[Lxc-users] [PATCH 1/9] several templates updates
Serge Hallyn
serge at hallyn.com
Thu Apr 26 05:09:33 UTC 2012
From: Serge Hallyn <serge.hallyn at ubuntu.com>
Here are some template updates from the ubuntu package:
lxc-busybox: check separately for lib64 existence
lxc-sshd: allow specifying ssh key, and run dhclient if no static ip is defined
lxc-ubuntu:
1. set -e
2. handle resolv.conf being a symbolic link
3. install a bound user's shell in container
4. always add sudo group (Stéphane Graber <stgraber at ubuntu.com>)
5. don't define ubuntu user if there is a bound user
6. put the bound user in sudo group
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Cc: Stéphane Graber <stgraber at ubuntu.com>
---
templates/lxc-busybox.in | 5 +++
templates/lxc-sshd.in | 37 ++++++++++++++++++--
templates/lxc-ubuntu.in | 86 ++++++++++++++++++++++++++++++++++------------
3 files changed, 103 insertions(+), 25 deletions(-)
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 720ceef..ef356db 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -245,6 +245,11 @@ fi
if [ -d "/lib64" ] && [ -d "$rootfs/lib64" ]; then
cat <<EOF >> $path/config
lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
+EOF
+fi
+
+if [ -d "/usr/lib64" ] && [ -d "$rootfs/usr/lib64" ]; then
+cat <<EOF >> $path/config
lxc.mount.entry=/usr/lib64 $rootfs/usr/lib64 none ro,bind 0 0
EOF
fi
diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index bd5d293..749d08a 100644
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -88,6 +88,16 @@ HostbasedAuthentication no
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
EOF
+ if [ -n "$auth_key" -a -f "$auth_key" ]; then
+ u_path="/root/.ssh"
+ root_u_path="$rootfs/$u_path"
+ mkdir -p $root_u_path
+ cp $auth_key "$root_u_path/authorized_keys"
+ chown -R 0:0 "$rootfs/$u_path"
+ chmod 700 "$rootfs/$u_path"
+
+ echo "Inserted SSH public key from $auth_key into /home/ubuntu/.ssh/authorized_keys"
+ fi
return 0
}
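Review bot: The message echoed at line 55 names `/home/ubuntu/.ssh/authorized_keys`, but the key was just copied into `/root/.ssh/authorized_keys`; it should read `echo "Inserted SSH public key from $auth_key into $u_path/authorized_keys"`. The copied file also keeps whatever mode the source key had, so add `chmod 600 "$root_u_path/authorized_keys"` next to the existing `chmod 700` so sshd's StrictModes accepts it regardless of the source permissions. The `-a` inside `[ ]` at line 47 is deprecated; `[ -n "$auth_key" ] && [ -f "$auth_key" ]` is the portable form, and `$root_u_path`/`$auth_key` at lines 50-51 should be double-quoted. The enclosing function starts before this hunk.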
@@ -108,8 +118,12 @@ lxc.mount.entry=/usr /$rootfs/usr none ro,bind 0 0
lxc.mount.entry=/sbin $rootfs/sbin none ro,bind 0 0
lxc.mount.entry=tmpfs $rootfs/var/run/sshd tmpfs mode=0644 0 0
lxc.mount.entry=@LXCTEMPLATEDIR@/lxc-sshd $rootfs/sbin/init none bind 0 0
+lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
EOF
+# if no .ipv4 section in config, then have the container run dhcp
+grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp
+
if [ "$(uname -m)" = "x86_64" ]; then
cat <<EOF >> $path/config
lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
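Review bot: The `run-dhcp` marker at line 66 is decided once, at creation time, from whether `$path/config` contains an `lxc.network.ipv4` line, so a static address added to the config later (or removed from it) does not change the container's behaviour until someone deletes the marker by hand. A comment saying so would save the next reader a surprise, e.g. `# decided at creation time: remove $rootfs/run-dhcp by hand if a static lxc.network.ipv4 is added later`. Both `$path/config` and `$rootfs/run-dhcp` on that line should be double-quoted. The heredoc this hunk closes starts before it.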
@@ -120,12 +134,12 @@ fi
usage()
{
cat <<EOF
-$1 -h|--help -p|--path=<path>
+$1 -h|--help -p|--path=<path> [-S|--auth-key=ssh-pub-key]
EOF
return 0
}
-options=$(getopt -o hp:n: -l help,path:,name: -- "$@")
+options=$(getopt -o hp:n:S: -l help,path:,name:,auth-key: -- "$@")
if [ $? -ne 0 ]; then
usage $(basename $0)
exit 1
@@ -137,7 +151,8 @@ do
case "$1" in
-h|--help) usage $0 && exit 0;;
-p|--path) path=$2; shift 2;;
- -n|--name) name=$2; shift 2;;
+ -n|--name) name=$2; shift 2;;
+ -S|--auth-key) auth_key=$2; shift 2;;
--) shift 1; break ;;
*) break ;;
esac
@@ -162,6 +177,22 @@ if [ $0 == "/sbin/init" ]; then
exit 1
fi
+ # run dhcp?
+ if [ -f /run-dhcp ]; then
+ type dhclient
+ if [ $? -ne 0 ]; then
+ echo "can't find dhclient"
+ exit 1
+ fi
+ touch /etc/fstab
+ rm -f /dhclient.conf
+ cat > /dhclient.conf << EOF
+send host-name "<hostname>";
+EOF
+ ifconfig eth0 up
+ dhclient eth0 -cf /dhclient.conf
+ fi
+
exec @LXCINITDIR@/lxc-init -- /usr/sbin/sshd
exit 1
fi
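Review bot: The DHCP block hard-codes `eth0` at lines 110-111 and gives no feedback when `ifconfig` or `dhclient` fail, so a container whose interface has a different name boots straight into sshd with no address and no message. At minimum, report the failure: `dhclient eth0 -cf /dhclient.conf || echo "dhclient failed on eth0" >&2`. The `touch /etc/fstab` at line 105 has no obvious purpose from here; a one-line comment explaining what dhclient or its script needs it for would help. Writing the check as `if ! type dhclient >/dev/null 2>&1; then` also avoids printing the resolved path on every boot.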
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 3e84e74..aab941f 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -24,6 +24,8 @@
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
+set -e
+
if [ -r /etc/default/lxc ]; then
. /etc/default/lxc
fi
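Review bot: With `set -e` now in effect, any unguarded command aborts the script, which silently changes the meaning of the existing `if [ $? -ne 0 ]; then` checks such as the one visible in the header of the last hunk (old line 645): when the preceding command is a plain command or a command-substitution assignment, the script exits before the check runs and its usage message is never printed. Those checks should become `if ! cmd; then` forms, or the command should be captured as `cmd || rv=$?` so the status survives. Adding `set -e` is also a behaviour change worth a line in the script's header comment, e.g. `# set -e: any failing step aborts container creation; guard expected failures with || true`. The same consideration applies to the `sed -i` and `mv` lines in the later lxc-ubuntu hunks.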
@@ -52,11 +54,7 @@ EOF
127.0.0.1 localhost $hostname
EOF
- if [ "$release" = "precise" ]; then
- group="sudo"
- else
- group="admin"
-
+ if [ "$release" != "precise" ]; then
# suppress log level output for udev
sed -i "s/=\"err\"/=0/" $rootfs/etc/udev/udev.conf
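Review bot: Under the `set -e` this patch introduces, the `sed -i` at line 139 now aborts the whole script if `$rootfs/etc/udev/udev.conf` is missing from the downloaded rootfs, where before it only printed an error and carried on; if that file is not guaranteed for every non-precise release, guard it with `[ -f "$rootfs/etc/udev/udev.conf" ] && sed -i "s/=\"err\"/=0/" "$rootfs/etc/udev/udev.conf"`. Whether udev.conf is always present I cannot tell from here. The enclosing function starts and ends outside this hunk.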
@@ -65,17 +63,40 @@ EOF
rm -f $rootfs/etc/init/tty{5,6}.conf
fi
- chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
- chroot $rootfs useradd --create-home -s /bin/bash -G $group ubuntu
- echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
+ if [ -z "$bindhome" ]; then
+ chroot $rootfs useradd --create-home -s /bin/bash ubuntu
+ echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
+ fi
+
+ return 0
+}
+
+# finish setting up the user in the container by injecting ssh key and
+# adding sudo group membership.
+# passed-in user is either 'ubuntu' or the user to bind in from host.
+finalize_user()
+{
+ user=$1
+
+ if [ "$release" = "precise" ]; then
+ groups="sudo"
+ else
+ groups="sudo admin"
+ fi
+
+ for group in $groups; do
+ chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
+ chroot $rootfs adduser ${user} $group >/dev/null 2>&1 || true
+ done
+
if [ -n "$auth_key" -a -f "$auth_key" ]; then
- u_path="/home/ubuntu/.ssh"
+ u_path="/home/${user}/.ssh"
root_u_path="$rootfs/$u_path"
mkdir -p $root_u_path
cp $auth_key "$root_u_path/authorized_keys"
- chroot $rootfs chown -R ubuntu: "$u_path"
+ chroot $rootfs chown -R ${user}: "$u_path"
- echo "Inserted SSH public key from $auth_key into /home/ubuntu/.ssh/authorized_keys"
+ echo "Inserted SSH public key from $auth_key into /home/${user}/.ssh/authorized_keys"
fi
return 0
}
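Review bot: For a bound user, `finalize_user` writes the key to `$rootfs/home/${user}/.ssh/authorized_keys` (line 174), but `do_bindhome` bind-mounts the host home over `$rootfs/$h` through `$path/fstab`, so at runtime the host's home directory hides the file written here unless the host home already holds the key — if I read the mount right, key injection is a no-op in the bindhome case, and the home path should be taken from `getent passwd` rather than assumed to be `/home/${user}`. The function also leaves `user`, `groups` and `group` as globals, and `groups` shadows the command of the same name; a header comment stating this and a rename such as `sudo_groups` would avoid confusion. Finally, `adduser ${user} $group >/dev/null 2>&1 || true` at line 169 swallows a failure to grant sudo, so a warning in the `||` branch would keep that visible, e.g. `|| echo "warning: could not add $user to $group" >&2`.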
@@ -305,7 +326,7 @@ EOF
cat <<EOF >> $path/config
lxc.utsname = $name
-lxc.devttydir = $ttydir
+lxc.devttydir =$ttydir
lxc.tty = 4
lxc.pts = 1024
lxc.rootfs = $rootfs
@@ -466,9 +487,13 @@ post_process()
chroot $rootfs apt-get install --force-yes -y python-software-properties
chroot $rootfs add-apt-repository ppa:ubuntu-virt/ppa
fi
- cp /etc/resolv.conf "${rootfs}/etc"
+ cresolvonf="${rootfs}/etc/resolv.conf"
+ mv $cresolvonf ${cresolvonf}.lxcbak
+ cat /etc/resolv.conf > ${cresolvonf}
chroot $rootfs apt-get update
chroot $rootfs apt-get install --force-yes -y lxcguest
+ rm -f ${cresolvonf}
+ mv ${cresolvonf}.lxcbak ${cresolvonf}
fi
# If the container isn't running a native architecture, setup multiarch
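Review bot: `mv $cresolvonf ${cresolvonf}.lxcbak` at line 199 fails, and under `set -e` aborts creation, when the rootfs has no `/etc/resolv.conf` at all; and if either `apt-get` at lines 201-202 fails, the script exits before line 204, leaving the host's resolv.conf inside the container and the backup stranded as `.lxcbak`. Guard both directions: `{ [ -e "$cresolvonf" ] || [ -L "$cresolvonf" ]; } && mv "$cresolvonf" "$cresolvonf.lxcbak"` before overwriting, and restore in a `trap` or an explicit `|| { rm -f "$cresolvonf"; mv "$cresolvonf.lxcbak" "$cresolvonf"; false; }` on the apt-get calls. The variable name is misspelled (`cresolvonf`); `cresolvconf` reads better, and the paths should be double-quoted. The enclosing `post_process` continues outside the hunk.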
@@ -500,20 +525,31 @@ do_bindhome()
user=$2
# copy /etc/passwd, /etc/shadow, and /etc/group entries into container
- pwd=`getent passwd $user`
- if [ $? -ne 0 ]; then
- echo 'Warning: failed to copy password entry for $user'
- return
- else
- echo $pwd >> $rootfs/etc/passwd
+ pwd=`getent passwd $user` || { echo "Failed to copy password entry for $user"; false; }
+ echo $pwd >> $rootfs/etc/passwd
+
+ # make sure user's shell exists in the container
+ shell=`echo $pwd | cut -d: -f 7`
+ if [ ! -x $rootfs/$shell ]; then
+ echo "shell $shell for user $user was not found in the container."
+ pkg=`dpkg -S $(readlink -m $shell) | cut -d ':' -f1`
+ echo "Installing $pkg"
+ chroot $rootfs apt-get --force-yes -y install $pkg
fi
+
shad=`getent shadow $user`
- echo $shad >> $rootfs/etc/shadow
+ echo "$shad" >> $rootfs/etc/shadow
# bind-mount the user's path into the container's /home
h=`getent passwd $user | cut -d: -f 6`
mkdir -p $rootfs/$h
echo "$h $rootfs/$h none bind 0 0" >> $path/fstab
+
+ # Make sure the group exists in container
+ chroot $rootfs getent group $user || { \
+ grp=`getent group $user`
+ echo "$grp" >> $rootfs/etc/group
+ }
}
usage()
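Review bot: `echo $pwd >> $rootfs/etc/passwd` at line 217 is still unquoted while the shadow entry at line 230 now is; a GECOS field containing runs of spaces is collapsed on its way into the container, so make it `echo "$pwd" >> $rootfs/etc/passwd` (and likewise `echo "$pwd" | cut -d: -f 7` at line 220). At line 223, when the shell is not owned by any host package, `dpkg -S` prints nothing, `pkg` is empty and `apt-get install` with no package succeeds silently, so the user ends up without a working shell; check `[ -n "$pkg" ]` before installing and fail with a message otherwise. At lines 237-240 the fallback assumes the host has a group named after the user and appends whatever `getent group` returns, which is an empty line when it does not; testing the host lookup before appending avoids corrupting the container's `/etc/group`. The function begins before this hunk.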
@@ -524,6 +560,8 @@ $1 -h|--help [-a|--arch] [-b|--bindhome <user>] [--trim] [-d|--debug]
release: lucid | maverick | natty | oneiric | precise
trim: make a minimal (faster, but not upgrade-safe) container
bindhome: bind <user>'s home into the container
+ The ubuntu user will not be created, and <user> will have
+ sudo access.
arch: amd64 or i386: defaults to host arch
auth-key: SSH Public key file to inject into container
EOF
@@ -645,8 +683,12 @@ if [ $? -ne 0 ]; then
fi
post_process $rootfs $release $trim_container
-if [ ! -z $bindhome ]; then
- do_bindhome $rootfs $bindhome
+
+if [ -n "$bindhome" ]; then
+ do_bindhome $rootfs $bindhome
+ finalize_user $bindhome
+else
+ finalize_user ubuntu
fi
echo ""
--
1.7.9.5