[mirror_lxc.git] / templates / lxc-sshd.in

#!/bin/bash

#
# lxc: linux Container library

# Authors:
# Daniel Lezcano <daniel.lezcano@free.fr>

# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

# Detect use under userns (unsupported)
for arg in "$@"; do
    [ "$arg" = "--" ] && break
    if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
        echo "This template can't be used for unprivileged containers." 1>&2
        echo "You may want to try the \"download\" template instead." 1>&2
        exit 1
    fi
done

# Make sure the usual locations are in PATH
export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin

install_sshd()
{
    rootfs=$1

    tree="\
$rootfs/var/empty/sshd \
$rootfs/var/lib/empty/sshd \
$rootfs/etc/init.d \
$rootfs/etc/rc.d \
$rootfs/etc/ssh \
$rootfs/etc/sysconfig/network-scripts \
$rootfs/dev/shm \
$rootfs/run/sshd \
$rootfs/proc \
$rootfs/sys \
$rootfs/bin \
$rootfs/sbin \
$rootfs/usr \
$rootfs/tmp \
$rootfs/home \
$rootfs/root \
$rootfs/lib \
$rootfs/lib64"

    mkdir -p $tree
    if [ $? -ne 0 ]; then
        return 1
    fi

    ln -s /run $rootfs/var/run
    if [ $? -ne 0 ]; then
        return 1
    fi

    return 0
}

configure_sshd()
{
    rootfs=$1

    cat <<EOF > $rootfs/etc/passwd
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
EOF

    cat <<EOF > $rootfs/etc/group
root:x:0:root
sshd:x:74:
EOF

ssh-keygen -t rsa -N "" -f $rootfs/etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -N "" -f $rootfs/etc/ssh/ssh_host_dsa_key

    # by default setup root password with no password
    cat <<EOF > $rootfs/etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
EOF

    if [ -n "$auth_key" -a -f "$auth_key" ]; then
        u_path="/root/.ssh"
        root_u_path="$rootfs/$u_path"
        mkdir -p $root_u_path
        cp $auth_key "$root_u_path/authorized_keys"
        chown -R 0:0 "$rootfs/$u_path"
        chmod 700 "$rootfs/$u_path"
        echo "Inserted SSH public key from $auth_key into $rootfs/$u_path"
    fi

    return 0
}

copy_configuration()
{
    path=$1
    rootfs=$2
    name=$3

    init_path=$(realpath --relative-to=/ $(readlink -f /sbin/init))

    grep -q "^lxc.rootfs.path" $path/config 2>/dev/null || echo "lxc.rootfs.path = $rootfs" >> $path/config
cat <<EOF >> $path/config
lxc.uts.name = $name
lxc.pty.max = 1024
lxc.cap.drop = sys_module mac_admin mac_override sys_time

# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.apparmor.profile = unconfined

lxc.mount.entry = /dev dev none ro,bind 0 0
lxc.mount.entry = /lib lib none ro,bind 0 0
lxc.mount.entry = /bin bin none ro,bind 0 0
lxc.mount.entry = /usr usr none ro,bind 0 0
lxc.mount.entry = /sbin sbin none ro,bind 0 0
lxc.mount.entry = tmpfs run/sshd tmpfs mode=0644 0 0
lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd $init_path none ro,bind 0 0
lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0

lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
EOF

    # Oracle Linux and Fedora need the following two bind mounted
    if [ -d /etc/sysconfig/network-scripts ]; then
        cat <<EOF >> $path/config
lxc.mount.entry = /etc/sysconfig/network-scripts etc/sysconfig/network-scripts none ro,bind 0 0
EOF
    fi

    if [ -d /etc/rc.d ]; then
        cat <<EOF >> $path/config
lxc.mount.entry = /etc/rc.d etc/rc.d none ro,bind 0 0
EOF
    fi

    # if no .ipv4 section in config, then have the container run dhcp
    grep -q "^lxc.net.0.ipv4.address" $path/config || touch $rootfs/run-dhcp

    if [ "$(uname -m)" = "x86_64" ]; then
        cat <<EOF >> $path/config
lxc.mount.entry = /lib64 lib64 none ro,bind 0 0
EOF
    fi
}

usage()
{
    cat <<EOF
$1 -h|--help -p|--path=<path> [--rootfs=<path>]
EOF
    return 0
}

check_for_cmd()
{
    cmd_path=`type $1`
    if [ $? -ne 0 ]; then
        echo "The command '$1' $cmd_path is not accessible on the system"
        exit 1
    fi
    # we use cut instead of awk because awk is alternatives symlink on ubuntu
    # and /etc/alternatives isn't bind mounted
    cmd_path=`echo $cmd_path |cut -d ' ' -f 3`
}

