lxc: Add OpenSSH support for Busybox containers

Add command line parameter to create Busybox containers with OpenSSH support. As a prerequisite, OpenSSH needs to be installed on the host system. Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
2025-07-05 05:15:25 +02:00 · 2015-05-04 17:51:58 +00:00 · 2015-05-04 17:51:58 +00:00 · c59f888d61
commit c59f888d61
parent f23b699283
3 changed files with 297 additions and 0 deletions
--- a/recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch
+++ b/recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch
@ -0,0 +1,246 @@
+From ed52814c776963efdcc9dcda1ec26fc09930ef93 Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
+Date: Wed, 22 Apr 2015 14:53:32 +0000
+Subject: [PATCH] lxc-busybox: add OpenSSH support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add an additional template parameter for SSH support in the container. Currently
+this can be implemented using the Dropbear or OpenSSH utility. The respective
+tool needs to be available on the host Linux.
+
+If the parameter is omitted, the template will look for the Dropbear utility on
+the host and install it if it is available (legacy behavior).
+
+Adding OpenSSH support has been done following the model in the lxc-sshd
+template.
+
+Upstream-status: Accepted
+[https://github.com/lxc/lxc/commit/ed52814c776963efdcc9dcda1ec26fc09930ef93]
+
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
+Acked-by: Stéphane Graber <stgraber@ubuntu.com>
+---
+ templates/lxc-busybox.in | 169 ++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 139 insertions(+), 30 deletions(-)
+
+diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
+index 7e05bd6..95961a3 100644
+--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
+@@ -22,6 +22,7 @@
+ 
+ LXC_MAPPED_UID=
+ LXC_MAPPED_GID=
+SSH=
+ 
+ # Make sure the usual locations are in PATH
+ export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
+@@ -160,6 +161,116 @@ EOF
+     return $res
+ }
+ 
+install_dropbear()
+{
+    # copy dropbear binary
+    cp $(which dropbear) $rootfs/usr/sbin
+    if [ $? -ne 0 ]; then
+        echo "Failed to copy dropbear in the rootfs"
+        return 1
+    fi
+
+    # make symlinks to various ssh utilities
+    utils="\
+        $rootfs/usr/bin/dbclient \
+        $rootfs/usr/bin/scp \
+        $rootfs/usr/bin/ssh \
+        $rootfs/usr/sbin/dropbearkey \
+        $rootfs/usr/sbin/dropbearconvert \
+    "
+    echo $utils | xargs -n1 ln -s /usr/sbin/dropbear
+
+    # add necessary config files
+    mkdir $rootfs/etc/dropbear
+    dropbearkey -t rsa -f $rootfs/etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
+    dropbearkey -t dss -f $rootfs/etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1
+
+    echo "'dropbear' ssh utility installed"
+
+    return 0
+}
+
+install_openssh()
+{
+    # tools to be installed
+    server_utils="sshd"
+    client_utils="\
+        ssh \
+        scp \
+        sftp \
+        ssh-add \
+        ssh-agent \
+        ssh-keygen \
+        ssh-keyscan \
+        ssh-argv0 \
+        ssh-copy-id \
+        "
+
+    # new folders used by ssh
+    ssh_tree="\
+$rootfs/etc/ssh \
+$rootfs/var/empty/sshd \
+$rootfs/var/lib/empty/sshd \
+$rootfs/var/run/sshd \
+"
+
+    # create folder structure
+    mkdir -p $ssh_tree
+    if [ $? -ne 0 ]; then
+        return 1
+    fi
+
+    # copy binaries
+    for bin in $server_utils $client_utils; do
+        tool_path=`which $bin`
+        cp $tool_path $rootfs/$tool_path
+        if [ $? -ne 0 ]; then
+            echo "Unable to copy $tool_path in the rootfs"
+            return 1
+        fi
+    done
+
+    # add user and group
+    cat <<EOF >> $rootfs/etc/passwd
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
+EOF
+
+    cat <<EOF >> $rootfs/etc/group
+sshd:x:74:
+EOF
+
+    # generate container keys
+    ssh-keygen -t rsa -N "" -f $rootfs/etc/ssh/ssh_host_rsa_key >/dev/null 2>&1
+    ssh-keygen -t dsa -N "" -f $rootfs/etc/ssh/ssh_host_dsa_key >/dev/null 2>&1
+
+    # by default setup root password with no password
+    cat <<EOF > $rootfs/etc/ssh/sshd_config
+Port 22
+Protocol 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+UsePrivilegeSeparation yes
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+SyslogFacility AUTH
+LogLevel INFO
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+RSAAuthentication yes
+PubkeyAuthentication yes
+IgnoreRhosts yes
+RhostsRSAAuthentication no
+HostbasedAuthentication no
+PermitEmptyPasswords yes
+ChallengeResponseAuthentication no
+EOF
+
+    echo "'OpenSSH' utility installed"
+
+    return 0
+}
+
+ configure_busybox()
+ {
+     rootfs=$1
+@@ -230,34 +341,6 @@ EOF
