toft 0.0.2 → 0.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/Gemfile.lock +1 -1
- data/Rakefile +13 -0
- data/features/checker.feature +1 -1
- data/features/step_definitions/node.rb +2 -2
- data/features/support/env.rb +1 -1
- data/lib/toft/node.rb +7 -6
- data/lib/toft/node_controller.rb +2 -2
- data/lib/toft/version.rb +1 -1
- data/lib/toft.rb +2 -2
- data/scripts/centos/bin/lxc-prepare-host +39 -0
- data/scripts/cookbooks/lxc/files/default/lxc-create-ubuntu-image +26 -12
- data/scripts/cookbooks/lxc/recipes/default.rb +7 -1
- data/scripts/cookbooks/lxc/templates/default/lxc-lucid-chef +11 -7
- data/scripts/cookbooks/lxc/templates/default/lxc-natty-chef +253 -0
- data/scripts/{bash → ubuntu/bin}/install-chef-ubuntu.sh +8 -0
- data/scripts/{bash → ubuntu/bin}/install-rvm.sh +2 -0
- data/scripts/ubuntu/bin/lxc-create-centos-image +56 -0
- data/scripts/ubuntu/bin/lxc-create-ubuntu-image +75 -0
- data/scripts/ubuntu/bin/lxc-prepare-host +24 -0
- data/scripts/ubuntu/lxc-templates/lxc-centos-6 +283 -0
- data/scripts/ubuntu/lxc-templates/lxc-lucid +332 -0
- data/scripts/ubuntu/lxc-templates/lxc-natty +253 -0
- metadata +15 -7
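--- a/data/scripts/ubuntu/bin/lxc-create-ubuntu-image
+++ b/data/scripts/ubuntu/bin/lxc-create-ubuntu-image
@@ -0,0 +1,75 @@
+#!/bin/bash
+
+if [ $# -eq 0 ]; then
+echo "Usage: `basename $0` <sid|wheeze|squeeze|lenny|lucid|maverick|natty>"
+exit 1
+fi
+
+username=`id -nu`
+if [ ! "$username" = "root" ]; then
+echo "This command has to be run as root!"
+exit 1
+fi
+
+cache="/var/cache/lxc/ubuntu"
+suite=$1
+
+arch=$(arch)
+if [ "$arch" == "x86_64" ]; then
+arch=amd64
+fi
+
+if [ "$arch" == "i686" ]; then
+arch=i386
+fi
+
+if [ -e "$cache/$suite-$arch.tar.gz" ]; then
+echo "Cache rootfs already exists!"
+exit 0
+fi
+
+lucid_packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,dhcp3-client,ssh,lsb-release,wget,gpgv,gnupg,sudo,ruby,rubygems1.8,ruby-dev,libopenssl-ruby,build-essential,ssl-cert
+natty_packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,isc-dhcp-client,isc-dhcp-common,ssh,lsb-release,gnupg,netbase,lxcguest,sudo,ruby,rubygems1.8,ruby-dev,libruby,build-essential,wget,ssl-cert
+# check the mini ubuntu was not already downloaded
+rm -rf "$cache/$suite-$arch"
+mkdir -p "$cache/$suite-$arch"
+if [ $? -ne 0 ]; then
+echo "Failed to create '$cache/$suite-$arch' directory"
+exit 1
+fi
+
+# download a mini ubuntu into a cache
+echo "Downloading ubuntu minimal ..."
+eval "packages=\$${suite}_packages"
+cmd="debootstrap --verbose --variant=minbase --components=main,universe --arch=$arch --include=$packages $suite $cache/$suite-$arch"
+echo $cmd
+eval $cmd
+if [ $? -ne 0 ]; then
+echo "Failed to download the rootfs, aborting."
+exit 1
+fi
+
+echo "Download complete."
+
+# install chef
+cat <<EOF > "$cache/$suite-$arch/tmp/install-chef-ubuntu.sh"
+echo "deb http://apt.opscode.com/ $suite-0.10 main" | tee /etc/apt/sources.list.d/opscode.list
+
+mkdir -p /etc/apt/trusted.gpg.d
+gpg --keyserver keys.gnupg.net --recv-keys 83EF826A
+gpg --export packages@opscode.com | tee /etc/apt/trusted.gpg.d/opscode-keyring.gpg > /dev/null
+apt-get update
+apt-get install ucf --force-yes -y
+yes | apt-get install opscode-keyring --force-yes -y # permanent upgradeable keyring
+
+export DEBIAN_FRONTEND=noninteractive
+apt-get install chef --force-yes -qy
+EOF
+chroot "$cache/$suite-$arch" bash /tmp/install-chef-ubuntu.sh
+
+# compress root image
+echo "Packaging rootfs ..."
+(cd $cache/$suite-$arch && tar zcf $suite-$arch.tar.gz .)
+mv $cache/$suite-$arch/$suite-$arch.tar.gz $cache
+
+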
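Review bot: `suite=$1` (line 15) is never checked against the list printed in the usage message, yet it is spliced into `eval "packages=\$${suite}_packages"`, `eval $cmd` and `rm -rf "$cache/$suite-$arch"`; any value other than `lucid` or `natty` yields an empty `$packages`, and a value containing shell metacharacters is executed by the two `eval`s. A guard right after the assignment, `case "$suite" in lucid|natty) ;; *) echo "unsupported suite: $suite" >&2; exit 1;; esac`, closes both, and the eval indirection can then become `pkgvar=${suite}_packages; packages=${!pkgvar}`. The `chroot "$cache/$suite-$arch" bash /tmp/install-chef-ubuntu.sh` step's exit status is not checked, so a failed chef install is still packaged into the cached tarball. Inside the generated script the keyring is fetched by the 8-hex-digit short id `83EF826A`, which is not collision-resistant, so the full fingerprint should be used; and `--force-yes` on the `apt-get install` lines disables apt's signature verification entirely and can be dropped once the keyring is installed.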
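--- a/data/scripts/ubuntu/bin/lxc-prepare-host
+++ b/data/scripts/ubuntu/bin/lxc-prepare-host
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+username=`id -nu`
+if [ ! "$username" = "root" ]; then
+echo "This command has to be run as root!"
+exit 1
+fi
+
+apt-get install -y lxc bridge-utils debootstrap
+
+if [[ ! `ip link ls dev br0` ]]; then
+brctl addbr br0
+ifconfig br0 192.168.20.1 netmask 255.255.255.0 up
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+sysctl -w net.ipv4.ip_forward=1
+fi
+
+if [[ ! -d /cgroup ]]; then
+mkdir -p /cgroup
+fi
+
+if [[ ! `mount | grep cgroup` ]]; then
+mount none -t cgroup /cgroup
+fi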
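Review bot: The `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` rule (line 14) has no source match, so every packet the host forwards out of `eth0` is NATed, not only traffic from the `192.168.20.0/24` bridge configured on the line above; restrict it with `-s 192.168.20.0/24`, and guard the append with `iptables -t nat -C ... || iptables -t nat -A ...` so reruns after `br0` is gone do not stack duplicate rules. `sysctl -w net.ipv4.ip_forward=1` and the bridge itself are not persisted, so a comment stating that this script is meant to be rerun on every boot, if that is the intent, would save the next reader a surprise. `[[ ! `ip link ls dev br0` ]]` and `[[ ! `mount | grep cgroup` ]]` test captured output rather than exit status; `if ! ip link show dev br0 >/dev/null 2>&1; then` and `if ! mount | grep -q cgroup; then` state the same checks directly.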
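--- a/data/scripts/ubuntu/lxc-templates/lxc-centos-6
+++ b/data/scripts/ubuntu/lxc-templates/lxc-centos-6
@@ -0,0 +1,283 @@
+#!/bin/bash
+
+echo "Creating centos-6 node..."
+
+configure_centos()
+{
+rootfs=$1
+hostname=$2
+
+# disable selinux in centos
+mkdir -p $rootfs/selinux
+echo 0 > $rootfs/selinux/enforce
+
+# add host root ssh access
+mkdir $rootfs/root/.ssh
+chmod 0600 $rootfs/root/.ssh
+cat <<-EOF > $rootfs/root/.ssh/authorized_keys
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCguB7XL3ARzLZYLsIMZe4UUO371m+H5C6V8MhtmSlgXtgHDo7eZhNSm5zCeoyGd32OKeLxuxCCEkXfDDF1aa2a6twcASE3pmWNdnBS7auiOH4P7g+eQ4Aw9v7DdESbIVgHF/NDiAEFFdmApYNM3oCX2FhEVNVKxkkIokUr4axYFJzmJ6Xoi5Sd8JtPC85FZVXqDucZDnHQlOcCkbSo0UOmsWQGwtu8eUHoDeUG0dB8ntb9xlBeLctdrAPhuFYCX8IfFkdcakkzv61ETPbKE6g9wdTDC/TEep7/AHGYmarziRnwKiVOL1jnE1coOJLqy8wOC3dKGmRZy9D4sTc+FRV root insecure public key
+EOF
+
+# copy host resolve
+cp /etc/resolv.conf $rootfs/etc/resolv.conf
+
+# add default route to host
+cat <<EOF > $rootfs/etc/rc.local
+#!/bin/sh -e
+route add default gw 192.168.20.1
+exit 0
+EOF
+
+# set the hostname
+cat <<EOF > $rootfs/etc/hostname
+$hostname
+EOF
+# set minimal hosts
+cat <<EOF > $rootfs/etc/hosts
+127.0.0.1 localhost $hostname
+EOF
+
+cat <<EOF > $rootfs/etc/init/console.conf
+# console - mingetty
+#
+# This service maintains a console on tty1 from the point the system is
+# started until it is shut down again.
+
+start on stopped rc RUNLEVEL=[2345]
+stop on runlevel [!2345]
+
+respawn
+exec /sbin/mingetty console
+EOF
+
+cat <<EOF > $rootfs/etc/fstab
+none /dev/pts devpts defaults 0 0
+EOF
+
+[ ! -f $rootfs/etc/init/kexec-disable.conf ] || mv $rootfs/etc/init/kexec-disable.conf $rootfs/etc/init/kexec-disable.conf.orig
+sed -i -e 's:/sbin/start_udev:#/sbin/start_udev:' $rootfs/etc/rc.d/rc.sysinit
+
+sed -i -e 's:\(Defaults *requiretty\):# \1:' $rootfs/etc/sudoers
+
+# create necessary devices
+rm $rootfs/dev/null
+mknod -m 666 $rootfs/dev/null c 1 3
+mknod -m 666 $rootfs/dev/random c 1 8
+mknod -m 666 $rootfs/dev/urandom c 1 9
+mkdir -m 755 $rootfs/dev/pts
+mknod -m 666 $rootfs/dev/tty c 5 0
+mknod -m 666 $rootfs/dev/tty0 c 4 0
+mknod -m 666 $rootfs/dev/tty1 c 4 1
+mknod -m 666 $rootfs/dev/tty2 c 4 2
+mknod -m 666 $rootfs/dev/tty3 c 4 3
+mknod -m 666 $rootfs/dev/tty4 c 4 4
+mknod -m 600 $rootfs/dev/console c 5 1
+mknod -m 666 $rootfs/dev/full c 1 7
+mknod -m 600 $rootfs/dev/initctl p
+
+# change root password
+echo "Set root password to 'root'"
+echo "root:root" | chroot $rootfs chpasswd
+
+return 0
+}
+
+copy_centos()
+{
+cache=$1
+arch=$2
+rootfs=$3
+
+# make a local copy of the minicentos
+echo "Extracting rootfs image to $rootfs ..."
+mkdir $rootfs
+tar zxf $cache/centos-6-$arch.tar.gz -C $rootfs || return 1
+return 0
+}
+
+install_centos()
+{
+cache="/var/cache/lxc/centos"
+rootfs=$1
+mkdir -p /var/lock/subsys/
+(
+flock -n -x 200
+if [ $? -ne 0 ]; then
+echo "Cache repository is busy."
+return 1
+fi
+
+arch=$(arch)
+if [ "$arch" == "i686" ]; then
+arch=i386
+fi
+
+echo "Checking image cache in $cache/rootfs-$arch ... "
+if [ ! -e "$cache/rootfs-$arch" ]; then
+if [ $? -ne 0 ]; then
+echo "Failed to download 'centos base'"
+return 1
+fi
+fi
+
+copy_centos $cache $arch $rootfs
+if [ $? -ne 0 ]; then
+echo "Failed to copy rootfs"
+return 1
+fi
+
+return 0
+
+) 200>/var/lock/subsys/lxc
+
+return $?
+}
+
+copy_configuration()
+{
+path=$1
+rootfs=$2
+name=$3
+
+cat <<EOF >> $path/config
+lxc.utsname = $name
+
+lxc.tty = 4
+lxc.pts = 1024
+lxc.rootfs = $rootfs
+lxc.mount = $path/fstab
+
+lxc.cgroup.devices.deny = a
+
+lxc.cgroup.devices.allow = b 1:0 rwm
+lxc.cgroup.devices.allow = b 1:1 rwm
+lxc.cgroup.devices.allow = c 1:1 rwm
+lxc.cgroup.devices.allow = c 1:2 rwm
+lxc.cgroup.devices.allow = c 1:4 rwm
+lxc.cgroup.devices.allow = c 1:6 rwm
+lxc.cgroup.devices.allow = c 1:7 rwm
+lxc.cgroup.devices.allow = c 1:11 rwm
+
+lxc.cgroup.devices.allow = c 2:* rwm
+lxc.cgroup.devices.allow = c 3:* rwm
+
+# /dev/null and zero
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+# consoles
+lxc.cgroup.devices.allow = c 5:1 rwm
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 4:0 rwm
+lxc.cgroup.devices.allow = c 4:1 rwm
+# /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:9 rwm
+lxc.cgroup.devices.allow = c 1:8 rwm
+lxc.cgroup.devices.allow = c 136:* rwm
+lxc.cgroup.devices.allow = c 5:2 rwm
+# rtc
+lxc.cgroup.devices.allow = c 254:0 rwm
+EOF
+
+cat <<EOF > $path/fstab
+proc $rootfs/proc proc nodev,noexec,nosuid 0 0
+devpts $rootfs/dev/pts devpts defaults 0 0
+sysfs $rootfs/sys sysfs defaults 0 0
+EOF
+
+if [ $? -ne 0 ]; then
+echo "Failed to add configuration"
+return 1
+fi
+
+return 0
+}
+
+clean()
+{
+cache="/var/cache/lxc/centos"
+
+if [ ! -e $cache ]; then
+exit 0
+fi
+
+# lock, so we won't purge while someone is creating a repository
+(
+flock -n -x 200
+if [ $? != 0 ]; then
+echo "Cache repository is busy."
+exit 1
+fi
+
+echo -n "Purging the download cache..."
+rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
+exit 0
+
+) 200>/var/lock/subsys/lxc
+}
+
+usage()
+{
+cat <<EOF
+$1 -h|--help -p|--path=<path> --clean
+EOF
+return 0
+}
+
+options=$(getopt -o hp:n:c -l help,path:,name:,clean -- "$@")
+if [ $? -ne 0 ]; then
+usage $(basename $0)
+exit 1
+fi
+eval set -- "$options"
+
+while true
+do
+case "$1" in
+-h|--help) usage $0 && exit 0;;
+-p|--path) path=$2; shift 2;;
+-n|--name) name=$2; shift 2;;
+-c|--clean) clean=$2; shift 2;;
+--) shift 1; break ;;
+*) break ;;
+esac
+done
+
+if [ ! -z "$clean" -a -z "$path" ]; then
+clean || exit 1
+exit 0
+fi
+
+if [ -z "$path" ]; then
+echo "'path' parameter is required"
+exit 1
+fi
+
+if [ "$(id -u)" != "0" ]; then
+echo "This script should be run as 'root'"
+exit 1
+fi
+
+rootfs=$path/rootfs
+
+install_centos $rootfs
+if [ $? -ne 0 ]; then
+echo "failed to install centos"
+exit 1
+fi
+
+configure_centos $rootfs $name
+if [ $? -ne 0 ]; then
+echo "failed to configure centos for a container"
+exit 1
+fi
+
+copy_configuration $path $rootfs $name
+if [ $? -ne 0 ]; then
+echo "failed write configuration file"
+exit 1
+fi
+
+if [ ! -z $clean ]; then
+clean || exit 1
+exit 0
+fi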
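Review bot: The cache check in `install_centos` (lines 116-121) is dead: `$?` inside the `then` branch is the status of the `[ ! -e ... ]` test that just succeeded, so the `return 1` is unreachable, and the path it tests (`$cache/rootfs-$arch`) is not the one `copy_centos` extracts (`$cache/centos-6-$arch.tar.gz`). Replace the block with `[ -e "$cache/centos-6-$arch.tar.gz" ] || { echo "Missing $cache/centos-6-$arch.tar.gz; run lxc-create-centos-image first"; return 1; }` so a missing image fails with a clear message instead of falling through to a `tar` error; the same dead check appears in `install_ubuntu` in the lxc-lucid template. In `configure_centos`, `chmod 0600 $rootfs/root/.ssh` puts a file mode on a directory, where `chmod 0700` is what sshd's StrictModes expects, and the `authorized_keys` written just below is left at whatever the umask produces, so an explicit `chmod 0600` on it is warranted. Both templates bake in the same fixed key and a `root:root` password; a header comment stating that the resulting container is a throwaway test node that must stay on the private `192.168.20.0/24` bridge would make that intent explicit for whoever reuses the template.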
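--- a/data/scripts/ubuntu/lxc-templates/lxc-lucid
+++ b/data/scripts/ubuntu/lxc-templates/lxc-lucid
@@ -0,0 +1,332 @@
+#!/bin/bash
+
+echo "Creating lucid node..."
+
+configure_ubuntu()
+{
+rootfs=$1
+hostname=$2
+
+# disable selinux in ubuntu
+mkdir -p $rootfs/selinux
+echo 0 > $rootfs/selinux/enforce
+
+# add host root ssh access
+mkdir $rootfs/root/.ssh
+chmod 0600 $rootfs/root/.ssh
+cat <<-EOF > $rootfs/root/.ssh/authorized_keys
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCguB7XL3ARzLZYLsIMZe4UUO371m+H5C6V8MhtmSlgXtgHDo7eZhNSm5zCeoyGd32OKeLxuxCCEkXfDDF1aa2a6twcASE3pmWNdnBS7auiOH4P7g+eQ4Aw9v7DdESbIVgHF/NDiAEFFdmApYNM3oCX2FhEVNVKxkkIokUr4axYFJzmJ6Xoi5Sd8JtPC85FZVXqDucZDnHQlOcCkbSo0UOmsWQGwtu8eUHoDeUG0dB8ntb9xlBeLctdrAPhuFYCX8IfFkdcakkzv61ETPbKE6g9wdTDC/TEep7/AHGYmarziRnwKiVOL1jnE1coOJLqy8wOC3dKGmRZy9D4sTc+FRV root insecure public key
+EOF
+
+# copy host resolve
+rm $rootfs/etc/resolv.conf
+cp /etc/resolv.conf $rootfs/etc/resolv.conf
+
+# add default route to host
+cat <<EOF > $rootfs/etc/rc.local
+#!/bin/sh -e
+route add default gw 192.168.20.1
+exit 0
+EOF
+
+# disable selinux in ubuntu
+mkdir -p $rootfs/selinux
+echo 0 > $rootfs/selinux/enforce
+
+# set the hostname
+cat <<EOF > $rootfs/etc/hostname
+$hostname
+EOF
+# set minimal hosts
+cat <<EOF > $rootfs/etc/hosts
+127.0.0.1 localhost $hostname
+EOF
+
+# provide the lxc service
+cat <<EOF > $rootfs/etc/init/lxc.conf
+# fake some events needed for correct startup other services
+
+description "Container Upstart"
+
+start on startup
+
+script
+rm -rf /var/run/*.pid
+rm -rf /var/run/network/*
+/sbin/initctl emit stopped JOB=udevtrigger --no-wait
+/sbin/initctl emit started JOB=udev --no-wait
+end script
+EOF
+
+# fix buggus runlevel with sshd
+cat <<EOF > $rootfs/etc/init/ssh.conf
+# ssh - OpenBSD Secure Shell server
+#
+# The OpenSSH server provides secure shell access to the system.
+
+description "OpenSSH server"
+
+start on filesystem
+stop on runlevel [!2345]
+
+expect fork
+respawn
+respawn limit 10 5
+umask 022
+# replaces SSHD_OOM_ADJUST in /etc/default/ssh
+oom never
+
+pre-start script
+test -x /usr/sbin/sshd || { stop; exit 0; }
+test -e /etc/ssh/sshd_not_to_be_run && { stop; exit 0; }
+test -c /dev/null || { stop; exit 0; }
+
+mkdir -p -m0755 /var/run/sshd
+end script
+
+# if you used to set SSHD_OPTS in /etc/default/ssh, you can change the
+# 'exec' line here instead
+exec /usr/sbin/sshd
+EOF
+
+cat <<EOF > $rootfs/etc/init/console.conf
+# console - getty
+#
+# This service maintains a console on tty1 from the point the system is
+# started until it is shut down again.
+
+start on stopped rc RUNLEVEL=[2345]
+stop on runlevel [!2345]
+
+respawn
+exec /sbin/getty -8 38400 /dev/console
+EOF
+
+cat <<EOF > $rootfs/lib/init/fstab
+# /lib/init/fstab: lxc system fstab
+none /spu spufs gid=spu,optional 0 0
+none /tmp none defaults 0 0
+none /var/lock tmpfs nodev,noexec,nosuid,showthrough 0 0
+none /lib/init/rw tmpfs mode=0755,nosuid,optional 0 0
+EOF
+
+# reconfigure some services
+if [ -z "$LANG" ]; then
+chroot $rootfs locale-gen en_US.UTF-8
+chroot $rootfs update-locale LANG=en_US.UTF-8
+else
+chroot $rootfs locale-gen $LANG
+chroot $rootfs update-locale LANG=$LANG
+fi
+
+# remove pointless services in a container
+chroot $rootfs /usr/sbin/update-rc.d -f ondemand remove
+
+chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls u*.conf); do mv $f $f.orig; done'
+chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls tty[2-9].conf); do mv $f $f.orig; done'
+chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls plymouth*.conf); do mv $f $f.orig; done'
+chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls hwclock*.conf); do mv $f $f.orig; done'
+chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls module*.conf); do mv $f $f.orig; done'
+
+echo "Set root password to 'root'"
+echo "root:root" | chroot $rootfs chpasswd
+
+return 0
+}
+
+copy_ubuntu()
+{
+cache=$1
+arch=$2
+rootfs=$3
+
+# make a local copy of the miniubuntu
+echo "Extracting rootfs image to $rootfs ..."
+mkdir $rootfs
+tar zxf $cache/lucid-$arch.tar.gz -C $rootfs || return 1
+return 0
+}
+
+install_ubuntu()
+{
+cache="/var/cache/lxc/ubuntu"
+rootfs=$1
+mkdir -p /var/lock/subsys/
+(
+flock -n -x 200
+if [ $? -ne 0 ]; then
+echo "Cache repository is busy."
+return 1
+fi
+
+arch=$(arch)
+if [ "$arch" == "x86_64" ]; then
+arch=amd64
+fi
+
+if [ "$arch" == "i686" ]; then
+arch=i386
+fi
+
+echo "Checking image cache in $cache/rootfs-$arch ... "
+if [ ! -e "$cache/rootfs-$arch" ]; then
+if [ $? -ne 0 ]; then
+echo "Failed to download 'ubuntu base'"
+return 1
+fi
+fi
+
+copy_ubuntu $cache $arch $rootfs
+if [ $? -ne 0 ]; then
+echo "Failed to copy rootfs"
+return 1
+fi
+
+return 0
+
+) 200>/var/lock/subsys/lxc
+
+return $?
+}
+
+copy_configuration()
+{
+path=$1
+rootfs=$2
+name=$3
+
+cat <<EOF >> $path/config
+lxc.utsname = $name
+
+lxc.tty = 4
+lxc.pts = 1024
+lxc.rootfs = $rootfs
+lxc.mount = $path/fstab
+
+lxc.cgroup.devices.deny = a
+# /dev/null and zero
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+# consoles
+lxc.cgroup.devices.allow = c 5:1 rwm
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 4:0 rwm
+lxc.cgroup.devices.allow = c 4:1 rwm
+# /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:9 rwm
+lxc.cgroup.devices.allow = c 1:8 rwm
+lxc.cgroup.devices.allow = c 136:* rwm
+lxc.cgroup.devices.allow = c 5:2 rwm
+# rtc
+lxc.cgroup.devices.allow = c 254:0 rwm
+EOF
+
+cat <<EOF > $path/fstab
+proc $rootfs/proc proc nodev,noexec,nosuid 0 0
+devpts $rootfs/dev/pts devpts defaults 0 0
+sysfs $rootfs/sys sysfs defaults 0 0
+EOF
+
+if [ $? -ne 0 ]; then
+echo "Failed to add configuration"
+return 1
+fi
+
+return 0
+}
+
+clean()
+{
+cache="/var/cache/lxc/ubuntu"
+
+if [ ! -e $cache ]; then
+exit 0
+fi
+
+# lock, so we won't purge while someone is creating a repository
+(
+flock -n -x 200
+if [ $? != 0 ]; then
+echo "Cache repository is busy."
+exit 1
+fi
+
+echo -n "Purging the download cache..."
+rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
+exit 0
+
+) 200>/var/lock/subsys/lxc
+}
+
+usage()
+{
+cat <<EOF
+$1 -h|--help -p|--path=<path> --clean
+EOF
+return 0
+}
+
+options=$(getopt -o hp:n:c -l help,path:,name:,clean -- "$@")
+if [ $? -ne 0 ]; then
+usage $(basename $0)
+exit 1
+fi
+eval set -- "$options"
+
+while true
+do
+case "$1" in
+-h|--help) usage $0 && exit 0;;
+-p|--path) path=$2; shift 2;;
+-n|--name) name=$2; shift 2;;
+-c|--clean) clean=$2; shift 2;;
+--) shift 1; break ;;
+*) break ;;
+esac
+done
+
+if [ ! -z "$clean" -a -z "$path" ]; then
+clean || exit 1
+exit 0
+fi
+
+type debootstrap
+if [ $? -ne 0 ]; then
+echo "'debootstrap' command is missing"
+exit 1
+fi
+
+if [ -z "$path" ]; then
+echo "'path' parameter is required"
+exit 1
+fi
+
+if [ "$(id -u)" != "0" ]; then
+echo "This script should be run as 'root'"
+exit 1
+fi
+
+rootfs=$path/rootfs
+
+install_ubuntu $rootfs
+if [ $? -ne 0 ]; then
+echo "failed to install ubuntu"
+exit 1
+fi
+
+configure_ubuntu $rootfs $name
+if [ $? -ne 0 ]; then
+echo "failed to configure ubuntu for a container"
+exit 1
+fi
+
+copy_configuration $path $rootfs $name
+if [ $? -ne 0 ]; then
+echo "failed write configuration file"
+exit 1
+fi
+
+if [ ! -z $clean ]; then
+clean || exit 1
+exit 0
+fi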
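Review bot: `-c|--clean) clean=$2; shift 2;;` (line 282) treats `-c` as if it took an argument, but the `getopt` spec `-o hp:n:c -l help,path:,name:,clean` declares it argument-less; it only works when `--clean` is the last option, because getopt emits `--` right after it, so `$clean` becomes the literal `--` and the `shift 2` swallows the terminator, whereas `-c -p <path>` sets `clean=-p`, never sets `path`, and so runs `clean` instead of creating the container. Use `-c|--clean) clean=1; shift;;` and leave `--` to its own arm; the lxc-centos-6 template in this release has the same lines. The final `[ ! -z $clean ]` (line 329) is unquoted, unlike the earlier `[ ! -z "$clean" -a -z "$path" ]`, and should be quoted the same way. The selinux block at lines 10-12 of `configure_ubuntu` is repeated verbatim at lines 32-34; one copy suffices. The `type debootstrap` check (line 293) guards a tool this template never invokes, since the rootfs is extracted from the cached tarball, so either the check goes or a comment should name which script actually needs it.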