fix busybox unpriv
1 #!/bin/bash
2
3 #
4 # lxc: linux Container library
5
6 # Authors:
7 # Daniel Lezcano <daniel.lezcano@free.fr>
8
9 # This library is free software; you can redistribute it and/or
10 # modify it under the terms of the GNU Lesser General Public
11 # License as published by the Free Software Foundation; either
12 # version 2.1 of the License, or (at your option) any later version.
13
14 # This library is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 # Lesser General Public License for more details.
18
19 # You should have received a copy of the GNU Lesser General Public
20 # License along with this library; if not, write to the Free Software
21 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
22
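# Host IDs the container's root user is mapped to.  They stay empty unless
# --mapped-uid / --mapped-gid are given on the command line.
LXC_MAPPED_UID=
LXC_MAPPED_GID=

# Make sure the usual locations are in PATH.  They are appended, so any
# directory already in the caller's PATH is still searched first when
# busybox and dropbear are looked up later.
# ${PATH:+...} keeps an empty or unset PATH from producing a leading ':';
# an empty PATH element means "current directory", which a script that
# must run as root should never search.
export PATH="${PATH:+$PATH:}/usr/sbin:/usr/bin:/sbin:/bin"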
28
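# Report whether the current process runs inside a user namespace.
# Outputs: "yes" or "no" on stdout.
# The answer is "no" when /proc/self/uid_map does not exist, or when it
# holds the single identity mapping "0 0 4294967295"; anything else
# (several mapping lines, or a different single mapping) is "yes".
am_in_userns() {
    local map_file=/proc/self/uid_map
    local line_count mapping

    [ -e "$map_file" ] || { echo no; return; }

    # More than one mapping line can only come from a custom id map.
    line_count=$(wc -l < "$map_file")
    [ "$line_count" -eq 1 ] || { echo yes; return; }

    # Normalise the whitespace-padded columns before comparing.
    mapping=$(awk '{ print $1 " " $2 " " $3 }' "$map_file")
    [ "$mapping" = "0 0 4294967295" ] && { echo no; return; }
    echo yes
}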
36
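# 1 when this script runs inside a user namespace, 0 otherwise.
# install_busybox() reads it to choose between fstab bind-mount entries
# and mknod.  The command substitution is quoted so that an empty result
# makes the comparison false instead of a "[" syntax error.
in_userns=0
[ "$(am_in_userns)" = "yes" ] && in_userns=1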
39
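# Create the directory skeleton, the device entries and the base /etc
# files of a busybox container root filesystem.
# Globals:
#   in_userns (read) - 1 when running inside a user namespace
#   path      (read) - container directory; receives the fstab bind-mount
#                      entries in the user-namespace case
# Arguments:
#   $1 - root filesystem directory to populate
#   $2 - container name (accepted for compatibility, not used here)
# Returns:
#   0 on success, 1 when a directory, device or file step failed
install_busybox()
{
    local rootfs=$1
    local res=0
    local dev
    local -a tree

    # Every path below is built as "$rootfs/...".  With an empty rootfs (or
    # "/") the mkdir/chmod/mknod calls and the appends to etc/passwd would
    # land on the host's own filesystem, so refuse up front.
    case "$rootfs" in
        ""|/) return 1 ;;
    esac

    tree=(
        "$rootfs/selinux"
        "$rootfs/dev"
        "$rootfs/home"
        "$rootfs/root"
        "$rootfs/etc"
        "$rootfs/etc/init.d"
        "$rootfs/bin"
        "$rootfs/usr/bin"
        "$rootfs/sbin"
        "$rootfs/usr/sbin"
        "$rootfs/proc"
        "$rootfs/sys"
        "$rootfs/mnt"
        "$rootfs/tmp"
        "$rootfs/var/log"
        "$rootfs/usr/share/udhcpc"
        "$rootfs/dev/pts"
        "$rootfs/dev/shm"
        "$rootfs/lib"
        "$rootfs/usr/lib"
        "$rootfs/lib64"
        "$rootfs/usr/lib64"
    )

    # An array keeps each directory one word even if rootfs contains spaces.
    mkdir -p -- "${tree[@]}" || return 1
    chmod 755 -- "${tree[@]}" || return 1

    pushd "$rootfs/dev" > /dev/null || return 1

    # minimal devices needed for busybox
    if [ "${in_userns:-0}" -eq 1 ]; then
        # Device nodes cannot be created from inside a user namespace, so
        # the host's nodes are bind-mounted at container start instead.
        if [ -z "$path" ]; then
            # Without a container directory this would append to "/fstab".
            res=1
        else
            for dev in tty console tty0 tty1 ram0 null urandom; do
                echo "/dev/$dev dev/$dev none bind,optional,create=file 0 0" >> "$path/fstab"
            done
        fi
    else
        mknod -m 666 tty     c 5 0 || res=1
        mknod -m 666 console c 5 1 || res=1
        mknod -m 666 tty0    c 4 0 || res=1
        # tty1 and tty5 get their own minor numbers (4,1 and 4,5); with
        # minor 0 both names would be world-writable aliases of tty0.
        mknod -m 666 tty1    c 4 1 || res=1
        mknod -m 666 tty5    c 4 5 || res=1
        mknod -m 600 ram0    b 1 0 || res=1
        mknod -m 666 null    c 1 3 || res=1
        mknod -m 666 zero    c 1 5 || res=1
        mknod -m 666 urandom c 1 9 || res=1
    fi

    popd > /dev/null

    # root user defined
    cat <<EOF >> "$rootfs/etc/passwd"
root:x:0:0:root:/root:/bin/sh
EOF

    cat <<EOF >> "$rootfs/etc/group"
root:x:0:root
EOF

    # mount everything
    cat <<EOF >> "$rootfs/etc/init.d/rcS"
#!/bin/sh
/bin/syslogd
/bin/mount -a
/bin/udhcpc
EOF

    # executable by the owner, read-only for everyone else
    chmod 744 "$rootfs/etc/init.d/rcS" || return 1

    # mount points
    cat <<EOF >> "$rootfs/etc/fstab"
shm /dev/shm tmpfs defaults 0 0
EOF

    # readable by everyone, writable by the owner only
    chmod 644 "$rootfs/etc/fstab" || return 1

    # launch rcS first then make a console available
    # and propose a shell on the tty, the last one is
    # not needed
    cat <<EOF >> "$rootfs/etc/inittab"
::sysinit:/etc/init.d/rcS
tty1::respawn:/bin/getty -L tty1 115200 vt100
console::askfirst:/bin/sh
EOF
    # readable by everyone, writable by the owner only
    chmod 644 "$rootfs/etc/inittab" || return 1

    # udhcpc event script.  The "\$" escapes keep the variables literal so
    # they are expanded when the script runs in the container, not now.
    # NOTE(review): the generated script expands \$domain, \$dns, \$router
    # etc. unquoted; presumably these come from the DHCP lease, so a
    # hostile DHCP server influences what is written to /etc/resolv.conf
    # inside the container.
    cat <<EOF >> "$rootfs/usr/share/udhcpc/default.script"
#!/bin/sh
case "\$1" in
deconfig)
ip addr flush dev \$interface
;;

renew|bound)
# flush all the routes
if [ -n "\$router" ]; then
ip route del default 2> /dev/null
fi

# check broadcast
if [ -n "\$broadcast" ]; then
broadcast="broadcast \$broadcast"
fi

# add a new ip address
ip addr add \$ip/\$mask \$broadcast dev \$interface

if [ -n "\$router" ]; then
ip route add default via \$router dev \$interface
fi

[ -n "\$domain" ] && echo search \$domain > /etc/resolv.conf
for i in \$dns ; do
echo nameserver \$i >> /etc/resolv.conf
done
;;
esac
exit 0
EOF

    # Checked like the other chmod calls: udhcpc cannot run a
    # non-executable event script.
    chmod 744 "$rootfs/usr/share/udhcpc/default.script" || return 1

    return $res
}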
170
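# Copy the host's busybox into the root filesystem, link its applets,
# set the root password and, when dropbear is installed on the host, add
# the ssh tools.
# Arguments:
#   $1 - root filesystem directory prepared by install_busybox
# Outputs:
#   progress, warning and error messages on stdout
# Returns:
#   0 on success, 1 when rootfs is unusable, busybox is missing or a copy
#   failed.  Failures of the symlink, password and host-key steps are not
#   reported through the return value.
configure_busybox()
{
    local rootfs=$1
    local busybox_bin dropbear_bin chpasswd_file util

    # All targets are "$rootfs/..."; an empty rootfs or "/" would copy into
    # and chmod +s files of the host itself.
    case "$rootfs" in
        ""|/) return 1 ;;
    esac

    # Resolve the binary once.  The lookup follows the caller's PATH, so
    # whatever "busybox" comes first there is what gets copied and made
    # setuid below.
    busybox_bin=$(command -v busybox)
    if [ -z "$busybox_bin" ]; then
        echo "busybox executable is not accessible"
        return 1
    fi

    if ! file -L "$busybox_bin" | grep -q "statically linked"; then
        echo "warning : busybox is not statically linked."
        echo "warning : The template script may not correctly"
        echo "warning : setup the container environment."
    fi

    # copy busybox in the rootfs
    if ! cp -- "$busybox_bin" "$rootfs/bin"; then
        echo "failed to copy busybox in the rootfs"
        return 1
    fi

    # symlink busybox for the commands it supports
    # it would be nice to just use "chroot $rootfs busybox --install -s /bin"
    # but that only works right in a chroot with busybox >= 1.19.0
    pushd "$rootfs/bin" > /dev/null || return 1
    ./busybox --help | grep 'Currently defined functions:' -A300 | \
        grep -v 'Currently defined functions:' | tr , '\n' | \
        xargs -n1 ln -s busybox
    popd > /dev/null

    # relink /sbin/init (hard link: same inode as bin/busybox)
    ln "$rootfs/bin/busybox" "$rootfs/sbin/init"

    # passwd exec must be setuid
    # NOTE(review): bin/passwd is presumably one of the applet symlinks
    # created above, and chmod follows symlinks, so this puts the setuid
    # AND setgid bits on the busybox binary itself (sbin/init shares its
    # inode).  "u+s" would be enough for the stated purpose.
    chmod +s "$rootfs/bin/passwd"
    # NOTE(review): created with the default umask; consider restricting
    # the mode, since chpasswd may store the root password hash here.
    touch "$rootfs/etc/shadow"

    # setting passwd for root
    # The password is the fixed, publicly known string "root"; it has to be
    # changed before the container is reachable by anyone else, especially
    # when dropbear is installed below.
    chpasswd_file=$rootfs/root/chpasswd.sh

    # $rootfs is expanded now and becomes shell text in the generated
    # script.  It is wrapped in double quotes there so spaces survive, but
    # a rootfs containing '"', '$' or a backquote would still change what
    # the script executes as root.
    cat <<EOF > "$chpasswd_file"
echo "setting root password to \"root\""

mount -n --bind /lib "$rootfs/lib"
if [ \$? -ne 0 ]; then
echo "Failed bind-mounting /lib at $rootfs/lib"
exit 1
fi

chroot "$rootfs" chpasswd <<EOFF 2>/dev/null
root:root
EOFF


if [ \$? -ne 0 ]; then
echo "Failed to change root password"
exit 1
fi

umount "$rootfs/lib"

EOF

    # Run in a private mount namespace so the /lib bind mount never shows
    # up on the host.  Best effort: the exit status is deliberately not
    # checked, so root may be left without a usable password.
    lxc-unshare -s MOUNT -- /bin/sh < "$chpasswd_file"
    rm -f -- "$chpasswd_file"

    # add ssh functionality if dropbear package available on host
    dropbear_bin=$(command -v dropbear)
    if [ -n "$dropbear_bin" ]; then
        # copy dropbear binary
        if ! cp -- "$dropbear_bin" "$rootfs/usr/sbin"; then
            echo "Failed to copy dropbear in the rootfs"
            return 1
        fi

        # make symlinks to various ssh utilities
        for util in \
            "$rootfs/usr/bin/dbclient" \
            "$rootfs/usr/bin/scp" \
            "$rootfs/usr/bin/ssh" \
            "$rootfs/usr/sbin/dropbearkey" \
            "$rootfs/usr/sbin/dropbearconvert"
        do
            ln -s /usr/sbin/dropbear "$util"
        done

        # add necessary config files
        # Host keys are generated once here; output and failures are
        # discarded, so a missing key goes unnoticed.
        # NOTE(review): DSS/DSA host keys are limited to 1024 bits and are
        # disabled by default in current OpenSSH clients; the dss key is
        # kept only to preserve the existing behaviour.
        mkdir -p "$rootfs/etc/dropbear"
        dropbearkey -t rsa -f "$rootfs/etc/dropbear/dropbear_rsa_host_key" > /dev/null 2>&1
        dropbearkey -t dss -f "$rootfs/etc/dropbear/dropbear_dss_host_key" > /dev/null 2>&1

        echo "'dropbear' ssh utility installed"
    fi

    return 0
}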
271
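# Append the busybox container settings to "<path>/config".
# Arguments:
#   $1 - container directory holding the config file
#   $2 - root filesystem directory
#   $3 - container name, written as lxc.utsname
# Returns:
#   1 when the main settings cannot be appended, otherwise the status of
#   the last write (0 when no fstab entry had to be added)
copy_configuration()
{
    local path=$1
    local rootfs=$2
    local name=$3
    local config="$path/config"
    local dir

    # Only add lxc.rootfs when the config does not already carry one.
    grep -q "^lxc.rootfs" "$config" 2>/dev/null || echo "lxc.rootfs = $rootfs" >> "$config"

    # Only the four capabilities listed in lxc.cap.drop are removed; every
    # other capability (sys_admin included) stays available to the
    # container's root.
    cat <<EOF >> "$config" || return 1
lxc.haltsignal = SIGUSR1
lxc.utsname = $name
lxc.tty = 1
lxc.pts = 1
lxc.cap.drop = sys_module mac_admin mac_override sys_time

# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined
EOF

    # Host library directories are shared with the container read-only,
    # but only where both the host and the rootfs have the directory.
    for dir in lib usr/lib lib64 usr/lib64; do
        if [ -d "/$dir" ] && [ -d "$rootfs/$dir" ]; then
            echo "lxc.mount.entry = /$dir $dir none ro,bind 0 0" >> "$config"
        fi
    done
    echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >> "$config"
    echo "lxc.mount.auto = proc:mixed sys" >> "$config"

    # The fstab exists only when install_busybox wrote bind-mount entries
    # for the user-namespace case.
    if [ -f "$path/fstab" ]; then
        echo "lxc.mount = $path/fstab" >> "$config"
    fi
}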
308
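# Hand the container's config and fstab to the mapped host uid/gid.
# Globals:
#   LXC_MAPPED_UID, LXC_MAPPED_GID (read) - empty or "-1" means "no mapping"
# Arguments:
#   $1 - container directory
# Returns:
#   The status of the last chgrp when a gid mapping was applied, else 0.
#   All chown/chgrp output and errors are discarded, so a failed chown is
#   invisible to the caller.
# NOTE(review): the recursive calls use "<path>/rootfs", not the directory
# given with --rootfs; confirm that is intended when the two differ.
remap_userns()
{
    local path=$1

    # "--" keeps an id that starts with '-' from being parsed as an option.
    if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
        chown -- "$LXC_MAPPED_UID" "$path/config" "$path/fstab" >/dev/null 2>&1
        chown -R root "$path/rootfs" >/dev/null 2>&1
    fi

    if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
        chgrp -- "$LXC_MAPPED_GID" "$path/config" "$path/fstab" >/dev/null 2>&1
        chgrp -R root "$path/rootfs" >/dev/null 2>&1
    fi
}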
323
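# Print the command-line synopsis.
# Arguments:
#   $1 - program name to show
# Outputs:
#   the synopsis on stdout, listing every option the getopt call in this
#   script accepts
# Returns:
#   0 always
usage()
{
    cat <<EOF
$1 -h|--help -p|--path=<path> [--rootfs=<rootfs>] [-n|--name=<name>]
    [--mapped-uid=<uid>] [--mapped-gid=<gid>]
EOF
    return 0
}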
331
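# Parse the command line.
options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- "$@")
if [ $? -ne 0 ]; then
    usage "$(basename "$0")"
    exit 1
fi
# getopt (util-linux) prints a shell-quoted argument list; eval turns it
# back into positional parameters without re-splitting the values.
eval set -- "$options"

while true
do
    case "$1" in
        -h|--help)      usage "$0"; exit 0;;
        -p|--path)      path=$2; shift 2;;
        --rootfs)       rootfs=$2; shift 2;;
        -n|--name)      name=$2; shift 2;;
        --mapped-uid)   LXC_MAPPED_UID=$2; shift 2;;
        --mapped-gid)   LXC_MAPPED_GID=$2; shift 2;;
        --)             shift 1; break ;;
        *)              break ;;
    esac
done

# The steps below create device nodes, set setuid bits and chown files.
if [ "$(id -u)" != "0" ]; then
    echo "This script should be run as 'root'"
    exit 1
fi

if [ -z "$path" ]; then
    echo "'path' parameter is required"
    exit 1
fi

# detect rootfs
# Take the value of a plain "lxc.rootfs = ..." line, trimmed of surrounding
# blanks; keys such as lxc.rootfs.mount are not matched.  If the key
# appears more than once the last occurrence is used (assumed to match how
# lxc treats repeated keys - TODO confirm).  Without a usable value fall
# back to the default location.
config="$path/config"
if [ -z "$rootfs" ]; then
    if [ -f "$config" ]; then
        rootfs=$(sed -n 's/^lxc\.rootfs[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$config" | tail -n 1)
    fi
    [ -n "$rootfs" ] || rootfs=$path/rootfs
fi

# Every later step writes to "$rootfs/...".  With an empty value or "/"
# those writes (mkdir, chmod 755, mknod, appends to etc/passwd, chmod +s)
# would be applied to the host's own filesystem.
case "$rootfs" in
    ""|/)
        echo "refusing to use '$rootfs' as container rootfs"
        exit 1
        ;;
esac

if ! install_busybox "$rootfs" "$name"; then
    echo "failed to install busybox's rootfs"
    exit 1
fi

if ! configure_busybox "$rootfs"; then
    echo "failed to configure busybox template"
    exit 1
fi

if ! copy_configuration "$path" "$rootfs" "$name"; then
    echo "failed to write configuration file"
    exit 1
fi

if ! remap_userns "$path"; then
    echo "failed to remap files to user"
    exit 1
fi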