Clean up after ourselves, and stop services from doing anything in the chroot as...

[lxc-debian-unprivileged.git] / templates / lxc-debian-unprivileged

diff --git a/templates/lxc-debian-unprivileged b/templates/lxc-debian-unprivileged
index 30d4912c3dfd58726fb2afc8852513933076c4fc..c7134a79a2d20dee56cb410151896a00c1d2d7e2 100755 (executable)
--- a/templates/lxc-debian-unprivileged
+++ b/templates/lxc-debian-unprivileged
@@ -66,6 +66,21 @@ eval set -- "$options"
 DEBIAN_MIRROR="http://mirror.mythic-beasts.com/debian/"
 DEBIAN_RELEASE="jessie"
 
+disable_initscripts() {
+    cat <<EOF > ${LXC_ROOTFS}/usr/sbin/policy-rc.d
+#!/bin/sh
+
+exit 101
+EOF
+    chmod 755 ${LXC_ROOTFS}/usr/sbin/policy-rc.d
+}
+
+enable_initscripts() {
+    if [ -e ${LXC_ROOTFS}/usr/sbin/policy-rc.d ]; then
+        rm ${LXC_ROOTFS}/usr/sbin/policy-rc.d
+    fi
+}
+
 while :; do
     case "$1" in
         -h|--help)      usage && exit 1;;
@@ -80,12 +95,6 @@ while :; do
     esac
 done
 
-echo "Mapped UID: $MAPPED_UID"
-echo "Mapped GID: $MAPPED_GID"
-echo "RootFS: $LXC_ROOTFS"
-echo "Name: $LXC_NAME"
-echo "Path: $LXC_PATH"
-
 # rewrite the default config file
 
 sed -i -e "/lxc./{w ${LXC_PATH}/config-auto" -e "d}" ${LXC_PATH}/config
@@ -118,7 +127,7 @@ chmod 755 ${LXC_PATH}/bin/mknod
 
 export PATH=${LXC_PATH}/bin:$PATH
 
-debootstrap --foreign --include debian-archive-keyring,ifupdown,isc-dhcp-client,locales $DEBIAN_RELEASE ${LXC_ROOTFS} $DEBIAN_MIRROR
+debootstrap --foreign --include debian-archive-keyring,ifupdown,isc-dhcp-client,locales,openssh-server $DEBIAN_RELEASE ${LXC_ROOTFS} $DEBIAN_MIRROR
 
 # now totally skip that check in the new root, because it sucks.
 sed -i -e 's#check_sane_mount () {#check_sane_mount () {\n\treturn 0#;' ${LXC_ROOTFS}/debootstrap/functions
@@ -140,7 +149,7 @@ for file in /var/lib/lxcfs/proc/*; do
     mount -n -o bind $file ${LXC_ROOTFS}/proc/$fname
 done
 
-for dev in random urandom; do
+for dev in null random urandom; do
     touch ${LXC_ROOTFS}/dev/$dev
     mount -n -o bind /dev/$dev ${LXC_ROOTFS}/dev/$dev
 done
@@ -149,15 +158,14 @@ done
 echo "debootstrapping - hahaha" > ${LXC_ROOTFS}/proc/cmdline
 
 # and disable initscripts
-cat <<EOF > ${LXC_ROOTFS}/usr/sbin/policy-rc.d
-#!/bin/sh
-
-exit 101
-EOF
+disable_initscripts
 
 # and run the second stage
 chroot ${LXC_ROOTFS} /debootstrap/debootstrap --second-stage
 
+# make sure that initscripts are still disabled
+disable_initscripts
+
 # configure locales
 lang=en_GB.UTF-8
 enc=UTF-8
@@ -188,10 +196,16 @@ if [ -e ${LXC_ROOTFS}/etc/network/interfaces.d ]; then
     NETWORK_FILE=/etc/network/interfaces.d/eth0
 fi
 
+# remove some interesting breakages in pam for unpriv foo
+sed -i -e 's#^\(session.*required.*pam_loginuid.so\)#\#\1#;' ${LXC_ROOTFS}/etc/pam.d/*
+
+# set the hostname
+echo $LXC_NAME > ${LXC_ROOTFS}/etc/hostname
+
 # setup sources.list
 cat <<EOF > ${LXC_ROOTFS}/etc/apt/sources.list
 deb $DEBIAN_MIRROR $DEBIAN_RELEASE main
-deb http://security.debian.org/ $DEBIAN_RELEASE/update main
+deb http://security.debian.org/ $DEBIAN_RELEASE/updates main
 EOF
 
 # disable bits of systemd that we hates
@@ -216,13 +230,13 @@ EOF
 
 # and update to the latest security
 chroot ${LXC_ROOTFS} apt-get update
-chroot ${LXC_ROOTFS} apt-get upgrade
+chroot ${LXC_ROOTFS} apt-get -y upgrade
 
 # if we're all good here, unmount things and clean up
 [ -e ${LXC_ROOTFS}/usr/sbin/policy-rc.d ] && rm ${LXC_ROOTFS}/usr/sbin/policy-rc.d
 rm ${LXC_ROOTFS}/proc/cmdline
 
-for dev in random urandom; do
+for dev in null random urandom; do
     umount ${LXC_ROOTFS}/dev/$dev
     rm ${LXC_ROOTFS}/dev/$dev
 done
@@ -233,4 +247,8 @@ for file in /var/lib/lxcfs/proc/*; do
     rm ${LXC_ROOTFS}/proc/$fname
 done
 
+enable_initscripts
+
+rm -r ${LXC_PATH}/bin
+
 exit 0