From 44b036309bd11ecde9ddbfa05ee74070e7456d6c Mon Sep 17 00:00:00 2001
From: Leonid Isaev
Date: Mon, 31 Mar 2014 17:11:58 -0400
Subject: [PATCH] archlinux: Create per-container pacman host key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Do not copy the pacman master key from the host, as this opens it to attacks; generate a new secret hostkey.

Signed-off-by: Leonid Isaev
Acked-by: Stéphane Graber
---
 templates/lxc-archlinux.in | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
index b3bc99e92..b01ccfe50 100644
--- a/templates/lxc-archlinux.in
+++ b/templates/lxc-archlinux.in
@@ -107,6 +107,9 @@ ln -s /dev/null /etc/systemd/system/systemd-udevd-kernel.socket
 ln -s /dev/null /etc/systemd/system/proc-sys-fs-binfmt_misc.automount
 # set default systemd target
 ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+# initialize pacman keyring
+pacman-key --init
+pacman-key --populate archlinux
 EOF
 return 0
 }
@@ -172,7 +175,8 @@ install_arch() {
 pacman_config="${container_pacman_config}"
 fi
 
- if ! pacstrap -dcC "${pacman_config}" "${rootfs_path}" ${base_packages[@]}; then
+ if ! pacstrap -dcGC "${pacman_config}" "${rootfs_path}" \
+ ${base_packages[@]}; then
 echo "Failed to install container packages"
 return 1
 fi
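Review bot: The two `pacman-key` lines added just before `EOF` carry no exit-status check, so if key generation or keyring population fails the heredoc script still falls through and the enclosing function still returns 0, leaving a container whose pacman will most likely reject every signed package on first use. Unless the heredoc is executed under `set -e` (not visible in this hunk), `pacman-key --init || exit 1` and `pacman-key --populate archlinux || exit 1` would make the failure visible to the caller instead of being discovered much later. `pacman-key --init` also generates a fresh GnuPG keypair inside the container, which draws on the build host's entropy; a short comment such as `# generates a new GnuPG keypair; may stall on an entropy-starved build host` would help whoever debugs a container creation that appears to hang here. The function that owns this heredoc starts before the hunk, so the `return 0` shown is its last statement only as far as the visible lines tell.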
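Review bot: The `-G` added to the `pacstrap` option cluster is the entire point of the commit, yet nothing in the code says so, and a later cleanup could drop it from `-dcGC` without noticing; a comment above the call, `# -G: do not copy the host's pacman keyring into the container (a container-local keyring is initialised instead)`, records the intent next to the flag. On the new continuation line `${base_packages[@]}` is unquoted, so bash applies word splitting and pathname expansion to each element; `"${base_packages[@]}"` passes the array entries intact and is the safer form for a line that is being rewritten anyway. It is also worth confirming the minimum arch-install-scripts release whose `pacstrap` accepts `-G`, because on an older host the option is rejected and the only diagnostic the user sees is the generic "Failed to install container packages". install_arch() begins and ends outside this hunk.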