From 1748fdcf2640887adf530d2d910569fe0a4c8de5 Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Wed, 17 Oct 2018 13:34:56 -0400 Subject: [PATCH] initial commit Signed-off-by: Vincent Batts --- .gitignore | 1 + Makefile | 46 +++++++++++++++++++++++++++++++++++++++++ README.md | 8 ++++++++ ctr-create-user.sh | 41 ++++++++++++++++++++++++++++++++++++ ctr-delete-user.sh | 19 +++++++++++++++++ ctr-port.conf | 2 ++ ctr-wrapper.sh | 23 +++++++++++++++++++++ host-ctr-scripts.spec | 48 +++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 188 insertions(+) create mode 100644 .gitignore create mode 100644 Makefile create mode 100644 README.md create mode 100755 ctr-create-user.sh create mode 100644 ctr-delete-user.sh create mode 100644 ctr-port.conf create mode 100755 ctr-wrapper.sh create mode 100644 host-ctr-scripts.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e7a9c13 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +*.rpm diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..1efb83a --- /dev/null +++ b/Makefile 
@@ -0,0 +1,46 @@
+pkgname := host-ctr-scripts
+specname ?= $(pkgname).spec
+pwd := $(shell pwd)
+NAME ?= $(shell rpmspec -q --qf "%{name}" $(specname))
+VERSION ?= $(shell rpmspec -q --qf "%{version}" $(specname))
+RELEASE ?= $(shell rpmspec -q --qf "%{release}" $(specname))
+NVR := $(NAME)-$(VERSION)-$(RELEASE)
+outdir ?= $(pwd)
+
+default: srpm
+
+all: rpm srpm
+
+name:
+ @echo $(NVR)
+
+rpm:
+ rpmbuild \
+ --define '_sourcedir $(pwd)' \
+ --define '_specdir $(pwd)' \
+ --define '_builddir $(pwd)' \
+ --define '_srcrpmdir $(outdir)' \
+ --define '_rpmdir $(outdir)' \
+ -bb ./$(specname)
+
+srpm: $(NVR).src.rpm
+
+$(NVR).src.rpm: $(specname) $(wildcard *.diff)
+ rpmbuild \
+ --define '_sourcedir $(pwd)' \
+ --define '_specdir $(pwd)' \
+ --define '_builddir $(pwd)' \
+ --define '_srcrpmdir $(outdir)' \
+ --define '_rpmdir $(outdir)' \
+ --nodeps \
+ -bs ./$(specname)
+
+builddep: $(NVR).src.rpm
+ dnf builddep -y $<
+
+rebuild: builddep
+ rpmbuild --rebuild $(NVR).src.rpm
+
+clean:
+ rm -rf *~ *.rpm noarch
+
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..84db285
--- /dev/null
+++ b/README.md
@@ -0,0 +1,8 @@
+
+
+
+See https://git.thisco.de/vbatts/bip-box for building the bip container.
+
+
+For the force-command of the users created with this tool, create the group ctr-only (`groupadd ctr-only`),
+and then add `%ctr-only ALL = NOPASSWD: /usr/local/bin/ctr-wrapper.sh` to the sudoers (`visudo`).
diff --git a/ctr-create-user.sh b/ctr-create-user.sh
new file mode 100755
index 0000000..0274e06
--- /dev/null
+++ b/ctr-create-user.sh
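Review bot: None of `default`, `all`, `name`, `rpm`, `srpm`, `builddep`, `rebuild` or `clean` is declared phony, so a stray file named `clean` or `rpm` in the checkout silently turns that target into a no-op; add `.PHONY: default all name rpm srpm builddep rebuild clean` near the top. `pwd := $(shell pwd)` can be the built-in `$(CURDIR)`, which avoids a fork and is always absolute. The `rpm` target writes `.rpm` files directly into the checkout and `clean` removes every `*.rpm` there, so an operator keeping a downloaded RPM in the working tree loses it; narrowing the glob to `$(NAME)-*.rpm` would be safer.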
@@ -0,0 +1,41 @@ +#!/bin/bash + +set -e + +user="${1}" +base_dir="/var/lib/machines" +base_subvol="bip.f28.ro" + +if [ -z "${user}" ] ; then + echo Please provide the username to create + exit 1 +fi + +adduser -G ctr-only "${user}" +su - "${user}" -c "ssh-keygen -f ~/.ssh/id_rsa -N ''; echo -n 'command=\"sudo /usr/local/bin/ctr-wrapper.sh\",no-port-forwarding,no-agent-forwarding,no-x11-forwarding ' > ~/.ssh/authorized_keys; cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys; chmod 0600 ~/.ssh/authorized_keys; cat ~/.ssh/id_rsa" +new_subvol="$(echo ${base_subvol} | cut -d . -f 1)"."${user}" +btrfs sub snap "${base_dir}"/"${base_subvol}" "${base_dir}"/"${new_subvol}" +machinectl enable "${new_subvol}" + +mkdir -p /etc/systemd/nspawn +cur_port="$(grep '^Port=' /etc/ctr-port.conf | tail -1 | cut -d = -f 2 )" +nex_port="$(expr ${cur_port} + 1)" +cat > /etc/systemd/nspawn/"${new_subvol}".nspawn <> /etc/ctr-port.conf + +sed -i "s/CHANGE_PORT/${nex_port}/g" "${base_dir}"/"${new_subvol}"/etc/bip.conf +sed -i "s/CHANGE_USER/${user}/g" "${base_dir}"/"${new_subvol}"/etc/bip.conf + +machinectl start "${new_subvol}" + diff --git a/ctr-delete-user.sh b/ctr-delete-user.sh new file mode 100644 index 0000000..e99f9d4 --- /dev/null +++ b/ctr-delete-user.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +set -e + +user="${1}" +base_dir="/var/lib/machines" +base_subvol="bip.f28.ro" + +if [ -z "${user}" ] ; then + echo Please provide the username to delete + exit 1 +fi + +new_subvol="$(echo ${base_subvol} | cut -d . -f 1)"."${user}" +userdel -r "${user}" +machinectl poweroff "${new_subvol}" +machinectl disable "${new_subvol}" +btrfs sub d "${base_dir}"/"${new_subvol}" + diff --git a/ctr-port.conf b/ctr-port.conf new file mode 100644 index 0000000..707aaae --- /dev/null +++ b/ctr-port.conf @@ -0,0 +1,2 @@ +# bip.vbatts +Port=11238 diff --git a/ctr-wrapper.sh b/ctr-wrapper.sh new file mode 100755 index 0000000..5192265 --- /dev/null +++ b/ctr-wrapper.sh 
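Review bot: The `su - "${user}" -c "…"` line generates the account's SSH key pair on the host with an empty passphrase, prints the private key to the terminal, and then leaves it in `~/.ssh/id_rsa` right next to the public key it just authorized, so the host keeps a ready-to-use login credential for every account this tool creates. Either accept a client-supplied public key as a second argument, or at least discard the private half once it has been shown: `cat ~/.ssh/id_rsa; shred -u ~/.ssh/id_rsa ~/.ssh/id_rsa.pub`. The forced-command options also omit `no-user-rc`; on OpenSSH 7.2 and later, `restrict,pty,command="sudo /usr/local/bin/ctr-wrapper.sh"` denies everything except the PTY the interactive `machinectl shell` needs, which is a simpler and more future-proof allow-list. Separately, the `.nspawn` unit written after `mkdir -p /etc/systemd/nspawn` appears here as `<> /etc/ctr-port.conf`, so the heredoc body and the line that records the new port cannot be reviewed in this rendering; note also that the port allocation via `grep '^Port=' … | tail -1` plus one is not atomic and never checks that the port is actually free, and `sed -i "s/CHANGE_USER/${user}/g"` inserts the username into a sed expression unescaped.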
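Review bot: `userdel -r "${user}"` runs before the container is stopped, and `machinectl poweroff` returns as soon as the shutdown has been requested, so the following `btrfs sub d` is issued against a subvolume that is very likely still the root of a running machine; with `set -e` any failure there leaves a deleted account whose snapshot and enablement are still in place. There is also no check that the named account is one this tool manages, so a typo deletes an arbitrary host user together with its home directory. Reorder so the account is removed last, wait for the machine to disappear from `machinectl list`, and refuse accounts outside the `ctr-only` group:
```sh
# … unchanged: argument check and new_subvol …
if ! id -nG "${user}" | tr ' ' '\n' | grep -qx ctr-only ; then
  echo "${user} is not a member of ctr-only; refusing to delete" >&2
  exit 1
fi
machinectl poweroff "${new_subvol}" || true   # already stopped is fine
while machinectl list --no-legend | grep -q "^${new_subvol} " ; do sleep 1 ; done
machinectl disable "${new_subvol}"
btrfs sub d "${base_dir}"/"${new_subvol}"
userdel -r "${user}"
```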
@@ -0,0 +1,23 @@
+#!/bin/sh
+# Script: /usr/local/bin/wrapper.sh
+
+case "$SSH_ORIGINAL_COMMAND" in
+ "reboot")
+ exec machinectl reboot bip."${SUDO_USER}"
+ ;;
+ "start")
+ exec machinectl start bip."${SUDO_USER}"
+ ;;
+ "poweroff")
+ exec machinectl poweroff bip."${SUDO_USER}"
+ ;;
+ "status")
+ exec machinectl status bip."${SUDO_USER}"
+ ;;
+ *)
+ exec machinectl shell bip."${SUDO_USER}"
+ #echo "Sorry. Only these commands are available to you:"
+ #echo "ps, vmstat, cupsys stop, cupsys start"
+ #exit 1
+ ;;
+esac
diff --git a/host-ctr-scripts.spec b/host-ctr-scripts.spec
new file mode 100644
index 0000000..8133aa5
--- /dev/null
+++ b/host-ctr-scripts.spec
@@ -0,0 +1,48 @@
+Name: host-ctr-scripts
+Version: 0.1
+Release: 1%{?dist}
+Summary: scripts for connecting host users straight to a running system container
+
+Group: system
+License: BSD
+URL: https://git.thisco.de/vbatts/host-ctr-scripts
+Source0: ctr-port.conf
+Source1: ctr-create-user.sh
+Source2: ctr-delete-user.sh
+Source3: ctr-wrapper.sh
+
+Requires: bash
+Requires: btrfs-progs
+Requires: shadow-utils
+Requires: util-linux
+Requires: systemd-container
+
+BuildArch: noarch
+
+%description
+%{summary}.
+
+
+%prep
+
+
+%build
+
+
+%install
+%{__mkdir_p} ${RPM_BUILD_ROOT}/etc
+%{__mkdir_p} ${RPM_BUILD_ROOT}/usr/local/bin
+%{__install} -m 0644 ctr-port.conf ${RPM_BUILD_ROOT}/etc/
+%{__install} -m 0755 ctr-wrapper.sh ${RPM_BUILD_ROOT}/usr/local/bin/
+%{__install} -m 0755 ctr-create-user.sh ${RPM_BUILD_ROOT}/usr/local/bin/
+%{__install} -m 0755 ctr-delete-user.sh ${RPM_BUILD_ROOT}/usr/local/bin/
+
+%files
+/etc/ctr-port.conf
+/usr/local/bin/ctr-create-user.sh
+/usr/local/bin/ctr-delete-user.sh
+/usr/local/bin/ctr-wrapper.sh
+
+
+%changelog
+
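Review bot: The `*)` branch gives any unrecognized `SSH_ORIGINAL_COMMAND` — a typo included — a root `machinectl shell` inside the container rather than rejecting it, which the commented-out `Sorry…`/`exit 1` lines suggest was the original intent; accept the empty command (a plain `ssh`) and an explicit `shell`, and fail closed for everything else. The script also reads `$SSH_ORIGINAL_COMMAND` only after passing through `sudo`, and with the usual `env_reset` default that variable is dropped unless sudoers adds `Defaults env_keep += "SSH_ORIGINAL_COMMAND"`, in which case every login silently takes the `*)` path — worth confirming on the target host, since the README's sudoers line does not mention it. If `SUDO_USER` is empty (script run directly as root) the machine name degenerates to `bip.`, so a guard such as `[ -n "${SUDO_USER}" ] || exit 1` belongs at the top. The header comment names `/usr/local/bin/wrapper.sh` while the spec installs it as `ctr-wrapper.sh`.
```sh
# … unchanged: shebang, reboot/start/poweroff/status cases …
  ""|"shell")
    exec machinectl shell bip."${SUDO_USER}"
    ;;
  *)
    echo "Sorry. Only these commands are available to you: start, poweroff, reboot, status, shell" >&2
    exit 1
    ;;
esac
```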
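Review bot: `/etc/ctr-port.conf` is listed in `%files` as a plain file, but `ctr-create-user.sh` appends a `Port=` line to it for every account it creates, so the next package upgrade replaces it with the pristine copy and subsequent creates hand out ports that are already bound; list it as `%config(noreplace) /etc/ctr-port.conf`. The `Requires:` list also omits what the scripts actually call: `sudo` (the forced command in `authorized_keys`) and, on Fedora, `openssh` for `ssh-keygen` — add `Requires: sudo` and `Requires: openssh`. Installing packaged files under `/usr/local/bin` is contrary to the FHS and distribution packaging guidelines (that tree is reserved for the local administrator); `%{_bindir}` would be conventional, though the sudoers line in the README and the `command=` string in the create script would have to follow.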