X-Git-Url: https://git.sommitrealweird.co.uk/lxc-debian-unprivileged.git/blobdiff_plain/330e7d0cfc0886a371df29017a74d9e01c92562e..6b2f4764180633ef9eed9a89f89086a877f50218:/templates/lxc-debian-unprivileged diff --git a/templates/lxc-debian-unprivileged b/templates/lxc-debian-unprivileged index 9b45a1b..d801b9d 100755 --- a/templates/lxc-debian-unprivileged +++ b/templates/lxc-debian-unprivileged @@ -31,9 +31,13 @@ done if [ "$MAPPED" == "no" ]; then echo "This template can only be used for unprivileged containers." 1>&2 - echo "You might want the \"debian\" template instead." 1|&2 + echo "You might want the \"debian\" template instead." 1>&2 + exit 1 fi +set -e +set -u + # Make sure the usual locations are in PATH export PATH=/usr/sbin:/usr/bin:/sbin:/bin:$PATH export GREP_OPTIONS="" @@ -197,22 +201,27 @@ if [ -e "${LXC_ROOTFS}/etc/network/interfaces.d" ]; then fi # remove some interesting breakages in pam for unpriv foo -sed -i -e 's#^\(session.*required.*pam_loginuid.so\)#\#\1#;' "${LXC_ROOTFS}/etc/pam.d/*" +sed -i -e 's#^\(session.*required.*pam_loginuid.so\)#\#\1#;' "${LXC_ROOTFS}"/etc/pam.d/* # set the hostname echo $LXC_NAME > "${LXC_ROOTFS}/etc/hostname" +SECURITY="" +if [ "$DEBIAN_RELEASE" != "sid" ] && [ "$DEBIAN_RELEASE" != "unstable" ]; then + SECURITY="deb http://security.debian.org/ $DEBIAN_RELEASE/updates main" +fi + # setup sources.list cat < "${LXC_ROOTFS}/etc/apt/sources.list" deb $DEBIAN_MIRROR $DEBIAN_RELEASE main -deb http://security.debian.org/ $DEBIAN_RELEASE/updates main +$SECURITY EOF -# disable bits of systemd that we hates -chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f checkroot.sh disable > /dev/null 2>&1 -chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f umountfs disable > /dev/null 2>&1 -chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclock.sh disable > /dev/null 2>&1 -chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclockfirst.sh disable > /dev/null 2>&1 +# disable bits of systemd / initrd that break things +chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f checkroot.sh disable > /dev/null 2>&1 || true +chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f umountfs disable > /dev/null 2>&1 || true +chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclock.sh disable > /dev/null 2>&1 || true +chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclockfirst.sh disable > /dev/null 2>&1 || true if [ -e "${LXC_ROOTFS}/etc/systemd/system/" ]; then touch "${LXC_ROOTFS}/etc/systemd/system/systemd-setup-dgram-qlen.service" @@ -223,6 +232,10 @@ if [ -e "${LXC_ROOTFS}/etc/systemd/system/" ]; then chroot "${LXC_ROOTFS}" ln -s /lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target fi +if [ -e "${LXC_ROOTFS}/lib/systemd/system/systemd-journald-audit.socket" ]; then + touch "${LXC_ROOTFS}/etc/systemd/system/systemd-journald-audit.socket" +fi + cat <> "${LXC_ROOTFS}${NETWORK_FILE}" auto eth0 iface eth0 inet dhcp @@ -251,4 +264,18 @@ enable_initscripts rm -r "${LXC_PATH}/bin" +cat <