[lxc-devel] [PATCH] lxc-busybox: add OpenSSH support
Stéphane Graber
stgraber at ubuntu.com
Wed Apr 22 16:33:50 UTC 2015
On Wed, Apr 22, 2015 at 02:53:32PM +0000, Bogdan Purcareata wrote:
> Add a template parameter that selects the SSH implementation to install in the
> container: either Dropbear or OpenSSH. The chosen tool must already be installed
> on the host.
>
> If the parameter is omitted, the template will look for the Dropbear utility on
> the host and install it if it is available (legacy behavior).
>
> Adding OpenSSH support has been done following the model in the lxc-sshd
> template.
>
> Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> templates/lxc-busybox.in | 169 ++++++++++++++++++++++++++++++++++++++---------
> 1 file changed, 139 insertions(+), 30 deletions(-)
>
> diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> index 3cfa958..37ec837 100644
> --- a/templates/lxc-busybox.in
> +++ b/templates/lxc-busybox.in
> @@ -22,6 +22,7 @@
>
> LXC_MAPPED_UID=
> LXC_MAPPED_GID=
> +SSH=
>
> # Make sure the usual locations are in PATH
> export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
> @@ -168,6 +169,116 @@ EOF
> return $res
> }
>
> +install_dropbear()
> +{
> + # copy dropbear binary
> + cp $(which dropbear) $rootfs/usr/sbin
> + if [ $? -ne 0 ]; then
> + echo "Failed to copy dropbear in the rootfs"
> + return 1
> + fi
> +
> + # make symlinks to various ssh utilities
> + utils="\
> + $rootfs/usr/bin/dbclient \
> + $rootfs/usr/bin/scp \
> + $rootfs/usr/bin/ssh \
> + $rootfs/usr/sbin/dropbearkey \
> + $rootfs/usr/sbin/dropbearconvert \
> + "
> + echo $utils | xargs -n1 ln -s /usr/sbin/dropbear
> +
> + # add necessary config files
> + mkdir $rootfs/etc/dropbear
> + dropbearkey -t rsa -f $rootfs/etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
> + dropbearkey -t dss -f $rootfs/etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1
> +
> + echo "'dropbear' ssh utility installed"
> +
> + return 0
> +}
> +
> +install_openssh()
> +{
> + # tools to be installed
> + server_utils="sshd"
> + client_utils="\
> + ssh \
> + scp \
> + sftp \
> + ssh-add \
> + ssh-agent \
> + ssh-keygen \
> + ssh-keyscan \
> + ssh-argv0 \
> + ssh-copy-id \
> + "
> +
> + # new folders used by ssh
> + ssh_tree="\
> +$rootfs/etc/ssh \
> +$rootfs/var/empty/sshd \
> +$rootfs/var/lib/empty/sshd \
> +$rootfs/var/run/sshd \
> +"
> +
> + # create folder structure
> + mkdir -p $ssh_tree
> + if [ $? -ne 0 ]; then
> + return 1
> + fi
> +
> + # copy binaries
> + for bin in $server_utils $client_utils; do
> + tool_path=`which $bin`
> + cp $tool_path $rootfs/$tool_path
> + if [ $? -ne 0 ]; then
> + echo "Unable to copy $tool_path in the rootfs"
> + return 1
> + fi
> + done
> +
> + # add user and group
> + cat <<EOF >> $rootfs/etc/passwd
> +sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
> +EOF
> +
> + cat <<EOF >> $rootfs/etc/group
> +sshd:x:74:
> +EOF
> +
> + # generate container keys
> + ssh-keygen -t rsa -N "" -f $rootfs/etc/ssh/ssh_host_rsa_key >/dev/null 2>&1
> + ssh-keygen -t dsa -N "" -f $rootfs/etc/ssh/ssh_host_dsa_key >/dev/null 2>&1
> +
> + # by default setup root password with no password
> + cat <<EOF > $rootfs/etc/ssh/sshd_config
> +Port 22
> +Protocol 2
> +HostKey /etc/ssh/ssh_host_rsa_key
> +HostKey /etc/ssh/ssh_host_dsa_key
> +UsePrivilegeSeparation yes
> +KeyRegenerationInterval 3600
> +ServerKeyBits 768
> +SyslogFacility AUTH
> +LogLevel INFO
> +LoginGraceTime 120
> +PermitRootLogin yes
> +StrictModes yes
> +RSAAuthentication yes
> +PubkeyAuthentication yes
> +IgnoreRhosts yes
> +RhostsRSAAuthentication no
> +HostbasedAuthentication no
> +PermitEmptyPasswords yes
> +ChallengeResponseAuthentication no
> +EOF
> +
> + echo "'OpenSSH' utility installed"
> +
> + return 0
> +}
> +
> configure_busybox()
> {
> rootfs=$1
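Review bot: The sshd_config written at L121-L141 combines `PermitRootLogin yes` with `PermitEmptyPasswords yes`, so a root account that ends up without a password is reachable over the network with no credential at all, and the comment above it ("by default setup root password with no password") presents that as the intent. The template's chpasswd step (visible only as context in the next hunk, so I am inferring it sets a root password) makes the empty-password allowance unnecessary; I would change it to `PermitEmptyPasswords no` and reword the comment to `# minimal sshd_config; root logs in with the password set by configure_busybox`. Separately, both `ssh-keygen` calls at L117-L118 discard stdout and stderr and their exit status is never checked, so a failed host-key generation still prints "'OpenSSH' utility installed" while sshd will refuse to start in the container; chain each with `|| return 1` (the same applies to the `dropbearkey` calls at L59-L60). install_dropbear and install_openssh are wholly inside this hunk; configure_busybox, whose opening lines close it, continues outside.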
> @@ -238,34 +349,6 @@ EOF
> lxc-unshare -s MOUNT -- /bin/sh < $CHPASSWD_FILE
> rm $CHPASSWD_FILE
>
> - # add ssh functionality if dropbear package available on host
> - which dropbear >/dev/null 2>&1
> - if [ $? -eq 0 ]; then
> - # copy dropbear binary
> - cp $(which dropbear) $rootfs/usr/sbin
> - if [ $? -ne 0 ]; then
> - echo "Failed to copy dropbear in the rootfs"
> - return 1
> - fi
> -
> - # make symlinks to various ssh utilities
> - utils="\
> - $rootfs/usr/bin/dbclient \
> - $rootfs/usr/bin/scp \
> - $rootfs/usr/bin/ssh \
> - $rootfs/usr/sbin/dropbearkey \
> - $rootfs/usr/sbin/dropbearconvert \
> - "
> - echo $utils | xargs -n1 ln -s /usr/sbin/dropbear
> -
> - # add necessary config files
> - mkdir $rootfs/etc/dropbear
> - dropbearkey -t rsa -f $rootfs/etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
> - dropbearkey -t dss -f $rootfs/etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1
> -
> - echo "'dropbear' ssh utility installed"
> - fi
> -
> return 0
> }
>
> @@ -324,12 +407,12 @@ remap_userns()
> usage()
> {
> cat <<EOF
> -$1 -h|--help -p|--path=<path>
> +$1 -h|--help -p|--path=<path> -s|--ssh={dropbear,openssh}
> EOF
> return 0
> }
>
> -options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- "$@")
> +options=$(getopt -o hp:n:s: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid:,ssh: -- "$@")
> if [ $? -ne 0 ]; then
> usage $(basename $0)
> exit 1
> @@ -345,6 +428,7 @@ do
> -n|--name) name=$2; shift 2;;
> --mapped-uid) LXC_MAPPED_UID=$2; shift 2;;
> --mapped-gid) LXC_MAPPED_GID=$2; shift 2;;
> + -s|--ssh) SSH=$2; shift 2;;
> --) shift 1; break ;;
> *) break ;;
> esac
> @@ -393,3 +477,28 @@ if [ $? -ne 0 ]; then
> echo "failed to remap files to user"
> exit 1
> fi
> +
> +if [ -n "$SSH" ]; then
> + case "$SSH" in
> + "dropbear")
> + install_dropbear
> + if [ $? -ne 0 ]; then
> + echo "Unable to install 'dropbear' ssh utility"
> + exit 1
> + fi ;;
> + "openssh")
> + install_openssh
> + if [ $? -ne 0 ]; then
> + echo "Unable to install 'OpenSSH' utility"
> + exit 1
> + fi ;;
> + *)
> + echo "$SSH: unrecognized ssh utility"
> + exit 1
> + esac
> +else
> + which dropbear >/dev/null 2>&1
> + if [ $? -eq 0 ]; then
> + install_dropbear
> + fi
> +fi
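Review bot: The SSH install now runs after the step whose failure check closes the preceding context at L209-L212 (apparently the uid/gid remap, going by its "failed to remap files to user" message), whereas the dropbear install it replaces ran inside configure_busybox before that remap; everything install_dropbear/install_openssh creates (host keys, /etc/ssh, /etc/dropbear, the copied binaries) is therefore left owned by the invoking uid rather than LXC_MAPPED_UID when --mapped-uid is given, which would likely leave the host keys wrongly owned or unreadable inside an unprivileged container. Either move this block ahead of the remap or re-apply the ownership change to the new paths after installing. The legacy branch at L233-L236 also ignores install_dropbear's return code, where the removed code returned 1 on a copy failure; `install_dropbear || { echo "Unable to install 'dropbear' ssh utility"; exit 1; }` would keep the two paths consistent. Nothing follows this block in the hunk, so it appears to be the end of the script.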
> --
> 2.1.4
>
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com