[lxc-devel] [PATCH] lxc-archlinux.in: update securetty when lxc.devttydir is set

Stéphane Graber stgraber at ubuntu.com
Thu Jun 26 14:43:48 UTC 2014


On Thu, Jun 26, 2014 at 10:26:24PM +0800, Alexander Vladimirov wrote:
> Giving it a fresh look uncovers a subtle bug that sneaked in:
> +            echo "${devttydir}/${devtty}tty${i} " >>
> "${rootfs_path}/etc/securetty"
> should read as
> +            echo "${devttydir}/tty${i} " >> "${rootfs_path}/etc/securetty"
> 
> Should I resend the patch, or could it be fixed during merge?

I'll fix it when I apply it in a bit.

> 
> Best regards,
> Alexander
> 
> 
> 2014-06-26 21:53 GMT+08:00 Stéphane Graber <stgraber at ubuntu.com>:
> > On Thu, Jun 26, 2014 at 03:43:11PM +0800, Alexander Vladimirov wrote:
> >> Update container's /etc/securetty to allow console logins when lxc.devttydir is not empty.
> >> Also use config entries provided by shared and common configuration files.
> >>
> >> Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov at gmail.com>
> >
> > Oops, sorry for breaking this with my other change, I usually added a
> > lxc.devttydir= in that case but I apparently forgot to do so for Arch...
> >
> > Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> >
> >> ---
> >>  config/templates/archlinux.common.conf.in |  3 +++
> >>  templates/lxc-archlinux.in                | 19 ++++++++++++++++---
> >>  2 files changed, 19 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/config/templates/archlinux.common.conf.in b/config/templates/archlinux.common.conf.in
> >> index 7c950e7..0be1958 100644
> >> --- a/config/templates/archlinux.common.conf.in
> >> +++ b/config/templates/archlinux.common.conf.in
> >> @@ -17,6 +17,9 @@ lxc.stopsignal=SIGRTMIN+14
> >>  # Mount entries
> >>  lxc.mount.auto = proc:mixed sys:ro
> >>
> >> +# Uncomment to disable creating tty devices subdirectory in /dev
> >> +# lxc.devttydir =
> >> +
> >>  # Capabilities
> >>  # Uncomment these if you don't run anything that needs the capability, and
> >>  # would like the container to run with less privilege.
> >> diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
> >> index 6f3ce2e..5ee4a30 100644
> >> --- a/templates/lxc-archlinux.in
> >> +++ b/templates/lxc-archlinux.in
> >> @@ -44,6 +44,7 @@ default_path="@LXCPATH@"
> >>  default_locale="en-US.UTF-8"
> >>  default_timezone="UTC"
> >>  pacman_config="/etc/pacman.conf"
> >> +common_config="@LXCTEMPLATECONFIG@/common.conf"
> >>  shared_config="@LXCTEMPLATECONFIG@/archlinux.common.conf"
> >>
> >>  # by default, install 'base' except the kernel
> >> @@ -104,11 +105,23 @@ sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
> >>      > /etc/systemd/system/getty\@.service
> >>  EOF
> >>      # enable getty on active ttys
> >> -    nttys=$(grep lxc.tty ${config_path}/config | cut -d= -f 2 | tr -d "[:blank:]")
> >> +    local nttys=$(cat "${config_path}/config" ${shared_config} ${common_config} | grep "^lxc.tty" | head -n1 | cut -d= -f2 | tr -d "[:blank:]")
> >> +    local devttydir=$(cat "${config_path}/config" ${shared_config} ${common_config} | grep "^lxc.devttydir" | head -n1 | cut -d= -f2 | tr -d "[:blank:]")
> >> +    local devtty=""
> >> +    # bind getty instances to /dev/<devttydir>/tty* if lxc.devttydir is set
> >> +    [ -n "${devttydir}" ] && devtty="${devttydir}-"
> >>      if [ ${nttys:-0} -gt 1 ]; then
> >> -      ( cd ${rootfs_path}/etc/systemd/system/getty.target.wants
> >> -        for i in $(seq 1 $nttys); do ln -sf ../getty\@.service getty at tty${i}.service; done )
> >> +      ( cd "${rootfs_path}/etc/systemd/system/getty.target.wants"
> >> +        for i in $(seq 1 $nttys); do ln -sf "../getty at .service" "getty@${devtty}tty${i}.service"; done )
> >>      fi
> >> +    # update securetty to allow console login if devttydir is set
> >> +    if [ -n "${devttydir}" ]; then
> >> +        for i in $(seq 1 ${nttys:-1}); do
> >> +            echo "${devttydir}/${devtty}tty${i}" >> "${rootfs_path}/etc/securetty"
> >> +        done
> >> +    fi
> >> +    [ -n "${devttydir}" ] && echo "${devttydir}/console" >> "${rootfs_path}/etc/securetty"
> >> +    # Arch default configuration allows only tty1-6 for login
> >>      [ ${nttys:-0} -gt 6 ] && echo \
> >>        "You may want to modify container's /etc/securetty \
> >>        file to allow root logins on tty7 and higher"
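Review bot: The securetty entry written in the new loop, `echo "${devttydir}/${devtty}tty${i}"`, repeats the directory name, because `devtty` is already set to `"${devttydir}-"` a few lines above. The result is `<devttydir>/<devttydir>-tty1` rather than the `/dev/<devttydir>/tty*` path named in the getty comment, so the appended entries would not match the tty devices that getty is bound to. Drop `${devtty}` from that line and keep it only for the getty unit instance name. Two smaller points in the same hunk: `grep "^lxc.tty"` has an unescaped dot and nothing terminating the key, so it can pick up any key that merely starts with `lxc.tty`; matching up to the `=` would avoid that. The `>>` appends to `/etc/securetty` are unconditional, so running this block again on the same rootfs duplicates the entries; a `grep -qxF` check before each append would keep the file clean.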
> >> --
> >> 2.0.0
> >>
> >> _______________________________________________
> >> lxc-devel mailing list
> >> lxc-devel at lists.linuxcontainers.org
> >> http://lists.linuxcontainers.org/listinfo/lxc-devel
> >
> > --
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com