[Lxc-users] [PATCH 1/9] several templates updates

Serge Hallyn serge at hallyn.com
Thu Apr 26 05:09:33 UTC 2012


From: Serge Hallyn <serge.hallyn at ubuntu.com>

Here are some template updates from the ubuntu package:

lxc-busybox: check separately for lib64 existence
lxc-sshd: allow specifying ssh key, and run dhclient if no static ip is defined
lxc-ubuntu:
   1. set -e
   2. handle resolv.conf being a symbolic link
   3. install the bound user's shell in the container
   4. always add sudo group (Stéphane Graber <stgraber at ubuntu.com>)
   5. don't define ubuntu user if there is a bound user
   6. put the bound user in sudo group

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Cc: Stéphane Graber <stgraber at ubuntu.com>
---
 templates/lxc-busybox.in |    5 +++
 templates/lxc-sshd.in    |   37 ++++++++++++++++++--
 templates/lxc-ubuntu.in  |   86 ++++++++++++++++++++++++++++++++++------------
 3 files changed, 103 insertions(+), 25 deletions(-)

diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 720ceef..ef356db 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -245,6 +245,11 @@ fi
 if [ -d "/lib64" ] && [ -d "$rootfs/lib64" ]; then
 cat <<EOF >> $path/config
 lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
+EOF
+fi
+
+if [ -d "/usr/lib64" ] && [ -d "$rootfs/usr/lib64" ]; then
+cat <<EOF >> $path/config
 lxc.mount.entry=/usr/lib64 $rootfs/usr/lib64 none ro,bind 0 0
 EOF
 fi
diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index bd5d293..749d08a 100644
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -88,6 +88,16 @@ HostbasedAuthentication no
 PermitEmptyPasswords yes
 ChallengeResponseAuthentication no
 EOF
+    if [ -n "$auth_key" -a -f "$auth_key" ]; then
+       u_path="/root/.ssh"
+       root_u_path="$rootfs/$u_path"
+       mkdir -p $root_u_path
+       cp $auth_key "$root_u_path/authorized_keys"
+       chown -R 0:0 "$rootfs/$u_path"
+       chmod 700 "$rootfs/$u_path"
+
+       echo "Inserted SSH public key from $auth_key into /home/ubuntu/.ssh/authorized_keys"
+    fi
     return 0
 }
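Review bot: The echo line reports the key as inserted into `/home/ubuntu/.ssh/authorized_keys`, but the block above copies it to `$root_u_path/authorized_keys`, which is `/root/.ssh/authorized_keys` inside the container; use `echo "Inserted SSH public key from $auth_key into $u_path/authorized_keys"` so the message matches what was done. The new directory gets `chmod 700` but the copied `authorized_keys` keeps whatever mode `cp` derives from the source file, so adding `chmod 600 "$root_u_path/authorized_keys"` avoids sshd rejecting it under StrictModes if the source key file happens to be group- or world-writable. `$root_u_path` and `$auth_key` are left unquoted on the mkdir and cp lines while the other uses in the block are quoted. The enclosing function starts before this hunk.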
 
@@ -108,8 +118,12 @@ lxc.mount.entry=/usr /$rootfs/usr none ro,bind 0 0
 lxc.mount.entry=/sbin $rootfs/sbin none ro,bind 0 0
 lxc.mount.entry=tmpfs $rootfs/var/run/sshd tmpfs mode=0644 0 0
 lxc.mount.entry=@LXCTEMPLATEDIR@/lxc-sshd $rootfs/sbin/init none bind 0 0
+lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
 EOF
 
+# if no .ipv4 section in config, then have the container run dhcp
+grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp
+
 if [ "$(uname -m)" = "x86_64" ]; then
     cat <<EOF >> $path/config
 lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
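Review bot: The `grep -q "^lxc.network.ipv4" $path/config` test also matches a `lxc.network.ipv4.gateway` line, so a config that sets only a gateway and no address would be treated as static and no `run-dhcp` marker written; anchoring on the key itself, `grep -Eq "^lxc\.network\.ipv4[[:space:]]*=" "$path/config"`, makes the intent explicit. `$path/config` and `$rootfs/run-dhcp` are unquoted on the new line. The comment could also say where the marker is consumed, e.g. `# marker read by the /sbin/init branch below to decide whether to run dhclient`.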
@@ -120,12 +134,12 @@ fi
 usage()
 {
     cat <<EOF
-$1 -h|--help -p|--path=<path>
+$1 -h|--help -p|--path=<path> [-S|--auth-key=ssh-pub-key]
 EOF
     return 0
 }
 
-options=$(getopt -o hp:n: -l help,path:,name: -- "$@")
+options=$(getopt -o hp:n:S: -l help,path:,name:,auth-key: -- "$@")
 if [ $? -ne 0 ]; then
         usage $(basename $0)
 	exit 1
@@ -137,7 +151,8 @@ do
     case "$1" in
         -h|--help)      usage $0 && exit 0;;
         -p|--path)      path=$2; shift 2;;
-	-n|--name)      name=$2; shift 2;;
+        -n|--name)      name=$2; shift 2;;
+        -S|--auth-key)  auth_key=$2; shift 2;;
         --)             shift 1; break ;;
         *)              break ;;
     esac
@@ -162,6 +177,22 @@ if [ $0 == "/sbin/init" ]; then
 	exit 1
     fi
 
+    # run dhcp?
+    if [ -f /run-dhcp ]; then
+        type dhclient
+        if [ $? -ne 0 ]; then
+            echo "can't find dhclient"
+            exit 1
+        fi
+        touch /etc/fstab
+        rm -f /dhclient.conf
+        cat > /dhclient.conf << EOF
+send host-name "<hostname>";
+EOF
+        ifconfig eth0 up
+        dhclient eth0 -cf /dhclient.conf
+    fi
+
     exec @LXCINITDIR@/lxc-init -- /usr/sbin/sshd
     exit 1
 fi
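Review bot: `type dhclient` prints the resolved path on stdout and its error on stderr, and the result is then tested through a separate `$?` check; writing it as `if ! type dhclient >/dev/null 2>&1; then` keeps the output out of the container's console and reads as one statement. The interface name `eth0` is hard-coded on the `ifconfig` and `dhclient` lines, so a container whose `lxc.network.name` is set to something else would silently get no address; either read the name from the config or state the assumption in the comment, e.g. `# run dhcp? assumes the container's interface is named eth0`. `touch /etc/fstab` has no comment saying why it is needed before dhclient runs. The enclosing `if [ $0 == "/sbin/init" ]` block starts before this hunk.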
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 3e84e74..aab941f 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -24,6 +24,8 @@
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
+set -e
+
 if [ -r /etc/default/lxc ]; then
     . /etc/default/lxc
 fi
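Review bot: Adding `set -e` at the top changes the behaviour of every `cmd; if [ $? -ne 0 ]; then ...` sequence in the rest of the script — the `@@ -645` hunk header further down shows at least one such check in this file — because the shell now exits at `cmd` before the test runs, so those error branches and their messages become unreachable. They should be converted to `if ! cmd; then` or `cmd || { ...; }` in the same change, or the check dropped with a comment that `set -e` now covers it. A `trap 'echo "$0: failed at line $LINENO" >&2' ERR` would make the new silent exits diagnosable for users of the template.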
@@ -52,11 +54,7 @@ EOF
 127.0.0.1 localhost $hostname
 EOF
 
-    if [ "$release" = "precise" ]; then
-        group="sudo"
-    else
-        group="admin"
-
+    if [ "$release" != "precise" ]; then
         # suppress log level output for udev
         sed -i "s/=\"err\"/=0/" $rootfs/etc/udev/udev.conf
 
@@ -65,17 +63,40 @@ EOF
         rm -f $rootfs/etc/init/tty{5,6}.conf
     fi
 
-    chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
-    chroot $rootfs useradd --create-home -s /bin/bash -G $group ubuntu
-    echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
+    if [ -z "$bindhome" ]; then
+        chroot $rootfs useradd --create-home -s /bin/bash ubuntu
+        echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
+    fi
+
+    return 0
+}
+
+# finish setting up the user in the container by injecting ssh key and
+# adding sudo group membership.
+# passed-in user is either 'ubuntu' or the user to bind in from host.
+finalize_user()
+{
+    user=$1
+
+    if [ "$release" = "precise" ]; then
+        groups="sudo"
+    else
+        groups="sudo admin"
+    fi
+
+    for group in $groups; do
+        chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
+        chroot $rootfs adduser ${user} $group >/dev/null 2>&1 || true
+    done
+
     if [ -n "$auth_key" -a -f "$auth_key" ]; then
-	u_path="/home/ubuntu/.ssh"
+    	u_path="/home/${user}/.ssh"
 	root_u_path="$rootfs/$u_path"
 	mkdir -p $root_u_path
 	cp $auth_key "$root_u_path/authorized_keys"
-	chroot $rootfs chown -R ubuntu: "$u_path"
+    	chroot $rootfs chown -R ${user}: "$u_path"
 
-	echo "Inserted SSH public key from $auth_key into /home/ubuntu/.ssh/authorized_keys"
+    	echo "Inserted SSH public key from $auth_key into /home/${user}/.ssh/authorized_keys"
     fi
     return 0
 }
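Review bot: finalize_user builds the key path as `/home/${user}/.ssh`, while do_bindhome (the `@@ -500` hunk below) takes the bound user's home from `getent passwd ... | cut -d: -f 6`; for a bound user whose home is not under /home the key lands in the wrong directory, and even when it is, the bind mount do_bindhome appends to `$path/fstab` mounts the host home over `$rootfs/$h` and would hide the authorized_keys written into the rootfs — worth confirming, and then either deriving `u_path` from the container's passwd entry (`chroot $rootfs getent passwd $user | cut -d: -f 6`) or documenting that `-S` is not applied to a bound user. `user`, `groups` and `group` are assigned as globals rather than with `local`. The edited lines in the `auth_key` block now begin with four spaces followed by a tab while the neighbouring lines use a tab alone.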
@@ -305,7 +326,7 @@ EOF
     cat <<EOF >> $path/config
 lxc.utsname = $name
 
-lxc.devttydir = $ttydir
+lxc.devttydir =$ttydir
 lxc.tty = 4
 lxc.pts = 1024
 lxc.rootfs = $rootfs
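Review bot: The only change on the `lxc.devttydir` line is the dropped space after `=`, and nothing records why; presumably the value must be empty rather than a lone space when `$ttydir` is unset — confirm, and keep the reason next to the heredoc, e.g. `# no space after '=' so an unset ttydir yields an empty value`. Without the comment the next reformatting pass is likely to put the space back. The heredoc starts and ends outside this hunk.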
@@ -466,9 +487,13 @@ post_process()
             chroot $rootfs apt-get install --force-yes -y python-software-properties
             chroot $rootfs add-apt-repository ppa:ubuntu-virt/ppa
         fi
-        cp /etc/resolv.conf "${rootfs}/etc"
+        cresolvonf="${rootfs}/etc/resolv.conf"
+        mv $cresolvonf ${cresolvonf}.lxcbak
+        cat /etc/resolv.conf > ${cresolvonf}
         chroot $rootfs apt-get update
         chroot $rootfs apt-get install --force-yes -y lxcguest
+        rm -f ${cresolvonf}
+        mv ${cresolvonf}.lxcbak ${cresolvonf}
     fi
 
     # If the container isn't running a native architecture, setup multiarch
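Review bot: Under the `set -e` this patch adds, the `mv $cresolvonf ${cresolvonf}.lxcbak` line aborts the template when the fresh rootfs has no /etc/resolv.conf at all (mv fails on a missing source), and if either apt-get line fails the script exits before the two restore lines run, leaving the host's resolv.conf inside the container instead of the original file or symlink. Guard the backup and the restore on existence, testing `-L` as well as `-e` since the point of the change is that the file may be a dangling symlink, and quote the paths; doing the restore from an EXIT trap would also cover the apt-get failure case. The variable name `cresolvonf` reads like a typo for `cresolvconf`. The enclosing post_process function starts and ends outside this hunk.
```shell
        cresolvonf="${rootfs}/etc/resolv.conf"
        # may be a (possibly dangling) symlink: test -L as well as -e
        if [ -e "$cresolvonf" ] || [ -L "$cresolvonf" ]; then
            mv "$cresolvonf" "${cresolvonf}.lxcbak"
        fi
        cat /etc/resolv.conf > "$cresolvonf"
        # … unchanged: apt-get update / apt-get install lxcguest …
        rm -f "$cresolvonf"
        if [ -e "${cresolvonf}.lxcbak" ] || [ -L "${cresolvonf}.lxcbak" ]; then
            mv "${cresolvonf}.lxcbak" "$cresolvonf"
        fi
```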
@@ -500,20 +525,31 @@ do_bindhome()
     user=$2
 
     # copy /etc/passwd, /etc/shadow, and /etc/group entries into container
-    pwd=`getent passwd $user`
-    if [ $? -ne 0 ]; then
-        echo 'Warning: failed to copy password entry for $user'
-	return
-    else
-        echo $pwd >> $rootfs/etc/passwd
+    pwd=`getent passwd $user` || { echo "Failed to copy password entry for $user"; false; }
+    echo $pwd >> $rootfs/etc/passwd
+
+    # make sure user's shell exists in the container
+    shell=`echo $pwd | cut -d: -f 7`
+    if [ ! -x $rootfs/$shell ]; then
+        echo "shell $shell for user $user was not found in the container."
+        pkg=`dpkg -S $(readlink -m $shell) | cut -d ':' -f1`
+        echo "Installing $pkg"
+        chroot $rootfs apt-get --force-yes -y install $pkg
     fi
+
     shad=`getent shadow $user`
-    echo $shad >> $rootfs/etc/shadow
+    echo "$shad" >> $rootfs/etc/shadow
 
     # bind-mount the user's path into the container's /home
     h=`getent passwd $user | cut -d: -f 6`
     mkdir -p $rootfs/$h
     echo "$h $rootfs/$h none bind 0 0" >> $path/fstab
+
+    # Make sure the group exists in container
+    chroot $rootfs getent group $user || { \
+        grp=`getent group $user`
+        echo "$grp" >> $rootfs/etc/group
+    }
 }
 
 usage()
@@ -524,6 +560,8 @@ $1 -h|--help [-a|--arch] [-b|--bindhome <user>] [--trim] [-d|--debug]
 release: lucid | maverick | natty | oneiric | precise
 trim: make a minimal (faster, but not upgrade-safe) container
 bindhome: bind <user>'s home into the container
+          The ubuntu user will not be created, and <user> will have
+	  sudo access.
 arch: amd64 or i386: defaults to host arch
 auth-key: SSH Public key file to inject into container
 EOF
@@ -645,8 +683,12 @@ if [ $? -ne 0 ]; then
 fi
 
 post_process $rootfs $release $trim_container
-if [ ! -z $bindhome ]; then
-	do_bindhome $rootfs $bindhome
+
+if [ -n "$bindhome" ]; then
+    do_bindhome $rootfs $bindhome
+    finalize_user $bindhome
+else
+    finalize_user ubuntu
 fi
 
 echo ""
-- 
1.7.9.5




