[meta-virtualization] [PATCH] lxc: Add OpenSSH support for Busybox containers
Bogdan Purcareata
bogdan.purcareata at freescale.com
Mon May 4 10:51:58 PDT 2015
Add command line parameter to create Busybox containers
with OpenSSH support. As a prerequisite, OpenSSH needs
to be installed on the host system.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
---
.../files/lxc-busybox-add-OpenSSH-support.patch | 246 +++++++++++++++++++++
.../files/make-some-OpenSSH-tools-optional.patch | 49 ++++
recipes-containers/lxc/lxc_1.0.7.bb | 2 +
3 files changed, 297 insertions(+)
create mode 100644 recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch
create mode 100644 recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch
diff --git a/recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch b/recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch
new file mode 100644
index 0000000..f2f332c
--- /dev/null
+++ b/recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch
@@ -0,0 +1,246 @@
+From ed52814c776963efdcc9dcda1ec26fc09930ef93 Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata at freescale.com>
+Date: Wed, 22 Apr 2015 14:53:32 +0000
+Subject: [PATCH] lxc-busybox: add OpenSSH support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add an additional template parameter for SSH support in the container. Currently
+this can be implemented using the Dropbear or OpenSSH utility. The respective
+tool needs to be available on the host Linux.
+
+If the parameter is omitted, the template will look for the Dropbear utility on
+the host and install it if it is available (legacy behavior).
+
+Adding OpenSSH support has been done following the model in the lxc-sshd
+template.
+
+Upstream-status: Accepted
+[https://github.com/lxc/lxc/commit/ed52814c776963efdcc9dcda1ec26fc09930ef93]
+
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
+Acked-by: Stéphane Graber <stgraber at ubuntu.com>
+---
+ templates/lxc-busybox.in | 169 ++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 139 insertions(+), 30 deletions(-)
+
+diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
+index 7e05bd6..95961a3 100644
+--- a/templates/lxc-busybox.in
++++ b/templates/lxc-busybox.in
+@@ -22,6 +22,7 @@
+
+ LXC_MAPPED_UID=
+ LXC_MAPPED_GID=
++SSH=
+
+ # Make sure the usual locations are in PATH
+ export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
+@@ -160,6 +161,116 @@ EOF
+ return $res
+ }
+
++install_dropbear()
++{
++ # copy dropbear binary
++ cp $(which dropbear) $rootfs/usr/sbin
++ if [ $? -ne 0 ]; then
++ echo "Failed to copy dropbear in the rootfs"
++ return 1
++ fi
++
++ # make symlinks to various ssh utilities
++ utils="\
++ $rootfs/usr/bin/dbclient \
++ $rootfs/usr/bin/scp \
++ $rootfs/usr/bin/ssh \
++ $rootfs/usr/sbin/dropbearkey \
++ $rootfs/usr/sbin/dropbearconvert \
++ "
++ echo $utils | xargs -n1 ln -s /usr/sbin/dropbear
++
++ # add necessary config files
++ mkdir $rootfs/etc/dropbear
++ dropbearkey -t rsa -f $rootfs/etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
++ dropbearkey -t dss -f $rootfs/etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1
++
++ echo "'dropbear' ssh utility installed"
++
++ return 0
++}
++
++install_openssh()
++{
++ # tools to be installed
++ server_utils="sshd"
++ client_utils="\
++ ssh \
++ scp \
++ sftp \
++ ssh-add \
++ ssh-agent \
++ ssh-keygen \
++ ssh-keyscan \
++ ssh-argv0 \
++ ssh-copy-id \
++ "
++
++ # new folders used by ssh
++ ssh_tree="\
++$rootfs/etc/ssh \
++$rootfs/var/empty/sshd \
++$rootfs/var/lib/empty/sshd \
++$rootfs/var/run/sshd \
++"
++
++ # create folder structure
++ mkdir -p $ssh_tree
++ if [ $? -ne 0 ]; then
++ return 1
++ fi
++
++ # copy binaries
++ for bin in $server_utils $client_utils; do
++ tool_path=`which $bin`
++ cp $tool_path $rootfs/$tool_path
++ if [ $? -ne 0 ]; then
++ echo "Unable to copy $tool_path in the rootfs"
++ return 1
++ fi
++ done
++
++ # add user and group
++ cat <<EOF >> $rootfs/etc/passwd
++sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
++EOF
++
++ cat <<EOF >> $rootfs/etc/group
++sshd:x:74:
++EOF
++
++ # generate container keys
++ ssh-keygen -t rsa -N "" -f $rootfs/etc/ssh/ssh_host_rsa_key >/dev/null 2>&1
++ ssh-keygen -t dsa -N "" -f $rootfs/etc/ssh/ssh_host_dsa_key >/dev/null 2>&1
++
++ # by default setup root password with no password
++ cat <<EOF > $rootfs/etc/ssh/sshd_config
++Port 22
++Protocol 2
++HostKey /etc/ssh/ssh_host_rsa_key
++HostKey /etc/ssh/ssh_host_dsa_key
++UsePrivilegeSeparation yes
++KeyRegenerationInterval 3600
++ServerKeyBits 768
++SyslogFacility AUTH
++LogLevel INFO
++LoginGraceTime 120
++PermitRootLogin yes
++StrictModes yes
++RSAAuthentication yes
++PubkeyAuthentication yes
++IgnoreRhosts yes
++RhostsRSAAuthentication no
++HostbasedAuthentication no
++PermitEmptyPasswords yes
++ChallengeResponseAuthentication no
++EOF
++
++ echo "'OpenSSH' utility installed"
++
++ return 0
++}
++
+ configure_busybox()
+ {
+ rootfs=$1
+@@ -230,34 +341,6 @@ EOF
+ lxc-unshare -s MOUNT -- /bin/sh < $CHPASSWD_FILE
+ rm $CHPASSWD_FILE
+
+- # add ssh functionality if dropbear package available on host
+- which dropbear >/dev/null 2>&1
+- if [ $? -eq 0 ]; then
+- # copy dropbear binary
+- cp $(which dropbear) $rootfs/usr/sbin
+- if [ $? -ne 0 ]; then
+- echo "Failed to copy dropbear in the rootfs"
+- return 1
+- fi
+-
+- # make symlinks to various ssh utilities
+- utils="\
+- $rootfs/usr/bin/dbclient \
+- $rootfs/usr/bin/scp \
+- $rootfs/usr/bin/ssh \
+- $rootfs/usr/sbin/dropbearkey \
+- $rootfs/usr/sbin/dropbearconvert \
+- "
+- echo $utils | xargs -n1 ln -s /usr/sbin/dropbear
+-
+- # add necessary config files
+- mkdir $rootfs/etc/dropbear
+- dropbearkey -t rsa -f $rootfs/etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
+- dropbearkey -t dss -f $rootfs/etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1
+-
+- echo "'dropbear' ssh utility installed"
+- fi
+-
+ return 0
+ }
+
+@@ -315,12 +398,12 @@ remap_userns()
+ usage()
+ {
+ cat <<EOF
+-$1 -h|--help -p|--path=<path>
++$1 -h|--help -p|--path=<path> -s|--ssh={dropbear,openssh}
+ EOF
+ return 0
+ }
+
+-options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- "$@")
++options=$(getopt -o hp:n:s: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid:,ssh: -- "$@")
+ if [ $? -ne 0 ]; then
+ usage $(basename $0)
+ exit 1
+@@ -336,6 +419,7 @@ do
+ -n|--name) name=$2; shift 2;;
+ --mapped-uid) LXC_MAPPED_UID=$2; shift 2;;
+ --mapped-gid) LXC_MAPPED_GID=$2; shift 2;;
++ -s|--ssh) SSH=$2; shift 2;;
+ --) shift 1; break ;;
+ *) break ;;
+ esac
+@@ -384,3 +468,28 @@ if [ $? -ne 0 ]; then
+ echo "failed to remap files to user"
+ exit 1
+ fi
++
++if [ -n "$SSH" ]; then
++ case "$SSH" in
++ "dropbear")
++ install_dropbear
++ if [ $? -ne 0 ]; then
++ echo "Unable to install 'dropbear' ssh utility"
++ exit 1
++ fi ;;
++ "openssh")
++ install_openssh
++ if [ $? -ne 0 ]; then
++ echo "Unable to install 'OpenSSH' utility"
++ exit 1
++ fi ;;
++ *)
++ echo "$SSH: unrecognized ssh utility"
++ exit 1
++ esac
++else
++ which dropbear >/dev/null 2>&1
++ if [ $? -eq 0 ]; then
++ install_dropbear
++ fi
++fi
+--
+2.1.4
+
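Review bot: The sshd_config that install_openssh writes (the heredoc ending at `EOF` after `ChallengeResponseAuthentication no`) sets `PermitRootLogin yes` and `PermitEmptyPasswords yes`, so a container created with `--ssh=openssh` accepts root logins with an empty password from anything that can reach its port 22, and `PermitEmptyPasswords yes` departs from the OpenSSH default of `no`. If the busybox root account is intended to be passwordless (the comment `# by default setup root password with no password` suggests so, but the chpasswd step runs in configure_busybox outside this view), that trade-off belongs in the patch description and the usage text, and the safer default is `PermitEmptyPasswords no` with a documented way to opt in. Separately, both `ssh-keygen -t ... -N "" -f ...` calls (and the two `dropbearkey` calls in install_dropbear) discard their output and status, so a failed host-key generation still ends with `'OpenSSH' utility installed` and `return 0`; appending `|| return 1` to each key-generation line and keeping stderr visible would surface the failure at creation time. Several options in the heredoc (`Protocol 2`, `ServerKeyBits`, `KeyRegenerationInterval`, `RSAAuthentication`, `RhostsRSAAuthentication`) are SSH-1-era settings that later OpenSSH releases warn about or ignore, which deserves a short comment in the heredoc if the template is expected to be used with newer host tooling.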
diff --git a/recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch b/recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch
new file mode 100644
index 0000000..2d28788
--- /dev/null
+++ b/recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch
@@ -0,0 +1,49 @@
+From 34be0d3cd8c4eaca9929470bc8bce5e74975bccf Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata at freescale.com>
+Date: Thu, 23 Apr 2015 08:33:00 +0000
+Subject: [PATCH] lxc-busybox: make some OpenSSH tools optional
+
+Currently, when installing OpenSSH in a Busybox container, the template searches
+for all the OpenSSH client binaries available in the Debian distro package. The
+included tools might differ from distro to distro, so make part of the tools
+optional. The mandatory tools, without which installing OpenSSH fails, are
+"sshd" for the server and "ssh" and "scp" for the client.
+
+Upstream-Status: Submitted
+[https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-April/011696.html]
+
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
+---
+ templates/lxc-busybox.in | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
+index 95961a3..17a3006 100644
+--- a/templates/lxc-busybox.in
++++ b/templates/lxc-busybox.in
+@@ -197,6 +197,8 @@ install_openssh()
+ client_utils="\
+ ssh \
+ scp \
++ "
++ client_optional_utils="\
+ sftp \
+ ssh-add \
+ ssh-agent \
+@@ -230,6 +232,13 @@ $rootfs/var/run/sshd \
+ fi
+ done
+
++ for bin in $client_optional_utils; do
++ tool_path=`which $bin`
++ if [ $? -eq 0 ]; then
++ cp $tool_path $rootfs/$tool_path
++ fi
++ done
++
+ # add user and group
+ cat <<EOF >> $rootfs/etc/passwd
+ sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
+--
+2.1.4
+
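Review bot: In the new optional-tools loop (`for bin in $client_optional_utils`), the result of `cp $tool_path $rootfs/$tool_path` is not checked, unlike the mandatory loop directly above it, so a tool that `which` finds but that cannot be copied is silently left out of the container. A one-line diagnostic keeps the two loops consistent without making the optional tools mandatory: `cp $tool_path $rootfs/$tool_path || echo "Unable to copy optional $tool_path in the rootfs"`. A tool that `which` does not find is likewise skipped without any message; an `else` branch with `echo "$bin not found on host, skipping"` would tell the user what the resulting container lacks. install_openssh starts and ends outside this hunk.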
diff --git a/recipes-containers/lxc/lxc_1.0.7.bb b/recipes-containers/lxc/lxc_1.0.7.bb
index 0da1e37..f79ba76 100644
--- a/recipes-containers/lxc/lxc_1.0.7.bb
+++ b/recipes-containers/lxc/lxc_1.0.7.bb
@@ -32,6 +32,8 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
file://lxc-busybox-use-lxc.rebootsignal-SIGTERM.patch \
file://ppc-add-seccomp-support-for-lxc.patch \
file://lxc-fix-B-S.patch \
+ file://lxc-busybox-add-OpenSSH-support.patch \
+ file://make-some-OpenSSH-tools-optional.patch \
"
SRC_URI[md5sum] = "b48f468a9bef0e4e140dd723f0a65ad0"
--
1.9.1