[Lxc-users] [PATCH 1/9] several templates updates

Serge Hallyn serge.hallyn at canonical.com
Fri May 25 15:37:31 UTC 2012


Hi Daniel,

have you had a chance to look at this patchset?  (In particular
Stéphane noticed that lxc-shutdown, introduced in patch 8 of this
set, isn't yet upstream)

I can manually re-send them to lxc-devel if you prefer.

thanks,
-serge

Quoting Serge Hallyn (serge at hallyn.com):
> From: Serge Hallyn <serge.hallyn at ubuntu.com>
> 
> Here are some template updates from the ubuntu package:
> 
> lxc-busybox: check separately for lib64 existence
> lxc-sshd: allow specifying ssh key, and run dhclient if no static ip is defined
> lxc-ubuntu:
>    1. set -e
>    2. handle resolv.conf being a symbolic link
>    3. install a bound user's shell in container
>    4. always add sudo group (Stéphane Graber <stgraber at ubuntu.com>)
>    5. don't define ubuntu user if there is a bound user
>    6. put the bound user in sudo group
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> Cc: Stéphane Graber <stgraber at ubuntu.com>
> ---
>  templates/lxc-busybox.in |    5 +++
>  templates/lxc-sshd.in    |   37 ++++++++++++++++++--
>  templates/lxc-ubuntu.in  |   86 ++++++++++++++++++++++++++++++++++------------
>  3 files changed, 103 insertions(+), 25 deletions(-)
> 
> diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> index 720ceef..ef356db 100644
> --- a/templates/lxc-busybox.in
> +++ b/templates/lxc-busybox.in
> @@ -245,6 +245,11 @@ fi
>  if [ -d "/lib64" ] && [ -d "$rootfs/lib64" ]; then
>  cat <<EOF >> $path/config
>  lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
> +EOF
> +fi
> +
> +if [ -d "/usr/lib64" ] && [ -d "$rootfs/usr/lib64" ]; then
> +cat <<EOF >> $path/config
>  lxc.mount.entry=/usr/lib64 $rootfs/usr/lib64 none ro,bind 0 0
>  EOF
>  fi
> diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
> index bd5d293..749d08a 100644
> --- a/templates/lxc-sshd.in
> +++ b/templates/lxc-sshd.in
> @@ -88,6 +88,16 @@ HostbasedAuthentication no
>  PermitEmptyPasswords yes
>  ChallengeResponseAuthentication no
>  EOF
> +    if [ -n "$auth_key" -a -f "$auth_key" ]; then
> +       u_path="/root/.ssh"
> +       root_u_path="$rootfs/$u_path"
> +       mkdir -p $root_u_path
> +       cp $auth_key "$root_u_path/authorized_keys"
> +       chown -R 0:0 "$rootfs/$u_path"
> +       chmod 700 "$rootfs/$u_path"
> +
> +       echo "Inserted SSH public key from $auth_key into /home/ubuntu/.ssh/authorized_keys"
> +    fi
>      return 0
>  }
>  
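Review bot: The status line at the end of the new block reports the key as inserted into /home/ubuntu/.ssh/authorized_keys, but the copy three lines above writes it to /root/.ssh via `root_u_path`; the message should be `echo "Inserted SSH public key from $auth_key into $u_path/authorized_keys"`. The block sets `chmod 700` on the directory but never sets the mode of authorized_keys, so it inherits the source file's bits through `cp` and the umask; add `chmod 600 "$root_u_path/authorized_keys"` after the copy so sshd's StrictModes check cannot reject it. `$root_u_path` and `$auth_key` are unquoted on the mkdir and cp lines, and `[ -n "$auth_key" -a -f "$auth_key" ]` would be clearer as `[ -n "$auth_key" ] && [ -f "$auth_key" ]`. The enclosing function starts before this hunk.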
> @@ -108,8 +118,12 @@ lxc.mount.entry=/usr /$rootfs/usr none ro,bind 0 0
>  lxc.mount.entry=/sbin $rootfs/sbin none ro,bind 0 0
>  lxc.mount.entry=tmpfs $rootfs/var/run/sshd tmpfs mode=0644 0 0
>  lxc.mount.entry=@LXCTEMPLATEDIR@/lxc-sshd $rootfs/sbin/init none bind 0 0
> +lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
>  EOF
>  
> +# if no .ipv4 section in config, then have the container run dhcp
> +grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp
> +
>  if [ "$(uname -m)" = "x86_64" ]; then
>      cat <<EOF >> $path/config
>  lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
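Review bot: `grep -q "^lxc.network.ipv4" $path/config` decides at creation time whether the container will run dhclient, so a static address added to the config afterwards leaves `/run-dhcp` in place and the container keeps requesting a lease; a comment stating that the marker file has to be removed by hand in that case would save a debugging round. The dots in the pattern are unescaped and both paths are unquoted; `grep -q '^lxc\.network\.ipv4' "$path/config" || touch "$rootfs/run-dhcp"` covers both.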
> @@ -120,12 +134,12 @@ fi
>  usage()
>  {
>      cat <<EOF
> -$1 -h|--help -p|--path=<path>
> +$1 -h|--help -p|--path=<path> [-S|--auth-key=ssh-pub-key]
>  EOF
>      return 0
>  }
>  
> -options=$(getopt -o hp:n: -l help,path:,name: -- "$@")
> +options=$(getopt -o hp:n:S: -l help,path:,name:,auth-key: -- "$@")
>  if [ $? -ne 0 ]; then
>          usage $(basename $0)
>  	exit 1
> @@ -137,7 +151,8 @@ do
>      case "$1" in
>          -h|--help)      usage $0 && exit 0;;
>          -p|--path)      path=$2; shift 2;;
> -	-n|--name)      name=$2; shift 2;;
> +        -n|--name)      name=$2; shift 2;;
> +        -S|--auth-key)  auth_key=$2; shift 2;;
>          --)             shift 1; break ;;
>          *)              break ;;
>      esac
> @@ -162,6 +177,22 @@ if [ $0 == "/sbin/init" ]; then
>  	exit 1
>      fi
>  
> +    # run dhcp?
> +    if [ -f /run-dhcp ]; then
> +        type dhclient
> +        if [ $? -ne 0 ]; then
> +            echo "can't find dhclient"
> +            exit 1
> +        fi
> +        touch /etc/fstab
> +        rm -f /dhclient.conf
> +        cat > /dhclient.conf << EOF
> +send host-name "<hostname>";
> +EOF
> +        ifconfig eth0 up
> +        dhclient eth0 -cf /dhclient.conf
> +    fi
> +
>      exec @LXCINITDIR@/lxc-init -- /usr/sbin/sshd
>      exit 1
>  fi
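Review bot: `type dhclient` in the new dhcp block prints its lookup result to stdout, and the failure message goes to stdout as well; `command -v dhclient >/dev/null 2>&1 || { echo "can't find dhclient" >&2; exit 1; }` is the quieter and portable form. `touch /etc/fstab` has no explanation and deserves a comment saying what expects the file to exist (presumably a dhclient hook script; confirm), and `eth0` is hard-coded although the interface name comes from the container's config. The enclosing `if [ $0 == "/sbin/init" ]` block begins before this hunk.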
> diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> index 3e84e74..aab941f 100644
> --- a/templates/lxc-ubuntu.in
> +++ b/templates/lxc-ubuntu.in
> @@ -24,6 +24,8 @@
>  # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
>  #
>  
> +set -e
> +
>  if [ -r /etc/default/lxc ]; then
>      . /etc/default/lxc
>  fi
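Review bot: `set -e` changes the meaning of the `$?` checks this script already relies on; the hunk header at -645 shows one (`if [ $? -ne 0 ]; then`), and a failing command on its own line now aborts before that test runs, so whatever usage message or cleanup sits behind it is skipped. Each such site should become `if ! cmd; then` or `cmd || { ...; }`, or the command should be folded into the test. Note also that `-e` is only partly in effect: a failure inside `$(…)` used as an argument, or in any pipeline stage but the last, is still ignored, which matters for the backtick-and-`cut` pipelines added to do_bindhome later in this patch.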
> @@ -52,11 +54,7 @@ EOF
>  127.0.0.1 localhost $hostname
>  EOF
>  
> -    if [ "$release" = "precise" ]; then
> -        group="sudo"
> -    else
> -        group="admin"
> -
> +    if [ "$release" != "precise" ]; then
>          # suppress log level output for udev
>          sed -i "s/=\"err\"/=0/" $rootfs/etc/udev/udev.conf
>  
> @@ -65,17 +63,40 @@ EOF
>          rm -f $rootfs/etc/init/tty{5,6}.conf
>      fi
>  
> -    chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
> -    chroot $rootfs useradd --create-home -s /bin/bash -G $group ubuntu
> -    echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
> +    if [ -z "$bindhome" ]; then
> +        chroot $rootfs useradd --create-home -s /bin/bash ubuntu
> +        echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
> +    fi
> +
> +    return 0
> +}
> +
> +# finish setting up the user in the container by injecting ssh key and
> +# adding sudo group membership.
> +# passed-in user is either 'ubuntu' or the user to bind in from host.
> +finalize_user()
> +{
> +    user=$1
> +
> +    if [ "$release" = "precise" ]; then
> +        groups="sudo"
> +    else
> +        groups="sudo admin"
> +    fi
> +
> +    for group in $groups; do
> +        chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
> +        chroot $rootfs adduser ${user} $group >/dev/null 2>&1 || true
> +    done
> +
>      if [ -n "$auth_key" -a -f "$auth_key" ]; then
> -	u_path="/home/ubuntu/.ssh"
> +    	u_path="/home/${user}/.ssh"
>  	root_u_path="$rootfs/$u_path"
>  	mkdir -p $root_u_path
>  	cp $auth_key "$root_u_path/authorized_keys"
> -	chroot $rootfs chown -R ubuntu: "$u_path"
> +    	chroot $rootfs chown -R ${user}: "$u_path"
>  
> -	echo "Inserted SSH public key from $auth_key into /home/ubuntu/.ssh/authorized_keys"
> +    	echo "Inserted SSH public key from $auth_key into /home/${user}/.ssh/authorized_keys"
>      fi
>      return 0
>  }
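Review bot: For a bound user the key injected by finalize_user lands in `$rootfs/home/${user}/.ssh`, which is the directory do_bindhome bind-mounts the host home over when the container starts, so the authorized_keys written here is hidden at runtime (assuming the host home is /home/<user>, as the hard-coded `u_path` does). Either write the key into the host home directory when `$bindhome` is set, or state in the function comment that `auth_key` only takes effect for the ubuntu user. Independently of that, `mkdir -p $root_u_path` creates .ssh with the umask default and `cp` keeps the source file's mode, so follow the sshd template and add `chmod 700 "$root_u_path"` and `chmod 600 "$root_u_path/authorized_keys"` after the copy. `user`, `groups` and `group` are all assigned as globals and `groups` shadows the command of the same name; `local` would avoid surprises in the caller.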
> @@ -305,7 +326,7 @@ EOF
>      cat <<EOF >> $path/config
>  lxc.utsname = $name
>  
> -lxc.devttydir = $ttydir
> +lxc.devttydir =$ttydir
>  lxc.tty = 4
>  lxc.pts = 1024
>  lxc.rootfs = $rootfs
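Review bot: The only change in this hunk drops the space after `=` in `lxc.devttydir =$ttydir`, leaving it inconsistent with every other `key = value` line in the same heredoc. If the change is deliberate (for example to control what is written when `$ttydir` is empty), a short comment above the line such as `# no space after '=': see how lxc parses an empty ttydir` should say so; otherwise it reads as an accidental edit and should be reverted.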
> @@ -466,9 +487,13 @@ post_process()
>              chroot $rootfs apt-get install --force-yes -y python-software-properties
>              chroot $rootfs add-apt-repository ppa:ubuntu-virt/ppa
>          fi
> -        cp /etc/resolv.conf "${rootfs}/etc"
> +        cresolvonf="${rootfs}/etc/resolv.conf"
> +        mv $cresolvonf ${cresolvonf}.lxcbak
> +        cat /etc/resolv.conf > ${cresolvonf}
>          chroot $rootfs apt-get update
>          chroot $rootfs apt-get install --force-yes -y lxcguest
> +        rm -f ${cresolvonf}
> +        mv ${cresolvonf}.lxcbak ${cresolvonf}
>      fi
>  
>      # If the container isn't running a native architecture, setup multiarch
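Review bot: Under the `set -e` this patch adds, `mv $cresolvonf ${cresolvonf}.lxcbak` aborts the whole template when the container has no resolv.conf yet, and a failure of either `apt-get` call below it exits before the two restore lines run, leaving a copy of the host's resolv.conf in the container instead of the original symlink. Guard the backup with `[ -e "$cresolvonf" ] || [ -L "$cresolvonf" ]` and do the restore from an EXIT trap, or add `|| { mv "${cresolvonf}.lxcbak" "$cresolvonf"; false; }` to the apt-get lines, so the original comes back on every path; the `rm -f ${cresolvonf}` before the final `mv` is redundant because `mv` replaces its target. The new variable name `cresolvonf` looks like a typo for `cresolvconf`, and all of its expansions are unquoted.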
> @@ -500,20 +525,31 @@ do_bindhome()
>      user=$2
>  
>      # copy /etc/passwd, /etc/shadow, and /etc/group entries into container
> -    pwd=`getent passwd $user`
> -    if [ $? -ne 0 ]; then
> -        echo 'Warning: failed to copy password entry for $user'
> -	return
> -    else
> -        echo $pwd >> $rootfs/etc/passwd
> +    pwd=`getent passwd $user` || { echo "Failed to copy password entry for $user"; false; }
> +    echo $pwd >> $rootfs/etc/passwd
> +
> +    # make sure user's shell exists in the container
> +    shell=`echo $pwd | cut -d: -f 7`
> +    if [ ! -x $rootfs/$shell ]; then
> +        echo "shell $shell for user $user was not found in the container."
> +        pkg=`dpkg -S $(readlink -m $shell) | cut -d ':' -f1`
> +        echo "Installing $pkg"
> +        chroot $rootfs apt-get --force-yes -y install $pkg
>      fi
> +
>      shad=`getent shadow $user`
> -    echo $shad >> $rootfs/etc/shadow
> +    echo "$shad" >> $rootfs/etc/shadow
>  
>      # bind-mount the user's path into the container's /home
>      h=`getent passwd $user | cut -d: -f 6`
>      mkdir -p $rootfs/$h
>      echo "$h $rootfs/$h none bind 0 0" >> $path/fstab
> +
> +    # Make sure the group exists in container
> +    chroot $rootfs getent group $user || { \
> +        grp=`getent group $user`
> +        echo "$grp" >> $rootfs/etc/group
> +    }
>  }
>  
>  usage()
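Review bot: `pkg=\`dpkg -S $(readlink -m $shell) | cut -d ':' -f1\`` masks a `dpkg -S` failure because the pipeline's status is that of `cut`, so `$pkg` ends up empty, `apt-get install` with no package name succeeds without doing anything, and the bound user is left with a shell that does not exist in the container; add `[ -n "$pkg" ] || { echo "no package provides $shell" >&2; false; }` before the install, and note that `readlink -m` resolves the path on the host rather than in the rootfs. `echo $pwd >> $rootfs/etc/passwd` is still unquoted while the shadow line below was changed to `echo "$shad"`, so a GECOS field with repeated spaces or glob characters is rewritten on its way in; quote it the same way. The `chroot $rootfs getent group $user` probe prints the matching line to stdout on success and should get `>/dev/null`; it also only copies a group named after the user, so a primary group with a different name (field 4 of the passwd entry) is not carried over.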
> @@ -524,6 +560,8 @@ $1 -h|--help [-a|--arch] [-b|--bindhome <user>] [--trim] [-d|--debug]
>  release: lucid | maverick | natty | oneiric | precise
>  trim: make a minimal (faster, but not upgrade-safe) container
>  bindhome: bind <user>'s home into the container
> +          The ubuntu user will not be created, and <user> will have
> +	  sudo access.
>  arch: amd64 or i386: defaults to host arch
>  auth-key: SSH Public key file to inject into container
>  EOF
> @@ -645,8 +683,12 @@ if [ $? -ne 0 ]; then
>  fi
>  
>  post_process $rootfs $release $trim_container
> -if [ ! -z $bindhome ]; then
> -	do_bindhome $rootfs $bindhome
> +
> +if [ -n "$bindhome" ]; then
> +    do_bindhome $rootfs $bindhome
> +    finalize_user $bindhome
> +else
> +    finalize_user ubuntu
>  fi
>  
>  echo ""
> -- 
> 1.7.9.5
> 



