From c59f888d6149acfd486658bb3a2b4feb4217f29f Mon Sep 17 00:00:00 2001 From: Bogdan Purcareata Date: Mon, 4 May 2015 17:51:58 +0000 Subject: [PATCH] lxc: Add OpenSSH support for Busybox containers Add command line parameter to create Busybox containers with OpenSSH support. As a prerequisite, OpenSSH needs to be installed on the host system. Signed-off-by: Bogdan Purcareata Signed-off-by: Bruce Ashfield --- .../lxc-busybox-add-OpenSSH-support.patch | 246 ++++++++++++++++++ .../make-some-OpenSSH-tools-optional.patch | 49 ++++ recipes-containers/lxc/lxc_1.0.7.bb | 2 + 3 files changed, 297 insertions(+) create mode 100644 recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch create mode 100644 recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch diff --git a/recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch b/recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch new file mode 100644 index 00000000..f2f332cb --- /dev/null +++ b/recipes-containers/lxc/files/lxc-busybox-add-OpenSSH-support.patch @@ -0,0 +1,246 @@ +From ed52814c776963efdcc9dcda1ec26fc09930ef93 Mon Sep 17 00:00:00 2001 +From: Bogdan Purcareata +Date: Wed, 22 Apr 2015 14:53:32 +0000 +Subject: [PATCH] lxc-busybox: add OpenSSH support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add an additional template parameter for SSH support in the container. Currently +this can be implemented using the Dropbear or OpenSSH utility. The respective +tool needs to be available on the host Linux. + +If the parameter is omitted, the template will look for the Dropbear utility on +the host and install it if it is available (legacy behavior). + +Adding OpenSSH support has been done following the model in the lxc-sshd +template. + +Upstream-status: Accepted +[https://github.com/lxc/lxc/commit/ed52814c776963efdcc9dcda1ec26fc09930ef93] + +Signed-off-by: Bogdan Purcareata +Acked-by: Stéphane Graber +--- + templates/lxc-busybox.in | 169 ++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 139 insertions(+), 30 deletions(-) + +diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in +index 7e05bd6..95961a3 100644 +--- a/templates/lxc-busybox.in ++++ b/templates/lxc-busybox.in +@@ -22,6 +22,7 @@ + + LXC_MAPPED_UID= + LXC_MAPPED_GID= ++SSH= + + # Make sure the usual locations are in PATH + export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin +@@ -160,6 +161,116 @@ EOF + return $res + } + ++install_dropbear() ++{ ++ # copy dropbear binary ++ cp $(which dropbear) $rootfs/usr/sbin ++ if [ $? -ne 0 ]; then ++ echo "Failed to copy dropbear in the rootfs" ++ return 1 ++ fi ++ ++ # make symlinks to various ssh utilities ++ utils="\ ++ $rootfs/usr/bin/dbclient \ ++ $rootfs/usr/bin/scp \ ++ $rootfs/usr/bin/ssh \ ++ $rootfs/usr/sbin/dropbearkey \ ++ $rootfs/usr/sbin/dropbearconvert \ ++ " ++ echo $utils | xargs -n1 ln -s /usr/sbin/dropbear ++ ++ # add necessary config files ++ mkdir $rootfs/etc/dropbear ++ dropbearkey -t rsa -f $rootfs/etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1 ++ dropbearkey -t dss -f $rootfs/etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1 ++ ++ echo "'dropbear' ssh utility installed" ++ ++ return 0 ++} ++ ++install_openssh() ++{ ++ # tools to be installed ++ server_utils="sshd" ++ client_utils="\ ++ ssh \ ++ scp \ ++ sftp \ ++ ssh-add \ ++ ssh-agent \ ++ ssh-keygen \ ++ ssh-keyscan \ ++ ssh-argv0 \ ++ ssh-copy-id \ ++ " ++ ++ # new folders used by ssh ++ ssh_tree="\ ++$rootfs/etc/ssh \ ++$rootfs/var/empty/sshd \ ++$rootfs/var/lib/empty/sshd \ ++$rootfs/var/run/sshd \ ++" ++ ++ # create folder structure ++ mkdir -p $ssh_tree ++ if [ $? -ne 0 ]; then ++ return 1 ++ fi ++ ++ # copy binaries ++ for bin in $server_utils $client_utils; do ++ tool_path=`which $bin` ++ cp $tool_path $rootfs/$tool_path ++ if [ $? -ne 0 ]; then ++ echo "Unable to copy $tool_path in the rootfs" ++ return 1 ++ fi ++ done ++ ++ # add user and group ++ cat <> $rootfs/etc/passwd ++sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin ++EOF ++ ++ cat <> $rootfs/etc/group ++sshd:x:74: ++EOF ++ ++ # generate container keys ++ ssh-keygen -t rsa -N "" -f $rootfs/etc/ssh/ssh_host_rsa_key >/dev/null 2>&1 ++ ssh-keygen -t dsa -N "" -f $rootfs/etc/ssh/ssh_host_dsa_key >/dev/null 2>&1 ++ ++ # by default setup root password with no password ++ cat < $rootfs/etc/ssh/sshd_config ++Port 22 ++Protocol 2 ++HostKey /etc/ssh/ssh_host_rsa_key ++HostKey /etc/ssh/ssh_host_dsa_key ++UsePrivilegeSeparation yes ++KeyRegenerationInterval 3600 ++ServerKeyBits 768 ++SyslogFacility AUTH ++LogLevel INFO ++LoginGraceTime 120 ++PermitRootLogin yes ++StrictModes yes ++RSAAuthentication