lxc/templates/lxc-sshd.in

	lxc-sshd.in revision 337e14712e2bf568db73dd57c709b3364e26d798
2ronwalf#!/bin/bash
2ronwalf
2ronwalf#
2ronwalf# lxc: linux Container library
2ronwalf
11daenzerorama# Authors:
11daenzerorama# Daniel Lezcano <daniel.lezcano@free.fr>
2ronwalf
2ronwalf# This library is free software; you can redistribute it and/or
2ronwalf# modify it under the terms of the GNU Lesser General Public
2ronwalf# License as published by the Free Software Foundation; either
38daenzerorama# version 2.1 of the License, or (at your option) any later version.
2ronwalf
2ronwalf# This library is distributed in the hope that it will be useful,
2ronwalf# but WITHOUT ANY WARRANTY; without even the implied warranty of
2ronwalf# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
2ronwalf# Lesser General Public License for more details.
2ronwalf
2ronwalf# You should have received a copy of the GNU Lesser General Public
2ronwalf# License along with this library; if not, write to the Free Software
2ronwalf# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
2ronwalf
2ronwalfinstall_sshd()
2ronwalf{
2ronwalf    rootfs=$1
2ronwalf
2ronwalf    tree="\
2ronwalf$rootfs/var/run/sshd \
2ronwalf$rootfs/var/empty/sshd \
2ronwalf$rootfs/var/lib/empty/sshd \
2ronwalf$rootfs/etc/ssh \
2ronwalf$rootfs/dev/shm \
2ronwalf$rootfs/run/shm \
11daenzerorama$rootfs/proc \
11daenzerorama$rootfs/bin \
11daenzerorama$rootfs/sbin \
11daenzerorama$rootfs/usr \
11daenzerorama$rootfs/tmp \
11daenzerorama$rootfs/home \
11daenzerorama$rootfs/root \
11daenzerorama$rootfs/lib \
11daenzerorama$rootfs/lib64"
11daenzerorama
11daenzerorama    mkdir -p $tree
11daenzerorama    if [ $? -ne 0 ]; then
11daenzerorama    return 1
11daenzerorama    fi
11daenzerorama
11daenzerorama    return 0
11daenzerorama}
11daenzerorama
11daenzeroramaconfigure_sshd()
11daenzerorama{
11daenzerorama    rootfs=$1
11daenzerorama
11daenzerorama    cat <<EOF > $rootfs/etc/passwd
11daenzeroramaroot:x:0:0:root:/root:/bin/bash
11daenzeroramasshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
11daenzeroramaEOF
2ronwalf
    cat <<EOF > $rootfs/etc/group
root:x:0:root
sshd:x:74:
EOF

ssh-keygen -t rsa -f $rootfs/etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -f $rootfs/etc/ssh/ssh_host_dsa_key

    # by default setup root password with no password
    cat <<EOF > $rootfs/etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
EOF

    if [ -n "$auth_key" -a -f "$auth_key" ]; then
        u_path="/root/.ssh"
        root_u_path="$rootfs/$u_path"
        mkdir -p $root_u_path
        cp $auth_key "$root_u_path/authorized_keys"
        chown -R 0:0 "$rootfs/$u_path"
        chmod 700 "$rootfs/$u_path"
        echo "Inserted SSH public key from $auth_key into /home/ubuntu/.ssh/authorized_keys"
    fi

    return 0
}

copy_configuration()
{
    path=$1
    rootfs=$2
    name=$3

cat <<EOF >> $path/config
lxc.utsname = $name
lxc.pts = 1024
lxc.rootfs = $rootfs

# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined

lxc.mount.entry=/dev dev none ro,bind 0 0
lxc.mount.entry=/lib lib none ro,bind 0 0
lxc.mount.entry=/bin bin none ro,bind 0 0
lxc.mount.entry=/usr usr none ro,bind 0 0
lxc.mount.entry=/sbin sbin none ro,bind 0 0
lxc.mount.entry=tmpfs var/run/sshd tmpfs mode=0644 0 0
lxc.mount.entry=@LXCTEMPLATEDIR@/lxc-sshd sbin/init none bind 0 0
lxc.mount.entry=proc $rootfs/proc proc nodev,noexec,nosuid 0 0
EOF

    # if no .ipv4 section in config, then have the container run dhcp
    grep -q "^lxc.network.ipv4" $path/config || touch $rootfs/run-dhcp

    if [ "$(uname -m)" = "x86_64" ]; then
        cat <<EOF >> $path/config
lxc.mount.entry=/lib64 lib64 none ro,bind 0 0
EOF
    fi
}

usage()
{
    cat <<EOF
$1 -h|--help -p|--path=<path>
EOF
    return 0
}

options=$(getopt -o hp:n:S: -l help,path:,name:,auth-key: -- "$@")
if [ $? -ne 0 ]; then
        usage $(basename $0)
    exit 1
fi
eval set -- "$options"

while true
do
    case "$1" in
        -h|--help)      usage $0 && exit 0;;
        -p|--path)      path=$2; shift 2;;
        -n|--name)      name=$2; shift 2;;
        -S|--auth-key)  auth_key=$2; shift 2;;
        --)             shift 1; break ;;
        *)              break ;;
    esac
done

if [ "$(id -u)" != "0" ]; then
    echo "This script should be run as 'root'"
    exit 1
fi

if [ $0 == "/sbin/init" ]; then

    type @LXCINITDIR@/lxc-init
    if [ $? -ne 0 ]; then
    echo "'lxc-init is not accessible on the system"
    exit 1
    fi

    type sshd
    if [ $? -ne 0 ]; then
    echo "'sshd' is not accessible on the system "
    exit 1
    fi

    # run dhcp?
    if [ -f /run-dhcp ]; then
        type dhclient
        if [ $? -ne 0 ]; then
            echo "can't find dhclient"
            exit 1
        fi
        touch /etc/fstab
        rm -f /dhclient.conf
        cat > /dhclient.conf << EOF
send host-name "<hostname>";
EOF
        ifconfig eth0 up
        dhclient eth0 -cf /dhclient.conf
    fi

    exec @LXCINITDIR@/lxc-init -- /usr/sbin/sshd
    exit 1
fi

if [ -z "$path" ]; then
    echo "'path' parameter is required"
    exit 1
fi

rootfs=$path/rootfs

install_sshd $rootfs
if [ $? -ne 0 ]; then
    echo "failed to install sshd's rootfs"
    exit 1
fi

configure_sshd $rootfs
if [ $? -ne 0 ]; then
    echo "failed to configure sshd template"
    exit 1
fi

copy_configuration $path $rootfs $name
if [ $? -ne 0 ]; then
    echo "failed to write configuration file"
    exit 1
fi