#!/bin/bash

#
# lxc: linux Container library

# Authors:
# Daniel Lezcano <daniel.lezcano@free.fr>

# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

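#######################################
# Create the directory skeleton sshd needs inside the container rootfs.
# The bin/sbin/usr/lib(64)/dev/proc entries are the mount points that the
# bind mounts written by copy_configuration() attach to.
# Arguments: $1 - path to the container rootfs
# Returns:   0 on success, 1 if $1 is empty or a directory cannot be created
#######################################
install_sshd()
{
    local rootfs=$1

    # An empty rootfs would turn every path below into a host path
    # (/var/run/sshd, /proc, ...) and create them on the host as root.
    [[ -n "$rootfs" ]] || return 1

    local -a tree=(
        "$rootfs/var/run/sshd"
        "$rootfs/var/empty/sshd"
        "$rootfs/var/lib/empty/sshd"
        "$rootfs/etc/ssh"
        "$rootfs/dev/shm"
        "$rootfs/run/shm"
        "$rootfs/proc"
        "$rootfs/bin"
        "$rootfs/sbin"
        "$rootfs/usr"
        "$rootfs/tmp"
        "$rootfs/home"
        "$rootfs/root"
        "$rootfs/lib"
        "$rootfs/lib64"
    )

    # Quoted array expansion keeps a rootfs path containing spaces intact.
    if ! mkdir -p -- "${tree[@]}"; then
        return 1
    fi

    return 0
}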
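#######################################
# Write the minimal account database, the host keys and the sshd_config
# the container runs with, and optionally install a public key for root.
# Globals:   auth_key (read) - optional path to a public key file
# Arguments: $1 - path to the container rootfs (etc/ssh must already exist)
# Outputs:   one progress line on stdout when a key is installed;
#            a warning on stderr if the DSA host key cannot be generated
# Returns:   0 on success, 1 if a file cannot be written or the RSA host key
#            cannot be generated
#######################################
configure_sshd()
{
    local rootfs=$1
    [[ -n "$rootfs" ]] || return 1

    cat <<EOF > "$rootfs/etc/passwd" || return 1
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
EOF

    cat <<EOF > "$rootfs/etc/group" || return 1
root:x:0:root
sshd:x:74:
EOF

    # -N '' gives the host keys an empty passphrase: without it ssh-keygen
    # prompts on the terminal, and sshd cannot load a passphrase-protected
    # host key anyway. stdin is closed so a stale key never blocks on the
    # "Overwrite?" prompt.
    ssh-keygen -q -t rsa -N '' -f "$rootfs/etc/ssh/ssh_host_rsa_key" </dev/null \
        || return 1
    # Newer OpenSSH builds no longer generate DSA keys; treat the DSA key as
    # best-effort so the template still works with the RSA host key alone.
    ssh-keygen -q -t dsa -N '' -f "$rootfs/etc/ssh/ssh_host_dsa_key" </dev/null \
        || echo "warning: could not generate DSA host key, continuing with RSA only" >&2

    # by default setup root password with no password
    # NOTE(review): PermitRootLogin yes + PermitEmptyPasswords yes make root
    # reachable without credentials on port 22. Only expose this container
    # on a trusted network, or pass -S/--auth-key and tighten this file.
    cat <<EOF > "$rootfs/etc/ssh/sshd_config" || return 1
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
EOF

    if [[ -n "$auth_key" && -f "$auth_key" ]]; then
        local u_path="/root/.ssh"
        local root_u_path="$rootfs/$u_path"
        mkdir -p -- "$root_u_path" || return 1
        cp -- "$auth_key" "$root_u_path/authorized_keys" || return 1
        # The script already requires root (checked at top level), so the
        # chown is expected to succeed; its status is deliberately not checked.
        chown -R 0:0 "$root_u_path"
        # StrictModes yes: sshd rejects a key file or directory that is
        # group/world writable, so pin both modes instead of inheriting the
        # mode of the caller's key file.
        chmod 700 "$root_u_path"
        chmod 600 "$root_u_path/authorized_keys"
        # The key is installed for root, so report that path (the old
        # message named /home/ubuntu, which this template never creates).
        echo "Inserted SSH public key from $auth_key into $u_path/authorized_keys"
    fi

    return 0
}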
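#######################################
# Append the container's lxc settings (hostname, rootfs and read-only bind
# mounts of the host's binaries and libraries) to $path/config.
# Arguments: $1 - container directory holding the config file
#            $2 - path to the container rootfs
#            $3 - container name, written as lxc.utsname
# Outputs:   creates $rootfs/run-dhcp when the config has no lxc.network.ipv4
#            line, which makes the container's init run dhclient
# Returns:   0 on success, 1 if the config file or the run-dhcp marker
#            cannot be written
#######################################
copy_configuration()
{
    local path=$1
    local rootfs=$2
    local name=$3

    cat <<EOF >> "$path/config" || return 1
lxc.utsname = $name
lxc.pts = 1024
lxc.rootfs = $rootfs

# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined

lxc.mount.entry=/dev dev none ro,bind 0 0
lxc.mount.entry=/lib lib none ro,bind 0 0
lxc.mount.entry=/bin bin none ro,bind 0 0
lxc.mount.entry=/usr usr none ro,bind 0 0
lxc.mount.entry=/sbin sbin none ro,bind 0 0
lxc.mount.entry=tmpfs var/run/sshd tmpfs mode=0644 0 0
lxc.mount.entry=@LXCTEMPLATEDIR@/lxc-sshd sbin/init none bind 0 0
lxc.mount.entry=proc $rootfs/proc proc nodev,noexec,nosuid 0 0
EOF

    # if no .ipv4 section in config, then have the container run dhcp
    if ! grep -q "^lxc.network.ipv4" "$path/config"; then
        touch "$rootfs/run-dhcp" || return 1
    fi

    if [[ "$(uname -m)" == "x86_64" ]]; then
        cat <<EOF >> "$path/config" || return 1
lxc.mount.entry=/lib64 lib64 none ro,bind 0 0
EOF
    fi

    return 0
}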
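#######################################
# Print the command-line synopsis. Lists every option the getopt call
# accepts (-n/--name and -S/--auth-key were previously missing).
# Arguments: $1 - program name to show in the synopsis
# Outputs:   synopsis on stdout
# Returns:   0
#######################################
usage()
{
    cat <<EOF
$1 -h|--help -p|--path=<path> [-n|--name=<name>] [-S|--auth-key=<keyfile>]
EOF
    return 0
}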
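# --- command line ----------------------------------------------------------
# util-linux getopt re-quotes the arguments for "eval set --"; that is the
# documented idiom and the only eval in this script.
if ! options=$(getopt -o hp:n:S: -l help,path:,name:,auth-key: -- "$@"); then
    usage "${0##*/}"
    exit 1
fi
eval set -- "$options"

# Start from empty values so a stray environment variable (notably auth_key)
# cannot silently feed the template.
path=
name=
auth_key=
while true; do
    case "$1" in
        -h|--help) usage "${0##*/}" && exit 0;;
        -p|--path) path=$2; shift 2;;
        -n|--name) name=$2; shift 2;;
        -S|--auth-key) auth_key=$2; shift 2;;
        --) shift 1; break;;
        *) break;;
    esac
done

if [[ "$(id -u)" != "0" ]]; then
    echo "This script should be run as 'root'" >&2
    exit 1
fi

# copy_configuration() bind-mounts this very script over sbin/init in the
# container, so when $0 is /sbin/init we are the container's init: bring up
# networking if requested and hand over to lxc-init running sshd.
if [[ "$0" == "/sbin/init" ]]; then

    if ! command -v @LXCINITDIR@/lxc-init >/dev/null 2>&1; then
        echo "'lxc-init' is not accessible on the system" >&2
        exit 1
    fi

    # Check the path that is exec'd below rather than a PATH lookup.
    if [[ ! -x /usr/sbin/sshd ]]; then
        echo "'sshd' is not accessible on the system" >&2
        exit 1
    fi

    # run dhcp? (marker is created by copy_configuration when the config has
    # no static lxc.network.ipv4 entry)
    if [[ -f /run-dhcp ]]; then
        if ! command -v dhclient >/dev/null 2>&1; then
            echo "can't find dhclient" >&2
            exit 1
        fi
        touch /etc/fstab
        rm -f /dhclient.conf
        cat > /dhclient.conf << EOF
send host-name "<hostname>";
EOF
        ifconfig eth0 up
        dhclient eth0 -cf /dhclient.conf
    fi

    exec @LXCINITDIR@/lxc-init -- /usr/sbin/sshd
    # exec only returns when lxc-init could not be started
    exit 1
fi

if [[ -z "$path" ]]; then
    echo "'path' parameter is required" >&2
    exit 1
fi

rootfs=$path/rootfs

if ! install_sshd "$rootfs"; then
    echo "failed to install sshd's rootfs" >&2
    exit 1
fi

if ! configure_sshd "$rootfs"; then
    echo "failed to configure sshd template" >&2
    exit 1
fi

if ! copy_configuration "$path" "$rootfs" "$name"; then
    echo "failed to write configuration file" >&2
    exit 1
fi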