yes ++PubkeyAuthentication yes ++IgnoreRhosts yes ++RhostsRSAAuthentication no ++HostbasedAuthentication no ++PermitEmptyPasswords yes ++ChallengeResponseAuthentication no ++EOF ++ ++ echo "'OpenSSH' utility installed" ++ ++ return 0 ++} ++ + configure_busybox() + { + rootfs=$1 +@@ -230,34 +341,6 @@ EOF + lxc-unshare -s MOUNT -- /bin/sh < $CHPASSWD_FILE + rm $CHPASSWD_FILE + +- # add ssh functionality if dropbear package available on host +- which dropbear >/dev/null 2>&1 +- if [ $? -eq 0 ]; then +- # copy dropbear binary +- cp $(which dropbear) $rootfs/usr/sbin +- if [ $? -ne 0 ]; then +- echo "Failed to copy dropbear in the rootfs" +- return 1 +- fi +- +- # make symlinks to various ssh utilities +- utils="\ +- $rootfs/usr/bin/dbclient \ +- $rootfs/usr/bin/scp \ +- $rootfs/usr/bin/ssh \ +- $rootfs/usr/sbin/dropbearkey \ +- $rootfs/usr/sbin/dropbearconvert \ +- " +- echo $utils | xargs -n1 ln -s /usr/sbin/dropbear +- +- # add necessary config files +- mkdir $rootfs/etc/dropbear +- dropbearkey -t rsa -f $rootfs/etc/dropbear/dropbear_rsa_host_key > /dev/null 2>&1 +- dropbearkey -t dss -f $rootfs/etc/dropbear/dropbear_dss_host_key > /dev/null 2>&1 +- +- echo "'dropbear' ssh utility installed" +- fi +- + return 0 + } + +@@ -315,12 +398,12 @@ remap_userns() + usage() + { + cat < ++$1 -h|--help -p|--path= -s|--ssh={dropbear,openssh} + EOF + return 0 + } + +-options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- "$@") ++options=$(getopt -o hp:n:s: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid:,ssh: -- "$@") + if [ $? -ne 0 ]; then + usage $(basename $0) + exit 1 +@@ -336,6 +419,7 @@ do + -n|--name) name=$2; shift 2;; + --mapped-uid) LXC_MAPPED_UID=$2; shift 2;; + --mapped-gid) LXC_MAPPED_GID=$2; shift 2;; ++ -s|--ssh) SSH=$2; shift 2;; + --) shift 1; break ;; + *) break ;; + esac +@@ -384,3 +468,28 @@ if [ $? -ne 0 ]; then + echo "failed to remap files to user" + exit 1 + fi ++ ++if [ -n "$SSH" ]; then ++ case "$SSH" in ++ "dropbear") ++ install_dropbear ++ if [ $? -ne 0 ]; then ++ echo "Unable to install 'dropbear' ssh utility" ++ exit 1 ++ fi ;; ++ "openssh") ++ install_openssh ++ if [ $? -ne 0 ]; then ++ echo "Unable to install 'OpenSSH' utility" ++ exit 1 ++ fi ;; ++ *) ++ echo "$SSH: unrecognized ssh utility" ++ exit 1 ++ esac ++else ++ which dropbear >/dev/null 2>&1 ++ if [ $? -eq 0 ]; then ++ install_dropbear ++ fi ++fi +-- +2.1.4 + diff --git a/recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch b/recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch new file mode 100644 index 00000000..2d287885 --- /dev/null +++ b/recipes-containers/lxc/files/make-some-OpenSSH-tools-optional.patch @@ -0,0 +1,49 @@ +From 34be0d3cd8c4eaca9929470bc8bce5e74975bccf Mon Sep 17 00:00:00 2001 +From: Bogdan Purcareata +Date: Thu, 23 Apr 2015 08:33:00 +0000 +Subject: [PATCH] lxc-busybox: make some OpenSSH tools optional + +Currently, when installing OpenSSH in a Busybox container, the template searches +for all the OpenSSH client binaries available in the Debian distro package. The +included tools might differ from distro to distro, so make part of the tools +optional. The mandatory tools, without which installing OpenSSH fails, are +"sshd" for the server and "ssh" and "scp" for the client. + +Upstream-Status: Submitted +[https://lists.linuxcontainers.org/pipermail/lxc-devel/2015-April/011696.html] + +Signed-off-by: Bogdan Purcareata +--- + templates/lxc-busybox.in | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in +index 95961a3..17a3006 100644 +--- a/templates/lxc-busybox.in ++++ b/templates/lxc-busybox.in +@@ -197,6 +197,8 @@ install_openssh() + client_utils="\ + ssh \ + scp \ ++ " ++ client_optional_utils="\ + sftp \ + ssh-add \ + ssh-agent \ +@@ -230,6 +232,13 @@ $rootfs/var/run/sshd \ + fi + done + ++ for bin in $client_optional_utils; do ++ tool_path=`which $bin` ++ if [ $? -eq 0 ]; then ++ cp $tool_path $rootfs/$tool_path ++ fi ++ done ++ + # add user and group + cat <> $rootfs/etc/passwd + sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin +-- +2.1.4 + diff --git a/recipes-containers/lxc/lxc_1.0.7.bb b/recipes-containers/lxc/lxc_1.0.7.bb index 0da1e37f..f79ba762 100644 --- a/recipes-containers/lxc/lxc_1.0.7.bb +++ b/recipes-containers/lxc/lxc_1.0.7.bb @@ -32,6 +32,8 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \ file://lxc-busybox-use-lxc.rebootsignal-SIGTERM.patch \ file://ppc-add-seccomp-support-for-lxc.patch \ file://lxc-fix-B-S.patch \ + file://lxc-busybox-add-OpenSSH-support.patch \ + file://make-some-OpenSSH-tools-optional.patch \ " SRC_URI[md5sum] = "b48f468a9bef0e4e140dd723f0a65ad0"