[mirror_lxc.git] / templates / lxc-sshd.in

#!/bin/bash

#
# lxc: linux Container library

# Authors:
# Daniel Lezcano <daniel.lezcano@free.fr>

# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

# Detect use under userns (unsupported)
for arg in "$@"; do
    [ "$arg" = "--" ] && break
    if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
        echo "This template can't be used for unprivileged containers." 1>&2
        echo "You may want to try the \"download\" template instead." 1>&2
        exit 1
    fi
done

# Make sure the usual locations are in PATH
export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin

install_sshd()
{
    rootfs=$1

    tree="\
$rootfs/var/run/sshd \
$rootfs/var/empty/sshd \
$rootfs/var/lib/empty/sshd \
$rootfs/etc/init.d \
$rootfs/etc/rc.d \
$rootfs/etc/ssh \
$rootfs/etc/sysconfig/network-scripts \
$rootfs/dev/shm \
$rootfs/run/shm \
$rootfs/proc \
$rootfs/sys \
$rootfs/bin \
$rootfs/sbin \
$rootfs/usr \
$rootfs/tmp \
$rootfs/home \
$rootfs/root \
$rootfs/lib \
$rootfs/lib64"

    mkdir -p $tree
    if [ $? -ne 0 ]; then
        return 1
    fi

    return 0
}

configure_sshd()
{
    rootfs=$1

    cat <<EOF > $rootfs/etc/passwd
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
EOF

    cat <<EOF > $rootfs/etc/group
root:x:0:root
sshd:x:74:
EOF

ssh-keygen -t rsa -N "" -f $rootfs/etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -N "" -f $rootfs/etc/ssh/ssh_host_dsa_key

    # by default setup root password with no password
    cat <<EOF > $rootfs/etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
EOF

    if [ -n "$auth_key" -a -f "$auth_key" ]; then
        u_path="/root/.ssh"
        root_u_path="$rootfs/$u_path"
        mkdir -p $root_u_path
        cp $auth_key "$root_u_path/authorized_keys"
        chown -R 0:0 "$rootfs/$u_path"
        chmod 700 "$rootfs/$u_path"
        echo "Inserted SSH public key from $auth_key into $rootfs/$u_path"
    fi

    return 0
}

copy_configuration()
{
    path=$1
    rootfs=$2
    name=$3

    grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
cat <<EOF >> $path/config
lxc.utsname = $name
lxc.pts = 1024
lxc.cap.drop = sys_module mac_admin mac_override sys_time

# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined

lxc.mount.entry = /dev dev none ro,bind 0 0
lxc.mount.entry = /lib lib none ro,bind 0 0
lxc.mount.entry = /bin bin none ro,bind 0 0
lxc.mount.entry = /usr usr none ro,bind 0 0
lxc.mount.entry = /sbin sbin none ro,bind 0 0
lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0
lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none ro,bind 0 0
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs ro 0 0
lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
EOF

    # Oracle Linux and Fedora need the following two bind mounted
    if [ -d /etc/sysconfig/network-scripts ]; then
        cat <<EOF >> $path/config
lxc.mount.entry = /etc/sysconfig/network-scripts etc/sysconfig/network-scripts none ro,bind 0 0
EOF
    fi

    if [ -d /etc/rc.d ]; then
        cat <<EOF >> $path/config
lxc.mount.entry = /etc/rc.d etc/rc.d none ro,bind 0 0
EOF
    fi

    # if no .ipv4 section in config, then have the container run dhcp
    grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp

    if [ "$(uname -m)" = "x86_64" ]; then
        cat <<EOF >> $path/config
lxc.mount.entry = /lib64 lib64 none ro,bind 0 0
EOF
    fi
}

usage()
{
    cat <<EOF
$1 -h|--help -p|--path=<path> [--rootfs=<path>]
EOF
    return 0
}

check_for_cmd()
{
    cmd_path=`type $1`
    if [ $? -ne 0 ]; then
        echo "The command '$1' $cmd_path is not accessible on the system"
        exit 1
    fi
    # we use cut instead of awk because awk is alternatives symlink on ubuntu
    # and /etc/alternatives isn't bind mounted
    cmd_path=`echo $cmd_path |cut -d ' ' -f 3`
}

options=$(getopt -o hp:n:S: -l help,rootfs:,path:,name:,auth-key: -- "$@")
if [ $? -ne 0 ]; then
        usage $(basename $0)
    exit 1
fi
eval set -- "$options"

while true
do
    case "$1" in
        -h|--help)      usage $0 && exit 0;;
        -p|--path)      path=$2; shift 2;;
        --rootfs)       rootfs=$2; shift 2;;
        -n|--name)      name=$2; shift 2;;
        -S|--auth-key)  auth_key=$2; shift 2;;
        --)             shift 1; break ;;
        *)              break ;;
    esac
done

if [ "$(id -u)" != "0" ]; then
    echo "This script should be run as 'root'"
    exit 1
fi

if [ $0 = "/sbin/init" ]; then

    PATH="$PATH:/bin:/sbin:/usr/sbin"
    check_for_cmd @SBINDIR@/init.lxc
    check_for_cmd sshd
    sshd_path=$cmd_path

