authorDaniel Baumann <mail@daniel-baumann.ch>2014-08-21 23:19:59 +0200
committerDaniel Baumann <mail@daniel-baumann.ch>2014-08-24 03:48:21 +0200
commit1db5b4a96ea2bf8b6c25171cf42d7d78435adcbc (patch)
tree2b8e0ab946759826220bc00c0e964130e9f34985
parent7ce82acee7750bb004d2241b6e32a33a66e61746 (diff)
downloadvyos-live-build-1db5b4a96ea2bf8b6c25171cf42d7d78435adcbc.tar.gz
vyos-live-build-1db5b4a96ea2bf8b6c25171cf42d7d78435adcbc.zip
Adding LXC-specific hooks.
-rwxr-xr-xshare/hooks/lxc/1010-login.hook.chroot9
-rwxr-xr-xshare/hooks/lxc/1020-cron.hook.chroot9
-rwxr-xr-xshare/hooks/lxc/1030-util-linux.hook.chroot37
-rwxr-xr-xshare/hooks/lxc/1040-rsyslog.hook.chroot11
-rwxr-xr-xshare/hooks/lxc/1050-selinux.hook.chroot8
-rwxr-xr-xshare/hooks/lxc/1060-openssh-server.hook.chroot9
-rwxr-xr-xshare/hooks/lxc/1070-sysvinit.hook.chroot177
-rwxr-xr-xshare/hooks/lxc/1080-systemd.hook.chroot67
8 files changed, 327 insertions, 0 deletions
diff --git a/share/hooks/lxc/1010-login.hook.chroot b/share/hooks/lxc/1010-login.hook.chroot
new file mode 100755
index 000000000..7180c5884
--- /dev/null
+++ b/share/hooks/lxc/1010-login.hook.chroot
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+# Disabling loginuid (requires read-write proc filesystem)
+if grep -E -qs "^ *session *required *pam_loginuid.so" /etc/pam.d/login
+then
+ sed -i -e 's|^.*\(session.*required.*pam_loginuid.so\)$|#\1|' /etc/pam.d/login
+fi
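Review bot: Commenting out pam_loginuid strips the audit login UID from every session opened through /etc/pam.d/login, so audit records and loginuid-based tooling inside the container lose user attribution, and the comment should record that this is a deliberate trade-off, e.g. `# pam_loginuid aborts the session when /proc/self/loginuid is not writable (read-only or restricted proc in a container); disabling it costs audit loginuid attribution for these sessions`. A softer option that keeps attribution wherever the kernel permits the write is to downgrade the control flag instead of removing the module: `sed -i -e 's|^\( *session\) *required\( *pam_loginuid.so\)|\1 optional\2|' /etc/pam.d/login` — with `optional`, a failed loginuid write no longer fails the stack as long as other session modules are present, which is the case for the stock Debian file. The sed replacement is also broader than the grep guard, since `^.*session.*required.*pam_loginuid.so` rewrites any line containing those tokens in order, including already-commented ones; harmless here, but anchoring it on `^ *session` keeps the two in step.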
diff --git a/share/hooks/lxc/1020-cron.hook.chroot b/share/hooks/lxc/1020-cron.hook.chroot
new file mode 100755
index 000000000..3f8d6976a
--- /dev/null
+++ b/share/hooks/lxc/1020-cron.hook.chroot
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+# Disabling loginuid (requires read-write proc filesystem)
+if grep -E -qs "^ *session *required *pam_loginuid.so" /etc/pam.d/cron
+then
+ sed -i -e 's|^.*\(session.*required.*pam_loginuid.so\)$|#\1|' /etc/pam.d/cron
+fi
diff --git a/share/hooks/lxc/1030-util-linux.hook.chroot b/share/hooks/lxc/1030-util-linux.hook.chroot
new file mode 100755
index 000000000..1383e0bfe
--- /dev/null
+++ b/share/hooks/lxc/1030-util-linux.hook.chroot
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -e
+
+# /etc/default/hwclock is supported as of util-linux version 2.20.1-5
+_UTIL_LINUX_VERSION="$(dpkg -l util-linux | awk '/^ii/ { print $3 }')"
+
+if dpkg --compare-versions "${_UTIL_LINUX_VERSION}" lt 2.20.1-5~
+then
+ exit 0
+fi
+
+if [ -e /etc/default/hwclock ]
+then
+ . /etc/default/hwclock
+
+ # HWCLOCKACCESS is commented in /etc/default/hwclock
+ if [ -z "${HWCLOCKACCESS}" ]
+ then
+ # uncommenting it
+ sed -e "s|^# *HWCLOCKACCESS=|HWCLOCKACCESS=|" \
+ /etc/default/hwclock > /etc/default/hwclock.tmp
+ else
+ cp /etc/default/hwclock /etc/default/hwclock.tmp
+ fi
+else
+ touch /etc/default/hwclock.tmp
+fi
+
+# Set the hwclock parameters
+grep -Eq '^ *HWCLOCKACCESS=' /etc/default/hwclock.tmp || \
+ echo "HWCLOCKACCESS=" >> /etc/default/hwclock.tmp
+
+sed -i -e "s|^ *HWCLOCKACCESS=.*|HWCLOCKACCESS=\"${_HWCLOCKACCESS}\"|" \
+ /etc/default/hwclock.tmp
+
+mv /etc/default/hwclock.tmp /etc/default/hwclock
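Review bot: `_HWCLOCKACCESS` is expanded in the final sed but never assigned anywhere in this hook, so unless the build environment happens to export it the rewritten line is `HWCLOCKACCESS=""`, and if hwclock.sh only tests for the literal `no` (as Debian's does, as far as I recall) RTC access stays enabled and the hook changes nothing. Give it an explicit default near the top, e.g. `_HWCLOCKACCESS="${_HWCLOCKACCESS:-no}"`, which is the value a container without RTC access needs, and let the environment override it. Two smaller points: `. /etc/default/hwclock` executes the chroot's file as shell, acceptable at image-build time but worth a one-line comment, and `dpkg -l util-linux | awk` discards dpkg's exit status, so an absent package yields an empty version string fed to `--compare-versions`; `_UTIL_LINUX_VERSION="$(dpkg-query -W -f='${Version}' util-linux 2>/dev/null || true)"` followed by `[ -n "${_UTIL_LINUX_VERSION}" ] || exit 0` makes that case explicit.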
diff --git a/share/hooks/lxc/1040-rsyslog.hook.chroot b/share/hooks/lxc/1040-rsyslog.hook.chroot
new file mode 100755
index 000000000..c755c35b0
--- /dev/null
+++ b/share/hooks/lxc/1040-rsyslog.hook.chroot
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+for _FILE in /etc/rsyslog.conf /etc/rsyslog.d/*
+do
+ if [ -e "${_FILE}" ]
+ then
+ sed -i -e 's|^ *$ModLoad *imklog|#$ModLoad imklog|' "${_FILE}"
+ fi
+done
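Review bot: The `-e` test also passes for subdirectories under /etc/rsyslog.d, and `sed -i` on a directory fails, which under `set -e` aborts the whole hook; use `if [ -f "${_FILE}" ]` instead. The comment should say why the module is dropped, e.g. `# imklog reads the kernel log, which a container does not own; leaving it loaded only produces start-up errors`. The pattern only matches the legacy `$ModLoad imklog` directive; if the target rsyslog uses the newer `module(load="imklog")` syntax that line is left untouched, so a second expression may be needed — worth confirming against the rsyslog version shipped in the image.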
diff --git a/share/hooks/lxc/1050-selinux.hook.chroot b/share/hooks/lxc/1050-selinux.hook.chroot
new file mode 100755
index 000000000..450f61911
--- /dev/null
+++ b/share/hooks/lxc/1050-selinux.hook.chroot
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+# Disable SELinux
+mkdir -p /sys/fs/selinux
+echo 0 > /sys/fs/selinux/enforce.tmp
+mv /sys/fs/selinux/enforce.tmp /sys/fs/selinux/enforce
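Review bot: "Disable SELinux" overstates what this does: it drops a regular file named `enforce` containing `0` into the rootfs so that libselinux-linked programs inside the container read a permissive state, while enforcement on the host, if any, is untouched, and the comment should say so, e.g. `# Fake a permissive /sys/fs/selinux/enforce for in-container userspace; the host's SELinux policy still applies`. Two caveats belong next to it: if a live sysfs is mounted on /sys while hooks run, the `mkdir -p` and `echo ... >` into it fail and `set -e` aborts the hook, and if the container later mounts sysfs or selinuxfs over /sys, this file is shadowed and has no effect. A guard such as `if mountpoint -q /sys; then echo "live sysfs on /sys, skipping" >&2; exit 0; fi` turns the first case into an explicit, explained skip instead of an opaque failure.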
diff --git a/share/hooks/lxc/1060-openssh-server.hook.chroot b/share/hooks/lxc/1060-openssh-server.hook.chroot
new file mode 100755
index 000000000..029a8d983
--- /dev/null
+++ b/share/hooks/lxc/1060-openssh-server.hook.chroot
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+# Disabling loginuid (requires read-write proc filesystem)
+if grep -E -qs "^ *session *required *pam_loginuid.so" /etc/pam.d/sshd
+then
+ sed -i -e 's|^.*\(session.*required.*pam_loginuid.so\)$|#\1|' /etc/pam.d/sshd
+fi
diff --git a/share/hooks/lxc/1070-sysvinit.hook.chroot b/share/hooks/lxc/1070-sysvinit.hook.chroot
new file mode 100755
index 000000000..80abe9c3a
--- /dev/null
+++ b/share/hooks/lxc/1070-sysvinit.hook.chroot
@@ -0,0 +1,177 @@
+#!/bin/sh
+
+set -e
+
+_LXC_CONSOLES="6"
+_LXC_DISABLE_SERVICES="checkroot.sh hwclockfirst.sh hwclock.sh kmod module-init-tools mountall.sh mountkernfs.sh umountfs umountroot"
+
+if [ ! -e /usr/share/sysvinit/inittab ]
+then
+ # System does not use sysvinit
+ exit 0
+fi
+
+# Revert /etc/inittab
+cp -p /usr/share/sysvinit/inittab /etc/inittab.tmp
+
+# Disable sulogin
+# ~~:S:wait:/sbin/sulogin
+sed -i -e 's|\(^[^#].*S:wait:.*$\)|#\1|' /etc/inittab.tmp
+
+# Disable ctrlaltdel
+# ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
+sed -i -e 's|\(^[^#].*:ctrlaltdel:.*$\)|#\1|' /etc/inittab.tmp
+
+# Disable power
+# pf::powerwait:/etc/init.d/powerfail start
+# pn::powerfailnow:/etc/init.d/powerfail now
+# po::powerokwait:/etc/init.d/powerfail stop
+sed -i -e 's|\(^[^#].*:power.*:.*$\)|#\1|' /etc/inittab.tmp
+
+# Disable normal getty
+# 1:2345:respawn:/sbin/getty 38400 tty1
+# 2:23:respawn:/sbin/getty 38400 tty2
+# 3:23:respawn:/sbin/getty 38400 tty3
+# ...
+# Keep container getty
+# 1:2345:respawn:/sbin/getty 38400 console
+# c1:23:respawn:/sbin/getty 38400 tty1
+# c2:23:respawn:/sbin/getty 38400 tty2
+# ...
+sed -i -e 's|\(^[^#,^c].*:respawn:/sbin/getty.*[^console,linux]$\)|#\1|' /etc/inittab.tmp
+
+# Enable container getty
+# 1:2345:respawn:/sbin/getty 38400 console
+# c1:23:respawn:/sbin/getty 38400 tty1
+# c2:23:respawn:/sbin/getty 38400 tty2
+
+if [ -e /etc/progress-linux_version ]
+then
+ _OPTIONS="--nohostname 38400"
+else
+ _OPTIONS="38400"
+fi
+
+# Assemble new entries
+_CONSOLES="\n#-- live-debconfig begin\n1:2345:respawn:/sbin/getty ${_OPTIONS} console"
+
+for _CONSOLE in $(seq 1 ${_LXC_CONSOLES})
+do
+ _CONSOLES="${_CONSOLES}\nc${_CONSOLE}:12345:respawn:/sbin/getty ${_OPTIONS} tty${_CONSOLE} linux"
+done
+
+_CONSOLES="${_CONSOLES}\n#-- live-debconfig end"
+
+# Remove old entries
+sed -i -e '/#-- live-debconfig begin/,/#-- live-debconfig end/d' /etc/inittab.tmp
+
+# Add new entries
+_CONSOLE="$(grep '#[0-9].*:respawn:/sbin/getty' /etc/inittab.tmp | tail -1)"
+
+sed -i -e "s|\(${_CONSOLE}\)|\1${_CONSOLES}|" /etc/inittab.tmp
+
+# Enable powerfail entries for lxc-shutdown
+if ! grep -qs ^p0:: /etc/inittab.tmp
+then
+ echo "p0::powerfail:/sbin/init 0" >> /etc/inittab.tmp
+fi
+
+if ! grep -qs ^p6:: /etc/inittab.tmp
+then
+ echo "p6::ctrlaltdel:/sbin/init 6" >> /etc/inittab.tmp
+fi
+
+mv /etc/inittab.tmp /etc/inittab
+
+# squeeze and newer have /dev/tty and /dev/tty0 by default
+for _CONSOLE in $(seq 1 ${_LXC_CONSOLES})
+do
+ if [ ! -e "/dev/tty${_CONSOLE}" ]
+ then
+ mknod "/dev/tty${_CONSOLE}" c 4 "${_CONSOLE}"
+ fi
+done
+
+# Remove uneeded services in a container
+for _SERVICE in ${_LXC_DISABLE_SERVICES}
+do
+ # service does not exist
+ if [ ! -e /etc/init.d/${_SERVICE} ]
+ then
+ continue
+ fi
+
+ _ALREADY_DISABLED="false"
+
+ # service is already disabled
+ for _RUNLEVEL in /etc/rc*.d
+ do
+ if ! ls ${_RUNLEVEL}/K*${_SERVICE} > /dev/null 2>&1
+ then
+ # disabled services have stop links in all runlevels
+ # if at least one runlevel does not have a stop link,
+ # then the service was not disabled and we need to continue
+ # with disabling the service later on
+ _ALREADY_DISABLED="false"
+ break
+ fi
+
+ # service is indeed already disabled
+ _ALREADY_DISABLED="true"
+ done
+
+ if [ "${_ALREADY_DISABLED}" = "false" ]
+ then
+ if ls /etc/rc*.d/K*${_SERVICE} > /dev/null 2>&1 && \
+ ! ls /etc/rc*.d/S*${_SERVICE} > /dev/null 2>&1
+ then
+ # service has only stop links
+ # therefore, using 'update-rc.d disable' does not work,
+ # and using 'update-rc.d remove' is not upgrade safe
+ # (on upgrades, the stop links would be re-added).
+ for _SYMLINK in /etc/rc*.d/K*${_SERVICE}
+ do
+ LIVE_INITSCRIPT_EMPTY="true"
+
+ rm -f ${_SYMLINK}
+ ln -s /bin/live-initscripts-empty-stop ${_SYMLINK}
+ done
+ fi
+
+ # service is a normal service with both start and stop links
+ update-rc.d -f ${_SERVICE} disable 2>&1 | \
+ grep -v -e "^insserv: warning:" \
+ -e "^update-rc.d: warning:" \
+ -e "^update-rc.d: using dependency based boot sequencing" \
+ -e "^update-rc.d: error: .* Default-Start contains no runlevels, aborting." \
+ || true
+ fi
+done
+
+case ${LIVE_INITSCRIPT_EMPTY} in
+ true)
+
+cat > /bin/live-initscripts-empty-stop < EOF
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: live-build
+# Required-Start:
+# Required-Stop:
+# Should-Start:
+# Should-Stop:
+# Default-Start:
+# Default-Stop: 0 6
+# Short-Description: Live System Build Components
+# Description: live-build contains the components to build a live
+# system from a configuration directory.
+# X-Start-Before:
+# X-Stop-After:
+# X-Interactive:
+### END INIT INFO
+
+exit 0
+EOF
+
+ ;;
+esac
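Review bot: `cat > /bin/live-initscripts-empty-stop < EOF` is a plain input redirection from a file named `EOF`, not a here-document, so in the `true` branch cat fails on the missing file, `set -e` aborts the hook, and the stop links rewritten earlier in the loop are left pointing at a script that never exists; it needs `<< 'EOF'`, and the created file also needs `chmod 0755 /bin/live-initscripts-empty-stop` since nothing sets its mode. The "Add new entries" sed interpolates the grep result `${_CONSOLE}` unescaped into a regex, so any `.` or `*` in the matched inittab line acts as a metacharacter, and the multi-line `${_CONSOLES}` replacement relies on GNU sed expanding `\n` — fine on Debian but worth a comment. The getty-disable regex uses bracket expressions `[^#,^c]` and `[^console,linux]`, which mean "any single character not in this set", not the words `console`/`linux` the comments describe; it happens to work for the stock lines because `console` ends in `e`, but either rewrite it as an address on lines ending in `tty[0-9]*` or document the coincidence so the next reader does not "fix" it.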
diff --git a/share/hooks/lxc/1080-systemd.hook.chroot b/share/hooks/lxc/1080-systemd.hook.chroot
new file mode 100755
index 000000000..4ac5baded
--- /dev/null
+++ b/share/hooks/lxc/1080-systemd.hook.chroot
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+set -e
+
+if [ ! -e /lib/systemd/systemd ]
+then
+ # System does not use systemd
+ exit 0
+fi
+
+_LXC_CONSOLES="6"
+_LXC_DISABLE_SERVICES="checkroot.service dev-hugepages.mount dev-mqueue.mount proc-sys-fs-binfmt_misc.automount remount-rootfs.service run-lock.mount run-user.mount swap.target sys-kernel-debug.mount sys-kernel-security.mount systemd-modules-load.service systemd-remount-api-vfs.service systemd-sysctl.service systemd-update-utmp-runlevel.service udev.service udev-settle.service udev-trigger.service user.mount var-lock.mount systemd-update-utmp-runlevel.service rescue.target sys-fs-fuse-connections.mount"
+
+# systemd starts counting consoles at 0, not 1 like sysvinit.
+_LXC_CONSOLES="$((${_LXC_CONSOLES} - 1))"
+
+# Disable sulogin
+ln -sf /dev/null /etc/systemd/system/console-shell.service
+
+# Disable ctrlaltdel
+ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
+
+# Disable normal getty
+rm -f /etc/systemd/system/getty.target.wants/getty@*.service
+
+# Enable container getty
+sed -e 's|^ *BindTo=|#BindTo=|' /lib/systemd/system/getty@.service > /etc/systemd/system/getty.target.wants/getty@console.service
+
+for _CONSOLE in $(seq 0 ${_LXC_CONSOLES})
+do
+ if [ -L /etc/systemd/system/getty.target.wants/getty@tty${_CONSOLE}.service ]
+ then
+ rm -f /etc/systemd/system/getty.target.wants/getty@tty${_CONSOLE}.service
+ fi
+
+ sed -e 's|^ *BindTo=|#BindTo=|' /lib/systemd/system/getty@.service > /etc/systemd/system/getty.target.wants/getty@tty${_CONSOLE}.service
+done
+
+# Enable powerfail for lxc-shutdown
+ln -sf /lib/systemd/system/reboot.target /etc/systemd/system/sigpwr.target
+
+# Disable default cpu and cpupacct
+grep -Eq '^ *JoinControllers=' /etc/systemd/system.conf || echo "JoinControllers=" >> /etc/systemd/system.conf
+
+sed -e 's|^ *JoinControllers=.*|JoinControllers=|' /etc/systemd/system.conf > /etc/systemd/system.conf.tmp
+mv /etc/systemd/system.conf.tmp /etc/systemd/system.conf
+
+# squeeze and newer have /dev/tty and /dev/tty0 by default
+for _CONSOLE in $(seq 0 ${_LXC_CONSOLES})
+do
+ if [ ! -e "/dev/tty${_CONSOLE}" ]
+ then
+ mknod "/dev/tty${_CONSOLE}" c 4 "${_CONSOLE}"
+ fi
+done
+
+# Remove uneeded services in a container
+for _SERVICE in ${_LXC_DISABLE_SERVICES}
+do
+ ln -sf "/dev/null" "/etc/systemd/system/${_SERVICE}"
+done
+
+# Disable setting CapabilityBoundingSet for journald
+sed -e 's/^ *CapabilityBoundingSet/\#&/' /lib/systemd/system/systemd-journald.service > /etc/systemd/system/systemd-journald.service
+
+# Disable setting CapabilityBoundingSet for logind
+sed -e 's/^ *CapabilityBoundingSet/\#&/' /lib/systemd/system/systemd-logind.service > /etc/systemd/system/systemd-logind.service
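Review bot: The last two sed lines silently widen the sandbox of journald and logind by dropping their `CapabilityBoundingSet=`, and the comment records only that it is done, not why; a maintainer will want the reason, e.g. `# systemd fails to start these units when CapabilityBoundingSet= names capabilities the container's own bounding set lacks (presumably — TODO confirm on the target systemd); dropping it costs the capability restriction for these two services`. Copying the entire unit into /etc/systemd/system also shadows every later package update to those units, not just this directive; on a systemd new enough to support drop-in directories, a `/etc/systemd/system/systemd-journald.service.d/lxc.conf` with a `[Service]` section overriding only this key would keep the rest of the unit tracking the package. Similarly, the getty override only comments `BindTo=`; if the target unit already spells it `BindsTo=` the sed is a no-op, so `^ *Binds\?To=` covers both spellings. The getty@console and getty@ttyN copies are written into getty.target.wants without a `mkdir -p`, which under `set -e` aborts if that directory is absent.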