diff --git a/debian/changelog b/debian/changelog index 3396a436..239d5aa5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +livecd-rootfs (2.453) artful; urgency=medium + + [ Chris Glass ] + * Create vagrant user for vagrant image, per upstream requirements. + + [ Colin Watson ] + * Mount and unmount /dev recursively, to cope with setups where there are + interesting bind-mounts under /dev (e.g. loop devices bind-mounted by + LXD). LP: #1716465. + + -- Steve Langasek Mon, 11 Sep 2017 11:39:11 -0700 + livecd-rootfs (2.452) artful; urgency=medium * Fix suppressing kpartx error diff --git a/live-build/functions b/live-build/functions index 7d645b9e..d0bda550 100644 --- a/live-build/functions +++ b/live-build/functions @@ -79,8 +79,7 @@ mount_image() { setup_mountpoint() { local mountpoint="$1" - mount --bind /dev "$mountpoint/dev" - mount devpts-live -t proc "$mountpoint/dev/pts" + mount --rbind /dev "$mountpoint/dev" mount proc-live -t proc "$mountpoint/proc" mount sysfs-live -t sysfs "$mountpoint/sys" mount -t tmpfs none "$mountpoint/tmp" @@ -141,11 +140,7 @@ umount_settle() { umount_partition() { local mountpoint=${1} mv resolv.conf.tmp "$mountpoint/etc/resolv.conf" - for submnt in proc sys dev/pts dev tmp; - do - umount $mountpoint/$submnt - done - umount $mountpoint + umount -R $mountpoint udevadm settle if [ -n "${rootfs_dev_mapper}" -a -b "${rootfs_dev_mapper}" ]; then diff --git a/live-build/ubuntu-cpc/hooks/032-root-squashfs.binary b/live-build/ubuntu-cpc/hooks/032-root-squashfs.binary index 84c19920..8c1580ea 100755 --- a/live-build/ubuntu-cpc/hooks/032-root-squashfs.binary +++ b/live-build/ubuntu-cpc/hooks/032-root-squashfs.binary 
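Review bot: In setup_mountpoint, `mount --rbind /dev "$mountpoint/dev"` leaves the new subtree with whatever mount propagation the host's /dev has, and nothing visible in the hunk changes it. On a host where mounts are shared (the systemd default), the recursive teardown added in umount_partition and in hooks/032-root-squashfs.binary can propagate back and detach the build machine's own /dev/pts, /dev/shm and similar submounts. Consider following the bind with `mount --make-rslave "$mountpoint/dev"` so that unmounts under the chroot tree stay local. The rbind also exposes every host submount of /dev to whatever runs inside the chroot, which deserves a comment on that line. setup_mountpoint's body continues past the hunk.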
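Review bot: `umount -R $mountpoint` in umount_partition is unquoted, so a mount path containing whitespace or glob characters is split or expanded before a recursive unmount; `umount -R "$mountpoint"` matches the quoting already used on the `mv` line above it. The exit status is also not checked before `udevadm settle` and the device-mapper cleanup that follows, so a busy submount would go unnoticed unless the caller runs under `set -e`, which is not visible in this hunk. The function continues beyond the hunk.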
@@ -39,8 +39,7 @@ chroot binary/boot/squashfs.dir dpkg-divert --remove --local --rename /usr/sbin/ mv resolv.conf.tmp "binary/boot/squashfs.dir/etc/resolv.conf" umount "binary/boot/squashfs.dir/proc" umount "binary/boot/squashfs.dir/sys" -umount "binary/boot/squashfs.dir/dev/pts" -umount "binary/boot/squashfs.dir/dev" +umount -R "binary/boot/squashfs.dir/dev" umount "binary/boot/squashfs.dir/tmp" squashfs_f="${PWD}/livecd.ubuntu-cpc.squashfs" diff --git a/live-build/ubuntu-cpc/hooks/042-vagrant.binary b/live-build/ubuntu-cpc/hooks/042-vagrant.binary index ed45e44c..d763ff18 100755 --- a/live-build/ubuntu-cpc/hooks/042-vagrant.binary +++ b/live-build/ubuntu-cpc/hooks/042-vagrant.binary 
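Review bot: The result of `umount -R "binary/boot/squashfs.dir/dev"` is not checked, and the lines that follow start setting up the squashfs output path. If the image is built from binary/boot/squashfs.dir while a host /dev bind is still attached (for example because a submount was busy), host device nodes would presumably end up in the published squashfs; whether this hook runs under `set -e` is not visible here. A guard before the squashfs step, such as `if mountpoint -q "binary/boot/squashfs.dir/dev"; then echo "dev still mounted" >&2; exit 1; fi`, would make that failure explicit.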
@@ -67,6 +67,29 @@ chroot ${mount_d} apt-get update # avoid pulling into a cloud image. chroot ${mount_d} apt-get install --no-install-recommends -y virtualbox-guest-utils chroot ${mount_d} apt-get clean + +# Create and setup users inside the image. +# Vagrant users expect a "vagrant" user with a "vagrant" username. +# See https://www.vagrantup.com/docs/boxes/base.html +# Note: We decided NOT to allow root login with a default password. +chroot ${mount_d} adduser vagrant +echo "vagrant:vagrant" | chroot ${mount_d} chpasswd + +# The vagrant user should have passwordless sudo. +cat << EOF > ${mount_d}/etc/sudoers.d/vagrant +vagrant ALL=(ALL) NOPASSWD:ALL +EOF + +# Add the insecure vagrant pubkey to the vagrant user, as is expected by the +# vagrant ecosystem (https://www.vagrantup.com/docs/boxes/base.html) +chroot ${mount_d} chmod 0440 /etc/sudoers.d/vagrant +chroot ${mount_d} mkdir -p /home/vagrant/.ssh +cat << EOF > ${mount_d}/home/vagrant/.ssh/authorized_keys +ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key +EOF +chroot ${mount_d} chown -R vagrant:vagrant /home/vagrant/.ssh +chroot ${mount_d} chmod 700 /home/vagrant/.ssh + umount_disk_image "$mount_d" rmdir "$mount_d" 
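Review bot: The `echo "vagrant:vagrant" | chroot ${mount_d} chpasswd` line gives the account a publicly known password on top of the insecure key and `NOPASSWD:ALL` sudo. Unlike the key, which Vagrant replaces on first `vagrant up` by default (`config.ssh.insert_key`), the password stays in place for the life of the box. Whether sshd in this image accepts password logins is not visible in the hunk, so the comment block should state that assumption or the hook should pin the setting explicitly. Separately, `chroot ${mount_d} adduser vagrant` will prompt for a password and GECOS fields in an interactive build; `chroot ${mount_d} adduser --disabled-password --gecos "" vagrant` avoids that. The `# Add the insecure vagrant pubkey` comment sits above the `chmod 0440 /etc/sudoers.d/vagrant` line, which belongs with the sudoers block before it.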
@@ -80,12 +103,6 @@ prefix="${distro}-${suite}-${version}-cloudimg" vmdk_f="${box_d}/${prefix}.vmdk" create_vmdk ${derivative_img} ${vmdk_f} -# Vagrant needs a base user. We either inject the well-known SSH key -# or use password authentication. Both are ugly. So we'll use a password -# and make it random. This obviously is insecure...but at least its -# better than the alternatives. -ubuntu_user_pass=$(openssl rand -hex 12) - #################################### # Create the ConfigDrive # This is a cloud-init piece that instructs cloud-init to configure @@ -98,9 +115,6 @@ cdrom_vmdk_f="${box_d}/${prefix}-configdrive.vmdk" # except via local host. cat > ${seed_d}/user-data <