options=$(getopt -o hp:n:S: -l help,rootfs:,path:,name:,auth-key: -- "$@")
if [ $? -ne 0 ]; then
        usage $(basename $0)
    exit 1
fi
eval set -- "$options"

while true
do
    case "$1" in
        -h|--help)      usage $0 && exit 0;;
        -p|--path)      path=$2; shift 2;;
        --rootfs)       rootfs=$2; shift 2;;
        -n|--name)      name=$2; shift 2;;
        -S|--auth-key)  auth_key=$2; shift 2;;
        --)             shift 1; break ;;
        *)              break ;;
    esac
done

if [ "$(id -u)" != "0" ]; then
    echo "This script should be run as 'root'"
    exit 1
fi

if [ $0 = "/sbin/init" ]; then

    PATH="$PATH:/bin:/sbin:/usr/sbin"
    check_for_cmd @SBINDIR@/init.lxc
    check_for_cmd sshd
    sshd_path=$cmd_path

    # run dhcp?
    if [ -f /run-dhcp ]; then
        check_for_cmd dhclient
        check_for_cmd ifconfig
        touch /etc/fstab
        rm -f /dhclient.conf
        cat > /dhclient.conf << EOF
send host-name = gethostname();
EOF
        ifconfig eth0 up
        dhclient eth0 -cf /dhclient.conf
        echo "Container IP address:"
        ifconfig eth0 |grep inet
    fi

    exec @SBINDIR@/init.lxc -- $sshd_path
    exit 1
fi

if [ -z "$path" ]; then
    echo "'path' parameter is required"
    exit 1
fi

# detect rootfs
config="$path/config"
if [ -z "$rootfs" ]; then
    if grep -q '^lxc.rootfs.path' $config 2>/dev/null ; then
        rootfs=$(awk -F= '/^lxc.rootfs.path =/{ print $2 }' $config)
    else
        rootfs=$path/rootfs
    fi
fi

install_sshd $rootfs
if [ $? -ne 0 ]; then
    echo "failed to install sshd's rootfs"
    exit 1
fi

configure_sshd $rootfs
if [ $? -ne 0 ]; then
    echo "failed to configure sshd template"
    exit 1
fi

