diff --git a/share/hooks/lxc/1010-login.hook.chroot b/share/hooks/lxc/1010-login.hook.chroot
new file mode 100755
index 000000000..7180c5884
--- /dev/null
+++ b/share/hooks/lxc/1010-login.hook.chroot
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+# Disabling loginuid (requires read-write proc filesystem)
+if grep -E -qs "^ *session *required *pam_loginuid.so" /etc/pam.d/login
+then
+ sed -i -e 's|^.*\(session.*required.*pam_loginuid.so\)$|#\1|' /etc/pam.d/login
+fi
diff --git a/share/hooks/lxc/1020-cron.hook.chroot b/share/hooks/lxc/1020-cron.hook.chroot
new file mode 100755
index 000000000..3f8d6976a
--- /dev/null
+++ b/share/hooks/lxc/1020-cron.hook.chroot
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+# Disabling loginuid (requires read-write proc filesystem)
+if grep -E -qs "^ *session *required *pam_loginuid.so" /etc/pam.d/cron
+then
+ sed -i -e 's|^.*\(session.*required.*pam_loginuid.so\)$|#\1|' /etc/pam.d/cron
+fi
diff --git a/share/hooks/lxc/1030-util-linux.hook.chroot b/share/hooks/lxc/1030-util-linux.hook.chroot
new file mode 100755
index 000000000..1383e0bfe
--- /dev/null
+++ b/share/hooks/lxc/1030-util-linux.hook.chroot
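Review bot: The grep guard on the `if` line only recognises space-separated fields (`^ *session *required *pam_loginuid.so`), so a `pam_loginuid.so` entry whose columns are separated by tabs is left active even though the `sed` two lines below would have matched it; both patterns should accept any blank, e.g. `grep -E -qs '^[[:blank:]]*session[[:blank:]]+required[[:blank:]]+pam_loginuid\.so' /etc/pam.d/login`. The `sed` also rewrites every line containing `session…required…pam_loginuid.so` and discards whatever precedes `session` on it, which is harmless for a `#`-prefixed line but silently drops any other leading text. 1020-cron.hook.chroot and 1060-openssh-server.hook.chroot in this commit are the same hook with a different file and share both points. The one-line comment could also record what is given up, e.g. `# pam_loginuid cannot write /proc/self/loginuid in an LXC guest; audit records from this service will carry no loginuid`.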
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -e
+
+# /etc/default/hwclock is supported as of util-linux version 2.20.1-5
+_UTIL_LINUX_VERSION="$(dpkg -l util-linux | awk '/^ii/ { print $3 }')"
+
+if dpkg --compare-versions "${_UTIL_LINUX_VERSION}" lt 2.20.1-5~
+then
+ exit 0
+fi
+
+if [ -e /etc/default/hwclock ]
+then
+ . /etc/default/hwclock
+
+ # HWCLOCKACCESS is commented in /etc/default/hwclock
+ if [ -z "${HWCLOCKACCESS}" ]
+ then
+ # uncommenting it
+ sed -e "s|^# *HWCLOCKACCESS=|HWCLOCKACCESS=|" \
+ /etc/default/hwclock > /etc/default/hwclock.tmp
+ else
+ cp /etc/default/hwclock /etc/default/hwclock.tmp
+ fi
+else
+ touch /etc/default/hwclock.tmp
+fi
+
+# Set the hwclock parameters
+grep -Eq '^ *HWCLOCKACCESS=' /etc/default/hwclock.tmp || \
+ echo "HWCLOCKACCESS=" >> /etc/default/hwclock.tmp
+
+sed -i -e "s|^ *HWCLOCKACCESS=.*|HWCLOCKACCESS=\"${_HWCLOCKACCESS}\"|" \
+ /etc/default/hwclock.tmp
+
+mv /etc/default/hwclock.tmp /etc/default/hwclock
diff --git a/share/hooks/lxc/1040-rsyslog.hook.chroot b/share/hooks/lxc/1040-rsyslog.hook.chroot
new file mode 100755
index 000000000..c755c35b0
--- /dev/null
+++ b/share/hooks/lxc/1040-rsyslog.hook.chroot
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+for _FILE in /etc/rsyslog.conf /etc/rsyslog.d/*
+do
+ if [ -e "${_FILE}" ]
+ then
+ sed -i -e 's|^ *$ModLoad *imklog|#$ModLoad imklog|' "${_FILE}"
+ fi
+done
diff --git a/share/hooks/lxc/1050-selinux.hook.chroot b/share/hooks/lxc/1050-selinux.hook.chroot
new file mode 100755
index 000000000..450f61911
--- /dev/null
+++ b/share/hooks/lxc/1050-selinux.hook.chroot
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+# Disable SELinux
+mkdir -p /sys/fs/selinux
+echo 0 > /sys/fs/selinux/enforce.tmp
+mv /sys/fs/selinux/enforce.tmp /sys/fs/selinux/enforce
diff --git a/share/hooks/lxc/1060-openssh-server.hook.chroot b/share/hooks/lxc/1060-openssh-server.hook.chroot
new file mode 100755
index 000000000..029a8d983
--- /dev/null
+++ b/share/hooks/lxc/1060-openssh-server.hook.chroot
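Review bot: `_HWCLOCKACCESS` in the final `sed -i` is never assigned anywhere in this hook (the sourced file sets `HWCLOCKACCESS`, without the underscore), so unless the hook runner exports it the script rewrites the setting as `HWCLOCKACCESS=""`, which presumably leaves RTC access at its default rather than turning it off for the container. If the intended value is `no`, make it explicit before the `sed`, e.g. `_HWCLOCKACCESS="${_HWCLOCKACCESS:-no}"`, or drop the variable and write `HWCLOCKACCESS="no"` directly. The `. /etc/default/hwclock` line executes the image's own file in this shell, which is acceptable for a build-time hook but deserves a comment such as `# sourced only to learn whether HWCLOCKACCESS is already set`. The `sed`/`cp`/`touch` branches all end with a temporary file that is only moved into place on the last line, which is the right shape and worth a one-line comment so nobody "simplifies" it into an in-place edit.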
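Review bot: The `sed` pattern `^ *$ModLoad *imklog` only covers the legacy directive form; if the image's rsyslog ships the newer `module(load="imklog")` syntax in `/etc/rsyslog.conf`, the kernel-log module stays enabled and rsyslog is likely to keep trying to read the kernel log inside the guest. A second expression next to the existing one covers it: `-e 's|^ *module(load="imklog")|#&|'`. The `[ -e "${_FILE}" ]` test is what keeps an unmatched `/etc/rsyslog.d/*` glob from reaching `sed`; a comment like `# glob may be unexpanded when rsyslog.d is empty` makes that intent survive later edits.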
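Review bot: The `mkdir -p`/`echo`/`mv` sequence creates a regular file named `enforce` under `/sys` of the chroot, which only succeeds while no sysfs is mounted there; if the build environment binds /sys into the chroot, `mkdir -p /sys/fs/selinux` (or the `mv`) fails and `set -e` aborts the whole build. A guard such as `if mountpoint -q /sys; then exit 0; fi` before the `mkdir` keeps the hook harmless in that case. The `# Disable SELinux` comment also overstates what happens: presumably the file is a stand-in that SELinux-aware userspace in the guest reads as permissive when no real selinuxfs is mounted, and it changes nothing on the host, so a comment along the lines of `# Stand-in selinuxfs entry read by the guest's userspace when no selinuxfs is mounted; has no effect on the host policy` would stop a later reader from treating it as a host-side setting.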
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+# Disabling loginuid (requires read-write proc filesystem)
+if grep -E -qs "^ *session *required *pam_loginuid.so" /etc/pam.d/sshd
+then
+ sed -i -e 's|^.*\(session.*required.*pam_loginuid.so\)$|#\1|' /etc/pam.d/sshd
+fi
diff --git a/share/hooks/lxc/1070-sysvinit.hook.chroot b/share/hooks/lxc/1070-sysvinit.hook.chroot
new file mode 100755
index 000000000..80abe9c3a
--- /dev/null
+++ b/share/hooks/lxc/1070-sysvinit.hook.chroot
@@ -0,0 +1,177 @@
+#!/bin/sh
+
+set -e
+
+_LXC_CONSOLES="6"
+_LXC_DISABLE_SERVICES="checkroot.sh hwclockfirst.sh hwclock.sh kmod module-init-tools mountall.sh mountkernfs.sh umountfs umountroot"
+
+if [ ! -e /usr/share/sysvinit/inittab ]
+then
+ # System does not use sysvinit
+ exit 0
+fi
+
+# Revert /etc/inittab
+cp -p /usr/share/sysvinit/inittab /etc/inittab.tmp
+
+# Disable sulogin
+# ~~:S:wait:/sbin/sulogin
+sed -i -e 's|\(^[^#].*S:wait:.*$\)|#\1|' /etc/inittab.tmp
+
+# Disable ctrlaltdel
+# ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
+sed -i -e 's|\(^[^#].*:ctrlaltdel:.*$\)|#\1|' /etc/inittab.tmp
+
+# Disable power
+# pf::powerwait:/etc/init.d/powerfail start
+# pn::powerfailnow:/etc/init.d/powerfail now
+# po::powerokwait:/etc/init.d/powerfail stop
+sed -i -e 's|\(^[^#].*:power.*:.*$\)|#\1|' /etc/inittab.tmp
+
+# Disable normal getty
+# 1:2345:respawn:/sbin/getty 38400 tty1
+# 2:23:respawn:/sbin/getty 38400 tty2
+# 3:23:respawn:/sbin/getty 38400 tty3
+# ...
+# Keep container getty
+# 1:2345:respawn:/sbin/getty 38400 console
+# c1:23:respawn:/sbin/getty 38400 tty1
+# c2:23:respawn:/sbin/getty 38400 tty2
+# ...
+sed -i -e 's|\(^[^#,^c].*:respawn:/sbin/getty.*[^console,linux]$\)|#\1|' /etc/inittab.tmp
+
+# Enable container getty
+# 1:2345:respawn:/sbin/getty 38400 console
+# c1:23:respawn:/sbin/getty 38400 tty1
+# c2:23:respawn:/sbin/getty 38400 tty2
+
+if [ -e /etc/progress-linux_version ]
+then
+ _OPTIONS="--nohostname 38400"
+else
+ _OPTIONS="38400"
+fi
+
+# Assemble new entries
+_CONSOLES="\n#-- live-debconfig begin\n1:2345:respawn:/sbin/getty ${_OPTIONS} console"
+
+for _CONSOLE in $(seq 1 ${_LXC_CONSOLES})
+do
+ _CONSOLES="${_CONSOLES}\nc${_CONSOLE}:12345:respawn:/sbin/getty ${_OPTIONS} tty${_CONSOLE} linux"
+done
+
+_CONSOLES="${_CONSOLES}\n#-- live-debconfig end"
+
+# Remove old entries
+sed -i -e '/#-- live-debconfig begin/,/#-- live-debconfig end/d' /etc/inittab.tmp
+
+# Add new entries
+_CONSOLE="$(grep '#[0-9].*:respawn:/sbin/getty' /etc/inittab.tmp | tail -1)"
+
+sed -i -e "s|\(${_CONSOLE}\)|\1${_CONSOLES}|" /etc/inittab.tmp
+
+# Enable powerfail entries for lxc-shutdown
+if ! grep -qs ^p0:: /etc/inittab.tmp
+then
+ echo "p0::powerfail:/sbin/init 0" >> /etc/inittab.tmp
+fi
+
+if ! grep -qs ^p6:: /etc/inittab.tmp
+then
+ echo "p6::ctrlaltdel:/sbin/init 6" >> /etc/inittab.tmp
+fi
+
+mv /etc/inittab.tmp /etc/inittab
+
+# squeeze and newer have /dev/tty and /dev/tty0 by default
+for _CONSOLE in $(seq 1 ${_LXC_CONSOLES})
+do
+ if [ ! -e "/dev/tty${_CONSOLE}" ]
+ then
+ mknod "/dev/tty${_CONSOLE}" c 4 "${_CONSOLE}"
+ fi
+done
+
+# Remove uneeded services in a container
+for _SERVICE in ${_LXC_DISABLE_SERVICES}
+do
+ # service does not exist
+ if [ ! -e /etc/init.d/${_SERVICE} ]
+ then
+ continue
+ fi
+
+ _ALREADY_DISABLED="false"
+
+ # service is already disabled
+ for _RUNLEVEL in /etc/rc*.d
+ do
+ if ! 
ls ${_RUNLEVEL}/K*${_SERVICE} > /dev/null 2>&1
+then
+ # disabled services have stop links in all runlevels
+ # if at least one runlevel does not have a stop link,
+ # then the service was not disabled and we need to continue
+ # with disabling the service later on
+ _ALREADY_DISABLED="false"
+ break
+ fi
+
+ # service is indeed already disabled
+ _ALREADY_DISABLED="true"
+ done
+
+ if [ "${_ALREADY_DISABLED}" = "false" ]
+ then
+ if ls /etc/rc*.d/K*${_SERVICE} > /dev/null 2>&1 && \
+ ! ls /etc/rc*.d/S*${_SERVICE} > /dev/null 2>&1
+ then
+ # service has only stop links
+ # therefore, using 'update-rc.d disable' does not work,
+ # and using 'update-rc.d remove' is not upgrade safe
+ # (on upgrades, the stop links would be re-added).
+ for _SYMLINK in /etc/rc*.d/K*${_SERVICE}
+ do
+ LIVE_INITSCRIPT_EMPTY="true"
+
+ rm -f ${_SYMLINK}
+ ln -s /bin/live-initscripts-empty-stop ${_SYMLINK}
+ done
+ fi
+
+ # service is a normal service with both start and stop links
+ update-rc.d -f ${_SERVICE} disable 2>&1 | \
+ grep -v -e "^insserv: warning:" \
+ -e "^update-rc.d: warning:" \
+ -e "^update-rc.d: using dependency based boot sequencing" \
+ -e "^update-rc.d: error: .* Default-Start contains no runlevels, aborting." \
+ || true
+ fi
+done
+
+case ${LIVE_INITSCRIPT_EMPTY} in
+ true)
+
+cat > /bin/live-initscripts-empty-stop < EOF
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: live-build
+# Required-Start:
+# Required-Stop:
+# Should-Start:
+# Should-Stop:
+# Default-Start:
+# Default-Stop: 0 6
+# Short-Description: Live System Build Components
+# Description: live-build contains the components to build a live
+# system from a configuration directory.
+# X-Start-Before:
+# X-Stop-After:
+# X-Interactive:
+### END INIT INFO
+
+exit 0
+EOF
+
+ ;;
+esac
diff --git a/share/hooks/lxc/1080-systemd.hook.chroot b/share/hooks/lxc/1080-systemd.hook.chroot
new file mode 100755
index 000000000..4ac5baded
--- /dev/null
+++ b/share/hooks/lxc/1080-systemd.hook.chroot
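Review bot: `/bin/live-initscripts-empty-stop`, written by the `cat >` redirection in the `case` arm, is never made executable, so the `K*` links that the loop above re-points to it will fail when rc runs them at shutdown; add `chmod 755 /bin/live-initscripts-empty-stop` after the `EOF` line. The same `cat` line reads `< EOF`, which opens a file named EOF instead of a here-document; if that is not an artefact of how the patch is rendered here it needs to be `<< EOF`. Earlier in the hunk, `_CONSOLE="$(grep '#[0-9].*:respawn:/sbin/getty' /etc/inittab.tmp | tail -1)"` is empty whenever no commented getty entry exists (the substitution takes tail's status, so `set -e` does not trip), and the following `sed -i -e "s|\(${_CONSOLE}\)|\1${_CONSOLES}|"` would then match the empty string at the start of every line and insert the console block before each one; that line also feeds the matched inittab entry into the regex unescaped. A guard such as `[ -n "${_CONSOLE}" ] || { echo "no getty entry found in inittab" >&2; exit 1; }` before that `sed` keeps the failure visible instead of producing a corrupted inittab.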
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+set -e
+
+if [ ! -e /lib/systemd/systemd ]
+then
+ # System does not use systemd
+ exit 0
+fi
+
+_LXC_CONSOLES="6"
+_LXC_DISABLE_SERVICES="checkroot.service dev-hugepages.mount dev-mqueue.mount proc-sys-fs-binfmt_misc.automount remount-rootfs.service run-lock.mount run-user.mount swap.target sys-kernel-debug.mount sys-kernel-security.mount systemd-modules-load.service systemd-remount-api-vfs.service systemd-sysctl.service systemd-update-utmp-runlevel.service udev.service udev-settle.service udev-trigger.service user.mount var-lock.mount systemd-update-utmp-runlevel.service rescue.target sys-fs-fuse-connections.mount"
+
+# systemd starts counting consoles at 0, not 1 like sysvinit.
+_LXC_CONSOLES="$((${_LXC_CONSOLES} - 1))"
+
+# Disable sulogin
+ln -sf /dev/null /etc/systemd/system/console-shell.service
+
+# Disable ctrlaltdel
+ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
+
+# Disable normal getty
+rm -f /etc/systemd/system/getty.target.wants/getty@*.service
+
+# Enable container getty
+sed -e 's|^ *BindTo=|#BindTo=|' /lib/systemd/system/getty@.service > /etc/systemd/system/getty.target.wants/getty@console.service
+
+for _CONSOLE in $(seq 0 ${_LXC_CONSOLES})
+do
+ if [ -L /etc/systemd/system/getty.target.wants/getty@tty${_CONSOLE}.service ]
+ then
+ rm -f /etc/systemd/system/getty.target.wants/getty@tty${_CONSOLE}.service
+ fi
+
+ sed -e 's|^ *BindTo=|#BindTo=|' /lib/systemd/system/getty@.service > /etc/systemd/system/getty.target.wants/getty@tty${_CONSOLE}.service
+done
+
+# Enable powerfail for lxc-shutdown
+ln -sf /lib/systemd/system/reboot.target /etc/systemd/system/sigpwr.target
+
+# Disable default cpu and cpupacct
+grep -Eq '^ *JoinControllers=' /etc/systemd/system.conf || echo "JoinControllers=" >> /etc/systemd/system.conf
+
+sed -e 's|^ *JoinControllers=.*|JoinControllers=|' /etc/systemd/system.conf > /etc/systemd/system.conf.tmp
+mv /etc/systemd/system.conf.tmp /etc/systemd/system.conf
+
+# squeeze and newer have 
/dev/tty and /dev/tty0 by default
+for _CONSOLE in $(seq 0 ${_LXC_CONSOLES})
+do
+ if [ ! -e "/dev/tty${_CONSOLE}" ]
+ then
+ mknod "/dev/tty${_CONSOLE}" c 4 "${_CONSOLE}"
+ fi
+done
+
+# Remove uneeded services in a container
+for _SERVICE in ${_LXC_DISABLE_SERVICES}
+do
+ ln -sf "/dev/null" "/etc/systemd/system/${_SERVICE}"
+done
+
+# Disable setting CapabilityBoundingSet for journald
+sed -e 's/^ *CapabilityBoundingSet/\#&/' /lib/systemd/system/systemd-journald.service > /etc/systemd/system/systemd-journald.service
+
+# Disable setting CapabilityBoundingSet for logind
+sed -e 's/^ *CapabilityBoundingSet/\#&/' /lib/systemd/system/systemd-logind.service > /etc/systemd/system/systemd-logind.service
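Review bot: `ln -sf /lib/systemd/system/reboot.target /etc/systemd/system/sigpwr.target` makes the guest reboot on SIGPWR, whereas 1070-sysvinit.hook.chroot in the same commit maps the equivalent `powerfail` entry to `/sbin/init 0` (halt); unless the difference is deliberate, both init systems should react the same way to a container shutdown request, presumably via `poweroff.target` here. The getty units are written as edited copies of `getty@.service` straight into `getty.target.wants/`; if systemd resolves entries in a `.wants` directory by unit name rather than reading the file in place, the `BindTo` edit is ignored and the stock template is used, so writing the edited template once to `/etc/systemd/system/getty@.service` and symlinking the instances from `.wants/` is the safer layout. `_LXC_DISABLE_SERVICES` lists `systemd-update-utmp-runlevel.service` twice, harmless with `ln -sf` but worth trimming. The two `CapabilityBoundingSet` edits at the end remove a hardening setting from journald and logind; their comments should record why (presumably the guest's capability set lacks what the units request, so they fail to start), e.g. `# Guest lacks the capabilities the stock unit asks for; drop the bound rather than fail to start`, since as written it reads as an unexplained weakening.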