4 # lxc: linux Container library
7 # Daniel Lezcano <daniel.lezcano@free.fr>
9 # This library is free software; you can redistribute it and/or
10 # modify it under the terms of the GNU Lesser General Public
11 # License as published by the Free Software Foundation; either
12 # version 2.1 of the License, or (at your option) any later version.
14 # This library is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 # Lesser General Public License for more details.
19 # You should have received a copy of the GNU Lesser General Public
20 # License along with this library; if not, write to the Free Software
21 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
28 $rootfs/var/run/sshd \
29 $rootfs/var/empty/sshd \
30 $rootfs/var/lib/empty/sshd \
34 $rootfs/etc/sysconfig/network-scripts \
60 cat <<EOF > $rootfs/etc/passwd
61 root:x:0:0:root:/root:/bin/bash
62 sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
65 cat <<EOF > $rootfs/etc/group
70 ssh-keygen
-t rsa
-N "" -f $rootfs/etc
/ssh
/ssh_host_rsa_key
71 ssh-keygen
-t dsa
-N "" -f $rootfs/etc
/ssh
/ssh_host_dsa_key
73 # by default, set up the root account with an empty password
74 cat <<EOF > $rootfs/etc/ssh/sshd_config
77 HostKey /etc/ssh/ssh_host_rsa_key
78 HostKey /etc/ssh/ssh_host_dsa_key
79 UsePrivilegeSeparation yes
80 KeyRegenerationInterval 3600
88 PubkeyAuthentication yes
90 RhostsRSAAuthentication no
91 HostbasedAuthentication no
92 PermitEmptyPasswords yes
93 ChallengeResponseAuthentication no
96 if [ -n "$auth_key" -a -f "$auth_key" ]; then
98 root_u_path
="$rootfs/$u_path"
100 cp $auth_key "$root_u_path/authorized_keys"
101 chown
-R 0:0 "$rootfs/$u_path"
102 chmod 700 "$rootfs/$u_path"
103 echo "Inserted SSH public key from $auth_key into $rootfs/$u_path"
115 grep -q "^lxc.rootfs" $path/config
2>/dev
/null ||
echo "lxc.rootfs = $rootfs" >> $path/config
116 cat <<EOF >> $path/config
120 lxc.cap.drop = sys_module mac_admin mac_override sys_time
122 # When using LXC with apparmor, uncomment the next line to run unconfined:
123 #lxc.aa_profile = unconfined
125 lxc.mount.entry = /dev dev none ro,bind 0 0
126 lxc.mount.entry = /lib lib none ro,bind 0 0
127 lxc.mount.entry = /bin bin none ro,bind 0 0
128 lxc.mount.entry = /usr usr none ro,bind 0 0
129 lxc.mount.entry = /sbin sbin none ro,bind 0 0
130 lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0
131 lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none bind 0 0
132 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
133 lxc.mount.entry = sysfs sys sysfs ro 0 0
134 lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
137 # Oracle Linux and Fedora need the following two directories bind-mounted
138 if [ -d /etc
/sysconfig
/network-scripts
]; then
139 cat <<EOF >> $path/config
140 lxc.mount.entry = /etc/sysconfig/network-scripts etc/sysconfig/network-scripts none ro,bind 0 0
144 if [ -d /etc
/rc.d
]; then
145 cat <<EOF >> $path/config
146 lxc.mount.entry = /etc/rc.d etc/rc.d none ro,bind 0 0
150 # if there is no .ipv4 section in the config, have the container run dhcp
151 grep -q "^lxc.network.ipv4" $path/config ||
touch $rootfs/run-dhcp
153 if [ "$(uname -m)" = "x86_64" ]; then
154 cat <<EOF >> $path/config
155 lxc.mount.entry = /lib64 lib64 none ro,bind 0 0
163 $1 -h|--help -p|--path=<path> [--rootfs=<path>]
171 if [ $?
-ne 0 ]; then
172 echo "The command '$1' $cmd_path is not accessible on the system"
175 # we use cut instead of awk because awk is an alternatives symlink on ubuntu
176 # and /etc/alternatives isn't bind-mounted
177 cmd_path
=`echo $cmd_path |cut -d ' ' -f 3`
180 options
=$
(getopt
-o hp
:n
:S
: -l help,rootfs
:,path
:,name
:,auth-key
: -- "$@")
181 if [ $?
-ne 0 ]; then
185 eval set -- "$options"
190 -h|
--help) usage
$0 && exit 0;;
191 -p|
--path) path
=$2; shift 2;;
192 --rootfs) rootfs
=$2; shift 2;;
193 -n|
--name) name
=$2; shift 2;;
194 -S|
--auth-key) auth_key
=$2; shift 2;;
195 --) shift 1; break ;;
200 if [ "$(id -u)" != "0" ]; then
201 echo "This script should be run as 'root'"
205 if [ $0 == "/sbin/init" ]; then
207 PATH
="$PATH:/bin:/sbin:/usr/sbin"
208 check_for_cmd @LXCINITDIR@
/lxc
/lxc-init
213 if [ -f /run-dhcp
]; then
214 check_for_cmd dhclient
215 check_for_cmd ifconfig
218 cat > /dhclient.conf
<< EOF
219 send host-name "<hostname>";
222 dhclient eth0
-cf /dhclient.conf
223 echo "Container IP address:"
224 ifconfig eth0 |
grep inet
227 exec @LXCINITDIR@
/lxc
/lxc-init
-- $sshd_path
231 if [ -z "$path" ]; then
232 echo "'path' parameter is required"
237 config
="$path/config"
238 if [ -z "$rootfs" ]; then
239 if grep -q '^lxc.rootfs' $config 2>/dev
/null
; then
240 rootfs
=`grep 'lxc.rootfs =' $config | awk -F= '{ print $2 }'`
247 if [ $?
-ne 0 ]; then
248 echo "failed to install sshd's rootfs"
252 configure_sshd
$rootfs
253 if [ $?
-ne 0 ]; then
254 echo "failed to configure sshd template"
258 copy_configuration
$path $rootfs $name
259 if [ $?
-ne 0 ]; then
260 echo "failed to write configuration file"