proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-16 04:04:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix sshd template

Browse Source 
Commit a0a2066d introduced an lxc subdir into the lxc-init path, but
this was never reflected in the sshd template. Add it there.

Don't have ssh-keygen ask for passphrase since host keys are not
supposed to use them.

Don't try to symlink kmsg since /dev is bind mounted readonly.

Read-only bind mount some extra /etc directories, and sysfs which are
needed by dhclient on Fedora and Oracle Linux. Fix mounting of /proc.

Find sshd in more places by adding some common paths to $PATH, and
use the found path to it instead of hardcoded /usr/sbin.

Check for ifconfig command, and print out container's IP address.

Signed-off-by: Dwight Engen <dwight.engen@oracle.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This commit is contained in:
Dwight Engen 2013-07-05 12:17:15 -04:00 committed by Serge Hallyn
parent ef091cefca
commit 18efb001a4
1 changed files with 44 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
templates/lxc-sshd.in
View File

@ -28,10 +28,14 @@ install_sshd()
$rootfs/var/run/sshd \ $rootfs/var/run/sshd \
$rootfs/var/empty/sshd \ $rootfs/var/empty/sshd \
$rootfs/var/lib/empty/sshd \ $rootfs/var/lib/empty/sshd \
$rootfs/etc/init.d \
$rootfs/etc/rc.d \
$rootfs/etc/ssh \ $rootfs/etc/ssh \
$rootfs/etc/sysconfig/network-scripts \
$rootfs/dev/shm \ $rootfs/dev/shm \
$rootfs/run/shm \ $rootfs/run/shm \
$rootfs/proc \ $rootfs/proc \
$rootfs/sys \
$rootfs/bin \ $rootfs/bin \
$rootfs/sbin \ $rootfs/sbin \
$rootfs/usr \ $rootfs/usr \
@ -63,8 +67,8 @@ root:x:0:root
sshd:x:74: sshd:x:74:
EOF EOF
ssh-keygen -t rsa -f $rootfs/etc/ssh/ssh_host_rsa_key ssh-keygen -t rsa -N "" -f $rootfs/etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -f $rootfs/etc/ssh/ssh_host_dsa_key ssh-keygen -t dsa -N "" -f $rootfs/etc/ssh/ssh_host_dsa_key
# by default setup root password with no password # by default setup root password with no password
cat <<EOF > $rootfs/etc/ssh/sshd_config cat <<EOF > $rootfs/etc/ssh/sshd_config
@ -112,6 +116,7 @@ copy_configuration()
cat <<EOF >> $path/config cat <<EOF >> $path/config
lxc.utsname = $name lxc.utsname = $name
lxc.pts = 1024 lxc.pts = 1024
lxc.kmsg = 0
lxc.cap.drop = sys_module mac_admin mac_override sys_time lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, uncomment the next line to run unconfined: # When using LXC with apparmor, uncomment the next line to run unconfined:
@ -124,9 +129,24 @@ lxc.mount.entry = /usr usr none ro,bind 0 0
lxc.mount.entry = /sbin sbin none ro,bind 0 0 lxc.mount.entry = /sbin sbin none ro,bind 0 0
lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0 lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0
lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none bind 0 0 lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none bind 0 0
lxc.mount.entry = proc $rootfs/proc proc nodev,noexec,nosuid 0 0 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs ro 0 0
lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0
EOF EOF
# Oracle Linux and Fedora need the following two bind mounted
if [ -d /etc/sysconfig/network-scripts ]; then
cat <<EOF >> $path/config
lxc.mount.entry = /etc/sysconfig/network-scripts etc/sysconfig/network-scripts none ro,bind 0 0
EOF
fi
if [ -d /etc/rc.d ]; then
cat <<EOF >> $path/config
lxc.mount.entry = /etc/rc.d etc/rc.d none ro,bind 0 0
EOF
fi
# if no .ipv4 section in config, then have the container run dhcp # if no .ipv4 section in config, then have the container run dhcp
grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp
@ -145,6 +165,18 @@ EOF
return 0 return 0
} }
check_for_cmd()
{
cmd_path=`type $1`
if [ $? -ne 0 ]; then
echo "The command '$1' $cmd_path is not accessible on the system"
exit 1
fi
# we use cut instead of awk because awk is alternatives symlink on ubuntu
# and /etc/alternatives isn't bind mounted
cmd_path=`echo $cmd_path |cut -d ' ' -f 3`
}
options=$(getopt -o hp:n:S: -l help,rootfs:,path:,name:,auth-key: -- "$@") options=$(getopt -o hp:n:S: -l help,rootfs:,path:,name:,auth-key: -- "$@")
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
usage $(basename $0) usage $(basename $0)
@ -172,25 +204,15 @@ fi
if [ $0 == "/sbin/init" ]; then if [ $0 == "/sbin/init" ]; then
type @LXCINITDIR@/lxc-init PATH="$PATH:/bin:/sbin:/usr/sbin"
if [ $? -ne 0 ]; then check_for_cmd @LXCINITDIR@/lxc/lxc-init
echo "'lxc-init is not accessible on the system" check_for_cmd sshd
exit 1 sshd_path=$cmd_path
fi
type sshd
if [ $? -ne 0 ]; then
echo "'sshd' is not accessible on the system "
exit 1
fi
# run dhcp? # run dhcp?
if [ -f /run-dhcp ]; then if [ -f /run-dhcp ]; then
type dhclient check_for_cmd dhclient
if [ $? -ne 0 ]; then check_for_cmd ifconfig
echo "can't find dhclient"
exit 1
fi
touch /etc/fstab touch /etc/fstab
rm -f /dhclient.conf rm -f /dhclient.conf
cat > /dhclient.conf << EOF cat > /dhclient.conf << EOF
@ -198,9 +220,11 @@ send host-name "<hostname>";
EOF EOF
ifconfig eth0 up ifconfig eth0 up
dhclient eth0 -cf /dhclient.conf dhclient eth0 -cf /dhclient.conf
echo "Container IP address:"
ifconfig eth0 |grep inet
fi fi
exec @LXCINITDIR@/lxc-init -- /usr/sbin/sshd exec @LXCINITDIR@/lxc/lxc-init -- $sshd_path
exit 1 exit 1
fi fi