    # run dhcp?
    if [ -f /run-dhcp ]; then
        check_for_cmd dhclient
        check_for_cmd ifconfig
        touch /etc/fstab
        rm -f /dhclient.conf
        cat > /dhclient.conf << EOF
send host-name = gethostname();
EOF
        ifconfig eth0 up
        dhclient eth0 -cf /dhclient.conf
        echo "Container IP address:"
        ifconfig eth0 |grep inet
    fi

    exec @SBINDIR@/init.lxc -- $sshd_path
    exit 1
fi

if [ -z "$path" ]; then
    echo "'path' parameter is required"
    exit 1
fi

# detect rootfs
config="$path/config"
if [ -z "$rootfs" ]; then
    if grep -q '^lxc.rootfs' $config 2>/dev/null ; then
        rootfs=$(awk -F= '/^lxc.rootfs =/{ print $2 }' $config)
    else
        rootfs=$path/rootfs
    fi
fi

install_sshd $rootfs
if [ $? -ne 0 ]; then
    echo "failed to install sshd's rootfs"
    exit 1
fi

configure_sshd $rootfs
if [ $? -ne 0 ]; then
    echo "failed to configure sshd template"
    exit 1
fi

copy_configuration $path $rootfs $name
if [ $? -ne 0 ]; then
    echo "failed to write configuration file"
    exit 1
fi
Commit	Line	Data
c9844b87	1	#!/bin/bash
c9844b87	2
418c73ad DL	3	#
	4	# lxc: linux Container library
	5
	6	# Authors:
	7	# Daniel Lezcano <daniel.lezcano@free.fr>
	8
	9	# This library is free software; you can redistribute it and/or
	10	# modify it under the terms of the GNU Lesser General Public
	11	# License as published by the Free Software Foundation; either
	12	# version 2.1 of the License, or (at your option) any later version.
	13
	14	# This library is distributed in the hope that it will be useful,
	15	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	17	# Lesser General Public License for more details.
	18
	19	# You should have received a copy of the GNU Lesser General Public
	20	# License along with this library; if not, write to the Free Software
250b1eec	21	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
418c73ad	22
8ec981fc	23	# Detect use under userns (unsupported)
c63c04fc	24	for arg in "$@"; do
96283b54 SG	25	[ "$arg" = "--" ] && break
96283b54 SG	26	if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
8ec981fc SG	27	echo "This template can't be used for unprivileged containers." 1>&2
	28	echo "You may want to try the \"download\" template instead." 1>&2
	29	exit 1
	30	fi
	31	done
	32
207bf0e4 SG	33	# Make sure the usual locations are in PATH
	34	export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
	35
418c73ad DL	36	install_sshd()
	37	{
	38	rootfs=$1
	39
	40	tree="\
70e27957	41	$rootfs/var/run/sshd \
418c73ad DL	42	$rootfs/var/empty/sshd \
418c73ad DL	43	$rootfs/var/lib/empty/sshd \
18efb001 DE	44	$rootfs/etc/init.d \
18efb001 DE	45	$rootfs/etc/rc.d \
418c73ad	46	$rootfs/etc/ssh \
18efb001	47	$rootfs/etc/sysconfig/network-scripts \
418c73ad	48	$rootfs/dev/shm \
b91b1cd7	49	$rootfs/run/shm \
418c73ad	50	$rootfs/proc \
18efb001	51	$rootfs/sys \
418c73ad DL	52	$rootfs/bin \
	53	$rootfs/sbin \
	54	$rootfs/usr \
	55	$rootfs/tmp \
	56	$rootfs/home \
	57	$rootfs/root \
	58	$rootfs/lib \
	59	$rootfs/lib64"
	60
	61	mkdir -p $tree
	62	if [ $? -ne 0 ]; then
14d9c0f0	63	return 1
c9844b87	64	fi
c9844b87	65
418c73ad	66	return 0
c9844b87	67	}
c9844b87	68
