#!/bin/bash
-# set -ex
+set -ex
NAME="debian"
CONFFILE="lxc.conf"
INITTAB="/etc/inittab"
HOSTNAME="/etc/hostname"
FSTAB="/etc/fstab"
+SSHD_CONFIG="/etc/ssh/sshd_config"
CACHE="@LOCALSTATEDIR@/cache/lxc/debian"
+################################################################################
+# debian custom configuration files
+################################################################################
+
+# custom fstab
+
+write_debian_fstab() {
+cat <<EOF > $ROOTFS/$FSTAB
+tmpfs /dev/shm tmpfs defaults 0 0
+EOF
+}
+
+# custom inittab
+
+write_debian_inittab() {
+cat <<EOF > $ROOTFS/$INITTAB
+id:3:initdefault:
+si::sysinit:/etc/init.d/rcS
+l0:0:wait:/etc/init.d/rc 0
+l1:1:wait:/etc/init.d/rc 1
+l2:2:wait:/etc/init.d/rc 2
+l3:3:wait:/etc/init.d/rc 3
+l4:4:wait:/etc/init.d/rc 4
+l5:5:wait:/etc/init.d/rc 5
+l6:6:wait:/etc/init.d/rc 6
+# Normally not reached, but fallthrough in case of emergency.
+z6:6:respawn:/sbin/sulogin
+1:2345:respawn:/sbin/getty 38400 console
+EOF
+}
+
+# custom network configuration
+
+write_debian_network() {
+cat <<EOF > $ROOTFS/$INTERFACES
+auto eth0 lo
+iface eth0 inet static
+address $IPV4
+netmask 255.255.255.0
+broadcast 0.0.0.0
+up route add default gw $GATEWAY
+iface lo inet loopback
+EOF
+}
+
+# custom hostname
+
+write_debian_hostname() {
+cat <<EOF > $ROOTFS/$HOSTNAME
+$UTSNAME
+EOF
+}
+
+# custom sshd configuration file
+
+write_debian_sshd_config() {
+cat <<EOF > $ROOTFS/$SSHD_CONFIG
+Port 22
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+UsePrivilegeSeparation yes
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+SyslogFacility AUTH
+LogLevel INFO
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+IgnoreRhosts yes
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+PermitEmptyPasswords yes
+ChallengeResponseAuthentication no
+EOF
+}
+
+################################################################################
+# lxc configuration files
+################################################################################
+
+write_lxc_configuration() {
+cat <<EOF > $CONFFILE
+lxc.utsname = $UTSNAME
+lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.link = br0
+lxc.network.name = eth0
+lxc.mount = $MNTFILE
+lxc.rootfs = $ROOTFS
+lxc.cgroup.devices.deny = a
+# /dev/null and zero
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+# consoles
+lxc.cgroup.devices.allow = c 5:1 rwm
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 4:0 rwm
+lxc.cgroup.devices.allow = c 4:1 rwm
+# /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:9 rwm
+lxc.cgroup.devices.allow = c 1:8 rwm
+# /dev/pts/* - pts namespaces are "coming soon"
+lxc.cgroup.devices.allow = c 136:* rwm
+lxc.cgroup.devices.allow = c 5:2 rwm
+# rtc
+lxc.cgroup.devices.allow = c 254:0 rwm
+EOF
+}
+
+write_lxc_mounts() {
+cat <<EOF > $MNTFILE
+
+EOF
+}
+
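Review bot: The sshd_config written by write_debian_sshd_config sets both `PermitRootLogin yes` and `PermitEmptyPasswords yes`, so a container whose root account has no password accepts a root SSH login from anything that can reach its veth interface on br0. I would change those two lines to `PermitEmptyPasswords no` and `PermitRootLogin without-password`, or make at least the first change if no key is provisioned in the rootfs yet. The heredoc target `$ROOTFS/$SSHD_CONFIG` is also unquoted and unchecked. Where ROOTFS is assigned is not visible here, but if it were ever empty this policy would be written to the host's own /etc/ssh/sshd_config, so `> "${ROOTFS:?}$SSHD_CONFIG"` is a cheap guard. The same guard applies to the fstab, inittab, hostname and interfaces writers in this hunk.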
create() {
# choose a container name, default is 'debian'
fi
-########################################
-# lxc configuration files
-########################################
-
-# lxc mount point
-
-cat <<EOF > $MNTFILE
-/dev $(pwd)/$ROOTFS/dev none bind 0 0
-/dev/pts $(pwd)/$ROOTFS/dev/pts none bind 0 0
-/etc/resolv.conf $(pwd)/$ROOTFS/etc/resolv.conf none ro,bind 0 0
-EOF
-
-# lxc configuration
-
-cat <<EOF > $CONFFILE
-
-lxc.utsname = $UTSNAME
-
-lxc.network.type = veth
-lxc.network.flags = up
-lxc.network.link = br0
-lxc.network.name = eth0
-
-lxc.mount = $MNTFILE
-
-lxc.rootfs = $ROOTFS
-
-lxc.cgroup.devices.deny = a
-
-# /dev/null and zero
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-
-# consoles
-lxc.cgroup.devices.allow = c 5:1 rwm
-lxc.cgroup.devices.allow = c 5:0 rwm
-lxc.cgroup.devices.allow = c 4:0 rwm
-lxc.cgroup.devices.allow = c 4:1 rwm
-
-# /dev/{,u}random
-lxc.cgroup.devices.allow = c 1:9 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-
-# /dev/pts/* - pts namespaces are "coming soon"
-lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 5:2 rwm
-
-# rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
-
-EOF
-
-
-########################################
-# rootfs configuration files tweak
-########################################
-
-# inittab
-
-cat <<EOF > $ROOTFS/$INITTAB
-id:3:initdefault:
-si::sysinit:/etc/init.d/rcS
-l0:0:wait:/etc/init.d/rc 0
-l1:1:wait:/etc/init.d/rc 1
-l2:2:wait:/etc/init.d/rc 2
-l3:3:wait:/etc/init.d/rc 3
-l4:4:wait:/etc/init.d/rc 4
-l5:5:wait:/etc/init.d/rc 5
-l6:6:wait:/etc/init.d/rc 6
-# Normally not reached, but fallthrough in case of emergency.
-z6:6:respawn:/sbin/sulogin
-1:2345:respawn:/sbin/getty 38400 console
-EOF
+write_lxc_mounts
-# hostname
-cat <<EOF > $ROOTFS/$HOSTNAME
-$UTSNAME
-EOF
+write_lxc_configuration
-# fstab
+write_debian_inittab
-cat <<EOF > $ROOTFS/$FSTAB
-tmpfs /dev/shm tmpfs defaults 0 0
-EOF
+write_debian_hostname
-# network
+write_debian_fstab
-cat <<EOF > $ROOTFS/$INTERFACES
-auto eth0 lo
-iface eth0 inet static
-address $IPV4
-netmask 255.255.255.0
-broadcast 0.0.0.0
-up route add default gw $GATEWAY
-iface lo inet loopback
-EOF
+write_debian_network
-# create the container object
+write_debian_sshd_config
@BINDIR@/lxc-create -n $NAME -f $CONFFILE
RES=$?
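Review bot: `RES=$?` after the lxc-create call can no longer observe a failure, because the `set -ex` enabled at the top of the script makes the shell exit as soon as lxc-create returns non-zero. Whatever create() does with RES after this hunk is then skipped, presumably including any error message or cleanup of the partially built container; the body of create() starts and ends outside the hunk, so that part is not visible. Capturing the status explicitly keeps that path alive: `RES=0; @BINDIR@/lxc-create -n "$NAME" -f "$CONFFILE" || RES=$?`.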