparently forgot to do so for Arch...
>
> Acked-by: Stéphane Graber <stgraber at ubuntu.com>
>
>> ---
>> config/templates/archlinux.common.conf.in | 3 +++
>> templates/lxc-archlinux.in | 19 ++++++++++++++++---
>> 2 files changed, 19 insertions(+), 3 deletions(-)
>>
>> diff --git a/config/templates/archlinux.common.conf.in b/config/templates/archlinux.common.conf.in
>> index 7c950e7..0be1958 100644
>> --- a/config/templates/archlinux.common.conf.in
>> +++ b/config/templates/archlinux.common.conf.in
>> @@ -17,6 +17,9 @@ lxc.stopsignal=SIGRTMIN+14
>> # Mount entries
>> lxc.mount.auto = proc:mixed sys:ro
>>
>> +# Uncomment to disable creating tty devices subdirectory in /dev
>> +# lxc.devttydir =
>> +
>> # Capabilities
>> # Uncomment these if you don't run anything that needs the capability, and
>> # would like the container to run with less privilege.
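
Review bot: The new comment above `# lxc.devttydir =` does not say that the empty value is intentional, so the line reads as if it were truncated. It also does not say that the setting is only honoured at creation time, since the template writes the getty links and /etc/securetty entries once from whatever value it finds. Suggest wording along the lines of "Uncomment to place tty devices directly in /dev (an empty value disables the subdirectory)", plus a note that changing it after the container is created leaves the rootfs's /etc/securetty and getty units out of step with the devices.
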
>> diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
>> index 6f3ce2e..5ee4a30 100644
>> --- a/templates/lxc-archlinux.in
>> +++ b/templates/lxc-archlinux.in
>> @@ -44,6 +44,7 @@ default_path="@LXCPATH@"
>> default_locale="en-US.UTF-8"
>> default_timezone="UTC"
>> pacman_config="/etc/pacman.conf"
>> +common_config="@LXCTEMPLATECONFIG@/common.conf"
>> shared_config="@LXCTEMPLATECONFIG@/archlinux.common.conf"
>>
>> # by default, install 'base' except the kernel
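
Review bot: `common_config` is added here with no check that the file exists or is readable, and the later hunk passes it straight to `cat`, unquoted, alongside `${shared_config}`. If the file is missing, `cat` reports an error in the middle of container creation, and an install prefix containing whitespace would split the path. Quote both variables where they are used, and either test for the files with `[ -r ... ]` or discard stderr on those reads.
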
>> @@ -104,11 +105,23 @@ sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
>> > /etc/systemd/system/getty\@.service
>> EOF
>> # enable getty on active ttys
>> - nttys=$(grep lxc.tty ${config_path}/config | cut -d= -f 2 | tr -d "[:blank:]")
>> + local nttys=$(cat "${config_path}/config" ${shared_config} ${common_config} | grep "^lxc.tty" | head -n1 | cut -d= -f2 | tr -d "[:blank:]")
>> + local devttydir=$(cat "${config_path}/config" ${shared_config} ${common_config} | grep "^lxc.devttydir" | head -n1 | cut -d= -f2 | tr -d "[:blank:]")
>> + local devtty=""
>> + # bind getty instances to /dev/<devttydir>/tty* if lxc.devttydir is set
>> + [ -n "${devttydir}" ] && devtty="${devttydir}-"
>> if [ ${nttys:-0} -gt 1 ]; then
>> - ( cd ${rootfs_path}/etc/systemd/system/getty.target.wants
>> - for i in $(seq 1 $nttys); do ln -sf ../getty\@.service getty at tty${i}.service; done )
>> + ( cd "${rootfs_path}/etc/systemd/system/getty.target.wants"
>> + for i in $(seq 1 $nttys); do ln -sf "../getty at .service" "getty@${devtty}tty${i}.service"; done )
>> fi
>> + # update securetty to allow console login if devttydir is set
>> + if [ -n "${devttydir}" ]; then
>> + for i in $(seq 1 ${nttys:-1}); do
>> + echo "${devttydir}/${devtty}tty${i}" >> "${rootfs_path}/etc/securetty"
>> + done
>> + fi
>> + [ -n "${devttydir}" ] && echo "${devttydir}/console" >> "${rootfs_path}/etc/securetty"
>> + # Arch default configuration allows only tty1-6 for login
>> [ ${nttys:-0} -gt 6 ] && echo \
>> "You may want to modify container's /etc/securetty \
>> file to allow root logins on tty7 and higher"
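
Review bot: In the securetty loop, `echo "${devttydir}/${devtty}tty${i}"` expands to `<devttydir>/<devttydir>-tty<i>`, because `devtty` was set to `${devttydir}-` a few lines earlier. The entry therefore does not name the `/dev/<devttydir>/tty*` device that the comment above describes, and logins on those ttys stay blocked by securetty. Write `${devttydir}/tty${i}` there and keep `${devtty}` only for the getty instance name. A smaller point on the two `grep` calls: `"^lxc.tty"` has an unescaped dot and nothing after the key, so it matches any key that begins with those characters. Anchoring on the assignment, for example `^lxc\.tty[[:blank:]]*=` (and the same form for `lxc.devttydir`), makes sure `head -n1` picks the intended line.
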
>> --
>> 2.0.0
>>
>> _______________________________________________
>> lxc-devel mailing list
>> lxc-devel at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-devel
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com