X-Git-Url: https://git.sommitrealweird.co.uk/lxc-debian-unprivileged.git/blobdiff_plain/5682c82c369a62227f49a827aaa54830a58a370b..0706287ab500d02db0257d2321156da6f01a38a6:/templates/lxc-debian-unprivileged?ds=inline
diff --git a/templates/lxc-debian-unprivileged b/templates/lxc-debian-unprivileged
index d18a27e..c7134a7 100755
--- a/templates/lxc-debian-unprivileged
+++ b/templates/lxc-debian-unprivileged
@@ -66,6 +66,21 @@ eval set -- "$options"
 DEBIAN_MIRROR="http://mirror.mythic-beasts.com/debian/"
 DEBIAN_RELEASE="jessie"
+disable_initscripts() {
+ cat < ${LXC_ROOTFS}/usr/sbin/policy-rc.d
+#!/bin/sh
+
+exit 101
+EOF
+ chmod 755 ${LXC_ROOTFS}/usr/sbin/policy-rc.d
+}
+
+enable_initscripts() {
+ if [ -e ${LXC_ROOTFS}/usr/sbin/policy-rc.d ]; then
+ rm ${LXC_ROOTFS}/usr/sbin/policy-rc.d
+ fi
+}
+
 while :; do
 case "$1" in
 -h|--help) usage && exit 1;;
@@ -80,12 +95,6 @@ while :; do
 esac
 done
-echo "Mapped UID: $MAPPED_UID"
-echo "Mapped GID: $MAPPED_GID"
-echo "RootFS: $LXC_ROOTFS"
-echo "Name: $LXC_NAME"
-echo "Path: $LXC_PATH"
-
 # rewrite the default config file
 sed -i -e "/lxc./{w ${LXC_PATH}/config-auto" -e "d}" ${LXC_PATH}/config
@@ -118,7 +127,7 @@ chmod 755 ${LXC_PATH}/bin/mknod
 export PATH=${LXC_PATH}/bin:$PATH
-debootstrap --foreign --include debian-archive-keyring,ifupdown,isc-dhcp-client,locales $DEBIAN_RELEASE ${LXC_ROOTFS} $DEBIAN_MIRROR
+debootstrap --foreign --include debian-archive-keyring,ifupdown,isc-dhcp-client,locales,openssh-server $DEBIAN_RELEASE ${LXC_ROOTFS} $DEBIAN_MIRROR
 # now totally skip that check in the new root, because it sucks.
 sed -i -e 's#check_sane_mount () {#check_sane_mount () {\n\treturn 0#;' ${LXC_ROOTFS}/debootstrap/functions
@@ -140,7 +149,7 @@ for file in /var/lib/lxcfs/proc/*; do
 mount -n -o bind $file ${LXC_ROOTFS}/proc/$fname
 done
-for dev in random urandom; do
+for dev in null random urandom; do
 touch ${LXC_ROOTFS}/dev/$dev
 mount -n -o bind /dev/$dev ${LXC_ROOTFS}/dev/$dev
 done
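Review bot: In the `@@ -66,6 +66,21 @@` hunk, `disable_initscripts` and `enable_initscripts` build their target from an unquoted, unguarded `${LXC_ROOTFS}`, so an empty or whitespace-containing value makes the write, the `chmod 755` and the `rm` act on a path outside the container rootfs (with an empty value, the host's `/usr/sbin/policy-rc.d`). Writing the path as `"${LXC_ROOTFS:?}/usr/sbin/policy-rc.d"` in each of those lines makes the script stop instead of touching the wrong file. The same pattern appears in the `@@ -233,4 +247,8 @@` hunk, where `rm -r ${LXC_PATH}/bin` would be safer as `rm -r -- "${LXC_PATH:?}/bin"`, and in the `@@ -188,6 +196,12 @@` hunk, where `echo $LXC_NAME > ${LXC_ROOTFS}/etc/hostname` is better written `printf '%s\n' "$LXC_NAME" > "${LXC_ROOTFS:?}/etc/hostname"`. The result of the heredoc write is also not checked; if it fails, the second stage presumably runs with no policy-rc.d in place and package init scripts may start during the build.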
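Review bot: Adding `openssh-server` to the `--include` list in the `@@ -118,7 +127,7 @@` hunk gives every container built from this template an SSH daemon, and nothing in the visible hunks provisions credentials, adjusts `sshd_config`, or lets the caller opt out. Consider gating it behind a template option, and at minimum document it next to the call, for example `# openssh-server: sshd listens on first boot; provision authorized_keys before exposing the container`. Debian's package normally generates host keys when it is configured, which here would happen during the second stage, so a rootfs that is later copied or cloned would share those keys unless they are regenerated.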
@@ -149,15 +158,14 @@ done
 echo "debootstrapping - hahaha" > ${LXC_ROOTFS}/proc/cmdline
 # and disable initscripts
-cat < ${LXC_ROOTFS}/usr/sbin/policy-rc.d
-#!/bin/sh
-
-exit 101
-EOF
+disable_initscripts
 # and run the second stage
 chroot ${LXC_ROOTFS} /debootstrap/debootstrap --second-stage
+# make sure that initscripts are still disabled
+disable_initscripts
+
 # configure locales
 lang=en_GB.UTF-8
 enc=UTF-8
@@ -188,6 +196,12 @@ if [ -e ${LXC_ROOTFS}/etc/network/interfaces.d ]; then
 NETWORK_FILE=/etc/network/interfaces.d/eth0
 fi
+# remove some interesting breakages in pam for unpriv foo
+sed -i -e 's#^\(session.*required.*pam_loginuid.so\)#\#\1#;' ${LXC_ROOTFS}/etc/pam.d/*
+
+# set the hostname
+echo $LXC_NAME > ${LXC_ROOTFS}/etc/hostname
+
 # setup sources.list
 cat < ${LXC_ROOTFS}/etc/apt/sources.list
 deb $DEBIAN_MIRROR $DEBIAN_RELEASE main
@@ -216,13 +230,13 @@ EOF
 # and update to the latest security
 chroot ${LXC_ROOTFS} apt-get update
-chroot ${LXC_ROOTFS} apt-get upgrade
+chroot ${LXC_ROOTFS} apt-get -y upgrade
 # if we're all good here, unmount things and clean up
 [ -e ${LXC_ROOTFS}/usr/sbin/policy-rc.d ] && rm ${LXC_ROOTFS}/usr/sbin/policy-rc.d
 rm ${LXC_ROOTFS}/proc/cmdline
-for dev in random urandom; do
+for dev in null random urandom; do
 umount ${LXC_ROOTFS}/dev/$dev
 rm ${LXC_ROOTFS}/dev/$dev
 done
@@ -233,4 +247,8 @@ for file in /var/lib/lxcfs/proc/*; do
 rm ${LXC_ROOTFS}/proc/$fname
 done
+enable_initscripts
+
+rm -r ${LXC_PATH}/bin
+
 exit 0
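Review bot: The new `sed` in the `@@ -188,6 +196,12 @@` hunk comments out `pam_loginuid.so` in every file under `etc/pam.d/`, and the comment above it ("some interesting breakages in pam for unpriv foo") does not say what breaks or what is given up. pam_loginuid is the module that sets the audit login UID for a session, so sessions in the resulting container will not carry one. Presumably the module fails in an unprivileged container and, being `required`, blocks logins; if so, a comment such as `# pam_loginuid fails in unprivileged containers and blocks login; disabled, so sessions have no audit loginuid` would record the trade-off. The `.` before `so` in the pattern is an unescaped regex dot; `pam_loginuid\.so` matches only the intended module name.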
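Review bot: In the `@@ -216,13 +230,13 @@` hunk the exit status of `apt-get update` and of the new `apt-get -y upgrade` is never checked, and the script ends with `exit 0`, so a failed security upgrade still yields a container reported as built successfully (unless `set -e` is in effect outside the visible hunks). A minimal guard is `chroot ${LXC_ROOTFS} apt-get -y upgrade || exit 1`, ideally routed through the existing unmount and clean-up steps so the bind mounts are not left behind. `-y` alone can also still stop at a debconf or conffile prompt; setting `DEBIAN_FRONTEND=noninteractive` for the chrooted call is the usual companion when the template runs unattended.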