Don't bother with security urls for sid/unstable

[lxc-debian-unprivileged.git] / templates / lxc-debian-unprivileged

diff --git a/templates/lxc-debian-unprivileged b/templates/lxc-debian-unprivileged
index 9b45a1b6134ba0da937d28acf329478adc433273..42ece9e509f61156e32cd1d97ff4ea4bd0c71fc8 100755 (executable)
--- a/templates/lxc-debian-unprivileged
+++ b/templates/lxc-debian-unprivileged
@@ -31,9 +31,13 @@ done
 
 if [ "$MAPPED" == "no" ]; then
     echo "This template can only be used for unprivileged containers." 1>&2
-    echo "You might want the \"debian\" template instead." 1|&2
+    echo "You might want the \"debian\" template instead." 1>&2
+    exit 1
 fi
 
+set -e
+set -u
+
 # Make sure the usual locations are in PATH
 export PATH=/usr/sbin:/usr/bin:/sbin:/bin:$PATH
 export GREP_OPTIONS=""
@@ -197,22 +201,27 @@ if [ -e "${LXC_ROOTFS}/etc/network/interfaces.d" ]; then
 fi
 
 # remove some interesting breakages in pam for unpriv foo
-sed -i -e 's#^\(session.*required.*pam_loginuid.so\)#\#\1#;' "${LXC_ROOTFS}/etc/pam.d/*"
+sed -i -e 's#^\(session.*required.*pam_loginuid.so\)#\#\1#;' "${LXC_ROOTFS}"/etc/pam.d/*
 
 # set the hostname
 echo $LXC_NAME > "${LXC_ROOTFS}/etc/hostname"
 
+SECURITY=""
+if [ "$DEBIAN_RELEASE" != "sid" ] && [ "$DEBIAN_RELEASE" != "unstable" ]; then
+    SECURITY="deb http://security.debian.org/ $DEBIAN_RELEASE/updates main"
+fi
+
 # setup sources.list
 cat <<EOF > "${LXC_ROOTFS}/etc/apt/sources.list"
 deb $DEBIAN_MIRROR $DEBIAN_RELEASE main
-deb http://security.debian.org/ $DEBIAN_RELEASE/updates main
+$SECURITY
 EOF
 
-# disable bits of systemd that we hates
-chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f checkroot.sh disable > /dev/null 2>&1
-chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f umountfs disable > /dev/null 2>&1
-chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclock.sh disable > /dev/null 2>&1
-chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclockfirst.sh disable > /dev/null 2>&1
+# disable bits of systemd / initrd that break things
+chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f checkroot.sh disable > /dev/null 2>&1 || true
+chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f umountfs disable > /dev/null 2>&1 || true
+chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclock.sh disable > /dev/null 2>&1 || true
+chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclockfirst.sh disable > /dev/null 2>&1 || true
 
 if [ -e "${LXC_ROOTFS}/etc/systemd/system/" ]; then
     touch "${LXC_ROOTFS}/etc/systemd/system/systemd-setup-dgram-qlen.service"
@@ -223,6 +232,10 @@ if [ -e "${LXC_ROOTFS}/etc/systemd/system/" ]; then
     chroot "${LXC_ROOTFS}" ln -s /lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
 fi
 
+if [ -e "${LXC_ROOTFS}/lib/systemd/system/systemd-journald-audit.socket" ]; then
+    touch "${LXC_ROOTFS}/etc/systemd/system/systemd-journald-audit.socket"
+fi
+
 cat <<EOF >> "${LXC_ROOTFS}${NETWORK_FILE}"
 auto eth0
 iface eth0 inet dhcp