1 #!/bin/bash
2
3 #
4 # lxc: linux Container library
5
6 # Authors:
7 # Daniel Lezcano <daniel.lezcano@free.fr>
8
9 # This library is free software; you can redistribute it and/or
10 # modify it under the terms of the GNU Lesser General Public
11 # License as published by the Free Software Foundation; either
12 # version 2.1 of the License, or (at your option) any later version.
13
14 # This library is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 # Lesser General Public License for more details.
18
19 # You should have received a copy of the GNU Lesser General Public
20 # License along with this library; if not, write to the Free Software
21 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
22
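#######################################
# Create the directory skeleton sshd needs inside the container rootfs.
# Several of these directories are bind-mount targets of the config that
# copy_configuration writes, so they must exist before the container starts.
# Arguments: $1 - absolute path to the container rootfs (must be non-empty;
#                 an empty value would otherwise create the tree under the
#                 host's /)
# Outputs:   nothing on stdout; mkdir diagnostics go to stderr
# Returns:   0 when every directory exists afterwards, 1 on an empty rootfs
#            argument or when mkdir fails
#######################################
install_sshd()
{
  local rootfs=$1
  local dir

  # Refuse an empty rootfs: "$rootfs/var/run/sshd" would then be /var/run/sshd
  # on the host, silently touching the host filesystem.
  [[ -n "$rootfs" ]] || return 1

  # Paths relative to $rootfs.
  local -a tree=(
    var/run/sshd
    var/empty/sshd
    var/lib/empty/sshd
    etc/init.d
    etc/rc.d
    etc/ssh
    etc/sysconfig/network-scripts
    dev/shm
    run/shm
    proc
    sys
    bin
    sbin
    usr
    tmp
    home
    root
    lib
    lib64
  )

  # One quoted mkdir per entry keeps a rootfs path containing whitespace
  # intact; the previous single word-split string broke on such paths.
  for dir in "${tree[@]}"; do
    mkdir -p -- "$rootfs/$dir" || return 1
  done

  return 0
}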
55
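#######################################
# Populate the minimal sshd setup inside the container rootfs: /etc/passwd,
# /etc/group, the host keys, sshd_config and, optionally, an authorized_keys
# file for root.
# Globals:   auth_key (read) - optional path to a public key file that is
#            installed as root's authorized_keys when it exists
# Arguments: $1 - absolute path to the container rootfs; $1/etc and
#                 $1/etc/ssh must already exist (install_sshd creates them)
# Outputs:   ssh-keygen output and a progress line on stdout when a key
#            is inserted
# Returns:   0 on success; 1 on an empty rootfs argument, when the RSA host
#            key could not be generated, or when the authorized_keys file
#            could not be installed
#######################################
configure_sshd()
{
  local rootfs=$1
  local u_path root_u_path

  # An empty rootfs would redirect the heredocs below onto the host's own
  # /etc/passwd and /etc/group.
  [[ -n "$rootfs" ]] || return 1

  cat <<EOF > "$rootfs/etc/passwd"
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
EOF

  cat <<EOF > "$rootfs/etc/group"
root:x:0:root
sshd:x:74:
EOF

  # sshd cannot start without a loadable host key, so a failed RSA key
  # generation is fatal.  The DSA key stays best-effort: recent OpenSSH
  # releases no longer generate DSA keys, and sshd only warns about a
  # HostKey file it cannot load as long as another key is available.
  ssh-keygen -t rsa -N "" -f "$rootfs/etc/ssh/ssh_host_rsa_key" || return 1
  ssh-keygen -t dsa -N "" -f "$rootfs/etc/ssh/ssh_host_dsa_key"

  # by default setup root password with no password
  # The passwd entry above plus PermitRootLogin/PermitEmptyPasswords below
  # is the template's default access path; supplying -S/--auth-key installs
  # a public key for root instead.  Protocol, KeyRegenerationInterval,
  # ServerKeyBits, RSAAuthentication, RhostsRSAAuthentication and
  # UsePrivilegeSeparation are SSH-1-era / legacy directives that newer
  # OpenSSH releases report as deprecated and ignore; they are kept verbatim
  # so older sshd builds inside the container still accept the file.
  cat <<EOF > "$rootfs/etc/ssh/sshd_config"
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
EOF

  if [[ -n "$auth_key" && -f "$auth_key" ]]; then
    u_path="/root/.ssh"
    root_u_path="$rootfs/$u_path"
    mkdir -p -- "$root_u_path" || return 1
    cp -- "$auth_key" "$root_u_path/authorized_keys" || return 1
    # StrictModes (enabled above) rejects a .ssh directory that is not owned
    # by the user or is group/world writable, hence root:root and 0700.
    chown -R 0:0 "$rootfs/$u_path"
    chmod 700 "$rootfs/$u_path"
    printf '%s\n' "Inserted SSH public key from $auth_key into $rootfs/$u_path"
  fi

  return 0
}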
108
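#######################################
# Append the sshd template's container settings to $path/config.
# Arguments: $1 - container directory holding the config file
#            $2 - container rootfs path; written as lxc.rootfs only when the
#                 config does not already carry that key
#            $3 - container name, written as lxc.utsname (may be empty)
# Outputs:   nothing on stdout
# Returns:   0 on success, 1 if the config file could not be written
#######################################
copy_configuration()
{
  local path=$1
  local rootfs=$2
  local name=$3
  local config="$path/config"

  # Keep an lxc.rootfs set by the caller (or lxc-create); add ours otherwise.
  if ! grep -q "^lxc.rootfs" "$config" 2>/dev/null; then
    printf 'lxc.rootfs = %s\n' "$rootfs" >> "$config" || return 1
  fi

  # The heredoc is emitted verbatim: host /dev, /lib, /bin, /usr, /sbin and
  # /etc/init.d are shared into the container as read-only bind mounts, this
  # very script becomes the container's /sbin/init, and @LXCTEMPLATEDIR@ is
  # substituted at build time.  NOTE(review): the ro flag on the /dev bind
  # restricts the filesystem, not I/O on the shared device nodes, so device
  # access presumably rests on the lxc.cap.drop line and LXC's own device
  # controls — worth confirming before exposing this template widely.
  cat <<EOF >> "$config" || return 1
lxc.utsname = $name
lxc.pts = 1024
lxc.kmsg = 0
lxc.cap.drop = sys_module mac_admin mac_override sys_time

# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined

lxc.mount.entry = /dev dev none ro,bind 0 0
lxc.mount.entry = /lib lib none ro,bind 0 0
lxc.mount.entry = /bin bin none ro,bind 0 0
lxc.mount.entry = /usr usr none ro,bind 0 0
lxc.mount.entry = /sbin sbin none ro,bind 0 0
lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0
lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none bind 0 0
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs ro 0 0
lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
EOF

  # Oracle Linux and Fedora need the following two bind mounted
  if [[ -d /etc/sysconfig/network-scripts ]]; then
    cat <<EOF >> "$config" || return 1
lxc.mount.entry = /etc/sysconfig/network-scripts etc/sysconfig/network-scripts none ro,bind 0 0
EOF
  fi

  if [[ -d /etc/rc.d ]]; then
    cat <<EOF >> "$config" || return 1
lxc.mount.entry = /etc/rc.d etc/rc.d none ro,bind 0 0
EOF
  fi

  # if no .ipv4 section in config, then have the container run dhcp
  # (the marker file is read by the /sbin/init branch of this script)
  if ! grep -q "^lxc.network.ipv4" "$config"; then
    touch "$rootfs/run-dhcp" || return 1
  fi

  if [[ "$(uname -m)" == "x86_64" ]]; then
    cat <<EOF >> "$config" || return 1
lxc.mount.entry = /lib64 lib64 none ro,bind 0 0
EOF
  fi

  return 0
}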
159
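#######################################
# Print the command-line synopsis.
# Arguments: $1 - program name shown at the start of the synopsis
# Outputs:   one synopsis line on stdout (callers rely on stdout: the
#            -h branch does `usage $0 && exit 0`)
# Returns:   0
#######################################
usage()
{
  # Mirrors every option the getopt call at the bottom of the script
  # accepts; -n/--name and -S/--auth-key were previously undocumented.
  cat <<EOF
$1 -h|--help -p|--path=<path> [-n|--name=<name>] [--rootfs=<path>] [-S|--auth-key=<pubkey>]
EOF
  return 0
}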
167
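#######################################
# Resolve a command to its path, terminating the script if it is missing.
# Globals:   cmd_path (written) - resolved path of $1; the /sbin/init branch
#            reads it right after the call
# Arguments: $1 - command name or absolute path to look up
# Outputs:   error message on stderr when the command is not found
# Returns:   0 on success; exits with status 1 when the command is missing
#######################################
check_for_cmd()
{
  # 'command -v' is a shell builtin, so unlike awk (an /etc/alternatives
  # symlink on Ubuntu, and /etc/alternatives is not bind mounted into the
  # container) it is always available here.  It also replaces parsing the
  # output of 'type', whose third word is "hashed" rather than a path once
  # the shell has cached a command.
  if ! cmd_path=$(command -v -- "$1"); then
    printf "The command '%s' is not accessible on the system\n" "$1" >&2
    exit 1
  fi
}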
179
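#######################################
# Entry point.  The same file serves two roles:
#  * run by lxc-create on the host: parse options, then build the rootfs and
#    config via install_sshd / configure_sshd / copy_configuration;
#  * run as /sbin/init inside the container (copy_configuration bind-mounts
#    this script there): optionally bring up DHCP, then exec lxc-init with
#    sshd as the container's only service.
# Globals written: path, rootfs, name, auth_key, config, options, sshd_path
# Requires:  util-linux getopt(1) on the host; root privileges in both roles.
# Note: 'set -u' is deliberately not used — name and auth_key are optional
# and read unset.
#######################################
if ! options=$(getopt -o hp:n:S: -l help,rootfs:,path:,name:,auth-key: -- "$@"); then
  usage "$(basename -- "$0")"
  exit 1
fi
# getopt(1) shell-quotes its output, which is what makes this eval safe for
# arbitrary argument values; do not replace it with a plain 'set -- $options'.
eval set -- "$options"

while true; do
  case "$1" in
    -h|--help) usage "$0" && exit 0;;
    -p|--path) path=$2; shift 2;;
    --rootfs) rootfs=$2; shift 2;;
    -n|--name) name=$2; shift 2;;
    -S|--auth-key) auth_key=$2; shift 2;;
    --) shift 1; break ;;
    *) break ;;
  esac
done

if [[ "$(id -u)" != "0" ]]; then
  printf '%s\n' "This script should be run as 'root'" >&2
  exit 1
fi

# Inside the container this script is bind-mounted as /sbin/init, so $0
# distinguishes the two roles.
if [[ "$0" == "/sbin/init" ]]; then

  PATH="$PATH:/bin:/sbin:/usr/sbin"
  check_for_cmd @LXCINITDIR@/lxc/lxc-init
  check_for_cmd sshd
  sshd_path=$cmd_path

  # run dhcp?  copy_configuration creates /run-dhcp when the container
  # config has no lxc.network.ipv4 entry.
  if [[ -f /run-dhcp ]]; then
    check_for_cmd dhclient
    check_for_cmd ifconfig
    touch /etc/fstab
    rm -f /dhclient.conf
    cat > /dhclient.conf << EOF
send host-name "<hostname>";
EOF
    ifconfig eth0 up
    dhclient eth0 -cf /dhclient.conf
    echo "Container IP address:"
    ifconfig eth0 | grep inet
  fi

  # lxc-init becomes PID 1 and supervises sshd; exec never returns on success.
  exec @LXCINITDIR@/lxc/lxc-init -- "$sshd_path"
  exit 1
fi

if [[ -z "$path" ]]; then
  printf '%s\n' "'path' parameter is required" >&2
  exit 1
fi

# detect rootfs: an explicit --rootfs wins, then an lxc.rootfs line in an
# existing config, else <path>/rootfs.
config="$path/config"
if [[ -z "$rootfs" ]]; then
  if grep -q '^lxc.rootfs' "$config" 2>/dev/null; then
    # Take everything after the first '=' of the first lxc.rootfs line and
    # trim surrounding blanks; the old 'awk -F=' left a leading space that
    # only unquoted expansion happened to drop.
    rootfs=$(awk '/^lxc\.rootfs[[:space:]]*=/ {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
        print v
        exit
      }' "$config")
  else
    rootfs=$path/rootfs
  fi
fi

if ! install_sshd "$rootfs"; then
  printf '%s\n' "failed to install sshd's rootfs" >&2
  exit 1
fi

if ! configure_sshd "$rootfs"; then
  printf '%s\n' "failed to configure sshd template" >&2
  exit 1
fi

if ! copy_configuration "$path" "$rootfs" "$name"; then
  printf '%s\n' "failed to write configuration file" >&2
  exit 1
fi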