copy_configuration $path $rootfs $name
if [ $? -ne 0 ]; then
    echo "failed to write configuration file"
    exit 1
fi
Commit	Line	Data
c9844b87	1	#!/bin/bash
c9844b87	2
418c73ad DL	3	#
	4	# lxc: linux Container library
	5
	6	# Authors:
	7	# Daniel Lezcano <daniel.lezcano@free.fr>
	8
	9	# This library is free software; you can redistribute it and/or
	10	# modify it under the terms of the GNU Lesser General Public
	11	# License as published by the Free Software Foundation; either
	12	# version 2.1 of the License, or (at your option) any later version.
	13
	14	# This library is distributed in the hope that it will be useful,
	15	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	17	# Lesser General Public License for more details.
	18
	19	# You should have received a copy of the GNU Lesser General Public
	20	# License along with this library; if not, write to the Free Software
250b1eec	21	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
418c73ad	22
8ec981fc	23	# Detect use under userns (unsupported)
c63c04fc	24	for arg in "$@"; do
96283b54 SG	25	[ "$arg" = "--" ] && break
96283b54 SG	26	if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
8ec981fc SG	27	echo "This template can't be used for unprivileged containers." 1>&2
	28	echo "You may want to try the \"download\" template instead." 1>&2
	29	exit 1
	30	fi
	31	done
	32
207bf0e4 SG	33	# Make sure the usual locations are in PATH
	34	export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
	35
418c73ad DL	36	install_sshd()
	37	{
	38	rootfs=$1
	39
	40	tree="\
418c73ad DL	41	$rootfs/var/empty/sshd \
418c73ad DL	42	$rootfs/var/lib/empty/sshd \
18efb001 DE	43	$rootfs/etc/init.d \
18efb001 DE	44	$rootfs/etc/rc.d \
418c73ad	45	$rootfs/etc/ssh \
18efb001	46	$rootfs/etc/sysconfig/network-scripts \
418c73ad	47	$rootfs/dev/shm \
a0430b2f	48	$rootfs/run/sshd \
418c73ad	49	$rootfs/proc \
18efb001	50	$rootfs/sys \
418c73ad DL	51	$rootfs/bin \
	52	$rootfs/sbin \
	53	$rootfs/usr \
	54	$rootfs/tmp \
	55	$rootfs/home \
	56	$rootfs/root \
	57	$rootfs/lib \
	58	$rootfs/lib64"
	59
	60	mkdir -p $tree
	61	if [ $? -ne 0 ]; then
14d9c0f0	62	return 1
c9844b87	63	fi
c9844b87	64
a0430b2f NM	65	ln -s /run $rootfs/var/run
	66	if [ $? -ne 0 ]; then
	67	return 1
	68	fi
	69
418c73ad	70	return 0
c9844b87	71	}
c9844b87	72
418c73ad DL	73	configure_sshd()
	74	{
	75	rootfs=$1
c9844b87	76
418c73ad DL	77	cat <<EOF > $rootfs/etc/passwd
	78	root:x:0:0:root:/root:/bin/bash
	79	sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
	80	EOF
c9844b87	81
418c73ad DL	82	cat <<EOF > $rootfs/etc/group
	83	root:x:0:root
	84	sshd:x:74:
	85	EOF
c9844b87	86
18efb001 DE	87	ssh-keygen -t rsa -N "" -f $rootfs/etc/ssh/ssh_host_rsa_key
18efb001 DE	88	ssh-keygen -t dsa -N "" -f $rootfs/etc/ssh/ssh_host_dsa_key
418c73ad DL	89
	90	# by default setup root password with no password
	91	cat <<EOF > $rootfs/etc/ssh/sshd_config
	92	Port 22
	93	Protocol 2
	94	HostKey /etc/ssh/ssh_host_rsa_key
	95	HostKey /etc/ssh/ssh_host_dsa_key
	96	UsePrivilegeSeparation yes
418c73ad DL	97	SyslogFacility AUTH
	98	LogLevel INFO
	99	LoginGraceTime 120
	100	PermitRootLogin yes
	101	StrictModes yes
418c73ad DL	102	PubkeyAuthentication yes
418c73ad DL	103	IgnoreRhosts yes
418c73ad DL	104	HostbasedAuthentication no
	105	PermitEmptyPasswords yes
	106	ChallengeResponseAuthentication no
	107	EOF
337e1471 SG	108
	109	if [ -n "$auth_key" -a -f "$auth_key" ]; then
	110	u_path="/root/.ssh"
	111	root_u_path="$rootfs/$u_path"
	112	mkdir -p $root_u_path
	113	cp $auth_key "$root_u_path/authorized_keys"
	114	chown -R 0:0 "$rootfs/$u_path"
	115	chmod 700 "$rootfs/$u_path"
ca0a3364	116	echo "Inserted SSH public key from $auth_key into $rootfs/$u_path"
337e1471 SG	117	fi
337e1471 SG	118
418c73ad DL	119	return 0
418c73ad DL	120	}
c9844b87	121
418c73ad DL	122	copy_configuration()
	123	{
	124	path=$1
	125	rootfs=$2
	126	name=$3
	127
7e8aa95e NM	128	init_path=$(realpath --relative-to=/ $(readlink -f /sbin/init))
7e8aa95e NM	129
7a96a068	130	grep -q "^lxc.rootfs.path" $path/config 2>/dev/null \|\| echo "lxc.rootfs.path = $rootfs" >> $path/config
418c73ad	131	cat <<EOF >> $path/config
b67771bc	132	lxc.uts.name = $name
232763d6	133	lxc.pty.max = 1024
eee3ba81	134	lxc.cap.drop = sys_module mac_admin mac_override sys_time
f02ce27d SG	135
f02ce27d SG	136	# When using LXC with apparmor, uncomment the next line to run unconfined:
a1d5fdfd	137	#lxc.apparmor.profile = unconfined
