4 # lxc: linux Container library
7 # Daniel Lezcano <daniel.lezcano@free.fr>
9 # This library is free software; you can redistribute it and/or
10 # modify it under the terms of the GNU Lesser General Public
11 # License as published by the Free Software Foundation; either
12 # version 2.1 of the License, or (at your option) any later version.
14 # This library is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 # Lesser General Public License for more details.
19 # You should have received a copy of the GNU Lesser General Public
20 # License along with this library; if not, write to the Free Software
21 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
23 # Detect use under a user namespace: this template cannot run as an unprivileged container (it bind-mounts host paths and relies on real uid 0), so refuse the --mapped-uid/--mapped-gid arguments.
25 [ "$arg" = "--" ] && break
26 if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
27 echo "This template can't be used for unprivileged containers." 1>&2
28 echo "You may want to try the \"download\" template instead." 1>&2
33 # Make sure the usual locations are in PATH
34 export PATH
=$PATH:/usr
/sbin
:/usr
/bin
:/sbin
:/bin
41 $rootfs/var/empty/sshd \
42 $rootfs/var/lib/empty/sshd \
46 $rootfs/etc/sysconfig/network-scripts \
65 ln -s /run
$rootfs/var
/run
77 cat <<EOF > $rootfs/etc/passwd
78 root:x:0:0:root:/root:/bin/bash
79 sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
82 cat <<EOF > $rootfs/etc/group
87 ssh-keygen
-t rsa
-N "" -f $rootfs/etc
/ssh
/ssh_host_rsa_key
88 ssh-keygen
-t dsa
-N "" -f $rootfs/etc
/ssh
/ssh_host_dsa_key
90 # By default root is created without a password, and the sshd_config written below sets "PermitEmptyPasswords yes": if password authentication is enabled, anyone who can reach the container's sshd can log in as root with no credentials. Set a root password, pass --auth-key, or restrict network access before exposing the container.
91 cat <<EOF > $rootfs/etc/ssh/sshd_config
94 HostKey /etc/ssh/ssh_host_rsa_key
95 HostKey /etc/ssh/ssh_host_dsa_key
96 UsePrivilegeSeparation yes
102 PubkeyAuthentication yes
104 HostbasedAuthentication no
105 PermitEmptyPasswords yes
106 ChallengeResponseAuthentication no
109 if [ -n "$auth_key" -a -f "$auth_key" ]; then
111 root_u_path
="$rootfs/$u_path"
112 mkdir
-p $root_u_path
113 cp $auth_key "$root_u_path/authorized_keys"
114 chown
-R 0:0 "$rootfs/$u_path"
115 chmod 700 "$rootfs/$u_path"
116 echo "Inserted SSH public key from $auth_key into $rootfs/$u_path"
128 init_path
=$
(realpath
--relative-to=/ $
(readlink
-f /sbin
/init
))
130 grep -q "^lxc.rootfs" $path/config
2>/dev
/null ||
echo "lxc.rootfs = $rootfs" >> $path/config
131 cat <<EOF >> $path/config
134 lxc.cap.drop = sys_module mac_admin mac_override sys_time
136 # When using LXC with AppArmor, uncomment the next line to run the container unconfined. This removes the AppArmor restrictions on the container; prefer keeping a confined profile and only disable it if a specific workload requires it:
137 #lxc.aa_profile = unconfined
139 lxc.mount.entry = /dev dev none ro,bind 0 0
140 lxc.mount.entry = /lib lib none ro,bind 0 0
141 lxc.mount.entry = /bin bin none ro,bind 0 0
142 lxc.mount.entry = /usr usr none ro,bind 0 0
143 lxc.mount.entry = /sbin sbin none ro,bind 0 0
144 lxc.mount.entry = tmpfs run/sshd tmpfs mode=0644 0 0
145 lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd $init_path none ro,bind 0 0
146 lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
148 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
151 # Oracle Linux and Fedora need the following two directories (/etc/sysconfig/network-scripts and /etc/rc.d) bind mounted from the host; each is mounted read-only and only if it exists on the host
152 if [ -d /etc
/sysconfig
/network-scripts
]; then
153 cat <<EOF >> $path/config
154 lxc.mount.entry = /etc/sysconfig/network-scripts etc/sysconfig/network-scripts none ro,bind 0 0
158 if [ -d /etc
/rc.d
]; then
159 cat <<EOF >> $path/config
160 lxc.mount.entry = /etc/rc.d etc/rc.d none ro,bind 0 0
164 # If the config has no lxc.network.ipv4 entry, create the /run-dhcp marker in the rootfs so the container runs dhclient on eth0 at boot
165 grep -q "^lxc.network.ipv4" $path/config ||
touch $rootfs/run-dhcp
167 if [ "$(uname -m)" = "x86_64" ]; then
168 cat <<EOF >> $path/config
169 lxc.mount.entry = /lib64 lib64 none ro,bind 0 0
177 $1 -h|--help -p|--path=<path> [--rootfs=<path>]
185 if [ $?
-ne 0 ]; then
186 echo "The command '$1' $cmd_path is not accessible on the system"
189 # We use cut instead of awk because awk is an alternatives symlink on Ubuntu
190 # and /etc/alternatives isn't bind mounted into the container
191 cmd_path
=`echo $cmd_path |cut -d ' ' -f 3`
194 options
=$
(getopt
-o hp
:n
:S
: -l help,rootfs
:,path
:,name
:,auth-key
: -- "$@")
195 if [ $?
-ne 0 ]; then
199 eval set -- "$options"
204 -h|
--help) usage
$0 && exit 0;;
205 -p|
--path) path
=$2; shift 2;;
206 --rootfs) rootfs
=$2; shift 2;;
207 -n|
--name) name
=$2; shift 2;;
208 -S|
--auth-key) auth_key
=$2; shift 2;;
209 --) shift 1; break ;;
214 if [ "$(id -u)" != "0" ]; then
215 echo "This script should be run as 'root'"
219 if [ $0 = "/sbin/init" ]; then
221 PATH
="$PATH:/bin:/sbin:/usr/sbin"
222 check_for_cmd @SBINDIR@
/init.lxc
227 if [ -f /run-dhcp
]; then
228 check_for_cmd dhclient
229 check_for_cmd ifconfig
232 cat > /dhclient.conf
<< EOF
233 send host-name = gethostname();
236 dhclient eth0
-cf /dhclient.conf
237 echo "Container IP address:"
238 ifconfig eth0 |
grep inet
241 exec @SBINDIR@
/init.lxc
-- $sshd_path
245 if [ -z "$path" ]; then
246 echo "'path' parameter is required"
251 config
="$path/config"
252 if [ -z "$rootfs" ]; then
253 if grep -q '^lxc.rootfs' $config 2>/dev
/null
; then
254 rootfs
=$
(awk -F= '/^lxc.rootfs =/{ print $2 }' $config)
261 if [ $?
-ne 0 ]; then
262 echo "failed to install sshd's rootfs"
266 configure_sshd
$rootfs
267 if [ $?
-ne 0 ]; then
268 echo "failed to configure sshd template"
272 copy_configuration
$path $rootfs $name
273 if [ $?
-ne 0 ]; then
274 echo "failed to write configuration file"