418c73ad DL	69	configure_sshd()
	70	{
	71	rootfs=$1
c9844b87	72
418c73ad DL	73	cat <<EOF > $rootfs/etc/passwd
	74	root:x:0:0:root:/root:/bin/bash
	75	sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
	76	EOF
c9844b87	77
418c73ad DL	78	cat <<EOF > $rootfs/etc/group
	79	root:x:0:root
	80	sshd:x:74:
	81	EOF
c9844b87	82
18efb001 DE	83	ssh-keygen -t rsa -N "" -f $rootfs/etc/ssh/ssh_host_rsa_key
18efb001 DE	84	ssh-keygen -t dsa -N "" -f $rootfs/etc/ssh/ssh_host_dsa_key
418c73ad DL	85
	86	# by default setup root password with no password
	87	cat <<EOF > $rootfs/etc/ssh/sshd_config
	88	Port 22
	89	Protocol 2
	90	HostKey /etc/ssh/ssh_host_rsa_key
	91	HostKey /etc/ssh/ssh_host_dsa_key
	92	UsePrivilegeSeparation yes
	93	KeyRegenerationInterval 3600
	94	ServerKeyBits 768
	95	SyslogFacility AUTH
	96	LogLevel INFO
	97	LoginGraceTime 120
	98	PermitRootLogin yes
	99	StrictModes yes
	100	RSAAuthentication yes
	101	PubkeyAuthentication yes
	102	IgnoreRhosts yes
	103	RhostsRSAAuthentication no
	104	HostbasedAuthentication no
	105	PermitEmptyPasswords yes
	106	ChallengeResponseAuthentication no
	107	EOF
337e1471 SG	108
	109	if [ -n "$auth_key" -a -f "$auth_key" ]; then
	110	u_path="/root/.ssh"
	111	root_u_path="$rootfs/$u_path"
	112	mkdir -p $root_u_path
	113	cp $auth_key "$root_u_path/authorized_keys"
	114	chown -R 0:0 "$rootfs/$u_path"
	115	chmod 700 "$rootfs/$u_path"
ca0a3364	116	echo "Inserted SSH public key from $auth_key into $rootfs/$u_path"
337e1471 SG	117	fi
337e1471 SG	118
418c73ad DL	119	return 0
418c73ad DL	120	}
c9844b87	121
418c73ad DL	122	copy_configuration()
	123	{
	124	path=$1
	125	rootfs=$2
	126	name=$3
	127
1881820a	128	grep -q "^lxc.rootfs" $path/config 2>/dev/null \|\| echo "lxc.rootfs = $rootfs" >> $path/config
418c73ad DL	129	cat <<EOF >> $path/config
	130	lxc.utsname = $name
	131	lxc.pts = 1024
eee3ba81	132	lxc.cap.drop = sys_module mac_admin mac_override sys_time
f02ce27d SG	133
	134	# When using LXC with apparmor, uncomment the next line to run unconfined:
	135	#lxc.aa_profile = unconfined
	136
eba7df9e SG	137	lxc.mount.entry = /dev dev none ro,bind 0 0
	138	lxc.mount.entry = /lib lib none ro,bind 0 0
	139	lxc.mount.entry = /bin bin none ro,bind 0 0
	140	lxc.mount.entry = /usr usr none ro,bind 0 0
	141	lxc.mount.entry = /sbin sbin none ro,bind 0 0
	142	lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0
f4d5cc8e	143	lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none ro,bind 0 0
18efb001 DE	144	lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
	145	lxc.mount.entry = sysfs sys sysfs ro 0 0
	146	lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
c9844b87	147	EOF
c9844b87	148
18efb001 DE	149	# Oracle Linux and Fedora need the following two bind mounted
	150	if [ -d /etc/sysconfig/network-scripts ]; then
	151	cat <<EOF >> $path/config
	152	lxc.mount.entry = /etc/sysconfig/network-scripts etc/sysconfig/network-scripts none ro,bind 0 0
	153	EOF
	154	fi
	155
	156	if [ -d /etc/rc.d ]; then
	157	cat <<EOF >> $path/config
	158	lxc.mount.entry = /etc/rc.d etc/rc.d none ro,bind 0 0
	159	EOF
	160	fi
	161
337e1471 SG	162	# if no .ipv4 section in config, then have the container run dhcp
	163	grep -q "^lxc.network.ipv4" $path/config \|\| touch $rootfs/run-dhcp
