From 5d71a7fed3ff3cbd25319d2c8ae66e8931b13d3d Mon Sep 17 00:00:00 2001 From: codehelp Date: Sat, 29 Jan 2011 15:45:07 +0000 Subject: [PATCH] Add sysvinit method to existing upstart support in script for native chroots to disable starting daemons. (Closes: #611188) git-svn-id: http://emdebian.org/svn/current@7726 563faec7-e20c-0410-992a-a66f704d0ccd --- debian/changelog | 4 +++- debian/multistrap.install | 6 +++--- examples/chroot-policy.sh | 18 ------------------ examples/chroot.conf | 30 ++++++++++++++++++++++++++++++ examples/chroot.sh | 38 +++++++++++++++++++++----------------- pod/multistrap | 15 +++++++++++++++ 6 files changed, 72 insertions(+), 39 deletions(-) delete mode 100755 examples/chroot-policy.sh create mode 100644 examples/chroot.conf diff --git a/debian/changelog b/debian/changelog index f5e6442..73cfc4d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,8 +12,10 @@ multistrap (2.1.9) experimental; urgency=low (Closes: #610634) * Fix unpack option to look only for 'true' values. * Experimental support for debconf preseed files (Closes: #610614) + * Add sysvinit method to existing upstart support in script for native + chroots to disable starting daemons. (Closes: #611188) - -- Neil Williams Fri, 28 Jan 2011 12:57:19 +0000 + -- Neil Williams Sat, 29 Jan 2011 15:43:39 +0000 multistrap (2.1.8) experimental; urgency=low diff --git a/debian/multistrap.install b/debian/multistrap.install index 69e78c2..eadef15 100644 --- a/debian/multistrap.install +++ b/debian/multistrap.install 
@@ -2,13 +2,13 @@ multistrap ./usr/sbin/ doc/multistrap/man/* ./usr/share/man/ examples/device_table.txt ./usr/share/doc/multistrap/examples/ examples/multistrap-example.conf ./usr/share/doc/multistrap/examples/ +examples/setup.sh ./usr/share/doc/multistrap/examples/ +examples/config.sh ./usr/share/doc/multistrap/examples/ examples/sid.conf ./usr/share/multistrap/ examples/squeeze.conf ./usr/share/multistrap/ examples/lenny.conf ./usr/share/multistrap/ -examples/setup.sh ./usr/share/doc/multistrap/examples/ -examples/config.sh ./usr/share/doc/multistrap/examples/ examples/chroot.sh ./usr/share/multistrap/ -examples/chroot-policy.sh ./usr/share/multistrap/ +examples/chroot.conf ./usr/share/multistrap/ check-deps.sh ./usr/share/multistrap/ device-table.pl ./usr/share/multistrap/ update-rc.d ./usr/share/multistrap/ diff --git a/examples/chroot-policy.sh b/examples/chroot-policy.sh deleted file mode 100755 index 558d390..0000000 --- a/examples/chroot-policy.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -set -e - -# The script is called with the following arguments: - -# $1 = $DIR - the top directory of the debootstrapped system -# $2 = $ARCH - the specified architecture, already checked with dpkg-architecture. - -# setup.sh needs to be executable. -if [ -d $1 ]; then -mkdir -p $1/usr/sbin/ -cat > $1/usr/sbin/policy-rc.d << EOF -#!/bin/sh -echo "All runlevel operations denied by policy" >&2 -EOF -chmod a+x $1/usr/sbin/policy-rc.d -fi diff --git a/examples/chroot.conf b/examples/chroot.conf new file mode 100644 index 0000000..234d13e --- /dev/null +++ b/examples/chroot.conf 
@@ -0,0 +1,30 @@
+# Example multistrap configuration file for native chroots.
+
+[General]
+arch=
+directory=
+# same as --tidy-up option if set to true
+cleanup=true
+# same as --no-auth option if set to true
+# keyring packages listed in each debootstrap will
+# still be installed.
+noauth=false
+# whether to add the /suite to be explicit about where apt
+# needs to look for packages. Default is false.
+explicitsuite=false
+# extract all downloaded archives (default is true)
+unpack=true
+# this setupscript is just for native chroots
+# to stop daemons from starting during configuration.
+setupscript=/usr/share/multistrap/chroot.sh
+# the order of sections is not important.
+# the debootstrap option determines which repository
+# is used to calculate the list of Priority: required packages.
+debootstrap=Debian
+aptsources=Debian
+
+[Debian]
+packages=apt
+source=http://ftp.uk.debian.org/debian
+keyring=debian-archive-keyring
+suite=squeeze
diff --git a/examples/chroot.sh b/examples/chroot.sh
index d66d2c2..2d598fc 100755
--- a/examples/chroot.sh
+++ b/examples/chroot.sh
@@ -2,36 +2,40 @@ set -e -# This setup script is an alternative method of adjusting the tarball -# contents immediately after multistrap has unpacked the packages. - -# At this stage, any operations inside the rootfs must not try to -# execute any binaries within the rootfs. - # The script is called with the following arguments: - # $1 = $DIR - the top directory of the debootstrapped system # $2 = $ARCH - the specified architecture, already checked with dpkg-architecture. - # setup.sh needs to be executable. TARGET=$1 - +# upstart support if [ -x "$TARGET/sbin/initctl" ]; then - mv "$TARGET/sbin/start-stop-daemon" "$TARGET/sbin/start-stop-daemon.REAL" - echo \ + echo "initctl: Trying to prevent daemons from starting in $TARGET" + mv "$TARGET/sbin/start-stop-daemon" "$TARGET/sbin/start-stop-daemon.REAL" + echo \ "#!/bin/sh echo echo echo \"Warning: Fake start-stop-daemon called, doing nothing\"" > "$TARGET/sbin/start-stop-daemon" - chmod 755 "$TARGET/sbin/start-stop-daemon" + chmod 755 "$TARGET/sbin/start-stop-daemon" fi - if [ -x "$TARGET/sbin/initctl" ]; then - mv "$TARGET/sbin/initctl" "$TARGET/sbin/initctl.REAL" - echo \ + echo "initctl: Trying to prevent daemons from starting in $TARGET" + mv "$TARGET/sbin/initctl" "$TARGET/sbin/initctl.REAL" + echo \ "#!/bin/sh echo echo \"Warning: Fake initctl called, doing nothing\"" > "$TARGET/sbin/initctl" - chmod 755 "$TARGET/sbin/initctl" + chmod 755 "$TARGET/sbin/initctl" +fi + +# sysvinit support - exit value of 101 is essential. +if [ -x "$TARGET/sbin/init" && ! -f "$TARGET/usr/sbin/policy-rc.d" ]; then + echo "sysvinit: Using policy-rc.d to prevent daemons from starting in $TARGET" + mkdir -p $TARGET/usr/sbin/ + cat > $TARGET/usr/sbin/policy-rc.d << EOF +#!/bin/sh +echo "sysvinit: All runlevel operations denied by policy" >&2 +exit 101 +EOF + chmod a+x $TARGET/usr/sbin/policy-rc.d fi - \ No newline at end of file diff --git a/pod/multistrap b/pod/multistrap index 6642d77..07cf098 100644 --- a/pod/multistrap 
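Review bot: The new sysvinit guard `if [ -x "$TARGET/sbin/init" && ! -f "$TARGET/usr/sbin/policy-rc.d" ]; then` is not valid `test` syntax — `&&` is a shell operator, so `[` is invoked as `[ -x "$TARGET/sbin/init"` with no closing `]`, reports a missing `]` and returns non-zero, and the second half never runs. Because a failing `if` condition is exempt from `set -e`, the script continues quietly, the policy-rc.d branch is never taken, and daemons in a sysvinit chroot still start — the exact case #611188 is meant to close. Use two tests joined by the shell operator: `if [ -x "$TARGET/sbin/init" ] && [ ! -f "$TARGET/usr/sbin/policy-rc.d" ]; then`. While there, quote `$TARGET` in the `mkdir -p`, `cat >` and `chmod a+x` lines as the upstart branch above already does, so a target path containing spaces or glob characters does not split. Nothing in this script restores the `.REAL` binaries or removes policy-rc.d afterwards, so it is only safe for chroots that will never be booted; a one-line comment at the top stating that would save a future reader from reusing it as a general setupscript.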
+++ b/pod/multistrap @@ -350,6 +350,21 @@ A native multistrap can be used directly with chroot, so C runs C at the end of the multistrap process. +=head1 Daemons in chroots + +Depending on which system you using to provide the packages for +C, native chroots should generally not allow daemons to +start inside the chroot. Use the F +as your C or include that script in your own setup script. + + setupscript=/usr/share/multistrap/chroot.sh + +F copes with systems using F and F. + +See also + + http://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt + =head1 Cascading configuration To support multiple variants of a basic (common) configuration,