Merge pull request #2179 from deitch/read-only-securetty

Use existing securetty
2025-07-21 18:11:35 +00:00 · 2017-07-11 23:19:43 +01:00 · 2017-07-11 23:19:43 +01:00 · f98a56fc2c
commit f98a56fc2c
parent 4b3fc038b7 5d18cba75f
12 changed files with 25 additions and 11 deletions
--- a/examples/docker.yml
+++ b/examples/docker.yml
@ -20,7 +20,7 @@ onboot:
    command: ["/mount.sh", "/var/lib/docker"]
 services:
  - name: getty
-    image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+    image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
    env:
     - INSECURE=true
  - name: rngd
--- a/examples/gcp.yml
+++ b/examples/gcp.yml
@ -16,7 +16,7 @@ onboot:
    image: linuxkit/metadata:f122f1b4e873f1d08cd67bd9105385fd923af0cb
 services:
  - name: getty
-    image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+    image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
    env:
     - INSECURE=true
  - name: rngd
--- a/examples/getty.yml
+++ b/examples/getty.yml
@ -14,7 +14,7 @@ onboot:
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: getty
-    image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+    image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
    # to make insecure with passwordless root login, uncomment following lines
    #env:
    # - INSECURE=true
--- a/examples/minimal.yml
+++ b/examples/minimal.yml
@ -11,7 +11,7 @@ onboot:
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: getty
-    image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+    image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
    env:
     - INSECURE=true
 trust:
--- a/examples/node_exporter.yml
+++ b/examples/node_exporter.yml
@ -7,7 +7,7 @@ init:
  - linuxkit/containerd:c977f27c234d55b85172813b8451f67ea86be4a3
 services:
  - name: getty
-    image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+    image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
    env:
     - INSECURE=true
  - name: rngd
--- a/examples/redis-os.yml
+++ b/examples/redis-os.yml
@ -13,7 +13,7 @@ onboot:
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: getty
-    image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+    image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
    env:
     - INSECURE=true
  - name: redis
--- a/examples/sshd.yml
+++ b/examples/sshd.yml
@ -11,7 +11,7 @@ onboot:
    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 services:
  - name: getty
-    image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+    image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
    env:
     - INSECURE=true
  - name: rngd
--- a/examples/swap.yml
+++ b/examples/swap.yml
@ -24,7 +24,7 @@ onboot:
    command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G", "--encrypt"]
 services:
  - name: getty
-    image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+    image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
    env:
     - INSECURE=true
  - name: rngd
--- a/examples/vmware.yml
+++ b/examples/vmware.yml
@ -11,7 +11,7 @@ onboot:
    image: linuxkit/sysctl:d1a43c7c91e92374766f962dc8534cf9508756b0
 services:
  - name: getty
-    image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+    image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
    env:
     - INSECURE=true
  - name: rngd
--- a/examples/vultr.yml
+++ b/examples/vultr.yml
@ -16,7 +16,7 @@ onboot:
    image: linuxkit/metadata:f122f1b4e873f1d08cd67bd9105385fd923af0cb
 services:
  - name: getty
-    image: linuxkit/getty:5ab31289889d61a5d2ecbeea8e36ce74ac54737c
+    image: linuxkit/getty:0bd92d5f906491c20e4177c57f965338fe5a8c5f
    env:
     - INSECURE=true
  - name: rngd
--- a/pkg/getty/README.md
+++ b/pkg/getty/README.md
@ -16,6 +16,12 @@ services:
 The above will launch a getty for each console defined in the cmdline, i.e. `/proc/cmdline`.


+### securetty
+Every console defined in the `cmdline` **must** also already exist in `/etc/securetty` if you wish to login on that tty as root. If it does not exist, a getty will be started, but you will not be able to login as root. A warning message will be sent to that tty.
+
+If you are using a console that is not in `securetty`, you can add it by overriding the default `securetty` file in the linuxkit root filesystem using `files:` in your moby `.yml` file.
+
+
 ### Login Options
 There are 3 ways to launch a getty on a linuxkit instance:

--- a/pkg/getty/usr/bin/rungetty.sh
+++ b/pkg/getty/usr/bin/rungetty.sh
@ -35,7 +35,8 @@ start_getty() {
 	fi

 	if ! grep -q -w "$tty" "$securetty"; then
-		echo "$tty" >> "$securetty"
+		# we could not find the tty in securetty, so start a getty but warn that root login will not work
+		echo "getty: cmdline has console=$tty but does not exist in $securetty; will not be able to log in as root on this tty $tty." > /dev/$tty
 	fi
 	# respawn forever
 	infinite_loop setsid.getty -w /sbin/agetty $loginargs $line $speed $tty $term &
@ -49,6 +50,13 @@ if [ -f $ROOTSHADOW ]; then
 	echo >> /etc/shadow
 fi

+ROOTSTTY=/hostroot/etc/securetty
+if [ -f $ROOTSTTY ]; then
+	cp $ROOTSTTY /etc/securetty
+	# just in case someone forgot a newline
+	echo >> /etc/securetty
+fi
+
 for opt in $(cat /proc/cmdline); do
 	case "$opt" in
 	console=*)