4 # lxc: linux Container library
7 # Daniel Lezcano <daniel.lezcano@free.fr>
9 # This library is free software; you can redistribute it and/or
10 # modify it under the terms of the GNU Lesser General Public
11 # License as published by the Free Software Foundation; either
12 # version 2.1 of the License, or (at your option) any later version.
14 # This library is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 # Lesser General Public License for more details.
19 # You should have received a copy of the GNU Lesser General Public
20 # License along with this library; if not, write to the Free Software
21 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
23 # Detect use under userns (unsupported)
25 [ "$arg" = "--" ] && break
26 if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
27 echo "This template can't be used for unprivileged containers." 1>&2
28 echo "You may want to try the \"download\" template instead." 1>&2
33 # Make sure the usual locations are in PATH
34 export PATH
=$PATH:/usr
/sbin
:/usr
/bin
:/sbin
:/bin
41 $rootfs/var/run/sshd \
42 $rootfs/var/empty/sshd \
43 $rootfs/var/lib/empty/sshd \
47 $rootfs/etc/sysconfig/network-scripts \
73 cat <<EOF > $rootfs/etc/passwd
74 root:x:0:0:root:/root:/bin/bash
75 sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
78 cat <<EOF > $rootfs/etc/group
83 ssh-keygen
-t rsa
-N "" -f $rootfs/etc
/ssh
/ssh_host_rsa_key
84 ssh-keygen
-t dsa
-N "" -f $rootfs/etc
/ssh
/ssh_host_dsa_key
86 # by default, root is set up with no password (the sshd_config written below permits empty passwords)
87 cat <<EOF > $rootfs/etc/ssh/sshd_config
90 HostKey /etc/ssh/ssh_host_rsa_key
91 HostKey /etc/ssh/ssh_host_dsa_key
92 UsePrivilegeSeparation yes
93 KeyRegenerationInterval 3600
100 RSAAuthentication yes
101 PubkeyAuthentication yes
103 RhostsRSAAuthentication no
104 HostbasedAuthentication no
105 PermitEmptyPasswords yes
106 ChallengeResponseAuthentication no
109 if [ -n "$auth_key" -a -f "$auth_key" ]; then
111 root_u_path
="$rootfs/$u_path"
112 mkdir
-p $root_u_path
113 cp $auth_key "$root_u_path/authorized_keys"
114 chown
-R 0:0 "$rootfs/$u_path"
115 chmod 700 "$rootfs/$u_path"
116 echo "Inserted SSH public key from $auth_key into $rootfs/$u_path"
128 grep -q "^lxc.rootfs" $path/config
2>/dev
/null ||
echo "lxc.rootfs = $rootfs" >> $path/config
129 cat <<EOF >> $path/config
132 lxc.cap.drop = sys_module mac_admin mac_override sys_time
134 # When using LXC with apparmor, uncomment the next line to run unconfined:
135 #lxc.aa_profile = unconfined
137 lxc.mount.entry = /dev dev none ro,bind 0 0
138 lxc.mount.entry = /lib lib none ro,bind 0 0
139 lxc.mount.entry = /bin bin none ro,bind 0 0
140 lxc.mount.entry = /usr usr none ro,bind 0 0
141 lxc.mount.entry = /sbin sbin none ro,bind 0 0
142 lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0
143 lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none ro,bind 0 0
144 lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
146 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
149 # Oracle Linux and Fedora need the following two bind-mounted
150 if [ -d /etc
/sysconfig
/network-scripts
]; then
151 cat <<EOF >> $path/config
152 lxc.mount.entry = /etc/sysconfig/network-scripts etc/sysconfig/network-scripts none ro,bind 0 0
156 if [ -d /etc
/rc.d
]; then
157 cat <<EOF >> $path/config
158 lxc.mount.entry = /etc/rc.d etc/rc.d none ro,bind 0 0
162 # if there is no .ipv4 section in the config, have the container run dhcp
163 grep -q "^lxc.network.ipv4" $path/config ||
touch $rootfs/run-dhcp
165 if [ "$(uname -m)" = "x86_64" ]; then
166 cat <<EOF >> $path/config
167 lxc.mount.entry = /lib64 lib64 none ro,bind 0 0
175 $1 -h|--help -p|--path=<path> [--rootfs=<path>]
183 if [ $?
-ne 0 ]; then
184 echo "The command '$1' $cmd_path is not accessible on the system"
187 # we use cut instead of awk because awk is an alternatives symlink on Ubuntu
188 # and /etc/alternatives isn't bind-mounted
189 cmd_path
=`echo $cmd_path |cut -d ' ' -f 3`
192 options
=$
(getopt
-o hp
:n
:S
: -l help,rootfs
:,path
:,name
:,auth-key
: -- "$@")
193 if [ $?
-ne 0 ]; then
197 eval set -- "$options"
202 -h|
--help) usage
$0 && exit 0;;
203 -p|
--path) path
=$2; shift 2;;
204 --rootfs) rootfs
=$2; shift 2;;
205 -n|
--name) name
=$2; shift 2;;
206 -S|
--auth-key) auth_key
=$2; shift 2;;
207 --) shift 1; break ;;
212 if [ "$(id -u)" != "0" ]; then
213 echo "This script should be run as 'root'"
217 if [ $0 = "/sbin/init" ]; then
219 PATH
="$PATH:/bin:/sbin:/usr/sbin"
220 check_for_cmd @SBINDIR@
/init.lxc
225 if [ -f /run-dhcp
]; then
226 check_for_cmd dhclient
227 check_for_cmd ifconfig
230 cat > /dhclient.conf
<< EOF
231 send host-name = gethostname();
234 dhclient eth0
-cf /dhclient.conf
235 echo "Container IP address:"
236 ifconfig eth0 |
grep inet
239 exec @SBINDIR@
/init.lxc
-- $sshd_path
243 if [ -z "$path" ]; then
244 echo "'path' parameter is required"
249 config
="$path/config"
250 if [ -z "$rootfs" ]; then
251 if grep -q '^lxc.rootfs' $config 2>/dev
/null
; then
252 rootfs
=$
(awk -F= '/^lxc.rootfs =/{ print $2 }' $config)
259 if [ $?
-ne 0 ]; then
260 echo "failed to install sshd's rootfs"
264 configure_sshd
$rootfs
265 if [ $?
-ne 0 ]; then
266 echo "failed to configure sshd template"
270 copy_configuration
$path $rootfs $name
271 if [ $?
-ne 0 ]; then
272 echo "failed to write configuration file"