[Lxc-users] [PATCH 1/9] several templates updates
Serge Hallyn
serge.hallyn at canonical.com
Fri May 25 15:37:31 UTC 2012
Hi Daniel,
have you had a chance to look at this patchset? (In particular,
Stéphane noticed that lxc-shutdown, introduced in patch 8 of this
set, isn't yet upstream.)
I can manually re-send them to lxc-devel if you prefer.
thanks,
-serge
Quoting Serge Hallyn (serge at hallyn.com):
> From: Serge Hallyn <serge.hallyn at ubuntu.com>
>
> Here are some template updates from the ubuntu package:
>
> lxc-busybox: check separately for lib64 existence
> lxc-sshd: allow specifying ssh key, and run dhclient if no static ip is defined
> lxc-ubuntu:
> 1. set -e
> 2. handle resolv.conf being a symbolic link
> 3. install a bound user's shell in container
> 4. always add sudo group (Stéphane Graber <stgraber at ubuntu.com>)
> 5. don't define ubuntu user if there is a bound user
> 6. put the bound user in sudo group
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> Cc: Stéphane Graber <stgraber at ubuntu.com>
> ---
> templates/lxc-busybox.in | 5 +++
> templates/lxc-sshd.in | 37 ++++++++++++++++++--
> templates/lxc-ubuntu.in | 86 ++++++++++++++++++++++++++++++++++------------
> 3 files changed, 103 insertions(+), 25 deletions(-)
>
> diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> index 720ceef..ef356db 100644
> --- a/templates/lxc-busybox.in
> +++ b/templates/lxc-busybox.in
> @@ -245,6 +245,11 @@ fi
> if [ -d "/lib64" ] && [ -d "$rootfs/lib64" ]; then
> cat <<EOF >> $path/config
> lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
> +EOF
> +fi
> +
> +if [ -d "/usr/lib64" ] && [ -d "$rootfs/usr/lib64" ]; then
> +cat <<EOF >> $path/config
> lxc.mount.entry=/usr/lib64 $rootfs/usr/lib64 none ro,bind 0 0
> EOF
> fi
> diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
> index bd5d293..749d08a 100644
> --- a/templates/lxc-sshd.in
> +++ b/templates/lxc-sshd.in
> @@ -88,6 +88,16 @@ HostbasedAuthentication no
> PermitEmptyPasswords yes
> ChallengeResponseAuthentication no
> EOF
> + if [ -n "$auth_key" -a -f "$auth_key" ]; then
> + u_path="/root/.ssh"
> + root_u_path="$rootfs/$u_path"
> + mkdir -p $root_u_path
> + cp $auth_key "$root_u_path/authorized_keys"
> + chown -R 0:0 "$rootfs/$u_path"
> + chmod 700 "$rootfs/$u_path"
> +
> + echo "Inserted SSH public key from $auth_key into /home/ubuntu/.ssh/authorized_keys"
> + fi
> return 0
> }
>
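Review bot: The `echo` line reports `/home/ubuntu/.ssh/authorized_keys`, but the key was just copied into `/root/.ssh`, so the log line misstates where the key went; change it to `echo "Inserted SSH public key from $auth_key into $u_path/authorized_keys"`. The copy also inherits the source file's mode and only the directory gets `chmod 700`; add `chmod 600 "$root_u_path/authorized_keys"` so a group- or world-writable key file is not rejected by sshd's StrictModes. `[ -n "$auth_key" -a -f "$auth_key" ]` relies on the ambiguous `-a` operator; `[ -n "$auth_key" ] && [ -f "$auth_key" ]` is the portable form. The function this block belongs to starts before the hunk.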
> @@ -108,8 +118,12 @@ lxc.mount.entry=/usr /$rootfs/usr none ro,bind 0 0
> lxc.mount.entry=/sbin $rootfs/sbin none ro,bind 0 0
> lxc.mount.entry=tmpfs $rootfs/var/run/sshd tmpfs mode=0644 0 0
> lxc.mount.entry=@LXCTEMPLATEDIR@/lxc-sshd $rootfs/sbin/init none bind 0 0
> +lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
> EOF
>
> +# if no .ipv4 section in config, then have the container run dhcp
> +grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp
> +
> if [ "$(uname -m)" = "x86_64" ]; then
> cat <<EOF >> $path/config
> lxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
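Review bot: The `grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp` line fixes the DHCP decision at creation time, so a static address added to the config later still leaves the marker in place and the container keeps running dhclient; either document that with a comment such as `# decided once at creation; remove $rootfs/run-dhcp after adding a static lxc.network.ipv4` or re-evaluate it in the init path. If `$path/config` is missing or unreadable, grep fails and the marker is created as a side effect, which is presumably acceptable but worth a note. The unescaped dots in the pattern match any character, so `'^lxc\.network\.ipv4'` is the precise form, and `"$path/config"` and `"$rootfs/run-dhcp"` should be quoted. The surrounding `if [ "$(uname -m)" ...` block and its enclosing function continue outside the hunk.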
> @@ -120,12 +134,12 @@ fi
> usage()
> {
> cat <<EOF
> -$1 -h|--help -p|--path=<path>
> +$1 -h|--help -p|--path=<path> [-S|--auth-key=ssh-pub-key]
> EOF
> return 0
> }
>
> -options=$(getopt -o hp:n: -l help,path:,name: -- "$@")
> +options=$(getopt -o hp:n:S: -l help,path:,name:,auth-key: -- "$@")
> if [ $? -ne 0 ]; then
> usage $(basename $0)
> exit 1
> @@ -137,7 +151,8 @@ do
> case "$1" in
> -h|--help) usage $0 && exit 0;;
> -p|--path) path=$2; shift 2;;
> - -n|--name) name=$2; shift 2;;
> + -n|--name) name=$2; shift 2;;
> + -S|--auth-key) auth_key=$2; shift 2;;
> --) shift 1; break ;;
> *) break ;;
> esac
> @@ -162,6 +177,22 @@ if [ $0 == "/sbin/init" ]; then
> exit 1
> fi
>
> + # run dhcp?
> + if [ -f /run-dhcp ]; then
> + type dhclient
> + if [ $? -ne 0 ]; then
> + echo "can't find dhclient"
> + exit 1
> + fi
> + touch /etc/fstab
> + rm -f /dhclient.conf
> + cat > /dhclient.conf << EOF
> +send host-name "<hostname>";
> +EOF
> + ifconfig eth0 up
> + dhclient eth0 -cf /dhclient.conf
> + fi
> +
> exec @LXCINITDIR@/lxc-init -- /usr/sbin/sshd
> exit 1
> fi
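Review bot: `type dhclient` on the lookup line prints its own output to the container's stdout on both success and failure, and the `echo "can't find dhclient"` goes to stdout rather than stderr; replace the four lines with `command -v dhclient >/dev/null 2>&1 || { echo "can't find dhclient" >&2; exit 1; }`. The `rm -f /dhclient.conf` before `cat > /dhclient.conf` is redundant since the redirection truncates the file. The interface name `eth0` is hard-coded on both the `ifconfig` and `dhclient` lines, and the `touch /etc/fstab` carries no explanation; a comment on why it is needed (presumably something dhclient or its script reads) would help the next reader. This is inside the `if [ $0 == "/sbin/init" ]` branch, whose start is outside the hunk.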
> diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> index 3e84e74..aab941f 100644
> --- a/templates/lxc-ubuntu.in
> +++ b/templates/lxc-ubuntu.in
> @@ -24,6 +24,8 @@
> # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> #
>
> +set -e
> +
> if [ -r /etc/default/lxc ]; then
> . /etc/default/lxc
> fi
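Review bot: Adding `set -e` at the top changes the meaning of every existing `cmd; if [ $? -ne 0 ]` check in the script: when `cmd` fails the shell now exits before the check runs, so the usage messages and cleanup behind those checks become unreachable. The hunk header at `-645` (`if [ $? -ne 0 ]; then`) suggests lxc-ubuntu has at least one such site, and the `options=$(getopt ...)`/`if [ $? -ne 0 ]` pattern in lxc-sshd in this same series is the typical one; those should be converted to `if ! cmd; then` or `cmd || { ...; }` in the same patch. Note also that `set -e` only sees the last command of a pipeline (bash's `set -o pipefail` covers the rest) and is ignored inside `if`/`&&`/`||` conditions, so critical steps still want an explicit `|| exit`. A one-line comment above it stating that any failing command is expected to abort the template would make the intent clear.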
> @@ -52,11 +54,7 @@ EOF
> 127.0.0.1 localhost $hostname
> EOF
>
> - if [ "$release" = "precise" ]; then
> - group="sudo"
> - else
> - group="admin"
> -
> + if [ "$release" != "precise" ]; then
> # suppress log level output for udev
> sed -i "s/=\"err\"/=0/" $rootfs/etc/udev/udev.conf
>
> @@ -65,17 +63,40 @@ EOF
> rm -f $rootfs/etc/init/tty{5,6}.conf
> fi
>
> - chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
> - chroot $rootfs useradd --create-home -s /bin/bash -G $group ubuntu
> - echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
> + if [ -z "$bindhome" ]; then
> + chroot $rootfs useradd --create-home -s /bin/bash ubuntu
> + echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
> + fi
> +
> + return 0
> +}
> +
> +# finish setting up the user in the container by injecting ssh key and
> +# adding sudo group membership.
> +# passed-in user is either 'ubuntu' or the user to bind in from host.
> +finalize_user()
> +{
> + user=$1
> +
> + if [ "$release" = "precise" ]; then
> + groups="sudo"
> + else
> + groups="sudo admin"
> + fi
> +
> + for group in $groups; do
> + chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
> + chroot $rootfs adduser ${user} $group >/dev/null 2>&1 || true
> + done
> +
> if [ -n "$auth_key" -a -f "$auth_key" ]; then
> - u_path="/home/ubuntu/.ssh"
> + u_path="/home/${user}/.ssh"
> root_u_path="$rootfs/$u_path"
> mkdir -p $root_u_path
> cp $auth_key "$root_u_path/authorized_keys"
> - chroot $rootfs chown -R ubuntu: "$u_path"
> + chroot $rootfs chown -R ${user}: "$u_path"
>
> - echo "Inserted SSH public key from $auth_key into /home/ubuntu/.ssh/authorized_keys"
> + echo "Inserted SSH public key from $auth_key into /home/${user}/.ssh/authorized_keys"
> fi
> return 0
> }
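Review bot: In finalize_user, `chroot $rootfs adduser ${user} $group >/dev/null 2>&1 || true` silences the one step that actually grants sudo access, so the script reports success even when the user ends up outside the sudo group; `|| true` is justified on the preceding `groupadd` (the group may already exist), but the adduser line should fail loudly, e.g. `chroot $rootfs adduser ${user} $group >/dev/null || { echo "failed to add $user to group $group" >&2; return 1; }`. The authorized_keys copy below keeps the source file's mode and the `.ssh` directory gets no `chmod`, unlike the lxc-sshd hunk in this series which does `chmod 700`; add `chmod 700 "$root_u_path"` and `chmod 600 "$root_u_path/authorized_keys"` so sshd's StrictModes does not reject the key. For a bound user the key is written into `$rootfs/home/${user}/.ssh` at creation time, but do_bindhome bind-mounts the host home directory over `$rootfs/$h`, so if that home is /home/${user} the injected key is hidden at runtime; if leaving the host's authorized_keys untouched is the intent, say so in a comment, otherwise skip the injection for the bindhome case. The function ending at the first `return 0`/`}` of this hunk starts outside it.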
> @@ -305,7 +326,7 @@ EOF
> cat <<EOF >> $path/config
> lxc.utsname = $name
>
> -lxc.devttydir = $ttydir
> +lxc.devttydir =$ttydir
> lxc.tty = 4
> lxc.pts = 1024
> lxc.rootfs = $rootfs
> @@ -466,9 +487,13 @@ post_process()
> chroot $rootfs apt-get install --force-yes -y python-software-properties
> chroot $rootfs add-apt-repository ppa:ubuntu-virt/ppa
> fi
> - cp /etc/resolv.conf "${rootfs}/etc"
> + cresolvonf="${rootfs}/etc/resolv.conf"
> + mv $cresolvonf ${cresolvonf}.lxcbak
> + cat /etc/resolv.conf > ${cresolvonf}
> chroot $rootfs apt-get update
> chroot $rootfs apt-get install --force-yes -y lxcguest
> + rm -f ${cresolvonf}
> + mv ${cresolvonf}.lxcbak ${cresolvonf}
> fi
>
> # If the container isn't running a native architecture, setup multiarch
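Review bot: If `chroot $rootfs apt-get update` or the lxcguest install fails, the new `set -e` aborts post_process between `cat /etc/resolv.conf > ${cresolvonf}` and the restoring `mv`, leaving the host's resolv.conf in the rootfs (instead of the container's own file or symlink that this change is meant to preserve) and the `.lxcbak` copy behind; capture the status, restore, then return it. The first `mv $cresolvonf ...` also aborts the whole script if the rootfs has no /etc/resolv.conf at all, which may or may not be intended. The variable is spelled `cresolvonf` and is expanded unquoted throughout. The enclosing `post_process` starts outside the hunk.
```shell
cresolvconf="${rootfs}/etc/resolv.conf"
mv "$cresolvconf" "${cresolvconf}.lxcbak"
cat /etc/resolv.conf > "$cresolvconf"
# restore the container's own resolv.conf whether or not apt-get succeeded
rc=0
chroot $rootfs apt-get update \
  && chroot $rootfs apt-get install --force-yes -y lxcguest || rc=$?
rm -f "$cresolvconf"
mv "${cresolvconf}.lxcbak" "$cresolvconf"
[ "$rc" -eq 0 ] || return "$rc"
```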
> @@ -500,20 +525,31 @@ do_bindhome()
> user=$2
>
> # copy /etc/passwd, /etc/shadow, and /etc/group entries into container
> - pwd=`getent passwd $user`
> - if [ $? -ne 0 ]; then
> - echo 'Warning: failed to copy password entry for $user'
> - return
> - else
> - echo $pwd >> $rootfs/etc/passwd
> + pwd=`getent passwd $user` || { echo "Failed to copy password entry for $user"; false; }
> + echo $pwd >> $rootfs/etc/passwd
> +
> + # make sure user's shell exists in the container
> + shell=`echo $pwd | cut -d: -f 7`
> + if [ ! -x $rootfs/$shell ]; then
> + echo "shell $shell for user $user was not found in the container."
> + pkg=`dpkg -S $(readlink -m $shell) | cut -d ':' -f1`
> + echo "Installing $pkg"
> + chroot $rootfs apt-get --force-yes -y install $pkg
> fi
> +
> shad=`getent shadow $user`
> - echo $shad >> $rootfs/etc/shadow
> + echo "$shad" >> $rootfs/etc/shadow
>
> # bind-mount the user's path into the container's /home
> h=`getent passwd $user | cut -d: -f 6`
> mkdir -p $rootfs/$h
> echo "$h $rootfs/$h none bind 0 0" >> $path/fstab
> +
> + # Make sure the group exists in container
> + chroot $rootfs getent group $user || { \
> + grp=`getent group $user`
> + echo "$grp" >> $rootfs/etc/group
> + }
> }
>
> usage()
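Review bot: `pkg=`dpkg -S $(readlink -m $shell) | cut -d ':' -f1`` hides a failing `dpkg -S` because `cut` is the last command of the pipeline, so when the host's dpkg does not know the shell, `$pkg` is empty and `chroot $rootfs apt-get --force-yes -y install $pkg` runs with no package; add `[ -n "$pkg" ] || { echo "cannot determine the package providing $shell" >&2; return 1; }` before the install. The lookup also asks the host's package database for the container's package name, which presumably only works when host and container are the same distribution; a comment stating that assumption would help. `echo $pwd >> $rootfs/etc/passwd` is still unquoted while the shadow line below was fixed to `echo "$shad"`; word-splitting collapses whitespace in the GECOS field, so quote it the same way. The enclosing `do_bindhome` starts outside the hunk.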
> @@ -524,6 +560,8 @@ $1 -h|--help [-a|--arch] [-b|--bindhome <user>] [--trim] [-d|--debug]
> release: lucid | maverick | natty | oneiric | precise
> trim: make a minimal (faster, but not upgrade-safe) container
> bindhome: bind <user>'s home into the container
> + The ubuntu user will not be created, and <user> will have
> + sudo access.
> arch: amd64 or i386: defaults to host arch
> auth-key: SSH Public key file to inject into container
> EOF
> @@ -645,8 +683,12 @@ if [ $? -ne 0 ]; then
> fi
>
> post_process $rootfs $release $trim_container
> -if [ ! -z $bindhome ]; then
> - do_bindhome $rootfs $bindhome
> +
> +if [ -n "$bindhome" ]; then
> + do_bindhome $rootfs $bindhome
> + finalize_user $bindhome
> +else
> + finalize_user ubuntu
> fi
>
> echo ""
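Review bot: The ordering of `do_bindhome $rootfs $bindhome` before `finalize_user $bindhome` is load-bearing but undocumented: finalize_user runs `chroot $rootfs chown -R ${user}:`, which can only resolve `$bindhome` once do_bindhome has appended the user's passwd entry to `$rootfs/etc/passwd`. Add `# do_bindhome first: finalize_user's chown inside the chroot needs the copied passwd entry` above the call. `$bindhome` and `$rootfs` should be quoted on both lines so each is passed as a single argument.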
> --
> 1.7.9.5
>