From 13f1aa11bd770faf8e66a72a7ac34fc1f7e2305a Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Thu, 29 Jun 2017 11:14:46 +0200 Subject: Adding upstream version 20170629. Signed-off-by: Daniel Baumann --- share/bash-completion/container | 6 +++ share/config/container.conf.in | 1 + share/doc/HOST-SETUP.txt | 16 +++---- share/man/container-shell.1.txt | 33 +++++++++++++++ share/man/container-top.1.txt | 75 +++++++++++++++++++++++++++++++++ share/man/container.1.txt | 3 ++ share/scripts/curl | 5 +++ share/scripts/debconf | 82 ++++++++++++++++++++++++------------ share/scripts/debconf.d/0003-debconf | 40 +++++++++++------- share/scripts/debootstrap | 5 +++ 10 files changed, 215 insertions(+), 51 deletions(-) create mode 100644 share/man/container-top.1.txt (limited to 'share') diff --git a/share/bash-completion/container b/share/bash-completion/container index 3995a16..8847419 100644 --- a/share/bash-completion/container +++ b/share/bash-completion/container @@ -230,6 +230,12 @@ _container() esac ;; + top) + opts="-d --delay" + COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) ) + return 0 + ;; + version) return 0 ;; diff --git a/share/config/container.conf.in b/share/config/container.conf.in index bf1ecc5..322e2c9 100644 --- a/share/config/container.conf.in +++ b/share/config/container.conf.in @@ -2,6 +2,7 @@ [start] cnt.auto=@CNT_AUTO@ +cnt.container-server=@CNT_CONTAINER_SERVER@ cnt.network-bridge=@CNT_NETWORK_BRIDGE@ cnt.overlay=@CNT_OVERLAY@ bind=@BIND@ diff --git a/share/doc/HOST-SETUP.txt b/share/doc/HOST-SETUP.txt index 73d1ce1..72d42d5 100644 --- a/share/doc/HOST-SETUP.txt +++ b/share/doc/HOST-SETUP.txt @@ -5,7 +5,7 @@ container-tools: Host Setup 1. Debian Packages ------------------- -apt install net-tools bridge-utils ifenslave vlan +apt install bridge-utils ifenslave vlan 2. Boot Parameters @@ -54,7 +54,7 @@ iface lo inet loopback iface eth0 inet manual -auto br0 +allow-hotplug br0 iface br0 inet dhcp bridge_ports eth0 bridge_fd 0 
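Review bot: In the new `top)` arm, `${cur}` is unquoted in `COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )`, so a partially typed word containing glob or whitespace characters is split or expanded by the shell before `compgen` receives it; `COMPREPLY=( $(compgen -W "${opts}" -- "${cur}") )` avoids that. This appears to follow the pattern of the surrounding arms, so the quoting could be fixed across `_container()` in one pass rather than only here. The enclosing `_container()` case statement starts and continues outside the hunk.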
@@ -76,7 +76,7 @@ iface lo inet loopback iface eth0 inet manual -auto br0 +allow-hotplug br0 iface br0 inet static address 10.0.0.2 gateway 10.0.0.1 @@ -103,10 +103,10 @@ source /etc/network/interfaces.d/* auto lo iface lo inet loopback -auto eth0 +allow-hotplug eth0 iface eth0 inet dhcp -auto br0 +allow-hotplug br0 iface br0 inet static address 10.0.0.1 netmask 255.255.255.0 @@ -131,14 +131,14 @@ source /etc/network/interfaces.d/* auto lo iface lo inet loopback -auto eth0 +allow-hotplug eth0 iface eth0 inet dhcp iface eth1 inet manual iface eth2 inet manual -auto bond0 +allow-hotplug bond0 iface bond0 inet manual up ifconfig bond0 0.0.0.0 up down ifconfig bond0 down @@ -155,7 +155,7 @@ iface bond0 inet manual iface bond0.100 inet manual vlan-raw-device bond0 -auto br100 +allow-hotplug br100 iface br100 inet static address 10.100.0.2 #gateway 10.100.0.1 diff --git a/share/man/container-shell.1.txt b/share/man/container-shell.1.txt index 6d792b8..760e0c5 100644 --- a/share/man/container-shell.1.txt +++ b/share/man/container-shell.1.txt 
@@ -53,6 +53,39 @@ All container commands are available, see container(1). Additionally, the follow *logout*, *exit:*:: exits container-shell. +USAGE +----- +Although the container-shell can be started from a running system like any other program, the main intend is to use the +container-shell via SSH. That way otherwise unprivileged users have possibility to manage containers without +needing a regular shell login on the container server. + +For usage over SSH a unprivileged user should be created: + + sudo adduser --gecos "container-tools,,," \ + --home /var/lib/container-tools/container-shell \ + --shell /usr/bin/container-shell + +The container-shell can then be allowed for specific SSH keys via /var/ib/container-tools/container-shell/.ssh/authorized_keys like so: + + command="/usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...] + + +RESTRICTED SHELL +---------------- +The container-shell by default grants any user that has access to it to use all available container commands. + +Through two corresponding environment variables users can be allowed or disallowed to use specific container commands. +In connection with SSH this makes it possible to grant certain SSH keys (and by that, users) privileges to operate container +servers without having to give them root access, a login shell at all and prevents them from doing things they are not trusted to do. + +Example (blacklisting): In order to allow all commands except for removing and stopping containers, the following variable can be used: + + command="CONTAINER_COMMANDS_DISABLE='remove stop' /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...] + +Example (whitelisting): The other way around works too. 
To disallow all commands except for listing containers and showing the container-tools version, the following variable can be used: + + command="CONTAINER_COMMANDS_ENABLE='list version' /usr/bin/container-shell",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa [...] + SEE ALSO -------- diff --git a/share/man/container-top.1.txt b/share/man/container-top.1.txt new file mode 100644 index 0000000..5cc2a0a --- /dev/null +++ b/share/man/container-top.1.txt 
@@ -0,0 +1,75 @@
+// container-tools - Manage systemd-nspawn containers
+// Copyright (C) 2014-2017 Daniel Baumann
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program. If not, see .
+
+CONTAINER-TOP(1)
+================
+:doctype: manpage
+:man manual: Open Infrastructure
+:man source: container-tools
+:man version: {revnumber}
+
+
+NAME
+----
+container-top - Dynamic list container on the system
+
+
+SYNOPSIS
+--------
+*container top* ['OPTIONS']
+
+
+DESCRIPTION
+-----------
+The container top command dynamically lists container on the system.
+
+
+OPTIONS
+-------
+The following container options are available, defaults to *--delay 1*:
+
+*-d, --delay='SECONDS[.TENTHS]'*::
+ Specifies the delay between screen updates, defaults to 1.
+
+
+EXAMPLES
+--------
+*Dynamically list containers of the local system:*::
+ sudo container top
+
+
+SEE ALSO
+--------
+container-tools(7),
+container(1).
+
+
+HOMEPAGE
+--------
+More information about container-tools and the Open Infrastructure project can be found on the homepage at https://open-infrastructure.net.
+
+
+CONTACT
+-------
+Bug reports, feature requests, help, patches, support and everything else
+are welcome on the Open Infrastructure Software Mailing List .
+
+Debian specific bugs can also be reported in the Debian Bug Tracking System at https://bugs.debian.org.
+
+
+AUTHORS
+-------
+container-tools was written by Daniel Baumann .
diff --git a/share/man/container.1.txt b/share/man/container.1.txt index fa94d7f..6bd2a12 100644 --- a/share/man/container.1.txt +++ b/share/man/container.1.txt @@ -83,6 +83,9 @@ The following container commands are available: *status*:: Show container status, see container-status(1). +*top*:: + Dynamic list of container on the system, see container-top(1). + *version*:: Show container-tools version, see container-version(1). diff --git a/share/scripts/curl b/share/scripts/curl index 18d49c0..a338020 100755 --- a/share/scripts/curl +++ b/share/scripts/curl @@ -57,6 +57,11 @@ Parameters () shift 2 ;; + --cnt.container-server) + # ignore + shift 2 + ;; + -s|--script) # ignore shift 2 diff --git a/share/scripts/debconf b/share/scripts/debconf index c90e851..5441acc 100755 --- a/share/scripts/debconf +++ b/share/scripts/debconf @@ -57,6 +57,11 @@ Parameters () shift 2 ;; + --cnt.container-server) + # ignore + shift 2 + ;; + -s|--script) # ignore shift 2 @@ -293,10 +298,6 @@ Package: * Pin: release n=${DIST}-updates Pin-Priority: 999 -Package: * -Pin: release n=${DIST}-lts -Pin-Priority: 999 - Package: * Pin: release n=${DIST}-extras Pin-Priority: 999 @@ -486,10 +487,6 @@ Configure_system () echo "deb ${PARENT_MIRROR} ${PARENT_DIST}-updates ${PARENT_AREA}" >> "${DIRECTORY}/etc/apt/sources.list.d/debian.list" ;; - ${PARENT_DIST}-lts) - echo "deb ${PARENT_MIRROR} ${PARENT_DIST}-lts ${PARENT_AREA}" >> "${DIRECTORY}/etc/apt/sources.list.d/debian.list" - ;; - ${PARENT_DIST}-backports) echo "deb ${PARENT_MIRROR} ${PARENT_DIST}-backports ${PARENT_AREA}" >> "${DIRECTORY}/etc/apt/sources.list.d/debian.list" ;; 
@@ -534,14 +531,6 @@ Configure_system () echo "deb ${MIRROR} ${DIST}-updates-staging ${AREA}" >> "${DIRECTORY}/etc/apt/sources.list.d/progress-linux.list" ;; - ${DIST}-lts) - echo "deb ${MIRROR} ${DIST}-lts ${AREA}" >> "${DIRECTORY}/etc/apt/sources.list.d/progress-linux.list" - ;; - - ${DIST}-lts-staging) - echo "deb ${MIRROR} ${DIST}-lts-staging ${AREA}" >> "${DIRECTORY}/etc/apt/sources.list.d/progress-linux.list" - ;; - ${DIST}-extras) if echo "${AREA}" | grep -qs non-free then @@ -724,7 +713,6 @@ EOF rm -f "${DIRECTORY}/.container-command" fi - } Configure_network () @@ -811,8 +799,6 @@ EOF Configure_systemd_networkd () { - # FIXME: postup/postdown: multi-interface route - DIRECTORY="${1}" # Enable systemd-networkd @@ -830,8 +816,8 @@ Configure_systemd_networkd () eval IPV4_ADDRESS="$`echo NETWORK${NUMBER}_IPV4_ADDRESS`" eval IPV4_GATEWAY="$`echo NETWORK${NUMBER}_IPV4_GATEWAY`" eval IPV4_NETMASK="$`echo NETWORK${NUMBER}_IPV4_NETMASK`" -# eval IPV4_POST_UP="$`echo NETWORK${NUMBER}_IPV4_POST_UP`" -# eval IPV4_POST_DOWN="$`echo NETWORK${NUMBER}_IPV4_POST_DOWN`" + eval IPV4_POST_UP="$`echo NETWORK${NUMBER}_IPV4_POST_UP`" + eval IPV4_POST_DOWN="$`echo NETWORK${NUMBER}_IPV4_POST_DOWN`" if [ -z "${IPV4_METHOD}" ] then 
@@ -879,6 +865,46 @@ EOF fi esac + if [ -n "${IPV4_POST_UP}" ] + then + +cat > "${DIRECTORY}/etc/systemd/system/cnt-ipv4-post-up-eth${NUMBER}.service" << EOF +[Unit] +Description=container-tools IPV4_POST_UP +After=network-online.target +Wants=network-online.target + +[Service] +Type=oneshot +ExecStart=/bin/sh -c "${IPV4_POST_UP}" + +[Install] +WantedBy=multi-user.target +EOF + + chroot "${DIRECTORY}" systemctl enable cnt-ipv4-post-up-eth${NUMBER}.service + fi + + if [ -n "${IPV4_POST_DOWN}" ] + then + +cat > "${DIRECTORY}/etc/systemd/system/cnt-ipv4-post-down-eth${NUMBER}.service" << EOF +[Unit] +Description=container-tools IPV4_POST_DOWN +After=network.target +Wants=network.target + +[Service] +Type=oneshot +ExecStart=/bin/sh -c "${IPV4_POST_DOWN}" + +[Install] +WantedBy=multi-user.target +EOF + + chroot "${DIRECTORY}" systemctl enable cnt-ipv4-post-down-eth${NUMBER}.service + fi + NUMBER="$((${NUMBER} + 1))" done } 
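Review bot: The `cnt-ipv4-post-down-eth${NUMBER}.service` unit written in this hunk runs its command at boot rather than when the interface goes down: it is `Type=oneshot` with `ExecStart=` and `WantedBy=multi-user.target`, exactly like the post-up unit, so `IPV4_POST_DOWN` executes right after `IPV4_POST_UP` and never at shutdown. To hook the down path the unit has to stay active and run the command on stop, i.e. its `[Service]` section should use `RemainAfterExit=yes`, `ExecStart=/bin/true` and `ExecStop=/bin/sh -c "${IPV4_POST_DOWN}"`. Both units also paste the configured command verbatim into a double-quoted `ExecStart=` argument, where systemd applies its own `%` specifier expansion, `$VAR` environment expansion and quoting rules before `/bin/sh` sees the string, so a command containing `"`, `%` or `$` is altered or rejected at unit load and the only check on the value is `-n`; writing the command into a script file inside the container and pointing `ExecStart=` at that file would avoid the double interpretation. Configure_systemd_networkd begins outside the hunk.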
@@ -904,12 +930,14 @@ Commands () HOSTNAME_SHORT="$(echo ${NAME} | cut -c-8)" HOST_INTERFACE_NAME="$(echo ${NETWORK0_VETH:-veth-${HOSTNAME_SHORT}-0})" - sed -i -e "s|^cnt.auto=.*|cnt.auto=${CNT_AUTO}|" "${CONFIG}/${NAME}.conf" - sed -i -e "s|^cnt.network-bridge=.*|cnt.network-bridge=${HOST_INTERFACE_NAME}:${NETWORK0_BRIDGE:-br0}|g" "${CONFIG}/${NAME}.conf" - sed -i -e "s|^cnt.overlay=.*|cnt.overlay=${CNT_OVERLAY}|g" "${CONFIG}/${NAME}.conf" - sed -i -e "s|^bind=.*|bind=${BIND}|" "${CONFIG}/${NAME}.conf" - sed -i -e "s|^bind-ro=.*|bind-ro=${BIND_RO}|" "${CONFIG}/${NAME}.conf" - sed -i -e "s|^network-veth-extra=.*|network-veth-extra=${HOST_INTERFACE_NAME}:eth0|g" "${CONFIG}/${NAME}.conf" + sed -i -e "s|^cnt.auto=.*|cnt.auto=${CNT_AUTO}|g" \ + -e "s|^cnt.container-server=.*|cnt.container-server=${CNT_CONTAINER_SERVER}|g" \ + -e "s|^cnt.network-bridge=.*|cnt.network-bridge=${HOST_INTERFACE_NAME}:${NETWORK0_BRIDGE:-br0}|g" \ + -e "s|^cnt.overlay=.*|cnt.overlay=${CNT_OVERLAY}|g" \ + -e "s|^bind=.*|bind=${BIND}|g" \ + -e "s|^bind-ro=.*|bind-ro=${BIND_RO}|g" \ + -e "s|^network-veth-extra=.*|network-veth-extra=${HOST_INTERFACE_NAME}:eth0|g" \ + "${CONFIG}/${NAME}.conf" for NUMBER in $(seq 1 ${NETWORK_NUMBER}) do diff --git a/share/scripts/debconf.d/0003-debconf b/share/scripts/debconf.d/0003-debconf index 1364bd0..8e78b3e 100755 --- a/share/scripts/debconf.d/0003-debconf +++ b/share/scripts/debconf.d/0003-debconf 
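Review bot: The merged `sed -i` call substitutes `${CNT_CONTAINER_SERVER}`, `${BIND}` and `${BIND_RO}` into the replacement side of `s|…|…|g` expressions without escaping, so a value containing `|`, `&` or `\` either rewrites the line incorrectly or makes sed reject the expression, and because all seven edits now live in one invocation a single bad value leaves `${NAME}.conf` entirely unchanged where the old one-call-per-key form lost only that key. `bind=` values are user-supplied paths (they come from `cnt-debconf/bind`), so they should be escaped before use, e.g. `BIND_SED="$(printf '%s' "${BIND}" | sed -e 's/[\\&|]/\\&/g')"` and then `-e "s|^bind=.*|bind=${BIND_SED}|g"`, or the result of the sed call should at least be checked with `|| exit 1` style handling. Commands () starts and ends outside the hunk.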
@@ -182,8 +182,8 @@ Archives () ;; *) - db_subst cnt-debconf/archives CHOICES "Security, Updates, LTS, Backports, Proposed Updates" - db_subst cnt-debconf/archives CHOICES_C "${DISTRIBUTION}-security, ${DISTRIBUTION}-updates, ${DISTRIBUTION}-lts, ${DISTRIBUTION}-backports, ${DISTRIBUTION}-proposed-updates" + db_subst cnt-debconf/archives CHOICES "Security, Updates, Backports, Proposed Updates" + db_subst cnt-debconf/archives CHOICES_C "${DISTRIBUTION}-security, ${DISTRIBUTION}-updates, ${DISTRIBUTION}-backports, ${DISTRIBUTION}-proposed-updates" case "${PARENT_DISTRIBUTION}" in sid) @@ -191,7 +191,7 @@ Archives () ;; *) - #db_set cnt-debconf/archives "${DISTRIBUTION}-security, ${DISTRIBUTION}-updates, ${DISTRIBUTION}-lts, ${DISTRIBUTION}-backports" + #db_set cnt-debconf/archives "${DISTRIBUTION}-security, ${DISTRIBUTION}-updates, ${DISTRIBUTION}-backports" db_set cnt-debconf/archives "${DISTRIBUTION}-security, ${DISTRIBUTION}-updates" ;; esac 
@@ -204,10 +204,10 @@ Archives () progress-linux) DIST="$(echo ${DISTRIBUTION} | sed -e 's|-backports||')" - db_subst cnt-debconf/archives CHOICES "staging, Security, Security (staging), Updates, Updates (staging), LTS, LTS (staging), Extras, Extras (staging), Backports, Backports (staging), Backports Extras, Backports Extras (staging)" - db_subst cnt-debconf/archives CHOICES_C "${DIST}-staging, ${DIST}-security, ${DIST}-security-staging, ${DIST}-updates, ${DIST}-updates-staging, ${DIST}-lts, ${DIST}-lts-staging, ${DIST}-extras, ${DIST}-extras-staging, ${DIST}-backports, ${DIST}-backports-staging, ${DIST}-backports-extras, ${DIST}-backports-extras-staging" + db_subst cnt-debconf/archives CHOICES "staging, Security, Security (staging), Updates, Updates (staging), Extras, Extras (staging), Backports, Backports (staging), Backports Extras, Backports Extras (staging)" + db_subst cnt-debconf/archives CHOICES_C "${DIST}-staging, ${DIST}-security, ${DIST}-security-staging, ${DIST}-updates, ${DIST}-updates-staging, ${DIST}-extras, ${DIST}-extras-staging, ${DIST}-backports, ${DIST}-backports-staging, ${DIST}-backports-extras, ${DIST}-backports-extras-staging" - db_set cnt-debconf/archives "${DIST}-security, ${DIST}-updates, ${DIST}-lts, ${DIST}-extras, ${DIST}-backports, ${DIST}-backports-extras" + db_set cnt-debconf/archives "${DIST}-security, ${DIST}-updates, ${DIST}-extras, ${DIST}-backports, ${DIST}-backports-extras" db_fset cnt-debconf/archives seen false ;; esac 
@@ -235,12 +235,12 @@ Parent_archives () then case "${MODE}" in progress-linux) - db_subst cnt-debconf/parent-archives CHOICES "Security, Updates, LTS, Backports, Proposed Updates" - db_subst cnt-debconf/parent-archives CHOICES_C "${PARENT_DISTRIBUTION}-security, ${PARENT_DISTRIBUTION}-updates, ${PARENT_DISTRIBUTION}-lts, ${PARENT_DISTRIBUTION}-backports, ${PARENT_DISTRIBUTION}-proposed-updates" + db_subst cnt-debconf/parent-archives CHOICES "Security, Updates, Backports, Proposed Updates" + db_subst cnt-debconf/parent-archives CHOICES_C "${PARENT_DISTRIBUTION}-security, ${PARENT_DISTRIBUTION}-updates, ${PARENT_DISTRIBUTION}-backports, ${PARENT_DISTRIBUTION}-proposed-updates" case "${PARENT_DISTRIBUTION}" in *) - #db_set cnt-debconf/parent-archives "${PARENT_DISTRIBUTION}-security, ${PARENT_DISTRIBUTION}-lts, ${PARENT_DISTRIBUTION}-updates, ${PARENT_DISTRIBUTION}-backports" + #db_set cnt-debconf/parent-archives "${PARENT_DISTRIBUTION}-security, ${PARENT_DISTRIBUTION}-updates, ${PARENT_DISTRIBUTION}-backports" db_set cnt-debconf/parent-archives "${PARENT_DISTRIBUTION}-security, ${PARENT_DISTRIBUTION}-updates" ;; esac @@ -253,7 +253,7 @@ Parent_archives () ;; *) - db_subst cnt-debconf/parent-archives CHOICES "Security, Updates, LTS, Backports, Proposed Updates" + db_subst cnt-debconf/parent-archives CHOICES "Security, Updates, Backports, Proposed Updates" db_subst cnt-debconf/parent-archives CHOICES_C "${ARCHIVES}" db_set cnt-debconf/parent-archives "${ARCHIVES}" @@ -270,7 +270,7 @@ Parent_archives () progress-linux) case "${PARENT_DISTRIBUTION}" in *) - #PARENT_ARCHIVES="${PARENT_DISTRIBUTION}-security, ${PARENT_DISTRIBUTION}-updates, ${PARENT_DISTRIBUTION}-lts, ${PARENT_DISTRIBUTION}-backports" + #PARENT_ARCHIVES="${PARENT_DISTRIBUTION}-security, ${PARENT_DISTRIBUTION}-updates, ${PARENT_DISTRIBUTION}-backports" PARENT_ARCHIVES="${PARENT_DISTRIBUTION}-security, ${PARENT_DISTRIBUTION}-updates" ;; esac 
@@ -1008,18 +1008,26 @@ Internal_options () if db_get cnt-debconf/auto then - CNT_AUTO="${RET:-FQDN}" # string (w/o empty) + CNT_AUTO="${RET:-true}" # string (w/o empty) fi - CNT_AUTO="${CNT_AUTO:-FQDN}" + CNT_AUTO="${CNT_AUTO:-true}" + echo "CNT_AUTO=\"${CNT_AUTO}\"" >> "${DEBCONF_TMPDIR}/debconf.default" + + if db_get cnt-debconf/container-server + then + CNT_CONTAINER_SERVER="${RET:-FQDN}" # string (w/o empty) + fi + + CNT_CONTAINER_SERVER="${CNT_CONTAINER_SERVER:-FQDN}" - case "${CNT_AUTO}" in + case "${CNT_CONTAINER_SERVER}" in FQDN) - CNT_AUTO="$(hostname -f)" + CNT_CONTAINER_SERVER="$(hostname -f)" ;; esac - echo "CNT_AUTO=\"${CNT_AUTO}\"" >> "${DEBCONF_TMPDIR}/debconf.default" + echo "CNT_CONTAINER_SERVER=\"${CNT_CONTAINER_SERVER}\"" >> "${DEBCONF_TMPDIR}/debconf.default" if db_get cnt-debconf/bind then diff --git a/share/scripts/debootstrap b/share/scripts/debootstrap index 79a3193..0c19d54 100755 --- a/share/scripts/debootstrap +++ b/share/scripts/debootstrap @@ -56,6 +56,11 @@ Parameters () shift 2 ;; + --cnt.container-server) + # ignore + shift 2 + ;; + -s|--script) # ignore shift 2 -- cgit v1.2.3
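Review bot: `CNT_CONTAINER_SERVER="$(hostname -f)"` in the new `FQDN)` arm has no fallback: when the host name cannot be resolved to a fully qualified name, `hostname -f` prints an error and exits non-zero, leaving `CNT_CONTAINER_SERVER` empty and an empty `CNT_CONTAINER_SERVER=""` line appended to `debconf.default`, which then reaches `cnt.container-server=` in the container config; `CNT_CONTAINER_SERVER="$(hostname -f 2>/dev/null || hostname)"` would degrade to the short host name instead. The same `FQDN)` resolution was previously applied to `CNT_AUTO`, whose default now becomes `true`, yet the retained comment `# string (w/o empty)` on the `CNT_AUTO` line no longer describes the value, and nothing visible in this hunk migrates existing configs that carry a host name in `cnt.auto=`. Internal_options starts and ends outside the hunk.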