Package: freedombox-setup
Version: 0.6
Severity: normal
Tags: patch

This patch proposes to remove LXC from freedombox-setup. The following is the rationale:

- LXC has not been used in FreedomBox at all.
- Maintaining security updates inside all the LXC containers will be hard. At least current implementation seems to indicate that we will be creating a container with full Debian root install for each application.
- We have instead decided to provide similar security using systemd's unit files and apparmor profiles. These changes will go into Debian and will be maintained by Debian maintainers.
- During the last hackathon we have agreed to remove LXC in favor of working on systemd/apparmor.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

From bb4b4c5f25044c39d58223377eaac4ddf3091371 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa <su...@medhas.org>
Date: Wed, 25 Nov 2015 10:14:57 +0530
Subject: [PATCH] Remove LXC

- LXC has not been used in FreedomBox at all.

- Maintaining security updates inside all the LXC containers will be hard. At least current implementation seems to indicate that we will be creating a container with full Debian root install for each application.

- We have instead decided to provide similar security using systemd's unit files and apparmor profiles. These changes will go into Debian and will be maintained by Debian maintainers.

- During the last hackathon we have agreed to remove LXC in favor of working on systemd/apparmor.
---
 data/usr/share/lxc/templates/lxc-debian-freedombox | 370 ---------------------
 debian/copyright                                   |  24 --
 debian/freedombox-setup.freedombox-first-run.init  |   2 +-
 debian/freedombox-setup.install                    |   1 -
 setup.d/20_lxc                                     |  25 --
 5 files changed, 1 insertion(+), 421 deletions(-)
 delete mode 100755 data/usr/share/lxc/templates/lxc-debian-freedombox
 delete mode 100755 setup.d/20_lxc

diff --git a/data/usr/share/lxc/templates/lxc-debian-freedombox b/data/usr/share/lxc/templates/lxc-debian-freedombox deleted file mode 100755 index 753bc78..0000000 --- a/data/usr/share/lxc/templates/lxc-debian-freedombox +++ /dev/null 
@@ -1,370 +0,0 @@ -#!/bin/bash - -# -# lxc: linux Container library - -# Authors: -# Daniel Lezcano <daniel.lezc...@free.fr> - -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. - -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. - -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -# ============================================================== -# This is a slightly modified version by Rob van der Hoeven -# I use it for my FreedomBox project: http://freedomboxblog.nl -# ============================================================== - -SUITE=${SUITE:-squeeze} -MIRROR=${MIRROR:-http://http.debian.net/debian} - -configure_debian() -{ - rootfs=$1 - hostname=$2 - - # squeeze only has /dev/tty and /dev/tty0 by default, - # therefore creating missing device nodes for tty1-4. - for tty in $(seq 1 4); do - if [ ! -e $rootfs/dev/tty$tty ]; then - mknod $rootfs/dev/tty$tty c 4 $tty - fi - done - - # configure the inittab - cat <<EOF > $rootfs/etc/inittab -id:3:initdefault: -si::sysinit:/etc/init.d/rcS -l0:0:wait:/etc/init.d/rc 0 -l1:1:wait:/etc/init.d/rc 1 -l2:2:wait:/etc/init.d/rc 2 -l3:3:wait:/etc/init.d/rc 3 -l4:4:wait:/etc/init.d/rc 4 -l5:5:wait:/etc/init.d/rc 5 -l6:6:wait:/etc/init.d/rc 6 -# Normally not reached, but fallthrough in case of emergency. 
-z6:6:respawn:/sbin/sulogin -1:2345:respawn:/sbin/getty 38400 console -c1:12345:respawn:/sbin/getty 38400 tty1 linux -c2:12345:respawn:/sbin/getty 38400 tty2 linux -c3:12345:respawn:/sbin/getty 38400 tty3 linux -c4:12345:respawn:/sbin/getty 38400 tty4 linux -p6::ctrlaltdel:/sbin/init 6 -p0::powerfail:/sbin/init 0 -EOF - - # disable selinux in debian - mkdir -p $rootfs/selinux - echo 0 > $rootfs/selinux/enforce - - # configure the network using the dhcp - cat <<EOF > $rootfs/etc/network/interfaces -auto lo -iface lo inet loopback - -auto eth0 -iface eth0 inet dhcp -EOF - - # set the hostname - cat <<EOF > $rootfs/etc/hostname -$hostname -EOF - - # let dhcp client report the hostname to DHCP server - cat <<EOF >> $rootfs/etc/dhcp/dhclient.conf -send host-name "$hostname"; -send vendor-class-identifier "lxc.module"; -EOF - - # reconfigure some services - if [ -z "$LANG" ]; then - chroot $rootfs locale-gen en_US.UTF-8 UTF-8 - chroot $rootfs update-locale LANG=en_US.UTF-8 - else - chroot $rootfs locale-gen $LANG $(echo $LANG | cut -d. -f2) - chroot $rootfs update-locale LANG=$LANG - fi - - # remove pointless services in a container - chroot $rootfs /usr/sbin/update-rc.d -f checkroot.sh remove - chroot $rootfs /usr/sbin/update-rc.d -f umountfs remove - chroot $rootfs /usr/sbin/update-rc.d -f hwclock.sh remove - chroot $rootfs /usr/sbin/update-rc.d -f hwclockfirst.sh remove - - echo "root:root" | chroot $rootfs chpasswd - echo "Root password is 'root', please change !" - - return 0 -} - -cleanup() -{ - rm -rf $cache/partial-$SUITE-$arch - rm -rf $cache/rootfs-$SUITE-$arch -} - -download_debian() -{ - packages=\ -ifupdown,\ -locales,\ -libui-dialog-perl,\ -dialog,\ -isc-dhcp-client,\ -netbase,\ -net-tools,\ -iproute,\ -openssh-server - - cache=$1 - arch=$2 - - trap cleanup EXIT SIGHUP SIGINT SIGTERM - # check the mini debian was not already downloaded - mkdir -p "$cache/partial-$SUITE-$arch" - if [ $? 
-ne 0 ]; then - echo "Failed to create '$cache/partial-$SUITE-$arch' directory" - return 1 - fi - - # download a mini debian into a cache - echo "Downloading debian minimal ..." - debootstrap --verbose --variant=minbase --arch=$arch \ - --include=$packages \ - "$SUITE" "$cache/partial-$SUITE-$arch" $MIRROR - if [ $? -ne 0 ]; then - echo "Failed to download the rootfs, aborting." - return 1 - fi - - mv "$1/partial-$SUITE-$arch" "$1/rootfs-$SUITE-$arch" - echo "Download complete." - trap EXIT - trap SIGINT - trap SIGTERM - trap SIGHUP - - return 0 -} - -copy_debian() -{ - cache=$1 - arch=$2 - rootfs=$3 - - # make a local copy of the minidebian - echo -n "Copying rootfs to $rootfs..." - mkdir -p $rootfs - rsync -Ha "$cache/rootfs-$SUITE-$arch"/ $rootfs/ || return 1 - return 0 -} - -install_debian() -{ - cache="/var/cache/lxc/debian-$SUITE" - rootfs=$1 - mkdir -p /var/lock/subsys/ - ( - flock -n -x 200 - if [ $? -ne 0 ]; then - echo "Cache repository is busy." - return 1 - fi - - arch=$(dpkg --print-architecture) - - echo "Checking cache download in $cache/rootfs-$SUITE-$arch ... " - if [ ! -e "$cache/rootfs-$SUITE-$arch" ]; then - download_debian $cache $arch - if [ $? -ne 0 ]; then - echo "Failed to download 'debian base'" - return 1 - fi - fi - - copy_debian $cache $arch $rootfs - if [ $? -ne 0 ]; then - echo "Failed to copy rootfs" - return 1 - fi - - return 0 - - ) 200>/var/lock/subsys/lxc-debian - - return $? 
-} - -# nice trick from: http://mindref.blogspot.com/2011/01/debian-lxc-create.html -hex() -{ - echo "`tr -dc A-F0-9 < /dev/urandom | head -c 2 | xargs`" -} - -copy_configuration() -{ - path=$1 - rootfs=$2 - hostname=$3 - - grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config - cat <<EOF >> $path/config -lxc.tty = 4 -lxc.pts = 1024 -lxc.utsname = $hostname - -# When using LXC with apparmor, uncomment the next line to run unconfined: -#lxc.aa_profile = unconfined - -lxc.cgroup.devices.deny = a -# /dev/null and zero -lxc.cgroup.devices.allow = c 1:3 rwm -lxc.cgroup.devices.allow = c 1:5 rwm -# consoles -lxc.cgroup.devices.allow = c 5:1 rwm -lxc.cgroup.devices.allow = c 5:0 rwm -lxc.cgroup.devices.allow = c 4:0 rwm -lxc.cgroup.devices.allow = c 4:1 rwm -# /dev/{,u}random -lxc.cgroup.devices.allow = c 1:9 rwm -lxc.cgroup.devices.allow = c 1:8 rwm -lxc.cgroup.devices.allow = c 136:* rwm -lxc.cgroup.devices.allow = c 5:2 rwm -# rtc -lxc.cgroup.devices.allow = c 254:0 rwm - -# mounts point -lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 -lxc.mount.entry = devpts dev/pts devpts defaults 0 0 -lxc.mount.entry = sysfs sys sysfs defaults 0 0 - -# networking -lxc.network.type = veth -lxc.network.flags = up -lxc.network.link = br0 -lxc.network.ipv4 = 0.0.0.0/24 -lxc.network.hwaddr = 00:1E:$(hex):$(hex):$(hex):$(hex) -EOF - - if [ $? -ne 0 ]; then - echo "Failed to add configuration" - return 1 - fi - - return 0 -} - -clean() -{ - cache="/var/cache/lxc/debian-$SUITE" - - if [ ! -e $cache ]; then - exit 0 - fi - - # lock, so we won't purge while someone is creating a repository - ( - flock -x 200 - if [ $? != 0 ]; then - echo "Cache repository is busy." - exit 1 - fi - - echo -n "Purging the download cache..." - rm --preserve-root --one-file-system -rf $cache && echo "Done." 
|| exit 1 - exit 0 - - ) 200>/var/lock/subsys/lxc-debian -} - -usage() -{ - cat <<EOF -$1 -h|--help -p|--path=<path> --clean -EOF - return 0 -} - -options=$(getopt -o hp:n:c -l help,path:,name:,clean -- "$@") -if [ $? -ne 0 ]; then - usage $(basename $0) - exit 1 -fi -eval set -- "$options" - -while true -do - case "$1" in - -h|--help) usage $0 && exit 0;; - -p|--path) path=$2; shift 2;; - -n|--name) name=$2; shift 2;; - -c|--clean) clean=$2; shift 2;; - --) shift 1; break ;; - *) break ;; - esac -done - -if [ ! -z "$clean" -a -z "$path" ]; then - clean || exit 1 - exit 0 -fi - -type debootstrap -if [ $? -ne 0 ]; then - echo "'debootstrap' command is missing" - exit 1 -fi - -if [ -z "$path" ]; then - echo "'path' parameter is required" - exit 1 -fi - -if [ "$(id -u)" != "0" ]; then - echo "This script should be run as 'root'" - exit 1 -fi - -# detect rootfs -config="$path/config" -if grep -q '^lxc.rootfs' $config 2>/dev/null ; then - rootfs=`grep 'lxc.rootfs =' $config | awk -F= '{ print $2 }'` -else - rootfs=$path/rootfs -fi - - -install_debian $rootfs -if [ $? -ne 0 ]; then - echo "failed to install debian" - exit 1 -fi - -configure_debian $rootfs $name -if [ $? -ne 0 ]; then - echo "failed to configure debian for a container" - exit 1 -fi - -copy_configuration $path $rootfs $name -if [ $? -ne 0 ]; then - echo "failed write configuration file" - exit 1 -fi - -if [ ! -z $clean ]; then - clean || exit 1 - exit 0 -fi diff --git a/debian/copyright b/debian/copyright index 62dd7b0..60c8274 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -14,12 +14,6 @@ Copyright: © 2013 Petter Reinholdtsen <p...@debian.org> License: GPL-3.0+ -Files: lxc-templates/lxc-debian-freedombox -Copyright: - © 2007-2012 IBM Corporation and Daniel Lezcano <daniel.lezc...@free.fr> - © 2013 Rob van der Hoeven <robvanderhoe...@ziggo.nl> -License: LGPL-2.1+ - License: GPL-3.0+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -36,21 +30,3 @@ License: GPL-3.0+ . On Debian systems, the complete text of the GNU General Public License version 3 can be found in "/usr/share/common-licenses/GPL-3". - -License: LGPL-2.1+ - This library is free software; you can redistribute it and/or modify - it under the terms of the GNU Lesser General Public License as - published by the Free Software Foundation; either version 2.1 of the - License, or (at your option) any later version. - . - This library is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - . - You should have received a copy of the GNU Lesser General Public - License along with this library; if not, see - <http://www.gnu.org/licenses/>. - . - The complete text of the GNU General Public License - can be found in /usr/share/common-licenses/LGPL-2.1 file. diff --git a/debian/freedombox-setup.freedombox-first-run.init b/debian/freedombox-setup.freedombox-first-run.init index 2775574..bb8cd96 100755 --- a/debian/freedombox-setup.freedombox-first-run.init +++ b/debian/freedombox-setup.freedombox-first-run.init 
@@ -5,7 +5,7 @@ # Default-Stop: # Required-Start: $network $remote_fs $syslog # Required-Stop: $remote_fs $syslog -# Should-Start: firewalld tor haveged lxc +# Should-Start: firewalld tor haveged # Short-Description: Finish Freedombox install after first boot # Description: # Script to complete the post-install process on first FBX boot. diff --git a/debian/freedombox-setup.install b/debian/freedombox-setup.install index f62c49d..25739e3 100644 --- a/debian/freedombox-setup.install +++ b/debian/freedombox-setup.install @@ -7,5 +7,4 @@ data/etc/avahi/services/*.service etc/avahi/services data/etc/sudoers.d/freedombox etc/sudoers.d data/etc/sysctl.d/freedombox.conf etc/sysctl.d data/etc/update-motd.d/50-freedombox etc/update-motd.d/ -data/usr/share/lxc/templates/lxc-debian-freedombox usr/share/lxc/templates data/usr/share/pam-configs/*-freedombox usr/share/pam-configs diff --git a/setup.d/20_lxc b/setup.d/20_lxc deleted file mode 100755 index 5754c2f..0000000 --- a/setup.d/20_lxc +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/sh -# -# Prepare support for LXC, to allow us to put each service in its own -# container. -# Based on <URL: https://wiki.debian.org/LXC > and -# <URL: http://freedomboxblog.nl/articles-tagged-software-architecture >. - -create_lxc_box() { - virtname="$1" - pkgs="$2" - MIRROR=http://httpredir.debian.org/debian \ - SUITE=wheezy \ - lxc-create -n "$virtname" -t debian-freedombox - if [ "$pkgs" ] ; then - lxc-start -d -n "$virtname" - lxc-attach -n "$virtname" -- \ - DEBIAN_FRONTEND=noninteractive apt-get install -y $pkgs - lxc-stop -n "$virtname" - fi -} - -DEBIAN_FRONTEND=noninteractive apt-get install -y lxc bridge-utils - -# The Internet router / firewall container -#create_lxc_box internet -- 2.6.1
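Review bot: the deletion of data/usr/share/lxc/templates/lxc-debian-freedombox needs a changelog or NEWS entry, which the patch lacks (the diffstat lists five files and none is a changelog). The template sets the container root password with `echo "root:root" | chroot $rootfs chpasswd` while `openssh-server` is in its debootstrap package list, and it defaults to `SUITE=${SUITE:-squeeze}`. Since the only `create_lxc_box` call in setup.d/20_lxc is commented out, setup itself never built a container, but anyone who ran `lxc-create` with `-t debian-freedombox` by hand keeps a container with that password after this package stops shipping the template. Suggest a short upgrade note telling such users to change the root password or destroy the container.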
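Review bot: systems that already ran setup.d/20_lxc keep lxc and bridge-utils installed, because the deleted script's unconditional `apt-get install -y lxc bridge-utils` has no matching removal anywhere in this patch. Suggest either documenting that both packages can be purged on existing installs or handling that on upgrade, so the reduced footprint applies to deployed boxes and not only to fresh ones. debian/control is not in the diffstat; please confirm it carries no Depends or Recommends on lxc or debootstrap that should be dropped together with the template.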