[meta-virtualization] [PATCH] lxc: Add OpenSSH support for Busybox containers
Bruce Ashfield
bruce.ashfield at gmail.com
Thu May 7 11:14:34 PDT 2015
Thanks!
merged to master.
Bruce
On Mon, May 4, 2015 at 1:51 PM, Bogdan Purcareata
<bogdan.purcareata at freescale.com> wrote:
> Add a command line parameter to create Busybox containers
> with OpenSSH support. As a prerequisite, OpenSSH needs
> to be installed on the host system.
>
> Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
> ---
> .../files/lxc-busybox-add-OpenSSH-support.patch | 246 +++++++++++++++++++++
> .../files/make-some-OpenSSH-tools-optional.patch | 49 ++++
> recipes-containers/lxc/lxc_1.0.7.bb | 2 +
> 3 files changed, 297 insertions(+)
> create mode 100644 recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch
> create mode 100644 recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch
>
> diff --git a/recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch b/recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch
> new file mode 100644
> index 0000000..f2f332c
> --- /dev/null
> +++ b/recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch
> @@ -0,0 +1,246 @@
> +From ed52814c776963efdcc9dcda1ec26fc09930ef93 Mon Sep 17 00:00:00 2001
> +From: Bogdan Purcareata <bogdan.purcareata at freescale.com>
> +Date: Wed, 22 Apr 2015 14:53:32 +0000
> +Subject: [PATCH] lxc-busybox: add OpenSSH support
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Add an additional template parameter for SSH support in the container. Currently
> +this can be implemented using the Dropbear or OpenSSH utility. The respective
> +tool needs to be available on the host Linux.
> +
> +If the parameter is omitted, the template will look for the Dropbear utility on
> +the host and install it if it is available (legacy behavior).
> +
> +Adding OpenSSH support has been done following the model in the lxc-sshd
> +template.
> +
> +Upstream-status: Accepted
> +[https://github.com/lxc/lxc/commit/ed52814c776963efdcc9dcda1ec26fc09930ef93]
> +
> +Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
> +Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> +---
> + templates/lxc-busybox.in | 169 ++++++++++++++++++++++++++++++++++++++---------
> + 1 file changed, 139 insertions(+), 30 deletions(-)
> +
> +diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> +index 7e05bd6..95961a3 100644
> +--- a/templates/lxc-busybox.in
> ++++ b/templates/lxc-busybox.in
> +@@ -22,6 +22,7 @@
> +
> + LXC_MAPPED_UID=
> + LXC_MAPPED_GID=
> ++SSH=
> +
> + # Make sure the usual locations are in PATH
> + export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
> +@@ -160,6 +161,116 @@ EOF
> + return $res
> + }
> +
> ++install_dropbear()
> ++{
> ++ # copy dropbear binary
> ++ cp $(which dropbear) $rootfs/usr/sbin
> ++ if [ $? -ne 0 ]; then
> ++ echo "Failed to copy dropbear in the rootfs"
> ++ return 1
> ++ fi
> ++
> ++ # make symlinks to various ssh utilities
> ++ utils="\
> ++ $rootfs/usr/bin/dbclient \
> ++ $rootfs/usr/bin/scp \
> ++ $rootfs/usr/bin/ssh \
> ++ $rootfs/usr/sbin/dropbearkey \
> ++ $rootfs/usr/sbin/dropbearconvert \
> ++ "
> ++ echo $utils | xargs -n1 ln -s /usr/sbin/dropbear
> ++
> ++ # add necessary config files
> ++ mkdir $rootfs/etc/dropbear
> ++ dropbearkey -t rsa -f $rootfs/etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
> ++ dropbearkey -t dss -f $rootfs/etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1
> ++
> ++ echo "'dropbear' ssh utility installed"
> ++
> ++ return 0
> ++}
> ++
> ++install_openssh()
> ++{
> ++ # tools to be installed
> ++ server_utils="sshd"
> ++ client_utils="\
> ++ ssh \
> ++ scp \
> ++ sftp \
> ++ ssh-add \
> ++ ssh-agent \
> ++ ssh-keygen \
> ++ ssh-keyscan \
> ++ ssh-argv0 \
> ++ ssh-copy-id \
> ++ "
> ++
> ++ # new folders used by ssh
> ++ ssh_tree="\
> ++$rootfs/etc/ssh \
> ++$rootfs/var/empty/sshd \
> ++$rootfs/var/lib/empty/sshd \
> ++$rootfs/var/run/sshd \
> ++"
> ++
> ++ # create folder structure
> ++ mkdir -p $ssh_tree
> ++ if [ $? -ne 0 ]; then
> ++ return 1
> ++ fi
> ++
> ++ # copy binaries
> ++ for bin in $server_utils $client_utils; do
> ++ tool_path=`which $bin`
> ++ cp $tool_path $rootfs/$tool_path
> ++ if [ $? -ne 0 ]; then
> ++ echo "Unable to copy $tool_path in the rootfs"
> ++ return 1
> ++ fi
> ++ done
> ++
> ++ # add user and group
> ++ cat <<EOF >> $rootfs/etc/passwd
> ++sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
> ++EOF
> ++
> ++ cat <<EOF >> $rootfs/etc/group
> ++sshd:x:74:
> ++EOF
> ++
> ++ # generate container keys
> ++ ssh-keygen -t rsa -N "" -f $rootfs/etc/ssh/ssh_host_rsa_key >/dev/null 2>&1
> ++ ssh-keygen -t dsa -N "" -f $rootfs/etc/ssh/ssh_host_dsa_key >/dev/null 2>&1
> ++
> ++ # by default setup root password with no password
> ++ cat <<EOF > $rootfs/etc/ssh/sshd_config
> ++Port 22
> ++Protocol 2
> ++HostKey /etc/ssh/ssh_host_rsa_key
> ++HostKey /etc/ssh/ssh_host_dsa_key
> ++UsePrivilegeSeparation yes
> ++KeyRegenerationInterval 3600
> ++ServerKeyBits 768
> ++SyslogFacility AUTH
> ++LogLevel INFO
> ++LoginGraceTime 120
> ++PermitRootLogin yes
> ++StrictModes yes
> ++RSAAuthentication yes
> ++PubkeyAuthentication yes
> ++IgnoreRhosts yes
> ++RhostsRSAAuthentication no
> ++HostbasedAuthentication no
> ++PermitEmptyPasswords yes
> ++ChallengeResponseAuthentication no
> ++EOF
> ++
> ++ echo "'OpenSSH' utility installed"
> ++
> ++ return 0
> ++}
> ++
> + configure_busybox()
> + {
> + rootfs=$1
> +@@ -230,34 +341,6 @@ EOF
> + lxc-unshare -s MOUNT -- /bin/sh < $CHPASSWD_FILE
> + rm $CHPASSWD_FILE
> +
> +- # add ssh functionality if dropbear package available on host
> +- which dropbear >/dev/null 2>&1
> +- if [ $? -eq 0 ]; then
> +- # copy dropbear binary
> +- cp $(which dropbear) $rootfs/usr/sbin
> +- if [ $? -ne 0 ]; then
> +- echo "Failed to copy dropbear in the rootfs"
> +- return 1
> +- fi
> +-
> +- # make symlinks to various ssh utilities
> +- utils="\
> +- $rootfs/usr/bin/dbclient \
> +- $rootfs/usr/bin/scp \
> +- $rootfs/usr/bin/ssh \
> +- $rootfs/usr/sbin/dropbearkey \
> +- $rootfs/usr/sbin/dropbearconvert \
> +- "
> +- echo $utils | xargs -n1 ln -s /usr/sbin/dropbear
> +-
> +- # add necessary config files
> +- mkdir $rootfs/etc/dropbear
> +- dropbearkey -t rsa -f $rootfs/etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
> +- dropbearkey -t dss -f $rootfs/etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1
> +-
> +- echo "'dropbear' ssh utility installed"
> +- fi
> +-
> + return 0
> + }
> +
> +@@ -315,12 +398,12 @@ remap_userns()
> + usage()
> + {
> + cat <<EOF
> +-$1 -h|--help -p|--path=<path>
> ++$1 -h|--help -p|--path=<path> -s|--ssh={dropbear,openssh}
> + EOF
> + return 0
> + }
> +
> +-options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- "$@")
> ++options=$(getopt -o hp:n:s: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid:,ssh: -- "$@")
> + if [ $? -ne 0 ]; then
> + usage $(basename $0)
> + exit 1
> +@@ -336,6 +419,7 @@ do
> + -n|--name) name=$2; shift 2;;
> + --mapped-uid) LXC_MAPPED_UID=$2; shift 2;;
> + --mapped-gid) LXC_MAPPED_GID=$2; shift 2;;
> ++ -s|--ssh) SSH=$2; shift 2;;
> + --) shift 1; break ;;
> + *) break ;;
> + esac
> +@@ -384,3 +468,28 @@ if [ $? -ne 0 ]; then
> + echo "failed to remap files to user"
> + exit 1
> + fi
> ++
> ++if [ -n "$SSH" ]; then
> ++ case "$SSH" in
> ++ "dropbear")
> ++ install_dropbear
> ++ if [ $? -ne 0 ]; then
> ++ echo "Unable to install 'dropbear' ssh utility"
> ++ exit 1
> ++ fi ;;
> ++ "openssh")
> ++ install_openssh
> ++ if [ $? -ne 0 ]; then
> ++ echo "Unable to install 'OpenSSH' utility"
> ++ exit 1
> ++ fi ;;
> ++ *)
> ++ echo "$SSH: unrecognized ssh utility"
> ++ exit 1
> ++ esac
> ++else
> ++ which dropbear >/dev/null 2>&1
> ++ if [ $? -eq 0 ]; then
> ++ install_dropbear
> ++ fi
> ++fi
> +--
> +2.1.4
> +
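Review bot: The sshd_config written by install_openssh combines `PermitRootLogin yes` with `PermitEmptyPasswords yes`, and the comment above it says root is set up with no password, so any peer that can reach port 22 of the container gets a root shell without credentials; nothing in the hunk restricts this or warns the user. Unless empty-password root login is the intended default for these throwaway containers, I would ship `PermitRootLogin without-password` and `PermitEmptyPasswords no` and let the user opt in, or at least add `# WARNING: root login with an empty password is allowed by default` to the generated file and mention it in the --ssh help text. The two `ssh-keygen` calls also discard their exit status and output, so a failed key generation leaves a container whose sshd cannot start; appending `|| return 1` to each would make install_openssh fail the same way the copy loop does. `ServerKeyBits` and `KeyRegenerationInterval` are SSH-1 settings that are ignored under `Protocol 2` and can be dropped, and the DSA host key is worth dropping too since current OpenSSH releases are deprecating ssh-dss.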
> diff --git a/recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch b/recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch
> new file mode 100644
> index 0000000..2d28788
> --- /dev/null
> +++ b/recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch
> @@ -0,0 +1,49 @@
> +From 34be0d3cd8c4eaca9929470bc8bce5e74975bccf Mon Sep 17 00:00:00 2001
> +From: Bogdan Purcareata <bogdan.purcareata at freescale.com>
> +Date: Thu, 23 Apr 2015 08:33:00 +0000
> +Subject: [PATCH] lxc-busybox: make some OpenSSH tools optional
> +
> +Currently, when installing OpenSSH in a Busybox container, the template searches
> +for all the OpenSSH client binaries available in the Debian distro package. The
> +included tools might differ from distro to distro, so make part of the tools
> +optional. The mandatory tools, without which installing OpenSSH fails, are
> +"sshd" for the server and "ssh" and "scp" for the client.
> +
> +Upstream-Status: Submitted
> +[https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-April/011696.html]
> +
> +Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
> +---
> + templates/lxc-busybox.in | 9 +++++++++
> + 1 file changed, 9 insertions(+)
> +
> +diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> +index 95961a3..17a3006 100644
> +--- a/templates/lxc-busybox.in
> ++++ b/templates/lxc-busybox.in
> +@@ -197,6 +197,8 @@ install_openssh()
> + client_utils="\
> + ssh \
> + scp \
> ++ "
> ++ client_optional_utils="\
> + sftp \
> + ssh-add \
> + ssh-agent \
> +@@ -230,6 +232,13 @@ $rootfs/var/run/sshd \
> + fi
> + done
> +
> ++ for bin in $client_optional_utils; do
> ++ tool_path=`which $bin`
> ++ if [ $? -eq 0 ]; then
> ++ cp $tool_path $rootfs/$tool_path
> ++ fi
> ++ done
> ++
> + # add user and group
> + cat <<EOF >> $rootfs/etc/passwd
> + sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
> +--
> +2.1.4
> +
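Review bot: The optional loop copies whatever `which` finds on the host into `$rootfs/$tool_path`, but like the mandatory loop above it copies only the executable, not the shared libraries the OpenSSH binaries are linked against (typically libcrypto, libz, libcrypt); unless the template already populates the rootfs with the host's libraries somewhere outside this hunk, the copied tools will not run inside the container. A comment such as `# NOTE: binaries are copied as-is; their shared libraries must already be present in the rootfs` above the loops would record that assumption, and an `ldd`-based check of the first copied binary would turn a missing library into a template error instead of a confusing failure at container runtime. The loop also skips silently when a tool is absent; printing which optional tools were skipped would help users who expect sftp or ssh-agent to be available. install_openssh starts and ends outside this hunk.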
> diff --git a/recipes-containers/lxc/lxc_1.0.7.bb b/recipes-containers/lxc/lxc_1.0.7.bb
> index 0da1e37..f79ba76 100644
> --- a/recipes-containers/lxc/lxc_1.0.7.bb
> +++ b/recipes-containers/lxc/lxc_1.0.7.bb
> @@ -32,6 +32,8 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
> file://lxc-busybox-use-lxc.rebootsignal-SIGTERM.patch \
> file://ppc-add-seccomp-support-for-lxc.patch \
> file://lxc-fix-B-S.patch \
> + file://lxc-busybox-add-OpenSSH-support.patch \
> + file://make-some-OpenSSH-tools-optional.patch \
> "
>
> SRC_URI[md5sum] = "b48f468a9bef0e4e140dd723f0a65ad0"
> --
> 1.9.1
>