1 #!/bin/bash
2
3 #
4 # lxc: linux Container library
5
6 # Authors:
7 # Daniel Lezcano <daniel.lezcano@free.fr>
8
9 # This library is free software; you can redistribute it and/or
10 # modify it under the terms of the GNU Lesser General Public
11 # License as published by the Free Software Foundation; either
12 # version 2.1 of the License, or (at your option) any later version.
13
14 # This library is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 # Lesser General Public License for more details.
18
19 # You should have received a copy of the GNU Lesser General Public
20 # License along with this library; if not, write to the Free Software
21 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
22
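# Detect use under userns (unsupported). lxc-create passes --mapped-uid /
# --mapped-gid for unprivileged containers; this template bind mounts host
# directories and must run as real root, so refuse those arguments early.
for arg in "$@"; do
  [ "$arg" = "--" ] && break
  if [[ "$arg" == "--mapped-uid" || "$arg" == "--mapped-gid" ]]; then
    echo "This template can't be used for unprivileged containers." 1>&2
    echo "You may want to try the \"download\" template instead." 1>&2
    exit 1
  fi
done

# Make sure the usual locations are in PATH
export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin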
35
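#######################################
# Create the minimal directory skeleton sshd needs under the rootfs.
# Arguments: $1 - container rootfs directory (must be non-empty)
# Returns:   0 on success, 1 if the rootfs is empty, mkdir fails or the
#            /var/run symlink cannot be created
#######################################
install_sshd()
{
  local rootfs=$1

  # An empty rootfs would create the tree under the host's / instead.
  if [ -z "$rootfs" ]; then
    echo "install_sshd: rootfs directory is empty" 1>&2
    return 1
  fi

  local -a tree=(
    "$rootfs/var/empty/sshd"
    "$rootfs/var/lib/empty/sshd"
    "$rootfs/etc/init.d"
    "$rootfs/etc/rc.d"
    "$rootfs/etc/ssh"
    "$rootfs/etc/sysconfig/network-scripts"
    "$rootfs/dev/shm"
    "$rootfs/run/sshd"
    "$rootfs/proc"
    "$rootfs/sys"
    "$rootfs/bin"
    "$rootfs/sbin"
    "$rootfs/usr"
    "$rootfs/tmp"
    "$rootfs/home"
    "$rootfs/root"
    "$rootfs/lib"
    "$rootfs/lib64"
  )

  # Array + quoting keeps paths with spaces intact (the old string needed
  # word splitting to work).
  mkdir -p -- "${tree[@]}" || return 1

  # /var/run is a symlink to /run; only create it when missing so running
  # the template twice over the same rootfs does not fail on the link.
  if [ ! -L "$rootfs/var/run" ]; then
    ln -s /run "$rootfs/var/run" || return 1
  fi

  return 0
}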
72
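#######################################
# Write the passwd/group entries, host keys and sshd_config the container's
# sshd runs with, and optionally install an authorized key for root.
# Globals:   auth_key (read) - optional path to a public key file
# Arguments: $1 - container rootfs directory (must be non-empty)
# Outputs:   a message on stdout when an authorized key is installed
# Returns:   0 on success, 1 if the rootfs is empty or the RSA host key
#            could not be generated
#######################################
configure_sshd()
{
  local rootfs=$1

  # An empty rootfs would overwrite the host's /etc/passwd, /etc/group and
  # sshd_config below.
  if [ -z "$rootfs" ]; then
    echo "configure_sshd: rootfs directory is empty" 1>&2
    return 1
  fi

  cat <<EOF > "$rootfs/etc/passwd"
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
EOF

  cat <<EOF > "$rootfs/etc/group"
root:x:0:root
sshd:x:74:
EOF

  # Host keys are unencrypted (-N "") because sshd loads them unattended at
  # boot. Existing keys are kept so a re-run does not change the container's
  # host identity (and does not make ssh-keygen prompt to overwrite).
  # sshd will not start without a usable host key, so a failed RSA keygen is
  # fatal; DSA is best-effort because recent OpenSSH releases no longer
  # generate or accept DSA keys.
  if [ ! -f "$rootfs/etc/ssh/ssh_host_rsa_key" ]; then
    ssh-keygen -t rsa -N "" -f "$rootfs/etc/ssh/ssh_host_rsa_key" || return 1
  fi
  if [ ! -f "$rootfs/etc/ssh/ssh_host_dsa_key" ]; then
    ssh-keygen -t dsa -N "" -f "$rootfs/etc/ssh/ssh_host_dsa_key" \
      || echo "warning: no DSA host key generated; sshd will use the RSA key only" 1>&2
  fi

  # by default setup root password with no password: PermitRootLogin and
  # PermitEmptyPasswords below let anyone who can reach the container's
  # port 22 log in as root. Pass -S/--auth-key to also install a public
  # key for root (see the block after this one).
  cat <<EOF > "$rootfs/etc/ssh/sshd_config"
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
EOF

  if [ -n "$auth_key" ] && [ -f "$auth_key" ]; then
    local u_path="/root/.ssh"
    local root_u_path="$rootfs/$u_path"
    mkdir -p -- "$root_u_path"
    cp -- "$auth_key" "$root_u_path/authorized_keys"
    chown -R 0:0 "$root_u_path"
    chmod 700 "$root_u_path"
    # StrictModes is on in the config above: authorized_keys must not be
    # group/world-writable, and cp would otherwise inherit the source mode.
    chmod 600 "$root_u_path/authorized_keys"
    echo "Inserted SSH public key from $auth_key into $rootfs/$u_path"
  fi

  return 0
}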
121
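#######################################
# Append the container configuration (name, dropped capabilities, bind
# mounts) to the config file under $path.
# Arguments: $1 - container directory holding the config file
#            $2 - container rootfs directory (must be non-empty)
#            $3 - container name
# Returns:   0 on success, 1 if an argument is empty or the host's init
#            binary cannot be resolved
#######################################
copy_configuration()
{
  local path=$1
  local rootfs=$2
  local name=$3
  local config="$path/config"
  local host_init init_path

  # Without a rootfs the run-dhcp marker below would land on the host's /.
  if [ -z "$path" ] || [ -z "$rootfs" ]; then
    echo "copy_configuration: path and rootfs must not be empty" 1>&2
    return 1
  fi

  # This template file is bind mounted over the container's init (see the
  # lxc.mount.entry below), so resolve where /sbin/init really lives on the
  # host, relative to /, and use the same path inside the container. An
  # unresolved path would produce a broken mount entry.
  host_init=$(readlink -f /sbin/init) || return 1
  init_path=$(realpath --relative-to=/ "$host_init") || return 1
  [ -n "$init_path" ] || return 1

  grep -q "^lxc.rootfs.path" "$config" 2>/dev/null || echo "lxc.rootfs.path = $rootfs" >> "$config"
  # Host /dev, /lib, /bin, /usr and /sbin are shared read-only with the
  # container; sys_module, mac_admin, mac_override and sys_time are dropped
  # so root inside cannot load modules, change MAC policy or set the clock.
  cat <<EOF >> "$config"
lxc.uts.name = $name
lxc.pty.max = 1024
lxc.cap.drop = sys_module mac_admin mac_override sys_time

# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.apparmor.profile = unconfined

lxc.mount.entry = /dev dev none ro,bind 0 0
lxc.mount.entry = /lib lib none ro,bind 0 0
lxc.mount.entry = /bin bin none ro,bind 0 0
lxc.mount.entry = /usr usr none ro,bind 0 0
lxc.mount.entry = /sbin sbin none ro,bind 0 0
lxc.mount.entry = tmpfs run/sshd tmpfs mode=0644 0 0
lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd $init_path none ro,bind 0 0
lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0

lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
EOF

  # Oracle Linux and Fedora need the following two bind mounted
  if [ -d /etc/sysconfig/network-scripts ]; then
    cat <<EOF >> "$config"
lxc.mount.entry = /etc/sysconfig/network-scripts etc/sysconfig/network-scripts none ro,bind 0 0
EOF
  fi

  if [ -d /etc/rc.d ]; then
    cat <<EOF >> "$config"
lxc.mount.entry = /etc/rc.d etc/rc.d none ro,bind 0 0
EOF
  fi

  # if no .ipv4 section in config, then have the container run dhcp
  # (the marker is read by the init-mode branch of this script)
  grep -q "^lxc.net.0.ipv4.address" "$config" || touch "$rootfs/run-dhcp"

  if [ "$(uname -m)" = "x86_64" ]; then
    cat <<EOF >> "$config"
lxc.mount.entry = /lib64 lib64 none ro,bind 0 0
EOF
  fi

  return 0
}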
173
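#######################################
# Print the command-line synopsis, listing every option the getopt
# specification accepts.
# Arguments: $1 - program name to show
# Outputs:   the synopsis on stdout
# Returns:   0
#######################################
usage()
{
  cat <<EOF
$1 -h|--help -p|--path=<path> [--rootfs=<path>] [-n|--name=<name>] [-S|--auth-key=<keyfile>]
EOF
  return 0
}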
181
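#######################################
# Resolve a command and abort the script if it is not available.
# Globals:   cmd_path (written) - resolved path of the command
# Arguments: $1 - command name or absolute path
# Outputs:   an error message on stdout when the command is missing
# Returns:   0 on success; exits 1 if the command is not accessible
#######################################
check_for_cmd()
{
  # command -v is a shell builtin, so no external tool is needed. That
  # matters in the container, where only a few host directories are bind
  # mounted (the previous cut-based parsing avoided awk for the same reason:
  # awk is an alternatives symlink on ubuntu and /etc/alternatives isn't
  # bind mounted).
  if ! cmd_path=$(command -v "$1") || [ -z "$cmd_path" ]; then
    echo "The command '$1' $cmd_path is not accessible on the system"
    exit 1
  fi
}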
193
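options=$(getopt -o hp:n:S: -l help,rootfs:,path:,name:,auth-key: -- "$@")
if [ $? -ne 0 ]; then
  usage "${0##*/}"
  exit 1
fi
# getopt has already shell-quoted its output, so eval is the intended way to
# turn it back into positional parameters (requires util-linux getopt).
eval set -- "$options"

while true; do
  case "$1" in
    -h|--help) usage "$0" && exit 0;;
    -p|--path) path=$2; shift 2;;
    --rootfs) rootfs=$2; shift 2;;
    -n|--name) name=$2; shift 2;;
    -S|--auth-key) auth_key=$2; shift 2;;
    --) shift 1; break ;;
    *) break ;;
  esac
done

if [ "$(id -u)" != "0" ]; then
  echo "This script should be run as 'root'"
  exit 1
fi

# Inside the container this same file is bind mounted over the init binary
# (see copy_configuration) and runs as /sbin/init: in that mode bring up
# networking if requested and hand over to init.lxc running sshd.
if [ "$0" = "/sbin/init" ]; then

  PATH="$PATH:/bin:/sbin:/usr/sbin"
  check_for_cmd @SBINDIR@/init.lxc
  check_for_cmd sshd
  sshd_path=$cmd_path

  # run dhcp? (/run-dhcp is created by copy_configuration when the config
  # carries no static lxc.net.0.ipv4.address)
  if [ -f /run-dhcp ]; then
    check_for_cmd dhclient
    check_for_cmd ifconfig
    touch /etc/fstab
    rm -f /dhclient.conf
    cat > /dhclient.conf << EOF
send host-name = gethostname();
EOF
    ifconfig eth0 up
    dhclient eth0 -cf /dhclient.conf
    echo "Container IP address:"
    ifconfig eth0 |grep inet
  fi

  exec @SBINDIR@/init.lxc -- "$sshd_path"
  # only reached if exec itself failed
  exit 1
fi

if [ -z "$path" ]; then
  echo "'path' parameter is required"
  exit 1
fi

# detect rootfs
config="$path/config"
if [ -z "$rootfs" ]; then
  if grep -q '^lxc.rootfs.path' "$config" 2>/dev/null ; then
    # accept "key = value" as well as "key=value" and trim the surrounding
    # whitespace so the value can be passed quoted below
    rootfs=$(awk -F= '/^lxc.rootfs.path[ \t]*=/{ sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2 }' "$config")
  else
    rootfs=$path/rootfs
  fi
fi

# An empty rootfs (e.g. an lxc.rootfs.path line awk could not parse) would
# make the steps below write /etc/passwd, /etc/group and sshd_config onto
# the host instead of the container.
case "$rootfs" in
  ""|/)
    echo "could not determine a usable rootfs from $config"
    exit 1
    ;;
esac

if ! install_sshd "$rootfs"; then
  echo "failed to install sshd's rootfs"
  exit 1
fi

if ! configure_sshd "$rootfs"; then
  echo "failed to configure sshd template"
  exit 1
fi

if ! copy_configuration "$path" "$rootfs" "$name"; then
  echo "failed to write configuration file"
  exit 1
fi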