[pve-devel] [PATCH container 1/2] setup: tty paths for unprivileged containers

Wolfgang Bumiller w.bumiller at proxmox.com
Tue Dec 6 13:53:30 CET 2016


Unprivileged containers never use the /dev/tty/
subdirectory. Gentoo and Alpine never use it in lxc's
default configuration either.
---
 src/PVE/LXC/Setup/Alpine.pm    | 2 +-
 src/PVE/LXC/Setup/ArchLinux.pm | 4 ++--
 src/PVE/LXC/Setup/Base.pm      | 6 ++++++
 src/PVE/LXC/Setup/CentOS.pm    | 2 +-
 src/PVE/LXC/Setup/Gentoo.pm    | 2 +-
 src/PVE/LXC/Setup/SUSE.pm      | 2 +-
 6 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/PVE/LXC/Setup/Alpine.pm b/src/PVE/LXC/Setup/Alpine.pm
index d69a0df..b1683f6 100644
--- a/src/PVE/LXC/Setup/Alpine.pm
+++ b/src/PVE/LXC/Setup/Alpine.pm
@@ -39,7 +39,7 @@ sub template_fixup {
     $self->ct_symlink('/etc/init.d/savecache',
                       '/etc/runlevels/shutdown/savecache');
 
-    $self->setup_securetty($conf, qw(lxc/console lxc/tty1 lxc/tty2 lxc/tty3 lxc/tty4));
+    $self->setup_securetty($conf, qw(console tty1 tty2 tty3 tty4));
 }
 
 sub setup_init {
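Review bot: The unprefixed device list in Alpine's `template_fixup` is now used for privileged and unprivileged containers alike, but the reason for that exists only in the commit message. A later reader could take it for an oversight next to the `$conf`-dependent default in Base.pm and "fix" it, which would leave /etc/securetty listing devices that are not the container's console. I would add a comment above the call, e.g. `# lxc's default alpine config never places ttys under lxc/, so list the plain device names`. The same applies to the identical call in Gentoo.pm's `template_fixup`.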
diff --git a/src/PVE/LXC/Setup/ArchLinux.pm b/src/PVE/LXC/Setup/ArchLinux.pm
index e93293f..c9bcaaa 100644
--- a/src/PVE/LXC/Setup/ArchLinux.pm
+++ b/src/PVE/LXC/Setup/ArchLinux.pm
@@ -39,12 +39,12 @@ sub template_fixup {
                       '/etc/systemd/system/socket.target.wants/systemd-networkd.socket');
 
     # edit /etc/securetty (enable login on console)
-    $self->setup_securetty($conf, qw(console tty1 tty2 tty3 tty4));
+    $self->setup_securetty($conf);
 }
 
 sub setup_init {
     my ($self, $conf) = @_;
-    $self->setup_container_getty_service(1);
+    $self->setup_container_getty_service($conf->{unprivileged});
 }
 
 sub setup_network {
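Review bot: Privileged Arch containers change behaviour in both `template_fixup` and `setup_init`, and the commit message does not mention Arch. Previously securetty got the plain `console tty1..tty4` names and the getty service was set up with a constant `1`; now both follow `$conf->{unprivileged}`, so a privileged container gets the `lxc/` entries. If the privileged Arch configuration does not actually place its ttys under `lxc/`, root login on the console would be refused by securetty, so this is worth confirming. The meaning of the positional boolean passed to `setup_container_getty_service` is not visible in this hunk. A short comment would keep the two calls in sync, e.g. `# must match the securetty entries written in template_fixup`.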
diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index 32c1491..482395c 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -277,6 +277,12 @@ DATA
 sub setup_securetty {
     my ($self, $conf, @add) = @_;
 
+    if (!@add) {
+	# Default depends on whether it's an unprivileged container:
+	my $dir = $conf->{unprivileged} ? '' : 'lxc/';
+	@add = ("${dir}console", map { "${dir}tty$_" } 1..4);
+    }
+
     my $filename = "/etc/securetty";
     # root login is already allowed on every device if no securetty present
     return if !$self->ct_file_exists($filename);
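Review bot: The new default in `setup_securetty` picks the `lxc/` prefix from `$conf->{unprivileged}` alone, while the Alpine and Gentoo hunks in this same patch show that the tty directory also depends on the distribution's lxc configuration. /etc/securetty decides where root may log in, so a wrong prefix fails closed: console root login is refused without any warning. I would document the implicit behaviour above the sub, e.g. `# With no @add, defaults to console and tty1..tty4, prefixed with lxc/ unless the container is unprivileged; distributions whose lxc config differs must pass an explicit list.` An empty `@add` can also no longer mean "add nothing", which may be intended but should be stated. The body of the sub continues outside the hunk.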
diff --git a/src/PVE/LXC/Setup/CentOS.pm b/src/PVE/LXC/Setup/CentOS.pm
index 2becc35..94121ed 100644
--- a/src/PVE/LXC/Setup/CentOS.pm
+++ b/src/PVE/LXC/Setup/CentOS.pm
@@ -106,7 +106,7 @@ sub template_fixup {
 	$self->ct_file_set_contents($filename, $data);
 	
 	# edit /etc/securetty (enable login on console)
-	$self->setup_securetty($conf, qw(lxc/console lxc/tty1 lxc/tty2 lxc/tty3 lxc/tty4));
+	$self->setup_securetty($conf);
     }
 }
 
diff --git a/src/PVE/LXC/Setup/Gentoo.pm b/src/PVE/LXC/Setup/Gentoo.pm
index c1810bb..4f17c7d 100644
--- a/src/PVE/LXC/Setup/Gentoo.pm
+++ b/src/PVE/LXC/Setup/Gentoo.pm
@@ -29,7 +29,7 @@ sub new {
 
 sub template_fixup {
     my ($self, $conf) = @_;
-    $self->setup_securetty($conf, qw(lxc/console lxc/tty1 lxc/tty2 lxc/tty3 lxc/tty4));
+    $self->setup_securetty($conf, qw(console tty1 tty2 tty3 tty4));
 }
 
 sub setup_init {
diff --git a/src/PVE/LXC/Setup/SUSE.pm b/src/PVE/LXC/Setup/SUSE.pm
index c511ab6..f737ba1 100644
--- a/src/PVE/LXC/Setup/SUSE.pm
+++ b/src/PVE/LXC/Setup/SUSE.pm
@@ -38,7 +38,7 @@ sub new {
 sub template_fixup {
     my ($self, $conf) = @_;
 
-    $self->setup_securetty($conf, qw(lxc/console lxc/tty1 lxc/tty2 lxc/tty3 lxc/tty4));
+    $self->setup_securetty($conf);
 }
 
 sub setup_init {
-- 
2.1.4




