[lxc-devel] [PATCH] lxc-archlinux.in: update securetty when lxc.devttydir is set
Stéphane Graber
stgraber at ubuntu.com
Thu Jun 26 14:43:48 UTC 2014
On Thu, Jun 26, 2014 at 10:26:24PM +0800, Alexander Vladimirov wrote:
> Giving a fresh look uncovers subtle bug sneaked in:
> + echo "${devttydir}/${devtty}tty${i} " >>
> "${rootfs_path}/etc/securetty"
> should read as
> + echo "${devttydir}/tty${i} " >> "${rootfs_path}/etc/securetty"
>
> Should I resend the patch, or could it be fixed during merge?
I'll fix it when I apply it in a bit.
>
> Best regards,
> Alexander
>
>
> 2014-06-26 21:53 GMT+08:00 Stéphane Graber <stgraber at ubuntu.com>:
> > On Thu, Jun 26, 2014 at 03:43:11PM +0800, Alexander Vladimirov wrote:
> >> Update container's /etc/securetty to allow console logins when lxc.devttydir is not empty.
> >> Also use config entries provided by shared and common configuration files.
> >>
> >> Signed-off-by: Alexander Vladimirov <alexander.idkfa.vladimirov at gmail.com>
> >
> > Oops, sorry for breaking this with my other change, I usually added a
> > lxc.devttydir= in that case but I apparently forgot to do so for Arch...
> >
> > Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> >
> >> ---
> >> config/templates/archlinux.common.conf.in | 3 +++
> >> templates/lxc-archlinux.in | 19 ++++++++++++++++---
> >> 2 files changed, 19 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/config/templates/archlinux.common.conf.in b/config/templates/archlinux.common.conf.in
> >> index 7c950e7..0be1958 100644
> >> --- a/config/templates/archlinux.common.conf.in
> >> +++ b/config/templates/archlinux.common.conf.in
> >> @@ -17,6 +17,9 @@ lxc.stopsignal=SIGRTMIN+14
> >> # Mount entries
> >> lxc.mount.auto = proc:mixed sys:ro
> >>
> >> +# Uncomment to disable creating tty devices subdirectory in /dev
> >> +# lxc.devttydir =
> >> +
> >> # Capabilities
> >> # Uncomment these if you don't run anything that needs the capability, and
> >> # would like the container to run with less privilege.
> >> diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
> >> index 6f3ce2e..5ee4a30 100644
> >> --- a/templates/lxc-archlinux.in
> >> +++ b/templates/lxc-archlinux.in
> >> @@ -44,6 +44,7 @@ default_path="@LXCPATH@"
> >> default_locale="en-US.UTF-8"
> >> default_timezone="UTC"
> >> pacman_config="/etc/pacman.conf"
> >> +common_config="@LXCTEMPLATECONFIG@/common.conf"
> >> shared_config="@LXCTEMPLATECONFIG@/archlinux.common.conf"
> >>
> >> # by default, install 'base' except the kernel
> >> @@ -104,11 +105,23 @@ sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
> >> > /etc/systemd/system/getty\@.service
> >> EOF
> >> # enable getty on active ttys
> >> - nttys=$(grep lxc.tty ${config_path}/config | cut -d= -f 2 | tr -d "[:blank:]")
> >> + local nttys=$(cat "${config_path}/config" ${shared_config} ${common_config} | grep "^lxc.tty" | head -n1 | cut -d= -f2 | tr -d "[:blank:]")
> >> + local devttydir=$(cat "${config_path}/config" ${shared_config} ${common_config} | grep "^lxc.devttydir" | head -n1 | cut -d= -f2 | tr -d "[:blank:]")
> >> + local devtty=""
> >> + # bind getty instances to /dev/<devttydir>/tty* if lxc.devttydir is set
> >> + [ -n "${devttydir}" ] && devtty="${devttydir}-"
> >> if [ ${nttys:-0} -gt 1 ]; then
> >> - ( cd ${rootfs_path}/etc/systemd/system/getty.target.wants
> >> - for i in $(seq 1 $nttys); do ln -sf ../getty\@.service getty at tty${i}.service; done )
> >> + ( cd "${rootfs_path}/etc/systemd/system/getty.target.wants"
> >> + for i in $(seq 1 $nttys); do ln -sf "../getty at .service" "getty@${devtty}tty${i}.service"; done )
> >> fi
> >> + # update securetty to allow console login if devttydir is set
> >> + if [ -n "${devttydir}" ]; then
> >> + for i in $(seq 1 ${nttys:-1}); do
> >> + echo "${devttydir}/${devtty}tty${i}" >> "${rootfs_path}/etc/securetty"
> >> + done
> >> + fi
> >> + [ -n "${devttydir}" ] && echo "${devttydir}/console" >> "${rootfs_path}/etc/securetty"
> >> + # Arch default configuration allows only tty1-6 for login
> >> [ ${nttys:-0} -gt 6 ] && echo \
> >> "You may want to modify container's /etc/securetty \
> >> file to allow root logins on tty7 and higher"
> >> --
> >> 2.0.0
> >>
> >> _______________________________________________
> >> lxc-devel mailing list
> >> lxc-devel at lists.linuxcontainers.org
> >> http://lists.linuxcontainers.org/listinfo/lxc-devel
> >
> > --
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com
> >
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
> >
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20140626/ad0d2e51/attachment.sig>
More information about the lxc-devel
mailing list