lxc-ubuntu template sets user shell, without checking it's installed

Bug #936762 reported by Martin Pool
Affects: lxc (Ubuntu) | Status: Fix Released | Importance: High | Assigned to: Serge Hallyn

Bug Description

If you use a shell other than bash (or rather, something not installed by default on Ubuntu), then setuplxc will eventually get jammed when it tries to ssh into the container:

mbp@lptests's password:
Permission denied (publickey,password).
Warning: Permanently added 'lptests,10.0.3.122' (RSA) to the list of known hosts.
mbp@lptests's password:

the reason can be seen in the guest's auth.log:

Feb 20 07:07:12 localhost sshd[459]: User mbp not allowed because shell /usr/bin/zsh does not exist
Feb 20 07:07:12 localhost sshd[459]: Failed none for invalid user mbp from 10.0.3.1 port 45609 ssh2

probably it's simplest for setuplxc to just reset the shell to bash after creating the user, or perhaps it can install whichever shell the user prefers.

Tags: lxc
Martin Pool (mbp) wrote :

Digging in to this a bit, I think the bug can be said to be in the lxc templates, where lxc-ubuntu has

do_bindhome()
{
    rootfs=$1
    user=$2

    # copy /etc/passwd, /etc/shadow, and /etc/group entries into container
    pwd=`getent passwd $user`
    if [ $? -ne 0 ]; then
        echo "Warning: failed to copy password entry for $user"
        return
    else
        echo $pwd >> $rootfs/etc/passwd
    fi
    shad=`getent shadow $user`
    echo $shad >> $rootfs/etc/shadow

    # bind-mount the user's path into the container's /home
    h=`getent passwd $user | cut -d: -f 6`
    mkdir -p $rootfs/$h
    echo "$h $rootfs/$h none bind 0 0" >> $path/fstab
}

so that copies the pwent, including the shell, with no consideration whether it will exist....

summary: - setuplxc jams if your shell is not bash
+ lxc-ubuntu template sets user shell, without checking it's installed
Martin Pool (mbp) wrote :

So this could be, and maybe should be, addressed in both lxc and launchpad setuplxc.

* launchpad can work around this by just forcing the user's shell back to bash or by installing zsh (which would be slightly nicer for me, and any other users, and make things very slightly slower to download.)

* The lxc-ubuntu template probably needs to take care of this somehow. I don't know how. Perhaps parsing the pwent line, and installing the right shell? I think it would be inappropriate and dangerous to change it there.

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 936762] Re: lxc-ubuntu template sets user shell, without checking it's installed

Quoting Martin Pool (<email address hidden>):
> So this could be, and maybe should be, addressed in both lxc and
> launchpad setuplxc.
>
> * launchpad can work around this by just forcing the user's shell back
> to bash or by installing zsh (which would be slightly nicer for me, and
> any other users, and make things very slightly slower to download.)
>
> * The lxc-ubuntu template probably needs to take care of this some how.
> I don't know how. Perhaps parsing the pwent line, and installing the
> right shell? I think it would be inappropriate and dangerous to change
> it there.

Thanks, Martin. I will have the template exit with error (and an error
message in case it was called by a human) if, after container creation,
the specified shell doesn't exist. (lxc-create will go on to clean up
the container)

-serge

Changed in lxc (Ubuntu):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Serge Hallyn (serge-hallyn)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.7.5-3ubuntu29

---------------
lxc (0.7.5-3ubuntu29) precise; urgency=low

  * 0047-bindhome-check-shell:
    - Make sure to install a bound user's shell in the container. (LP: #936762)
    - Create bound user's group in the container.
 -- Serge Hallyn <email address hidden> Mon, 20 Feb 2012 14:31:05 -0600

Changed in lxc (Ubuntu):
status: Confirmed → Fix Released
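The two options discussed in this thread, failing container creation when the bound user's shell is missing from the rootfs (comment #3) and silently resetting the shell to bash (the setuplxc workaround), are shown side by side below as an added example. This is not the lxc-ubuntu template's code and not the 0047-bindhome-check-shell patch; it only covers the shell check from the bug, not the group creation or the package install the changelog mentions. The function names (shell_in_rootfs, bind_user_entry, demo), the "strict"/"fallback" mode argument and the sample passwd line for user mbp are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the lxc-ubuntu template's own do_bindhome.
# Validates the bound user's login shell inside the container rootfs
# before the passwd entry is committed, instead of copying it blindly.

# shell_in_rootfs ROOTFS SHELL
# Returns 0 when SHELL (an absolute path such as /usr/bin/zsh) exists and
# is executable under ROOTFS, i.e. sshd inside the container will accept it.
shell_in_rootfs() {
    [ -n "$2" ] && [ -x "$1/$2" ]
}

# bind_user_entry ROOTFS PWENT [MODE]
#   PWENT is one full /etc/passwd line for the user (what getent passwd prints).
#   MODE "strict"  : refuse the entry if the shell is not in the rootfs
#                    (the behaviour proposed in comment #3).
#   MODE "fallback": rewrite field 7 to /bin/bash and carry on
#                    (the workaround suggested for setuplxc).
# On success appends the entry to ROOTFS/etc/passwd and prints the shell
# that was written; returns 1 without touching the rootfs otherwise.
bind_user_entry() {
    rootfs=$1 pwent=$2 mode=${3:-strict}
    user=$(printf '%s\n' "$pwent" | cut -d: -f1)
    shell=$(printf '%s\n' "$pwent" | cut -d: -f7)

    if ! shell_in_rootfs "$rootfs" "$shell"; then
        if [ "$mode" = strict ]; then
            echo "Error: shell $shell for user $user is not installed in $rootfs" >&2
            return 1
        fi
        # fallback: keep every other field, replace only the shell
        pwent=$(printf '%s\n' "$pwent" | awk -F: -v OFS=: '{ $7 = "/bin/bash"; print }')
        shell=/bin/bash
    fi

    mkdir -p "$rootfs/etc"
    printf '%s\n' "$pwent" >> "$rootfs/etc/passwd"
    printf '%s\n' "$shell"
}

# demo: builds a constructed throw-away rootfs that has /bin/bash but no
# /usr/bin/zsh, then runs both modes against a constructed passwd line.
# Prints the outcome of each step and returns 0 if they behave as described.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin"
    printf '#!/bin/sh\n' > "$tmp/bin/bash" && chmod +x "$tmp/bin/bash"
    # constructed sample entry, mirroring the zsh user from the report
    entry='mbp:x:1000:1000:Martin Pool:/home/mbp:/usr/bin/zsh'
    rc=0
    if bind_user_entry "$tmp" "$entry" strict 2>/dev/null; then
        echo "strict mode unexpectedly accepted a missing shell"; rc=1
    else
        echo "strict mode: rejected /usr/bin/zsh (not in rootfs)"
    fi
    used=$(bind_user_entry "$tmp" "$entry" fallback) || rc=1
    echo "fallback mode: wrote entry with shell $used"
    grep '^mbp:' "$tmp/etc/passwd"
    rm -rf "$tmp"
    return $rc
}
```

Run `demo` after sourcing the file to see both behaviours; in a real template the strict branch is the one that makes the missing-shell condition visible at lxc-create time instead of as a confusing "Permission denied" from sshd later.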
Martin Pool (mbp) wrote :

It sounds like that would prevent zsh users creating new containers, which
would be worse than the original bug.
On Feb 21, 2012 7:55 AM, "Launchpad Bug Tracker" <email address hidden>
wrote:

> This bug was fixed in the package lxc - 0.7.5-3ubuntu29
>
> ---------------
> lxc (0.7.5-3ubuntu29) precise; urgency=low
>
> * 0047-bindhome-check-shell:
> - Make sure to install a bound user's shell in the container. (LP:
> #936762)
> - Create bound user's group in the container.
> -- Serge Hallyn <email address hidden> Mon, 20 Feb 2012 14:31:05
> -0600
>
> ** Changed in: lxc (Ubuntu)
> Status: Confirmed => Fix Released
>

Martin Pool (mbp) wrote :

ok, having read the actual diff <http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/precise/lxc/precise/revision/68> I see you do actually try to install the shell. I misunderstood your comment #3. Thanks very much.

Serge Hallyn (serge-hallyn) wrote :

Quoting Martin Pool (<email address hidden>):
> ok, having read the actual diff <http://bazaar.launchpad.net/~ubuntu-
> branches/ubuntu/precise/lxc/precise/revision/68> I see you do actually
> try to install the shell. I misunderstood your comment #3. Thanks very
> much.

Hi Martin,

no, you didn't misunderstand that comment. Glad to see (based on your
previous comment) I made the right choice to not do that :)

Sorry, I should have mentioned here that I'd changed my mind.

thanks
-serge

Changed in launchpad:
assignee: Martin Pool (mbp) → nobody
no longer affects: launchpad