[lxc-devel] [PATCH 2/3] Create per-container pacman host key

Leonid Isaev lisaev at umail.iu.edu
Mon Mar 31 21:11:58 UTC 2014


Do not copy the pacman master key from the host, as this opens it to attacks; generate a new secret hostkey.

Signed-off-by: Leonid Isaev <lisaev at umail.iu.edu>
---
 templates/lxc-archlinux.in | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
index 5aa9e53..6046c94 100644
--- a/templates/lxc-archlinux.in
+++ b/templates/lxc-archlinux.in
@@ -107,6 +107,9 @@ ln -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket
 ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount
 # set default systemd target
 ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+# initialize pacman keyring
+pacman-key --init
+pacman-key --populate archlinux
 EOF
     return 0
 }
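Review bot: The two new `pacman-key` lines run inside the here-document with no status check, so a failed `pacman-key --init` (it generates a GnuPG keypair inside the chroot and, from experience with gpg key generation in minimal environments, can fail or stall when the build host lacks entropy) or a `pacman-key --populate archlinux` with no archlinux-keyring installed leaves the container with a broken or empty keyring while the function still reaches `return 0`. Unless the shell that consumes this here-document runs with a fail-fast mode that is propagated to the caller, consider `pacman-key --init || exit 1` and `pacman-key --populate archlinux || exit 1` so the outer function can observe the failure instead of silently producing a container that will later refuse every package signature. The function enclosing this here-document starts outside the hunk, so I cannot see whether the consuming command's exit status is checked there.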
@@ -172,7 +175,8 @@ install_arch() {
         pacman_config="${container_pacman_config}"
     fi
 
-    if ! pacstrap -dcC "${pacman_config}" "${rootfs_path}" ${base_packages[@]}; then
+    if ! pacstrap -dcGC "${pacman_config}" "${rootfs_path}" \
+	    ${base_packages[@]}; then
         echo "Failed to install container packages"
         return 1
     fi
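Review bot: The added continuation line at `${base_packages[@]}; then` is indented with a tab followed by spaces while every surrounding line uses four-space indentation, and the array expansion it carries is unquoted, so any element containing whitespace or glob characters would be split or globbed before reaching pacstrap; suggest `        "${base_packages[@]}"; then` with plain spaces. The new `-G` flag is the whole point of the patch but is undocumented at the call site; a one-line comment such as `# -G: generate a fresh keyring in the container instead of copying the host's pacman keyring` would make the intent (and the host-side pacstrap requirement, which I can only infer) visible to the next maintainer. install_arch's body begins before this hunk, so I cannot see where base_packages is populated.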
-- 
1.8.5.3

-- 
Leonid Isaev
GnuPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D