+     lxc-unshare -s MOUNT -- /bin/sh < $CHPASSWD_FILE
+     rm $CHPASSWD_FILE
+ 
+-    # add ssh functionality if dropbear package available on host
+-    which dropbear >/dev/null 2>&1
+-    if [ $? -eq 0 ]; then
+-        # copy dropbear binary
+-        cp $(which dropbear) $rootfs/usr/sbin
+-        if [ $? -ne 0 ]; then
+-            echo "Failed to copy dropbear in the rootfs"
+-            return 1
+-        fi
+-
+-        # make symlinks to various ssh utilities
+-        utils="\
+-            $rootfs/usr/bin/dbclient \
+-            $rootfs/usr/bin/scp \
+-            $rootfs/usr/bin/ssh \
+-            $rootfs/usr/sbin/dropbearkey \
+-            $rootfs/usr/sbin/dropbearconvert \
+-        "
+-        echo $utils | xargs -n1 ln -s /usr/sbin/dropbear
+-
+-        # add necessary config files
+-        mkdir $rootfs/etc/dropbear
+-        dropbearkey -t rsa -f $rootfs/etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1
+-        dropbearkey -t dss -f $rootfs/etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1
+-
+-        echo "'dropbear' ssh utility installed"
+-    fi
+-
+     return 0
+ }
+ 
+@@ -315,12 +398,12 @@ remap_userns()
+ usage()
+ {
+     cat <<EOF
+-$1 -h|--help -p|--path=<path>
+$1 -h|--help -p|--path=<path> -s|--ssh={dropbear,openssh}
+ EOF
+     return 0
+ }
+ 
+-options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- "$@")
+options=$(getopt -o hp:n:s: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid:,ssh: -- "$@")
+ if [ $? -ne 0 ]; then
+     usage $(basename $0)
+     exit 1
+@@ -336,6 +419,7 @@ do
+         -n|--name)      name=$2; shift 2;;
+         --mapped-uid)   LXC_MAPPED_UID=$2; shift 2;;
+         --mapped-gid)   LXC_MAPPED_GID=$2; shift 2;;
+        -s|--ssh)       SSH=$2; shift 2;;
+         --)             shift 1; break ;;
+         *)              break ;;
+     esac
+@@ -384,3 +468,28 @@ if [ $? -ne 0 ]; then
+     echo "failed to remap files to user"
+     exit 1
+ fi
+
+if [ -n "$SSH" ]; then
+    case "$SSH" in
+        "dropbear")
+            install_dropbear
+            if [ $? -ne 0 ]; then
+                echo "Unable to install 'dropbear' ssh utility"
+                exit 1
+            fi ;;
+        "openssh")
+            install_openssh
+            if [ $? -ne 0 ]; then
+                echo "Unable to install 'OpenSSH' utility"
+                exit 1
+            fi ;;
+        *)
+            echo "$SSH: unrecognized ssh utility"
+            exit 1
+    esac
+else
+    which dropbear >/dev/null 2>&1
+    if [ $? -eq 0 ]; then
+        install_dropbear
+    fi
+fi
+-- 
+2.1.4
+
--- a/recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch
+++ b/recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch
@ -0,0 +1,49 @@
+From 34be0d3cd8c4eaca9929470bc8bce5e74975bccf Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
+Date: Thu, 23 Apr 2015 08:33:00 +0000
+Subject: [PATCH] lxc-busybox: make some OpenSSH tools optional
+
+Currently, when installing OpenSSH in a Busybox container, the template searches
+for all the OpenSSH client binaries available in the Debian distro package. The
+included tools might differ from distro to distro, so make part of the tools
+optional. The mandatory tools, without which installing OpenSSH fails, are
+"sshd" for the server and "ssh" and "scp" for the client.
+
+Upstream-Status: Submitted
+[https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-April/011696.html]
+
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
+---
+ templates/lxc-busybox.in | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
+index 95961a3..17a3006 100644
+--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
+@@ -197,6 +197,8 @@ install_openssh()
+     client_utils="\
+         ssh \
+         scp \
+        "
+    client_optional_utils="\
+         sftp \
+         ssh-add \
+         ssh-agent \
+@@ -230,6 +232,13 @@ $rootfs/var/run/sshd \
+         fi
+     done
+ 
+    for bin in $client_optional_utils; do
+        tool_path=`which $bin`
+        if [ $? -eq 0 ]; then
+            cp $tool_path $rootfs/$tool_path
+        fi
+    done
+
+     # add user and group
+     cat <<EOF >> $rootfs/etc/passwd
+ sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
+-- 
+2.1.4
+
--- a/recipes-containers/lxc/lxc_1.0.7.bb
+++ b/recipes-containers/lxc/lxc_1.0.7.bb
@ -32,6 +32,8 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
 	file://lxc-busybox-use-lxc.rebootsignal-SIGTERM.patch \
 	file://ppc-add-seccomp-support-for-lxc.patch \
 	file://lxc-fix-B-S.patch \
+	file://lxc-busybox-add-OpenSSH-support.patch \
+	file://make-some-OpenSSH-tools-optional.patch \
 	"

 SRC_URI[md5sum] = "b48f468a9bef0e4e140dd723f0a65ad0"