[lxc-devel] [lxc/master] debian template: Allow to embed a SSH public key in the new container
zorun on Github
lxc-bot at linuxcontainers.org
Sun Feb 5 22:12:19 UTC 2017
From 5aea9d28d13366c39ebf4cd8c019fbf1f7a97434 Mon Sep 17 00:00:00 2001
From: Baptiste Jonglez <git at bitsofnetworks.org>
Date: Sun, 5 Feb 2017 22:58:30 +0100
Subject: [PATCH] debian template: Allow to embed a SSH public key in the new
container
Signed-off-by: Baptiste Jonglez <git at bitsofnetworks.org>
---
templates/lxc-debian.in | 29 +++++++++++++++++++++++++++--
1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index 6bdf02d..d76b449 100644
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -181,6 +181,15 @@ EOF
echo "Timezone in container is not configured. Adjust it manually."
fi
+ if [ -n "$authkey" ]; then
+ local ssh_dir_path="${rootfs}/root/.ssh"
+ mkdir -p "$ssh_dir_path"
+ cp "$authkey" "${ssh_dir_path}/authorized_keys"
+ chroot "$rootfs" chmod 700 "$ssh_dir_path"
+ chroot "$rootfs" chown -R root:root "$ssh_dir_path"
+ echo "Inserted SSH public key from '$authkey' into /root/.ssh/authorized_keys"
+ fi
+
return 0
}
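Review bot: The mode of the copied `authorized_keys` is never set, so it inherits the source file's permissions (masked by umask); a group- or world-writable key file makes sshd reject the whole file under StrictModes, and the later `chown -R` does not fix that. The chmod/chown are also run through `chroot "$rootfs"`, which executes `chmod` and `chown` taken from the freshly built rootfs with host root privileges when the host's own tools would do the same job on the path. I would replace lines 32–33 with `chmod 700 "$ssh_dir_path"`, `chmod 600 "${ssh_dir_path}/authorized_keys"` and `chown -R 0:0 "$ssh_dir_path"` (numeric ids, since the container's passwd is not needed to resolve root; if this template is also used for id-mapped unprivileged containers, confirm the ownership step is correct there). The enclosing function starts before this hunk, so I cannot see whether `$rootfs` is guaranteed non-empty at this point.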
@@ -599,7 +608,8 @@ Template specific options can be passed to lxc-create after a '--' like this:
lxc-create --name=NAME [-lxc-create-options] -- [-template-options]
-Usage: $1 -h|--help -p|--path=<path> [-c|--clean] [-a|--arch=<arch>] [-r|--release=<release>]
+Usage: $1 -h|--help -p|--path=<path> [-c|--clean] [-a|--arch=<arch>] [-S|--auth-key=<keyfile>]
+ [-r|--release=<release>]
[--mirror=<mirror>] [--security-mirror=<security mirror>]
[--package=<package_name1,package_name2,...>]
[-I|--interpreter-path=<interpreter path>]
@@ -609,6 +619,7 @@ Options :
-h, --help print this help text
-p, --path=PATH directory where config and rootfs of this VM will be kept
+ -S, --auth-key=KEYFILE SSH public key to inject into the container as the root user.
-a, --arch=ARCH The container architecture. Can be one of: i686, x86_64,
amd64, armhf, armel, powerpc. Defaults to host arch.
-r, --release=RELEASE Debian release. Can be one of: wheezy, jessie, stretch, sid.
@@ -637,7 +648,7 @@ EOF
return 0
}
-options=$(getopt -o hp:n:a:r:cI:F -l arch:,clean,help,enable-non-free,mirror:,name:,packages:,path:,release:,rootfs:,security-mirror:,interpreter-path:,flush-cache -- "$@")
+options=$(getopt -o hp:n:a:r:cI:FS: -l arch:,auth-key:,clean,help,enable-non-free,mirror:,name:,packages:,path:,release:,rootfs:,security-mirror:,interpreter-path:,flush-cache -- "$@")
if [ $? -ne 0 ]; then
usage "$(basename "$0")"
exit 1
@@ -673,6 +684,7 @@ do
--) shift 1; break ;;
-a|--arch) arch=$2; shift 2;;
+ -S|--auth-key) authkey=$2; shift 2;;
-I|--interpreter-path)
interpreter="$2"; shift 2;;
-c|--clean) clean=1; shift 1;;
@@ -754,6 +766,19 @@ if [ "$(id -u)" != "0" ]; then
exit 1
fi
+if [ -n "$authkey" ]; then
+ if [ ! -f "$authkey" ]; then
+ echo "SSH keyfile '$authkey' not found"
+ exit 1
+ fi
+ # This is mostly to prevent accidental uage of the private key instead
+ # of the public key.
+ if [ "${authkey: -4}" != ".pub" ]; then
+ echo "SSH keyfile '$authkey' does not end with '.pub'"
+ exit 1
+ fi
+fi
+
current_release=$(wget "${MIRROR}/dists/stable/Release" -O - 2> /dev/null | head |awk '/^Codename: (.*)$/ { print $2; }')
release=${release:-${current_release}}
valid_releases=('wheezy' 'jessie' 'stretch' 'sid')
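Review bot: The `.pub` suffix test on line 79 is only a filename heuristic; a private key saved under a `.pub` name, or any other text, is still copied verbatim into the container's `authorized_keys`, and the comment itself says it is meant to catch accidental private-key usage. A cheap content check closes the obvious case: `if grep -q -- 'PRIVATE KEY' "$authkey"; then`, `echo "SSH keyfile '$authkey' appears to contain a private key, refusing to inject it"; exit 1`, `fi`, placed after the existence check and before the suffix check. The comment on line 77 also has a typo, `uage` for `usage`. The `-f` check and the later `cp` operate on the same path at different times, which is acceptable here since the file is supplied by the invoking root user.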