container-foreground-cmd -> container-init

2020-03-01 16:16:48 +01:00
parent 7cf3f7a1f9
commit c38d79edc1
2 changed files with 2 additions and 3 deletions
--- a/scripts/bin/container-init
+++ b/scripts/bin/container-init
@@ -0,0 +1,89 @@
+#!/bin/sh
+
+set -eu
+
+# Create additional groups
+_IFS=${IFS}; IFS=,
+for gid in ${UNPRIVILEGED_USER_GROUPS?}; do
+	if ! getent group "${gid:?}" >/dev/null 2>&1; then
+		groupadd --gid "${gid:?}" "g_${gid:?}"
+	fi
+done
+IFS=$_IFS
+
+# Create unprivileged user and group
+if ! getent group "${UNPRIVILEGED_USER_GID:?}" >/dev/null 2>&1; then
+	groupadd --gid "${UNPRIVILEGED_USER_GID:?}" "${UNPRIVILEGED_USER_NAME:?}"
+fi
+if ! getent passwd "${UNPRIVILEGED_USER_UID:?}" >/dev/null 2>&1; then
+	useradd \
+		--uid "${UNPRIVILEGED_USER_UID:?}" \
+		--gid "${UNPRIVILEGED_USER_GID:?}" \
+		--groups "${UNPRIVILEGED_USER_GROUPS?}" \
+		--shell "${UNPRIVILEGED_USER_SHELL:?}" \
+		--create-home \
+		"${UNPRIVILEGED_USER_NAME:?}"
+fi
+
+# Copy /etc/skel/ to unprivileged user home if empty
+UNPRIVILEGED_USER_HOME=$(getent passwd "${UNPRIVILEGED_USER_NAME:?}" | cut -d: -f6)
+if [ -z "$(ls -A "${UNPRIVILEGED_USER_HOME:?}")" ]; then
+	cp -aT /etc/skel/ "${UNPRIVILEGED_USER_HOME:?}"
+	chown -R "${UNPRIVILEGED_USER_NAME:?}:" "${UNPRIVILEGED_USER_HOME:?}"
+fi
+
+# Create /run/user/${UNPRIVILEGED_USER_UID}/dbus-1/ directory
+mkdir -p /run/user/"${UNPRIVILEGED_USER_UID:?}"/dbus-1/
+chmod -R 700 /run/user/"${UNPRIVILEGED_USER_UID:?}"/
+chown -R "${UNPRIVILEGED_USER_NAME:?}:" /run/user/"${UNPRIVILEGED_USER_UID:?}"/
+
+# Set unprivileged user password
+printf '%s' "${UNPRIVILEGED_USER_NAME:?}:${UNPRIVILEGED_USER_PASSWORD:?}" | chpasswd
+unset UNPRIVILEGED_USER_PASSWORD
+
+# Dump environment variables
+export-env > /etc/profile.d/env.sh
+
+# Enable xdummy service if ENABLE_VIRTUALGL is true
+if [ "${ENABLE_VIRTUALGL:?}" = 'true' ]; then
+	ln -s /etc/sv/xdummy /etc/service/
+fi
+
+# Create RANDFILE if it does not exist
+RANDFILE=${RANDFILE-${HOME:?}/.rnd}
+if [ ! -f "${RANDFILE:?}" ]; then
+	dd if=/dev/urandom of="${RANDFILE:?}" bs=256 count=1 >/dev/null 2>&1
+fi
+
+# Generate SSH keys if they do not exist
+if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
+	ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' >/dev/null
+fi
+if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+	ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N '' >/dev/null
+fi
+
+# Generate self-signed certificate
+if [ ! -f "${RDP_TLS_KEY_PATH:?}" ] || [ ! -f "${RDP_TLS_CERT_PATH:?}" ]; then
+	KEY_FILE=${RDP_TLS_KEY_PATH:?}
+	CRT_FILE=${RDP_TLS_CERT_PATH:?}
+	CSR_FILE=$(mktemp -u)
+
+	(umask 077 \
+		&& openssl genrsa -out "${KEY_FILE:?}" 2048 \
+	) >/dev/null
+
+	(umask 022 \
+		&& openssl req -new -subj "/CN=$(uname -n)" -key "${KEY_FILE:?}" -out "${CSR_FILE:?}" \
+		&& openssl x509 -req -days 3650 -signkey "${KEY_FILE:?}" -in "${CSR_FILE:?}" -out "${CRT_FILE:?}" \
+		&& rm -f "${CSR_FILE:?}" \
+	) >/dev/null
+fi
+
+# Remove dbus pidfile
+if [ -e /run/dbus/pid ]; then
+	rm -f /run/dbus/pid
+fi
+
+# Start all services
+exec tini -- runsvdir -P /etc/service/