f02ce27d	138
eba7df9e SG	139	lxc.mount.entry = /dev dev none ro,bind 0 0
	140	lxc.mount.entry = /lib lib none ro,bind 0 0
	141	lxc.mount.entry = /bin bin none ro,bind 0 0
	142	lxc.mount.entry = /usr usr none ro,bind 0 0
	143	lxc.mount.entry = /sbin sbin none ro,bind 0 0
a0430b2f	144	lxc.mount.entry = tmpfs run/sshd tmpfs mode=0644 0 0
7e8aa95e	145	lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd $init_path none ro,bind 0 0
18efb001	146	lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
f24a52d5 SG	147
f24a52d5 SG	148	lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
c9844b87	149	EOF
c9844b87	150
18efb001 DE	151	# Oracle Linux and Fedora need the following two bind mounted
	152	if [ -d /etc/sysconfig/network-scripts ]; then
	153	cat <<EOF >> $path/config
	154	lxc.mount.entry = /etc/sysconfig/network-scripts etc/sysconfig/network-scripts none ro,bind 0 0
	155	EOF
	156	fi
	157
	158	if [ -d /etc/rc.d ]; then
	159	cat <<EOF >> $path/config
	160	lxc.mount.entry = /etc/rc.d etc/rc.d none ro,bind 0 0
	161	EOF
	162	fi
	163
337e1471	164	# if no .ipv4 section in config, then have the container run dhcp
9ff60df2	165	grep -q "^lxc.net.0.ipv4.address" $path/config \|\| touch $rootfs/run-dhcp
337e1471 SG	166
	167	if [ "$(uname -m)" = "x86_64" ]; then
	168	cat <<EOF >> $path/config
eba7df9e	169	lxc.mount.entry = /lib64 lib64 none ro,bind 0 0
c9844b87	170	EOF
337e1471	171	fi
c9844b87	172	}
c9844b87	173
418c73ad DL	174	usage()
	175	{
	176	cat <<EOF
1897e3bc	177	$1 -h\|--help -p\|--path=<path> [--rootfs=<path>]
418c73ad DL	178	EOF
	179	return 0
	180	}
c9844b87	181
18efb001 DE	182	check_for_cmd()
	183	{
	184	cmd_path=`type $1`
	185	if [ $? -ne 0 ]; then
	186	echo "The command '$1' $cmd_path is not accessible on the system"
	187	exit 1
	188	fi
	189	# we use cut instead of awk because awk is alternatives symlink on ubuntu
	190	# and /etc/alternatives isn't bind mounted
	191	cmd_path=`echo $cmd_path \|cut -d ' ' -f 3`
	192	}
	193
1897e3bc	194	options=$(getopt -o hp:n:S: -l help,rootfs:,path:,name:,auth-key: -- "$@")
418c73ad DL	195	if [ $? -ne 0 ]; then
418c73ad DL	196	usage $(basename $0)
337e1471	197	exit 1
418c73ad DL	198	fi
	199	eval set -- "$options"
	200
	201	while true
	202	do
	203	case "$1" in
	204	-h\|--help) usage $0 && exit 0;;
	205	-p\|--path) path=$2; shift 2;;
1897e3bc	206	--rootfs) rootfs=$2; shift 2;;
337e1471 SG	207	-n\|--name) name=$2; shift 2;;
337e1471 SG	208	-S\|--auth-key) auth_key=$2; shift 2;;
418c73ad DL	209	--) shift 1; break ;;
	210	*) break ;;
	211	esac
	212	done
c9844b87	213
418c73ad DL	214	if [ "$(id -u)" != "0" ]; then
	215	echo "This script should be run as 'root'"
	216	exit 1
	217	fi
c9844b87	218
17abf278	219	if [ $0 = "/sbin/init" ]; then
c9844b87	220
18efb001	221	PATH="$PATH:/bin:/sbin:/usr/sbin"
8a2fdf50	222	check_for_cmd @SBINDIR@/init.lxc
18efb001 DE	223	check_for_cmd sshd
18efb001 DE	224	sshd_path=$cmd_path
c9844b87	225
337e1471 SG	226	# run dhcp?
337e1471 SG	227	if [ -f /run-dhcp ]; then
18efb001 DE	228	check_for_cmd dhclient
18efb001 DE	229	check_for_cmd ifconfig
337e1471 SG	230	touch /etc/fstab
	231	rm -f /dhclient.conf
	232	cat > /dhclient.conf << EOF
b78b2e23	233	send host-name = gethostname();
337e1471 SG	234	EOF
	235	ifconfig eth0 up
	236	dhclient eth0 -cf /dhclient.conf
c01c25fc	237	echo "Container IP address:"
18efb001	238	ifconfig eth0 \|grep inet
337e1471 SG	239	fi
337e1471 SG	240
8a2fdf50	241	exec @SBINDIR@/init.lxc -- $sshd_path
418c73ad DL	242	exit 1
418c73ad DL	243	fi
c9844b87	244
418c73ad DL	245	if [ -z "$path" ]; then
	246	echo "'path' parameter is required"
	247	exit 1
	248	fi
c9844b87	249
1881820a SH	250	# detect rootfs
1881820a SH	251	config="$path/config"
1897e3bc	252	if [ -z "$rootfs" ]; then
7a96a068 CB	253	if grep -q '^lxc.rootfs.path' $config 2>/dev/null ; then
7a96a068 CB	254	rootfs=$(awk -F= '/^lxc.rootfs.path =/{ print $2 }' $config)
1897e3bc SH	255	else
	256	rootfs=$path/rootfs
	257	fi
1881820a	258	fi
c9844b87	259
418c73ad DL	260	install_sshd $rootfs
	261	if [ $? -ne 0 ]; then
	262	echo "failed to install sshd's rootfs"
	263	exit 1
	264	fi
c9844b87	265
418c73ad DL	266	configure_sshd $rootfs
	267	if [ $? -ne 0 ]; then
	268	echo "failed to configure sshd template"
	269	exit 1
c9844b87	270	fi
c9844b87	271
418c73ad DL	272	copy_configuration $path $rootfs $name
	273	if [ $? -ne 0 ]; then
	274	echo "failed to write configuration file"
c9844b87	275	exit 1
418c73ad	276	fi