	164
	165	if [ "$(uname -m)" = "x86_64" ]; then
	166	cat <<EOF >> $path/config
eba7df9e	167	lxc.mount.entry = /lib64 lib64 none ro,bind 0 0
c9844b87	168	EOF
337e1471	169	fi
c9844b87	170	}
c9844b87	171
418c73ad DL	172	usage()
	173	{
	174	cat <<EOF
1897e3bc	175	$1 -h\|--help -p\|--path=<path> [--rootfs=<path>]
418c73ad DL	176	EOF
	177	return 0
	178	}
c9844b87	179
18efb001 DE	180	check_for_cmd()
	181	{
	182	cmd_path=`type $1`
	183	if [ $? -ne 0 ]; then
	184	echo "The command '$1' $cmd_path is not accessible on the system"
	185	exit 1
	186	fi
	187	# we use cut instead of awk because awk is alternatives symlink on ubuntu
	188	# and /etc/alternatives isn't bind mounted
	189	cmd_path=`echo $cmd_path \|cut -d ' ' -f 3`
	190	}
	191
1897e3bc	192	options=$(getopt -o hp:n:S: -l help,rootfs:,path:,name:,auth-key: -- "$@")
418c73ad DL	193	if [ $? -ne 0 ]; then
418c73ad DL	194	usage $(basename $0)
337e1471	195	exit 1
418c73ad DL	196	fi
	197	eval set -- "$options"
	198
	199	while true
	200	do
	201	case "$1" in
	202	-h\|--help) usage $0 && exit 0;;
	203	-p\|--path) path=$2; shift 2;;
1897e3bc	204	--rootfs) rootfs=$2; shift 2;;
337e1471 SG	205	-n\|--name) name=$2; shift 2;;
337e1471 SG	206	-S\|--auth-key) auth_key=$2; shift 2;;
418c73ad DL	207	--) shift 1; break ;;
	208	*) break ;;
	209	esac
	210	done
c9844b87	211
418c73ad DL	212	if [ "$(id -u)" != "0" ]; then
	213	echo "This script should be run as 'root'"
	214	exit 1
	215	fi
c9844b87	216
17abf278	217	if [ $0 = "/sbin/init" ]; then
c9844b87	218
18efb001	219	PATH="$PATH:/bin:/sbin:/usr/sbin"
8a2fdf50	220	check_for_cmd @SBINDIR@/init.lxc
18efb001 DE	221	check_for_cmd sshd
18efb001 DE	222	sshd_path=$cmd_path
c9844b87	223
337e1471 SG	224	# run dhcp?
337e1471 SG	225	if [ -f /run-dhcp ]; then
18efb001 DE	226	check_for_cmd dhclient
18efb001 DE	227	check_for_cmd ifconfig
337e1471 SG	228	touch /etc/fstab
	229	rm -f /dhclient.conf
	230	cat > /dhclient.conf << EOF
b78b2e23	231	send host-name = gethostname();
337e1471 SG	232	EOF
	233	ifconfig eth0 up
	234	dhclient eth0 -cf /dhclient.conf
c01c25fc	235	echo "Container IP address:"
18efb001	236	ifconfig eth0 \|grep inet
337e1471 SG	237	fi
337e1471 SG	238
8a2fdf50	239	exec @SBINDIR@/init.lxc -- $sshd_path
418c73ad DL	240	exit 1
418c73ad DL	241	fi
c9844b87	242
418c73ad DL	243	if [ -z "$path" ]; then
	244	echo "'path' parameter is required"
	245	exit 1
	246	fi
c9844b87	247
1881820a SH	248	# detect rootfs
1881820a SH	249	config="$path/config"
1897e3bc SH	250	if [ -z "$rootfs" ]; then
1897e3bc SH	251	if grep -q '^lxc.rootfs' $config 2>/dev/null ; then
853d58fd	252	rootfs=$(awk -F= '/^lxc.rootfs =/{ print $2 }' $config)
1897e3bc SH	253	else
	254	rootfs=$path/rootfs
	255	fi
1881820a	256	fi
c9844b87	257
418c73ad DL	258	install_sshd $rootfs
	259	if [ $? -ne 0 ]; then
	260	echo "failed to install sshd's rootfs"
	261	exit 1
	262	fi
c9844b87	263
418c73ad DL	264	configure_sshd $rootfs
	265	if [ $? -ne 0 ]; then
	266	echo "failed to configure sshd template"
	267	exit 1
c9844b87	268	fi
c9844b87	269
418c73ad DL	270	copy_configuration $path $rootfs $name
	271	if [ $? -ne 0 ]; then
	272	echo "failed to write configuration file"
c9844b87	273	exit 1
418c73ad	274	fi