From 26c48ea475ae53ad202cdae6549eb278b94cae95 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?= Date: Fri, 9 Jan 2026 13:49:17 +0000 Subject: [PATCH] WiP --- Makefile.common | 25 +++++++-- base/Makefile | 13 ++++- base/config/examples/fastfetch.env | 1 + base/config/install-fastfetch.sh | 5 +- base/install-fastfetch.service | 1 + samba/samba.container | 2 +- samba/tmpfiles.d/samba.conf | 3 +- vmagent/Makefile | 16 ++++++ .../config/examples/conf.d/remotewrite.token | 1 + vmagent/config/examples/vmagent.local.env | 3 ++ vmagent/config/vmagent.global.env | 2 + vmagent/overlay.bu | 9 ++++ vmagent/vmagent.container | 33 ++++++++++++ vsftpd/Makefile | 15 ++++++ vsftpd/config/container/Containerfile | 20 +++++++ vsftpd/config/container/container-entrypoint | 25 +++++++++ vsftpd/config/container/vsftpd-virtual | 27 ++++++++++ .../examples/vsftpd.conf.d/local-users.conf | 24 +++++++++ vsftpd/config/examples/vsftpd.conf.d/tls.conf | 5 ++ .../examples/vsftpd.conf.d/virtual-users.conf | 18 +++++++ vsftpd/config/vsftpd.conf.d/global.conf | 21 ++++++++ vsftpd/overlay.bu | 9 ++++ vsftpd/tmpfiles.d/vsftpd.conf | 6 +++ .../vsftpd-load-renewed-certificate.service | 17 ++++++ vsftpd/vsftpd.build | 9 ++++ vsftpd/vsftpd.container | 52 +++++++++++++++++++ vsftpd/vsftpd.target | 11 ++++ 27 files changed, 362 insertions(+), 11 deletions(-) create mode 100644 base/config/examples/fastfetch.env create mode 100644 vmagent/Makefile create mode 100644 vmagent/config/examples/conf.d/remotewrite.token create mode 100644 vmagent/config/examples/vmagent.local.env create mode 100644 vmagent/config/vmagent.global.env create mode 100644 vmagent/overlay.bu create mode 100644 vmagent/vmagent.container create mode 100644 vsftpd/Makefile create mode 100644 vsftpd/config/container/Containerfile create mode 100755 vsftpd/config/container/container-entrypoint create mode 100644 vsftpd/config/container/vsftpd-virtual create mode 100644 vsftpd/config/examples/vsftpd.conf.d/local-users.conf create mode 100644 vsftpd/config/examples/vsftpd.conf.d/tls.conf create 
mode 100644 vsftpd/config/examples/vsftpd.conf.d/virtual-users.conf create mode 100644 vsftpd/config/vsftpd.conf.d/global.conf create mode 100644 vsftpd/overlay.bu create mode 100644 vsftpd/tmpfiles.d/vsftpd.conf create mode 100644 vsftpd/vsftpd-load-renewed-certificate.service create mode 100644 vsftpd/vsftpd.build create mode 100644 vsftpd/vsftpd.container create mode 100644 vsftpd/vsftpd.target diff --git a/Makefile.common b/Makefile.common index 9713936..8aa7987 100644 --- a/Makefile.common +++ b/Makefile.common @@ -120,7 +120,7 @@ PROJECT_GID ?= 0 reverse = $(let first rest,$1,$(if $(rest),$(call reverse,$(rest)) )$(first)) # Ensure that the Makefile is not run from the top-level directory and that it is run as root. -pre-requisites: +pre-requisites:: @if [ -z "$(TOP_LEVEL_DIR)" ]; then \ echo "Do not run this Makefile from the top-level directory!" >&2; \ exit 1; \ @@ -222,6 +222,11 @@ install-files-pre:: # This target can be extended by Makefiles sourcing this one. install-files-post:: +# Generated systemd units (quadlets) cannot be enabled. +# That's why we filter them out from the list of units to be enabled. +install-actions uninstall: ENABLE_UNITS = $(filter-out $(QUADLET_UNIT_NAMES),$(SYSTEMD_MAIN_UNIT_NAMES) $(SYSTEMD_TIMER_NAMES)) +install-actions uninstall: START_UNITS = $(SYSTEMD_MAIN_UNIT_NAMES) + # Perform post-installation actions such as enabling and starting units. install-actions: install-actions-pre systemctl daemon-reload 
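Review bot: `START_UNITS` is the only list `uninstall` stops (see the `@@ -269,8 +278,14 @@` hunk), but it holds `$(SYSTEMD_MAIN_UNIT_NAMES)` alone, whereas the removed line stopped `$(SYSTEMD_UNIT_NAMES) $(QUADLET_UNIT_NAMES)`; after `make uninstall` an active timer from `SYSTEMD_TIMER_NAMES` and any quadlet-generated service keep running until reboot even though their unit files are being removed. Keep `START_UNITS` for `install-actions` and add a third variable, `install-actions uninstall: STOP_UNITS = $(SYSTEMD_UNIT_NAMES) $(QUADLET_UNIT_NAMES)`, used by the `systemctl stop` branch of `uninstall`. The recursive `=` is right here because the including Makefiles append to `SYSTEMD_MAIN_UNIT_NAMES` after the `include`, as `base/Makefile` and `vmagent/Makefile` in this patch do; a short comment saying so, e.g. `# Late-bound on purpose: unit lists are appended after the include`, would stop someone "fixing" it to `:=`.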
@@ -233,9 +238,13 @@ install-actions: install-actions-pre fi; \ if [ -f /etc/sysctl.d/$(PROJECT_NAME).conf ]; then \ run sysctl -q -p /etc/sysctl.d/$(PROJECT_NAME).conf; \ + fi ; \ + if [ -n "$(ENABLE_UNITS)" ]; then \ + run systemctl enable $(ENABLE_UNITS); \ + fi ; \ + if [ -n "$(START_UNITS)" ]; then \ + run systemctl start $(START_UNITS); \ fi - systemctl enable $(SYSTEMD_MAIN_UNIT_NAMES) $(SYSTEMD_TIMER_NAMES) - systemctl start $(SYSTEMD_MAIN_UNIT_NAMES) $(MAKE) install-actions-post # Custom commands to be run before performing post-installation actions. @@ -269,8 +278,14 @@ install-post:: uninstall: FILES_TO_REMOVE := $(call reverse,$(TARGET_EXAMPLE_FILES) $(TARGET_FILES)) uninstall: pre-requisites uninstall-pre - systemctl disable $(SYSTEMD_MAIN_UNIT_NAMES) $(SYSTEMD_TIMER_NAMES) || true - systemctl stop $(SYSTEMD_UNIT_NAMES) $(QUADLET_UNIT_NAMES) || true + @run() { echo $$*; "$$@"; }; \ + set -Eeuo pipefail; \ + if [ -n "$(ENABLE_UNITS)" ]; then \ + run systemctl disable $(ENABLE_UNITS) || true; \ + fi ; \ + if [ -n "$(START_UNITS)" ]; then \ + run systemctl stop $(START_UNITS) || true; \ + fi @run() { echo $$*; "$$@"; }; \ set -Eeuo pipefail; \ if [ -f /etc/tmpfiles.d/$(PROJECT_NAME).conf ]; then \ diff --git a/base/Makefile b/base/Makefile index 2ab0cb6..1b0f2e7 100644 --- a/base/Makefile +++ b/base/Makefile @@ -1,3 +1,14 @@ TOP_LEVEL_DIR := .. include $(TOP_LEVEL_DIR)/Makefile.common -SYSTEMD_MAIN_UNIT_NAMES := var-lib-virtiofs-data.mount rpm-ostree-install-qemu-guest-agent.service install-fastfetch.service +SYSTEMD_MAIN_UNIT_NAMES += var-lib-virtiofs-data.mount +SYSTEMD_MAIN_UNIT_NAMES += rpm-ostree-install-qemu-guest-agent.service +SYSTEMD_MAIN_UNIT_NAMES += install-fastfetch.service + +pre-requisites:: + @set -Eeuo pipefail; \ + for tool in rpm-ostree; do \ + if ! which $$tool &>/dev/null ; then \ + echo "$$tool is not installed. Please install it first." >&2; \ + exit 1; \ + fi ; \ + done 
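Review bot: The tool check in the new `pre-requisites::` recipe of `base/Makefile` uses `which $$tool &>/dev/null`, where `&>` is a bash-only redirection and `which` is an external program; under a POSIX `sh` the line parses as `which $tool &` followed by a bare `>/dev/null`, the `if` sees the exit status of that empty command, and the check passes silently whether or not the tool exists. Unless `Makefile.common` pins `SHELL := bash` (not visible in this hunk), prefer the shell builtin: `if ! command -v "$$tool" >/dev/null 2>&1; then \`. The `::` added to `pre-requisites` in Makefile.common is what makes this extension legal, so this recipe runs in addition to the common checks, which is worth one comment line above the rule.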
diff --git a/base/config/examples/fastfetch.env b/base/config/examples/fastfetch.env new file mode 100644 index 0000000..7d24013 --- /dev/null +++ b/base/config/examples/fastfetch.env @@ -0,0 +1 @@ +FASTFETCH_VERSION="2.45.0" diff --git a/base/config/install-fastfetch.sh b/base/config/install-fastfetch.sh index 9531dc3..2ab1d35 100755 --- a/base/config/install-fastfetch.sh +++ b/base/config/install-fastfetch.sh @@ -1,11 +1,12 @@ #!/bin/bash set -Eeuo pipefail -FASTFETCH_VERSION="$(curl -sSfL https://api.github.com/repos/fastfetch-cli/fastfetch/releases | jq -r '.[] | select(.prerelease == false and .draft == false) | .tag_name' | sort -V | tail -1)" +FASTFETCH_LATEST_VERSION="$(curl -sSfL https://api.github.com/repos/fastfetch-cli/fastfetch/releases | jq -r '.[] | select(.prerelease == false and .draft == false) | .tag_name' | sort -V | tail -1)" +FASTFETCH_VERSION="${FASTFETCH_VERSION:-$FASTFETCH_LATEST_VERSION}" FASTFETCH_BIN="/usr/local/bin/fastfetch" declare -A ARCH_MAP=( ["aarch64"]="aarch64" ["x86_64"]="amd64" ) if [ ! -f "$FASTFETCH_BIN" ]; then arch="$(arch)" arch=${ARCH_MAP[$arch]} echo "Installing fastfetch $FASTFETCH_VERSION for $arch..." - curl -sSfL https://github.com/fastfetch-cli/fastfetch/releases/download/$FASTFETCH_VERSION/fastfetch-linux-$arch.tar.gz | tar -zx --strip-components=2 -C /usr/local + curl -sSfL https://github.com/fastfetch-cli/fastfetch/releases/download/$FASTFETCH_VERSION/fastfetch-linux-$arch.tar.gz | tar -zx --strip-components=2 -C /usr/local --no-same-owner fi diff --git a/base/install-fastfetch.service b/base/install-fastfetch.service index bb82c9e..019abad 100644 --- a/base/install-fastfetch.service +++ b/base/install-fastfetch.service @@ -8,6 +8,7 @@ ConditionPathExists=!/usr/local/bin/fastfetch Type=oneshot RemainAfterExit=yes ExecStart=/etc/quadlets/base/install-fastfetch.sh +EnvironmentFile=-/etc/quadlets/base/fastfetch.env [Install] WantedBy=multi-user.target 
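Review bot: Pinning `FASTFETCH_VERSION` through the new env file does not remove the network dependency, because the GitHub releases API is still queried unconditionally on the `FASTFETCH_LATEST_VERSION=` line; under `set -e` an API outage or rate limit now fails a pinned install that never needed the answer. Make the lookup lazy and drop the extra variable: `FASTFETCH_VERSION="${FASTFETCH_VERSION:-$(curl -sSfL https://api.github.com/repos/fastfetch-cli/fastfetch/releases | jq -r '.[] | select(.prerelease == false and .draft == false) | .tag_name' | sort -V | tail -1)}"`. The archive is still extracted straight into `/usr/local` as root with TLS as the only guarantee; once the version is pinned it is cheap to ship the expected digest next to it (for example a constructed `FASTFETCH_SHA256=` entry in `fastfetch.env`), download to a temporary file, run `sha256sum -c`, and only then pipe it to `tar`. `--no-same-owner` is the right addition for a root-run extraction and deserves a short comment saying why.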
diff --git a/samba/samba.container b/samba/samba.container index c83141b..c3e39f8 100644 --- a/samba/samba.container +++ b/samba/samba.container @@ -23,7 +23,7 @@ User=0 # Storage Volume=/var/lib/quadlets/samba/data:/var/lib/samba:Z Volume=/var/lib/quadlets/samba/log:/var/log/samba:Z -Volume=/var/lib/virtiofs/data:/data +Volume=/var/lib/virtiofs/data/storage:/data Volume=/etc/quadlets/samba/smb.conf.d:/etc/samba/smb.conf.d:Z Volume=/run/quadlets/samba/passwd:/etc/passwd:Z Volume=/run/quadlets/samba/group:/etc/group:Z diff --git a/samba/tmpfiles.d/samba.conf b/samba/tmpfiles.d/samba.conf index 91277b8..ee22792 100644 --- a/samba/tmpfiles.d/samba.conf +++ b/samba/tmpfiles.d/samba.conf @@ -1,8 +1,7 @@ d$ /var/lib/quadlets/samba/data 0755 0 0 - d$ /var/lib/quadlets/samba/log 0755 0 0 - d$ /var/lib/quadlets/samba/cache 0755 0 0 - -d$ /var/lib/virtiofs/data/foo 0755 0 0 - -d$ /var/lib/virtiofs/data/bar 0755 0 0 - +d$ /var/lib/virtiofs/data/storage 0755 0 0 - d$ /run/quadlets/samba 0700 0 0 - C$ /run/quadlets/samba/passwd - - - - /etc/passwd C$ /run/quadlets/samba/group - - - - /etc/group diff --git a/vmagent/Makefile b/vmagent/Makefile new file mode 100644 index 0000000..b2e3e3c --- /dev/null +++ b/vmagent/Makefile @@ -0,0 +1,16 @@ +## +## Makefile for Victoria Metrics Agent quadlet +## + +# Victoria Metrics Agent quadlet is mapped to the 10025 user (vmagent) and 10000 group (itix-svc) +PROJECT_UID = 10025 +PROJECT_GID = 10000 + +# Include common Makefile +TOP_LEVEL_DIR := .. +include $(TOP_LEVEL_DIR)/Makefile.common + +SYSTEMD_MAIN_UNIT_NAMES += vmagent.service + +$(TARGET_CHROOT)/etc/quadlets/vmagent/conf.d: + install -d -m 0700 -o $(PROJECT_UID) -g $(PROJECT_GID) -D $< $@ diff --git a/vmagent/config/examples/conf.d/remotewrite.token b/vmagent/config/examples/conf.d/remotewrite.token new file mode 100644 index 0000000..12ae593 --- /dev/null +++ b/vmagent/config/examples/conf.d/remotewrite.token @@ -0,0 +1 @@ +REDACTED \ No newline at end of file 
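Review bot: In the `$(TARGET_CHROOT)/etc/quadlets/vmagent/conf.d` rule of `vmagent/Makefile` the recipe passes `$<`, which expands to nothing because the rule declares no prerequisites, and `-D` only has meaning when installing files, not together with `-d`; the command works by accident and reads as if a source file were being installed. `install -d -m 0700 -o $(PROJECT_UID) -g $(PROJECT_GID) $@` says what actually happens. The 0700 mode on that directory is what keeps `remotewrite.token` private from other host users, so a comment naming that purpose belongs above the rule; whether the example token itself lands with a 0600 mode depends on how `Makefile.common` installs `TARGET_EXAMPLE_FILES`, which this patch does not show and is worth confirming.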
diff --git a/vmagent/config/examples/vmagent.local.env b/vmagent/config/examples/vmagent.local.env
new file mode 100644
index 0000000..ea28654
--- /dev/null
+++ b/vmagent/config/examples/vmagent.local.env
@@ -0,0 +1,3 @@
+remoteWrite_url=https://victoriametrics.example.tld/api/v1/write
+remoteWrite_basicAuth_passwordFile=/etc/vmagent/remotewrite.token
+remoteWrite_basicAuth_username=remotewrite
diff --git a/vmagent/config/vmagent.global.env b/vmagent/config/vmagent.global.env
new file mode 100644
index 0000000..246376f
--- /dev/null
+++ b/vmagent/config/vmagent.global.env
@@ -0,0 +1,2 @@
+httpListenAddr=127.0.0.1:8428
+remoteWrite_tmpDataPath=/var/lib/vmagent/tmp
diff --git a/vmagent/overlay.bu b/vmagent/overlay.bu
new file mode 100644
index 0000000..19d2c41
--- /dev/null
+++ b/vmagent/overlay.bu
@@ -0,0 +1,9 @@
+variant: fcos
+version: 1.4.0
+passwd:
+ users:
+ - name: vmagent
+ uid: 10025
+ gecos: Victoria Metrics Agent
+ home_dir: /var/lib/quadlets/vmagent
+ primary_group: itix-svc
diff --git a/vmagent/vmagent.container b/vmagent/vmagent.container
new file mode 100644
index 0000000..3db6523
--- /dev/null
+++ b/vmagent/vmagent.container
@@ -0,0 +1,33 @@
+[Unit]
+Description=Victoria Metrics agent
+After=local-fs.target network.target
+Wants=network.target
+
+# Only start if the local configuration file exists
+ConditionPathExists=/etc/quadlets/vmagent/vmagent.local.env
+
+[Container]
+ContainerName=vmagent
+
+# Image
+Image=quay.io/victoriametrics/vmagent:latest
+AutoUpdate=registry
+
+# Security
+User=10025
+Group=10000
+
+# Storage
+Volume=/var/lib/quadlets/vmagent:/var/lib/vmagent:Z
+Volume=/etc/quadlets/vmagent/conf.d:/etc/vmagent:ro
+
+# Network
+Network=host
+
+# Configuration
+EnvironmentFile=/etc/quadlets/vmagent/vmagent.global.env
+EnvironmentFile=/etc/quadlets/vmagent/vmagent.local.env
+Exec=-envflag.enable
+
+[Install]
+WantedBy=multi-user.target
diff --git a/vsftpd/Makefile b/vsftpd/Makefile
new file mode 100644
index 0000000..2a8a6cb
--- /dev/null
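Review bot: `Image=quay.io/victoriametrics/vmagent:latest` together with `AutoUpdate=registry` in `vmagent.container` means every upstream push to the floating `latest` tag is pulled and run unattended on the host network, including major-version jumps that can rename flags and silently break the `envflag`-driven configuration below it. Pin at least a major or minor tag from the tags the project publishes so auto-update stays within a compatible line, and record the choice in the `# Image` comment. `Volume=/etc/quadlets/vmagent/conf.d:/etc/vmagent:ro` is the only mount without an SELinux relabel option while `/var/lib/quadlets/vmagent` gets `:Z`; if the host enforces SELinux, confirm the container can actually read `remotewrite.token` there, since a denial would only surface as a remote-write authentication failure at runtime.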
+++ b/vsftpd/Makefile
@@ -0,0 +1,15 @@
+##
+## Makefile for Vsftpd quadlet
+##
+
+DEPENDENCIES = lego
+
+# Vsftpd quadlet is mapped to the 10015 user (vsftpd) and 10000 group (itix-svc)
+PROJECT_UID = 10015
+PROJECT_GID = 10000
+
+# Include common Makefile
+TOP_LEVEL_DIR := ..
+include $(TOP_LEVEL_DIR)/Makefile.common
+
+
diff --git a/vsftpd/config/container/Containerfile b/vsftpd/config/container/Containerfile
new file mode 100644
index 0000000..5507668
--- /dev/null
+++ b/vsftpd/config/container/Containerfile
@@ -0,0 +1,20 @@
+FROM quay.io/centos/centos:stream10
+
+# Install Vsftpd
+RUN dnf config-manager --set-enabled crb \
+ && dnf install -y epel-release \
+ && dnf install -y vsftpd procps-ng shadow-utils authselect authselect-libs pam gdbm \
+ && authselect select local --force \
+ && dnf clean all
+
+# /data holds the data to share through vsftpd
+VOLUME /data
+
+# Expose FTP port + ports for passive mode
+EXPOSE 21 20000-20100
+
+ADD container-entrypoint /
+ADD vsftpd-virtual /etc/pam.d/vsftpd-virtual
+
+ENTRYPOINT [ "/container-entrypoint" ]
+CMD [ ]
diff --git a/vsftpd/config/container/container-entrypoint b/vsftpd/config/container/container-entrypoint
new file mode 100755
index 0000000..63cb26f
--- /dev/null
+++ b/vsftpd/config/container/container-entrypoint
@@ -0,0 +1,25 @@
+#!/bin/sh
+set -Eeuo pipefail
+
+# Handle the virtual user database when supplied
+if [ -f /var/lib/vsftpd/users.txt ]; then
+ ## Format of the "users.txt" file :
+ #
+ # nicolas:$y$....
+ # john:$y$....
+ #
+ # Empty lines and comments are allowed
+ #
+ ## Hashes can be generated with :
+ #
+ # mkpasswd --method=yescrypt -s
+ #
+
+ umask 0077
+ touch /var/lib/vsftpd/users.txt
+ rm -f /var/lib/vsftpd/users.db
+ sed -r -e 's/^([^:]+):([^:]+)$/store "\1" "\2"/; t r; d; :r s/[\\]/\\\\$/g; s/[$]/\\$/g' < /var/lib/vsftpd/users.txt | gdbmtool --newdb /var/lib/vsftpd/users.db
+ umask 0022
+fi
+
+exec /usr/sbin/vsftpd -obackground=NO /etc/vsftpd/global.conf /etc/vsftpd/local.conf "$@"
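Review bot: Unlike `base/Makefile` and `vmagent/Makefile` in this same patch, `vsftpd/Makefile` never appends to `SYSTEMD_MAIN_UNIT_NAMES`, so unless `Makefile.common` discovers units from the directory on its own (not visible here) `install-actions` enables and starts nothing for vsftpd, and `vsftpd.target`, `vsftpd-load-renewed-certificate.service` and the quadlets stay inert after `make install`. If the target is the intended entry point, add `SYSTEMD_MAIN_UNIT_NAMES += vsftpd.target` after the `include` line. The two trailing empty lines at the end of the file are noise.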
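Review bot: `ADD container-entrypoint /` and `ADD vsftpd-virtual /etc/pam.d/vsftpd-virtual` copy plain local files, and `COPY` is the conventional instruction for that; `ADD` additionally fetches URLs and auto-extracts archives, which is not wanted here and makes a reviewer stop to check what the source is. `FROM quay.io/centos/centos:stream10` is a rolling tag that `vsftpd.build` rebuilds on every run, so each build takes whatever the tag points at; that is a defensible trade-off for an auto-updating host but deserves a one-line comment above the `FROM`. `EXPOSE 21 20000-20100` is informational only because the container runs with `Network=host`, so the passive range in `global.conf` is what actually has to agree with the host firewall — worth saying in the comment so nobody relies on the `EXPOSE` line.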
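Review bot: In `container-entrypoint` the `sed` expression's first substitution, `s/[\\]/\\\\$/g`, replaces each backslash with `\\$`, and the following `s/[$]/\\$/g` then escapes that `$` as well, so a backslash in a username or hash reaches `gdbmtool` as `\\\$`; this looks like a stray `$` and should read `s/[\\]/\\\\/g` — yescrypt hashes contain no backslash, which is why it has gone unnoticed. `touch /var/lib/vsftpd/users.txt` is a no-op on a file the `if` just proved exists and does not tighten its mode; since only root inside the container reads it, `chmod 0600 /var/lib/vsftpd/users.txt` is the useful statement here and matches the 0077 umask applied to `users.db`. `#!/bin/sh` with `set -Eeuo pipefail` only works because `/bin/sh` is bash on CentOS Stream; `#!/bin/bash` states that dependency explicitly.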
diff --git a/vsftpd/config/container/vsftpd-virtual b/vsftpd/config/container/vsftpd-virtual
new file mode 100644
index 0000000..40c0864
--- /dev/null
+++ b/vsftpd/config/container/vsftpd-virtual
@@ -0,0 +1,27 @@
+#%PAM-1.0
+
+##
+## Debug instructions
+##
+#
+# - Add the "debug" option to pam_userdb.so
+#
+# [...] pam_userdb.so db=/var/lib/vsftpd/users crypt=crypt debug
+#
+# - Execute this command in the container:
+#
+# socat UNIX-LISTEN:/dev/log,fork STDOUT
+#
+
+##
+## HEADS UP !!!
+##
+#
+# pam_userdb.so is now linked to gdbm rather than berkeley db.
+# so, you have to use gdbmtool to create the database, rather than db_load.
+# Also, the path to the database has to include the final ".db".
+#
+
+auth required pam_userdb.so db=/var/lib/vsftpd/users.db crypt=crypt
+account required pam_userdb.so db=/var/lib/vsftpd/users.db crypt=crypt
+session required pam_loginuid.so
diff --git a/vsftpd/config/examples/vsftpd.conf.d/local-users.conf b/vsftpd/config/examples/vsftpd.conf.d/local-users.conf
new file mode 100644
index 0000000..6eede24
--- /dev/null
+++ b/vsftpd/config/examples/vsftpd.conf.d/local-users.conf
@@ -0,0 +1,24 @@
+# Network parameters
+pasv_address=storage.example.tld
+pasv_addr_resolve=YES
+
+# Authenticate local users
+local_enable=YES
+local_root=/data
+chroot_local_user=YES
+pam_service_name=vsftpd
+
+# Enable write on the FTP server
+write_enable=YES
+
+# Since /var/lib/virtiofs/data (/data) is writable only by root we can allow this
+allow_writeable_chroot=YES
+
+# No anonymous access
+anonymous_enable=NO
+
+# Misc parameters
+delete_failed_uploads=NO
+ftpd_banner=Storage
+file_open_mode=0660
+ls_recurse_enable=YES
diff --git a/vsftpd/config/examples/vsftpd.conf.d/tls.conf b/vsftpd/config/examples/vsftpd.conf.d/tls.conf
new file mode 100644
index 0000000..7b2e418
--- /dev/null
+++ b/vsftpd/config/examples/vsftpd.conf.d/tls.conf
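Review bot: `session required pam_loginuid.so` in `vsftpd-virtual` makes every virtual-user login depend on writing `/proc/self/loginuid`, which has historically failed inside containers where the login uid is already set and the audit capability is absent; depending on the PAM version this shows up as a refused login after `auth` and `account` both succeeded, which is hard to trace from FTP client output. If logins work on this host keep the line, otherwise `session optional pam_loginuid.so` (or dropping it, since audit login-uid tracking is not meaningful in this container) is the usual choice; either way record the outcome in the comment block. The debug instructions already in the file are useful; one more line noting that `users.db` must stay root-readable only (the entrypoint creates it under umask 0077) would complete them.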
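Review bot: The comment above `allow_writeable_chroot=YES` in `local-users.conf` justifies it with `/var/lib/virtiofs/data`, but the container mounts `/var/lib/virtiofs/data/storage` as `/data` (see `vsftpd.container` and the tmpfiles entry in this patch), so the comment names the wrong directory; point it at the path whose ownership actually carries the argument. That argument only holds while the chroot root stays root-owned and non-writable by FTP users — `write_enable=YES` with `file_open_mode=0660` already lets users write in subdirectories they own, and a later chmod of the root would silently reopen the writable-chroot hazard vsftpd refuses by default — so state that invariant in the comment. With `local_enable=YES` and `pam_service_name=vsftpd`, every local account with a password in the cached shadow file is a login candidate; an allowlist such as `userlist_enable=YES`, `userlist_deny=NO` and a `userlist_file` naming the intended accounts keeps the example from granting more than it advertises.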
@@ -0,0 +1,5 @@
+ssl_enable=YES
+ssl_request_cert=NO
+ssl_tlsv1_2=NO
+rsa_cert_file=/etc/vsftpd/tls/f.q.d.n.crt
+rsa_private_key_file=/etc/vsftpd/tls/f.q.d.n.key
diff --git a/vsftpd/config/examples/vsftpd.conf.d/virtual-users.conf b/vsftpd/config/examples/vsftpd.conf.d/virtual-users.conf
new file mode 100644
index 0000000..ee24d84
--- /dev/null
+++ b/vsftpd/config/examples/vsftpd.conf.d/virtual-users.conf
@@ -0,0 +1,18 @@
+# Network parameters
+pasv_address=storage.example.tld
+pasv_addr_resolve=YES
+
+# Authenticate virtual users
+guest_enable=YES
+guest_username=vsftpd
+local_enable=YES
+virtual_use_local_privs=YES
+chroot_local_user=YES
+pam_service_name=vsftpd-virtual
+
+# Site specific config (example)
+local_root=/data
+# OR
+#user_sub_token=$USER
+#local_root=/data/$USER
+
diff --git a/vsftpd/config/vsftpd.conf.d/global.conf b/vsftpd/config/vsftpd.conf.d/global.conf
new file mode 100644
index 0000000..4549dfa
--- /dev/null
+++ b/vsftpd/config/vsftpd.conf.d/global.conf
@@ -0,0 +1,21 @@
+# Network parameters
+listen=YES
+listen_port=21
+pasv_min_port=20000
+pasv_max_port=20100
+pasv_enable=YES
+pasv_promiscuous=YES
+
+# Be strict by default
+anonymous_enable=NO
+guest_enable=NO
+local_enable=NO
+
+# Log file
+vsftpd_log_file=/var/log/vsftpd/vsftpd.log
+xferlog_enable=YES
+syslog_enable=NO
+
+# Misc parameters
+setproctitle_enable=YES
+reverse_lookup_enable=NO
diff --git a/vsftpd/overlay.bu b/vsftpd/overlay.bu
new file mode 100644
index 0000000..84cf7d0
--- /dev/null
+++ b/vsftpd/overlay.bu
@@ -0,0 +1,9 @@
+variant: fcos
+version: 1.4.0
+passwd:
+ users:
+ - name: vsftpd
+ uid: 10015
+ gecos: Vsftpd
+ home_dir: /var/lib/quadlets/vsftpd
+ primary_group: itix-svc
diff --git a/vsftpd/tmpfiles.d/vsftpd.conf b/vsftpd/tmpfiles.d/vsftpd.conf
new file mode 100644
index 0000000..9befdab
--- /dev/null
+++ b/vsftpd/tmpfiles.d/vsftpd.conf
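Review bot: `ssl_tlsv1_2=NO` on its own in `tls.conf` does not pin the server to TLS 1.3: vsftpd's `ssl_tlsv1` and `ssl_tlsv1_1` settings keep their defaults, so depending on the build the result can be "everything except TLS 1.2", the opposite of what was probably meant. If the goal is TLS 1.3 only, say so in a comment and set the version flags explicitly (`ssl_tlsv1=NO`, `ssl_tlsv1_1=NO`, `ssl_tlsv1_2=NO`, leaving the TLS 1.3 flag enabled), then verify with a client that TLS 1.2 and below are rejected. The `f.q.d.n.crt`/`f.q.d.n.key` placeholders are fine for an example, but the file only works together with `vsftpd-load-renewed-certificate.service`, which copies lego's output into `/etc/vsftpd/tls`; a comment saying the names must match lego's certificate file names would save the next reader a search.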
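Review bot: `pasv_promiscuous=YES` in `global.conf` turns off vsftpd's check that the peer opening a passive data connection is the same address as the control connection, which is the protection against a third party hijacking a transfer or using the server as a bounce; it sits under `# Network parameters` two lines before `# Be strict by default`, which promises the opposite. If it was enabled to cope with a NAT or proxy in front of the server, say so in a comment and move it to the per-site example that needs it; otherwise remove it from the global file. Since this file is shared by every site and the container listens on port 21 with `Network=host` and `User=0`, the defaults here are the ones that actually reach the network.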
@@ -0,0 +1,6 @@
+d$ /run/quadlets/vsftpd 0700 0 0 -
+d$ /run/quadlets/vsftpd/cache 0700 0 0 -
+d$ /run/quadlets/vsftpd/tls 0700 0 0 -
+d$ /var/lib/virtiofs/data/storage 0755 0 0 -
+d$ /var/lib/quadlets/vsftpd/log 0755 0 0 -
+d$ /var/lib/quadlets/vsftpd/data 0755 0 0 -
diff --git a/vsftpd/vsftpd-load-renewed-certificate.service b/vsftpd/vsftpd-load-renewed-certificate.service
new file mode 100644
index 0000000..af45ede
--- /dev/null
+++ b/vsftpd/vsftpd-load-renewed-certificate.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Restart Vsftpd if a new TLS certificate is available
+# Lego touch .renewed files when renewed certificates are available
+ConditionPathExistsGlob=/var/lib/quadlets/lego/certificates/*.renewed
+After=lego-renew.service
+
+[Service]
+Type=oneshot
+# Copy the renewed certificates to the vsftpd /run directory
+ExecStartPre=/bin/sh -Eeuo pipefail -c 'install -o 10015 -g 10000 -m 0600 -t /run/quadlets/vsftpd/tls /var/lib/quadlets/lego/certificates/*.crt /var/lib/quadlets/lego/certificates/*.key'
+# Restart vsftpd to load the new certificates
+ExecStart=systemctl --no-block restart vsftpd.service
+# Remove the flag files after restarting vsftpd
+ExecStartPost=/bin/sh -Eeuo pipefail -c 'rm -f /var/lib/quadlets/lego/certificates/*.renewed'
+
+[Install]
+WantedBy=lego-renew.service
diff --git a/vsftpd/vsftpd.build b/vsftpd/vsftpd.build
new file mode 100644
index 0000000..db5433e
--- /dev/null
+++ b/vsftpd/vsftpd.build
@@ -0,0 +1,9 @@
+[Unit]
+Description=Build of the Vsftpd daemon
+Wants=network-online.target
+After=network-online.target
+
+[Build]
+File=/etc/quadlets/vsftpd/container/Containerfile
+ImageTag=localhost/vsftpd:latest
+SetWorkingDirectory=/etc/quadlets/vsftpd/container
diff --git a/vsftpd/vsftpd.container b/vsftpd/vsftpd.container
new file mode 100644
index 0000000..be35829
--- /dev/null
+++ b/vsftpd/vsftpd.container
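Review bot: `ExecStartPost` in `vsftpd-load-renewed-certificate.service` deletes every `*.renewed` flag in lego's certificates directory, so this unit consumes the renewal signal for all certificates on the host; if any other consumer of lego's output ever relies on the same flag files, whichever oneshot runs first removes them for the other. Either remove only the flag for the certificate vsftpd uses, or have each consumer compare against its own copy instead of a shared flag. The `ExecStartPre` glob likewise copies every certificate and private key lego manages into `/run/quadlets/vsftpd/tls`, not just the FTP one; narrowing the glob to the expected name keeps unrelated private keys out of a root container with host networking. `systemctl --no-block restart` returns before vsftpd is back, so a failed restart does not fail this unit and the flags are already gone by then — acceptable, but a comment should say that the restart result is not checked.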
@@ -0,0 +1,52 @@
+[Unit]
+Description=Vsftpd
+After=local-fs.target network.target vsftpd-build.service lego.target
+Wants=vsftpd-build.service lego.target
+
+# Only start if the local configuration file exists
+ConditionPathExists=/etc/quadlets/vsftpd/vsftpd.conf.d/local.conf
+
+# Stop when the target is stopped
+PartOf=vsftpd.target
+
+[Service]
+# Copy a complete version of /etc/{passwd,group,shadow} in /run/quadlets/vsftpd so that SELinux
+# does not prevent Vsftpd from reading those files.
+#
+# Oh, and by the way, mangle /etc/passwd so that local users' homes are located in /data.
+# This is required by Vsftpd to let the users login.
+ExecStartPre=/bin/sh -Eeuo pipefail -c '\
+ umask 0077 ; \
+ for file in passwd group shadow; do \
+ getent $file | (if [[ "$file" == "passwd" ]]; then \
+ sed -r "s|^([^:]+:[^:]*:[^:]+:1[0-9][0-9][0-9]:[^:]*:)[^:]*(:.*)$|\\1/data\\2|" ; \
+ else \
+ cat ; \
+ fi) > /run/quadlets/vsftpd/cache/$file ; \
+ done'
+
+[Container]
+ContainerName=vsftpd
+
+# Image
+Image=localhost/vsftpd:latest
+AutoUpdate=local
+
+# Security
+User=0
+
+# Storage
+Volume=/var/lib/quadlets/vsftpd/log:/var/log/vsftpd:Z
+Volume=/var/lib/quadlets/vsftpd/data:/var/lib/vsftpd:Z
+Volume=/var/lib/virtiofs/data/storage:/data
+Volume=/etc/quadlets/vsftpd/vsftpd.conf.d:/etc/vsftpd:ro
+Volume=/run/quadlets/vsftpd/cache/passwd:/etc/passwd:Z
+Volume=/run/quadlets/vsftpd/cache/group:/etc/group:Z
+Volume=/run/quadlets/vsftpd/cache/shadow:/etc/shadow:Z
+Volume=/run/quadlets/vsftpd/tls:/etc/vsftpd/tls:Z
+
+# Network
+Network=host
+
+[Install]
+WantedBy=vsftpd.target
diff --git a/vsftpd/vsftpd.target b/vsftpd/vsftpd.target
new file mode 100644
index 0000000..a4c910d
--- /dev/null
+++ b/vsftpd/vsftpd.target
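Review bot: The `ExecStartPre` script in `vsftpd.container` copies the host's complete shadow database (`getent shadow`) into `/run/quadlets/vsftpd/cache/shadow` and bind-mounts it as `/etc/shadow` inside a container that runs as `User=0` on the host network; every local account's password hash, root included, is then readable by vsftpd, and with `local_enable=YES` in the local-users example any of those accounts that has a password becomes an FTP login candidate. The only narrowing performed is the home-directory rewrite for UIDs 1000–1999 in the `sed`, which is not an access control. Restrict the cache to the accounts meant to use FTP — filter `passwd` to the intended UID range first, then keep only the matching names from `shadow` and `group` — so a vsftpd compromise exposes those hashes only, and pair it with a `userlist_enable` allowlist in the vsftpd configuration. The `[[ "$file" == "passwd" ]]` test inside `/bin/sh -c` relies on `/bin/sh` being bash on the host; `[ "$file" = passwd ]` works under any shell. The `# Copy a complete version …` comment should state explicitly that the copy includes `shadow` and why, since that is the line a reviewer will stop at.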
@@ -0,0 +1,11 @@
+[Unit]
+Description=Vsftpd Service Target
+Documentation=man:systemd.target(5)
+Requires=vsftpd.service vsftpd-build.timer
+After=vsftpd.service vsftpd-build.timer
+
+# Allow isolation - can stop/start this target independently
+AllowIsolate=yes
+
+[Install]
+WantedBy=multi-user.target
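Review bot: `AllowIsolate=yes` does not mean the target can be started and stopped independently, as the comment above it claims; it permits `systemctl isolate vsftpd.target`, which stops every unit outside this target's dependency tree — sshd and the other quadlets included — so on a remote host it is a way to lock yourself out. `systemctl start`/`stop` on the target already works without it, and `PartOf=vsftpd.target` in `vsftpd.container` provides the grouped stop; drop `AllowIsolate=yes` together with the comment, or if isolation is really wanted reword the comment to describe what it does. `Requires=vsftpd-build.timer` names a unit this patch does not add; unless `Makefile.common` generates a timer for `.build` quadlets (not visible here), the target fails its dependency check at start.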