diff --git a/examples/docker.yml b/examples/docker.yml
index 8efd7ef05..980c1f72b 100644
--- a/examples/docker.yml
+++ b/examples/docker.yml
@@ -20,7 +20,7 @@ onboot:
 command: ["/mount.sh", "/var/lib/docker"]
 services:
 - name: getty
- image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+ image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
 env:
 - INSECURE=true
 - name: rngd
diff --git a/examples/gcp.yml b/examples/gcp.yml
index 1d11038ad..59c81abf2 100644
--- a/examples/gcp.yml
+++ b/examples/gcp.yml
@@ -16,7 +16,7 @@ onboot:
 image: linuxkit/metadata:f122f1b4e873f1d08cd67bd9105385fd923af0cb
 services:
 - name: getty
- image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+ image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
 env:
 - INSECURE=true
 - name: rngd
diff --git a/examples/getty.yml b/examples/getty.yml
index 49b2d6b67..9bf5decf9 100644
--- a/examples/getty.yml
+++ b/examples/getty.yml
@@ -14,7 +14,7 @@ onboot:
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
 - name: getty
- image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+ image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
 # to make insecure with passwordless root login, uncomment following lines
 #env:
 # - INSECURE=true
diff --git a/examples/minimal.yml b/examples/minimal.yml
index 42342b802..63941f2a0 100644
--- a/examples/minimal.yml
+++ b/examples/minimal.yml
@@ -11,7 +11,7 @@ onboot:
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
 - name: getty
- image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+ image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
 env:
 - INSECURE=true
 trust:
diff --git a/examples/node_exporter.yml b/examples/node_exporter.yml
index 1c5236bc9..f11021560 100644
--- a/examples/node_exporter.yml
+++ b/examples/node_exporter.yml
@@ -7,7 +7,7 @@ init:
 - linuxkit/containerd:c977f27c234d55b85172813b8451f67ea86be4a3
 services:
 - name: getty
- image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+ image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
 env:
 - INSECURE=true
 - name: rngd
diff --git a/examples/redis-os.yml b/examples/redis-os.yml
index a501ee07f..fca2240f0 100644
--- a/examples/redis-os.yml
+++ b/examples/redis-os.yml
@@ -13,7 +13,7 @@ onboot:
 command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
 - name: getty
- image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+ image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
 env:
 - INSECURE=true
 - name: redis
diff --git a/examples/sshd.yml b/examples/sshd.yml
index 19f9b7499..b1b8e2fda 100644
--- a/examples/sshd.yml
+++ b/examples/sshd.yml
@@ -11,7 +11,7 @@ onboot:
 image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 services:
 - name: getty
- image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+ image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
 env:
 - INSECURE=true
 - name: rngd
diff --git a/examples/swap.yml b/examples/swap.yml
index 439341723..289598d3a 100644
--- a/examples/swap.yml
+++ b/examples/swap.yml
@@ -24,7 +24,7 @@ onboot:
 command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G", "--encrypt"]
 services:
 - name: getty
- image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+ image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
 env:
 - INSECURE=true
 - name: rngd
diff --git a/examples/vmware.yml b/examples/vmware.yml
index 7616bdb2f..3a08cd657 100644
--- a/examples/vmware.yml
+++ b/examples/vmware.yml
@@ -11,7 +11,7 @@ onboot:
 image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 services:
 - name: getty
- image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+ image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
 env:
 - INSECURE=true
 - name: rngd
diff --git a/examples/vultr.yml b/examples/vultr.yml
index 9995db5cd..60ace820f 100644
--- a/examples/vultr.yml
+++ b/examples/vultr.yml
@@ -16,7 +16,7 @@ onboot:
 image: linuxkit/metadata:f122f1b4e873f1d08cd67bd9105385fd923af0cb
 services:
 - name: getty
- image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+ image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
 env:
 - INSECURE=true
 - name: rngd
diff --git a/pkg/getty/README.md b/pkg/getty/README.md
index af50dacfd..c8213ac05 100644
--- a/pkg/getty/README.md
+++ b/pkg/getty/README.md
@@ -16,6 +16,12 @@ services:
 The above will launch a getty for each console defined in the cmdline, i.e. `/proc/cmdline`.
+### securetty
+Every console defined in the `cmdline` **must** also already exist in `/etc/securetty` if you wish to login on that tty as root. If it does not exist, a getty will be started, but you will not be able to login as root. A warning message will be sent to that tty.
+
+If you are using a console that is not in `securetty`, you can add it by overriding the default `securetty` file in the linuxkit root filesystem using `files:` in your moby `.yml` file.
+
+
 ### Login Options
 There are 3 ways to launch a getty on a linuxkit instance:
diff --git a/pkg/getty/usr/bin/rungetty.sh b/pkg/getty/usr/bin/rungetty.sh
index 454c0d6e3..6b3e709d8 100755
--- a/pkg/getty/usr/bin/rungetty.sh
+++ b/pkg/getty/usr/bin/rungetty.sh
@@ -35,7 +35,8 @@ start_getty() {
 fi
 if ! grep -q -w "$tty" "$securetty"; then
- echo "$tty" >> "$securetty"
+ # we could not find the tty in securetty, so start a getty but warn that root login will not work
+ echo "getty: cmdline has console=$tty but does not exist in $securetty; will not be able to log in as root on this tty $tty." > /dev/$tty
 fi
 # respawn forever
 infinite_loop setsid.getty -w /sbin/agetty $loginargs $line $speed $tty $term &
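Review bot: The warning is redirected to `/dev/$tty` unquoted and without checking that the device node exists, while `$tty` appears to come from the `console=` options on the kernel command line. If the node is missing, the redirect either fails or, where `/dev` is writable, leaves a regular file of that name behind; guarding and quoting it avoids both, for example by prefixing the `echo` with `[ -c "/dev/$tty" ] &&` and redirecting to `"/dev/$tty"`. The `grep -q -w "$tty"` test above it reads the name as a regular expression and accepts it anywhere on a line, so a commented-out entry would presumably suppress the warning even though root login is still refused; `grep -q -x -F -- "$tty" "$securetty"` would tie the warning to exact entries. start_getty's body starts and ends outside the hunk.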
@@ -49,6 +50,13 @@ if [ -f $ROOTSHADOW ]; then
 echo >> /etc/shadow
 fi
+ROOTSTTY=/hostroot/etc/securetty
+if [ -f $ROOTSTTY ]; then
+ cp $ROOTSTTY /etc/securetty
+ # just in case someone forgot a newline
+ echo >> /etc/securetty
+fi
+
 for opt in $(cat /proc/cmdline); do
 case "$opt" in
 console=*)
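Review bot: The copied host file replaces the image's `/etc/securetty` outright, and nothing in this block says so or says that the file decides on which ttys root may log in; a comment above the `if` would help, e.g. `# a securetty from the host root filesystem replaces the package default and becomes the full list of ttys that accept root logins`. `$ROOTSTTY` is expanded unquoted in both the test and the `cp`, which is harmless for this constant path but is better written as `if [ -f "$ROOTSTTY" ]; then` and `cp "$ROOTSTTY" /etc/securetty`. A failed `cp` is not reported, so the default list would silently stay in force (whether the script runs under `set -e` is not visible here). The surrounding script continues outside the hunk.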