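#!/bin/bash

#
# lxc: linux Container library

# Authors:
# Daniel Lezcano <daniel.lezcano@free.fr>

# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

# Refuse to run under a user namespace (unsupported).
#
# --mapped-uid/--mapped-gid only show up on the command line when the
# template is invoked for an unprivileged (user-namespace) container.  This
# template bind-mounts host directories into the rootfs and insists on a
# real root, so it bails out early rather than producing a rootfs that
# cannot work.  Scanning stops at "--": everything after it belongs to the
# template body and must not be mistaken for one of these flags.
#
# Arguments: the script's own command line ("$@")
# Exits 1 (message on stderr) when a userns flag is present; returns 0 otherwise.
refuse_userns()
{
    local arg
    for arg in "$@"; do
        [ "$arg" = "--" ] && break
        # Two separate tests instead of "-o": the binary -a/-o test operators
        # are obsolescent and become ambiguous once an argument looks like
        # an operator itself.
        if [ "$arg" = "--mapped-uid" ] || [ "$arg" = "--mapped-gid" ]; then
            echo "This template can't be used for unprivileged containers." 1>&2
            echo "You may want to try the \"download\" template instead." 1>&2
            exit 1
        fi
    done
    return 0
}
refuse_userns "$@"

# Make sure the usual locations are in PATH.  The same script is later
# re-executed as the container's init (see the "$0 = /sbin/init" branch),
# where nothing guarantees a sensible PATH.
export PATH="$PATH:/usr/sbin:/usr/bin:/sbin:/bin"
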
418c73ad DL |
36 | install_sshd() |
37 | { | |
38 | rootfs=$1 | |
39 | ||
40 | tree="\ | |
418c73ad DL |
41 | $rootfs/var/empty/sshd \ |
42 | $rootfs/var/lib/empty/sshd \ | |
18efb001 DE |
43 | $rootfs/etc/init.d \ |
44 | $rootfs/etc/rc.d \ | |
418c73ad | 45 | $rootfs/etc/ssh \ |
18efb001 | 46 | $rootfs/etc/sysconfig/network-scripts \ |
418c73ad | 47 | $rootfs/dev/shm \ |
a0430b2f | 48 | $rootfs/run/sshd \ |
418c73ad | 49 | $rootfs/proc \ |
18efb001 | 50 | $rootfs/sys \ |
418c73ad DL |
51 | $rootfs/bin \ |
52 | $rootfs/sbin \ | |
53 | $rootfs/usr \ | |
54 | $rootfs/tmp \ | |
55 | $rootfs/home \ | |
56 | $rootfs/root \ | |
57 | $rootfs/lib \ | |
58 | $rootfs/lib64" | |
59 | ||
60 | mkdir -p $tree | |
61 | if [ $? -ne 0 ]; then | |
14d9c0f0 | 62 | return 1 |
c9844b87 | 63 | fi |
64 | ||
a0430b2f NM |
65 | ln -s /run $rootfs/var/run |
66 | if [ $? -ne 0 ]; then | |
67 | return 1 | |
68 | fi | |
69 | ||
418c73ad | 70 | return 0 |
c9844b87 | 71 | } |
72 | ||
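# Populate the rootfs with a minimal sshd configuration.
#
# Writes /etc/passwd and /etc/group (root plus the privilege-separation
# user), generates the host keys, writes /etc/ssh/sshd_config and, when the
# global $auth_key names an existing file, installs it as root's
# authorized_keys.
#
# Globals:   auth_key (read) - optional path of a public key to authorise for root
# Arguments: $1 - absolute path of the container rootfs
# Returns:   0 on success; 1 if $1 is empty, the RSA host key could not be
#            generated, or the authorized_keys file could not be installed
configure_sshd()
{
    local rootfs=$1
    local keytype keyfile
    local hostkeys=()
    local u_path root_u_path

    # Refuse an empty rootfs: the redirections below would otherwise
    # overwrite the host's own /etc/passwd and /etc/group.
    if [ -z "$rootfs" ]; then
        echo "configure_sshd: rootfs path is empty" 1>&2
        return 1
    fi

    cat <<EOF > "$rootfs/etc/passwd"
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
EOF

    cat <<EOF > "$rootfs/etc/group"
root:x:0:root
sshd:x:74:
EOF

    # Host keys.  RSA is mandatory (sshd needs at least one loadable key and
    # the original config relied on it); ed25519 and DSA are best-effort,
    # because whether ssh-keygen supports them depends on the installed
    # OpenSSH (recent releases drop DSA, old ones lack ed25519).  Only keys
    # that exist on disk get a HostKey line, so sshd is never pointed at a
    # missing file.  A key that is already present is kept, not regenerated.
    for keytype in rsa ed25519 dsa; do
        keyfile="$rootfs/etc/ssh/ssh_host_${keytype}_key"
        if [ ! -f "$keyfile" ]; then
            if [ "$keytype" = "rsa" ]; then
                ssh-keygen -q -t rsa -N "" -f "$keyfile" </dev/null
            else
                ssh-keygen -q -t "$keytype" -N "" -f "$keyfile" </dev/null 2>/dev/null
            fi
        fi
        if [ -f "$keyfile" ]; then
            hostkeys+=("HostKey /etc/ssh/ssh_host_${keytype}_key")
        elif [ "$keytype" = "rsa" ]; then
            echo "configure_sshd: unable to generate the RSA host key $keyfile" 1>&2
            return 1
        fi
    done

    # NOTE(review): PermitRootLogin yes + PermitEmptyPasswords yes are the
    # original "setup root password with no password" default: root is meant
    # to log in with no password at all (no shadow file is written here).
    # That is only acceptable for a throw-away container on a private
    # network; for anything reachable, pass -S/--auth-key and change these
    # to "prohibit-password" / "no".
    {
        cat <<EOF
Port 22
Protocol 2
EOF
        printf '%s\n' "${hostkeys[@]}"
        cat <<EOF
UsePrivilegeSeparation yes
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
EOF
    } > "$rootfs/etc/ssh/sshd_config"

    # Optional: authorise the key given with -S/--auth-key for root.
    if [ -n "$auth_key" ] && [ -f "$auth_key" ]; then
        u_path="/root/.ssh"
        root_u_path="$rootfs/$u_path"
        mkdir -p -- "$root_u_path" || return 1
        cp -- "$auth_key" "$root_u_path/authorized_keys" || return 1
        # With StrictModes yes, sshd rejects a ~/.ssh or authorized_keys that
        # is writable by anyone but the owner, so pin the modes instead of
        # inheriting whatever the source file had.  chown is best-effort: the
        # template runs as root, so the files are root-owned already.
        chown -R 0:0 "$root_u_path"
        chmod 700 "$root_u_path"
        chmod 600 "$root_u_path/authorized_keys"
        echo "Inserted SSH public key from $auth_key into $rootfs/$u_path"
    fi

    return 0
}
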
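# Append the container's LXC configuration to $path/config.
#
# The resulting container is privileged and shares the host's /dev, /lib,
# /bin, /usr, /sbin (plus /lib64 on x86_64) through read-only bind mounts.
# This template file itself is bind-mounted over the resolved init binary,
# which is how the "$0 = /sbin/init" branch further down ends up running
# as the container's init.
#
# Arguments: $1 - container directory (holds the config file)
#            $2 - absolute path of the rootfs
#            $3 - container name (written as lxc.uts.name; may be empty)
# Side effects: creates $rootfs/run-dhcp when the config carries no static
#               IPv4 address, which makes the init branch run dhclient
# Returns:   0 on success; 1 if init could not be resolved or the config
#            could not be written
copy_configuration()
{
    local path=$1
    local rootfs=$2
    local name=$3
    local config="$path/config"
    local init_path

    # Resolved init binary relative to / (e.g. "usr/lib/systemd/systemd").
    # The template is mounted over the resolved file, presumably because a
    # bind mount has to land on the real file rather than the /sbin/init
    # symlink -- confirm.  An unresolvable init would yield a broken mount
    # entry, so that is treated as an error instead.
    init_path=$(realpath --relative-to=/ "$(readlink -f /sbin/init)") || return 1
    [ -n "$init_path" ] || return 1

    grep -q "^lxc.rootfs.path" "$config" 2>/dev/null || echo "lxc.rootfs.path = $rootfs" >> "$config" || return 1

    # NOTE(review): the host's entire /dev is exposed.  "ro" on that bind
    # only prevents the container from creating or modifying device nodes;
    # opening an existing node is governed by the cgroup device policy,
    # which this file does not set -- confirm the global LXC defaults cover
    # it before relying on this template for anything but trusted workloads.
    cat <<EOF >> "$config" || return 1
lxc.uts.name = $name
lxc.pty.max = 1024
lxc.cap.drop = sys_module mac_admin mac_override sys_time

# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.apparmor.profile = unconfined

lxc.mount.entry = /dev dev none ro,bind 0 0
lxc.mount.entry = /lib lib none ro,bind 0 0
lxc.mount.entry = /bin bin none ro,bind 0 0
lxc.mount.entry = /usr usr none ro,bind 0 0
lxc.mount.entry = /sbin sbin none ro,bind 0 0
lxc.mount.entry = tmpfs run/sshd tmpfs mode=0644 0 0
lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd $init_path none ro,bind 0 0
lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0

lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
EOF

    # Oracle Linux and Fedora need the following two bind mounted
    if [ -d /etc/sysconfig/network-scripts ]; then
        cat <<EOF >> "$config" || return 1
lxc.mount.entry = /etc/sysconfig/network-scripts etc/sysconfig/network-scripts none ro,bind 0 0
EOF
    fi

    if [ -d /etc/rc.d ]; then
        cat <<EOF >> "$config" || return 1
lxc.mount.entry = /etc/rc.d etc/rc.d none ro,bind 0 0
EOF
    fi

    # if no .ipv4 section in config, then have the container run dhcp
    grep -q "^lxc.net.0.ipv4.address" "$config" || touch "$rootfs/run-dhcp"

    if [ "$(uname -m)" = "x86_64" ]; then
        cat <<EOF >> "$config" || return 1
lxc.mount.entry = /lib64 lib64 none ro,bind 0 0
EOF
    fi

    return 0
}
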
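# Print the command-line synopsis on stdout.
#
# Lists every option the getopt call below accepts (the previous text
# omitted -n/--name and -S/--auth-key).
#
# Arguments: $1 - program name to show in the synopsis
# Returns:   0
usage()
{
    cat <<EOF
$1 -h|--help -p|--path=<path> [-n|--name=<name>] [--rootfs=<path>] [-S|--auth-key=<pubkey>]
EOF
    return 0
}
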
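# Resolve $1 to the executable file it names and store that path in the
# global $cmd_path; exit 1 when it cannot be found.
#
# Used from the in-container init branch, which needs a file path to hand
# to init.lxc.  "type -P" (a bash builtin) returns only executable files
# found via PATH -- never aliases, functions or builtins -- and needs no
# external helper.  The original parsed "type" output with cut because awk
# is an /etc/alternatives symlink on Ubuntu and /etc/alternatives is not
# bind-mounted into the container; "type -P" sidesteps both the parsing
# and the dependency, and also copes with commands bash has already hashed
# ("foo is hashed (/path)"), which the old field split got wrong.
#
# Globals:   cmd_path (written) - absolute path of the executable
# Arguments: $1 - command name or absolute path
# Exits 1 (message on stderr) when $1 is not an executable reachable via PATH.
check_for_cmd()
{
    if ! cmd_path=$(type -P "$1") || [ -z "$cmd_path" ]; then
        echo "The command '$1' is not accessible on the system" 1>&2
        exit 1
    fi
}
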
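# Command-line parsing.  util-linux getopt is used so the long options are
# accepted; its output is shell-quoted, and "eval set" re-splits it into
# positional parameters.  The arguments come from the lxc-create invocation,
# i.e. from the (root) operator running this template.
options=$(getopt -o hp:n:S: -l help,rootfs:,path:,name:,auth-key: -- "$@")
if [ $? -ne 0 ]; then
    usage "$(basename "$0")"
    exit 1
fi
eval set -- "$options"

while :; do
    case "$1" in
        -h|--help)     usage "$(basename "$0")"; exit 0;;
        -p|--path)     path=$2; shift 2;;
        --rootfs)      rootfs=$2; shift 2;;
        -n|--name)     name=$2; shift 2;;
        -S|--auth-key) auth_key=$2; shift 2;;
        --)            shift 1; break;;
        *)             break;;
    esac
done

# Everything below either writes into the rootfs or, when re-executed as
# the container's init, starts sshd: both need root.
if [ "$(id -u)" != "0" ]; then
    echo "This script should be run as 'root'" 1>&2
    exit 1
fi
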
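# In-container init branch.  copy_configuration bind-mounts this script over
# the container's init binary, so when it is started as PID 1 ($0 is
# /sbin/init) it brings up networking if requested and execs sshd under
# init.lxc instead of acting as a template.
if [ "$0" = "/sbin/init" ]; then

    PATH="$PATH:/bin:/sbin:/usr/sbin"
    check_for_cmd @SBINDIR@/init.lxc
    check_for_cmd sshd
    sshd_path=$cmd_path

    # run dhcp?  /run-dhcp is created by copy_configuration when the
    # container config carries no static IPv4 address.
    if [ -f /run-dhcp ]; then
        check_for_cmd dhclient
        touch /etc/fstab
        rm -f /dhclient.conf
        cat > /dhclient.conf << EOF
send host-name = gethostname();
EOF
        # ifconfig is the historical choice; since /sbin and /bin come from
        # the host, fall back to iproute2 on hosts that no longer ship
        # net-tools instead of failing outright.
        if type -P ifconfig >/dev/null 2>&1; then
            ifconfig eth0 up
        else
            check_for_cmd ip
            ip link set dev eth0 up
        fi
        dhclient eth0 -cf /dhclient.conf
        echo "Container IP address:"
        if type -P ifconfig >/dev/null 2>&1; then
            ifconfig eth0 | grep inet
        else
            ip addr show dev eth0 | grep inet
        fi
    fi

    # Quoted: $sshd_path is a filesystem path and must stay one argument.
    exec @SBINDIR@/init.lxc -- "$sshd_path"
    exit 1
fi
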
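if [ -z "$path" ]; then
    echo "'path' parameter is required" 1>&2
    exit 1
fi

# Detect the rootfs: an explicit --rootfs wins; otherwise take
# lxc.rootfs.path from an existing config, else default to $path/rootfs.
# Any spacing around "=" is accepted, and the leading blank that the
# "key = value" form carries is stripped (the previous awk only matched
# "lxc.rootfs.path =" and would otherwise have left $rootfs empty).
config="$path/config"
if [ -z "$rootfs" ]; then
    if grep -q '^lxc.rootfs.path' "$config" 2>/dev/null; then
        rootfs=$(awk '/^lxc\.rootfs\.path[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$config")
    else
        rootfs=$path/rootfs
    fi
fi

# An empty rootfs would make every "$rootfs/..." path written by the steps
# below point into the host's own filesystem (e.g. /etc/passwd), so refuse
# it here rather than rely on a later step failing first.
if [ -z "$rootfs" ]; then
    echo "could not determine the container rootfs from $config" 1>&2
    exit 1
fi

install_sshd "$rootfs"
if [ $? -ne 0 ]; then
    echo "failed to install sshd's rootfs" 1>&2
    exit 1
fi

configure_sshd "$rootfs"
if [ $? -ne 0 ]; then
    echo "failed to configure sshd template" 1>&2
    exit 1
fi

copy_configuration "$path" "$rootfs" "$name"
if [ $? -ne 0 ]; then
    echo "failed to write configuration file" 1>&2
    exit 1
fi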