
vzctl-core-4.4-2.fc18.i686.rpm

#!/bin/sh
#  Copyright (C) 2000-2013, Parallels, Inc. All rights reserved.
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
#
# Runs on the host system and performs these post-create tasks for a
# particular container (its root directory is given by the $VE_ROOT
# environment variable):
#
# 1. Randomizes /etc/crontab and /etc/cron.d/* files so all crontab tasks
#    of all containers will not start at the same time.
#    NOTE: if you don't want a particular file to be randomized,
#    make sure it contains the word VZCTL_POSTCREATE_SKIP somewhere.
#
# 2. Disables root password if it is empty.
#
# 3. Seeds /etc/hosts with localhost entries for IPv4 and IPv6
#
# 4. Creates empty /etc/resolv.conf
#
# 5. Sets file caps for recent Fedora releases, as they can
#    not be saved in a template tarball.

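# Randomize the schedule fields of the container's system crontab files so
# that jobs in different containers do not all fire at the same moment.
# Globals:   VE_ROOT (read) - container root as seen from the host
# Arguments: none
# Outputs:   rewrites ${VE_ROOT}/etc/crontab and ${VE_ROOT}/etc/cron.d/* in
#            place; files containing the word VZCTL_POSTCREATE_SKIP are left
#            untouched
# NOTE(review): the files are opened from the host, so a symlink at one of
# these paths is read through in the host's namespace. Run this only on a
# root populated from a trusted template.
randcrontab()
{
	local file
	for file in "${VE_ROOT}"/etc/crontab "${VE_ROOT}"/etc/cron.d/*; do
		# An unmatched glob stays literal; the -f test filters it out.
		[ -f "${file}" ] || continue
		grep -wq VZCTL_POSTCREATE_SKIP "${file}" && continue

		# Pre-create the temp copy with cp -p so the rewritten file keeps
		# the mode and ownership of the original.
		# NOTE(review): the temp name is only PID-suffixed and lives inside
		# the container tree; acceptable while nothing else writes there.
		/bin/cp -fp "${file}" "${file}.$$"
		awk '
BEGIN { srand(); }
{
	# Comments and blank lines pass through unchanged.
	if ($0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/) {
		print $0;
		next;
	}
	# Fewer than 7 fields: not a "min hour day mon dow user cmd" entry
	# (for example a VAR=value line), so leave it alone.
	if ((n = split($0, ar)) < 7) {
		print $0;
		next;
	}
	# min: a plain number becomes 0..58, "-*/N" gets a step of 15..54
	if (ar[1] ~ /^[0-9]+$/) {
		ar[1] = int(rand() * 59);
	} else if (ar[1] ~/^-\*\/[0-9]+$/) {
		r = int(rand() * 40) + 15;
		ar[1] = "-*/" r;
	}
	# hour: a plain number becomes 0..5
	if (ar[2] ~ /^[0-9]+$/) {
		ar[2] = int(rand() * 6);
	}
	# day: a plain number becomes 1..31
	# NOTE(review): 29..31 means the job is skipped in shorter months.
	if (ar[3] ~ /^[0-9]+$/) {
		ar[3] = int(rand() * 31) + 1;
	}
	# Re-join with single spaces; original column alignment is not kept.
	line = ar[1];
	for (i = 2; i <= n; i++) {
		line = line " "  ar[i];
	}
	print line;
}' < "${file}" > "${file}.$$" && /bin/mv -f "${file}.$$" "${file}"
		# Remove the temp copy if the rewrite failed and mv never ran.
		/bin/rm -f "${file}.$$" 2>/dev/null
	done
}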

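# Lock the root account when the container's passwd file lists it with an
# empty password field ("root::" becomes "root:!!:").
# Globals:   VE_ROOT (read) - container root as seen from the host
# Arguments: none
# Returns:   0 when ${VE_ROOT}/etc/passwd is absent or has no empty root entry
# NOTE(review): only etc/passwd is inspected. An empty root password stored
# in etc/shadow is not detected here - confirm the templates in use.
disableroot()
{
	local file="${VE_ROOT}/etc/passwd"

	[ -f "${file}" ] || return 0

	if /bin/grep -q "^root::" "${file}" 2>/dev/null; then
		# The replacement is created by redirection, so its mode comes from
		# the current umask rather than from the original file.
		/bin/sed 's/^root::/root:!!:/g' < "${file}" > "${file}.$$" &&
			/bin/mv -f "${file}.$$" "${file}"
		# Remove the temp file if sed failed and mv never ran.
		/bin/rm -f "${file}.$$" 2>/dev/null
	fi
}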

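# Seed the container's /etc/hosts with IPv4 and IPv6 localhost entries and
# make sure /etc/resolv.conf exists.
# Globals:   VE_ROOT (read) - container root as seen from the host
# Arguments: none
# NOTE(review): both files are appended to or created from the host, so a
# symlink at either path is followed in the host's namespace. Run this only
# on a root populated from a trusted template.
set_network()
{
	local file="${VE_ROOT}/etc/hosts"
	# A missing hosts file makes grep fail, which also triggers the append.
	if ! grep -qw '127.0.0.1' "${file}" 2>/dev/null; then
		echo '127.0.0.1 localhost.localdomain localhost' >> "${file}"
	fi
	if ! grep -qw '::1' "${file}" 2>/dev/null; then
		echo "::1 localhost.localdomain localhost" >> "${file}"
	fi

	# Some distros' network scripts emit ugly warnings about non-existing
	# /etc/resolv.conf, so it won't hurt to create an empty one
	file="${VE_ROOT}/etc/resolv.conf"
	if [ ! -e "${file}" ]; then
		touch "${file}"
	fi
}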

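# Set the security.capability extended attribute on container files.
# Globals:   VE_ROOT (read) - container root as seen from the host
# Arguments: $1   - attribute value in the form setfattr -v accepts
#            $2.. - absolute paths inside the container; missing ones are
#                   skipped silently
# NOTE(review): the attribute goes onto whatever file exists at that path in
# the container tree, and the -e test follows symlinks. Confirm the template
# is trusted before file capabilities are granted.
_sc()
{
	local val=$1
	shift
	local f file
	# "$@" keeps each path as one word even if it contains whitespace.
	for f in "$@"; do
		file="${VE_ROOT}${f}"
		if [ -e "${file}" ]; then
			setfattr -n security.capability -v "${val}" "${file}"
		fi
	done
}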

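# Apply file capabilities to selected binaries in Fedora containers. The
# file header notes that they cannot be saved in a template tarball.
# Globals:   VE_ROOT (read) - container root as seen from the host
# Arguments: none
# Returns:   grep's non-zero status when the release does not match,
#            otherwise the status of the last _sc call
# NOTE(review): the "0s" prefix marks the values as base64 for setfattr.
# Decoded they look like version-2 capability blobs with the effective flag
# set and permitted masks 0x9, 0xc2, 0x2000 and 0x80002 - confirm with
# getcap on a created container.
set_file_caps()
{
	# Perform this only for Fedora 15 to 19
	grep -qEw '1[5-9]' "${VE_ROOT}/etc/fedora-release" 2>/dev/null || return

	_sc 0sAQAAAgkAAAAAAAAAAAAAAAAAAAA= /usr/libexec/pt_chown
	_sc 0sAQAAAsIAAAAAAAAAAAAAAAAAAAA= /usr/sbin/suexec
	_sc 0sAQAAAgAgAAAAAAAAAAAAAAAAAAA= /bin/ping /bin/ping6

	# Also, for Fedora 18 and 19. The pattern matches only those two
	# releases, so anything newer gets no capabilities from this script.
	grep -qEw '1[89]' "${VE_ROOT}/etc/fedora-release" 2>/dev/null || return
	_sc 0sAQAAAgAgAAAAAAAAAAAAAAAAAAA= /usr/sbin/arping /usr/sbin/clockdiff
	_sc 0sAQAAAgIACAAAAAAAAAAAAAAAAAA= /usr/bin/systemd-detect-virt
}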

# Entry point. With an empty VE_ROOT every path below would resolve to the
# host's own /etc, so refuse to run rather than touch host files.
if [ -z "${VE_ROOT}" ]; then
	exit 1
fi

# Files created by the steps below (hosts, resolv.conf, the rewritten
# passwd) take their mode from this umask.
umask 0022

# Apply each post-create step in order; their exit statuses are not checked.
randcrontab
disableroot
set_network
set_file_caps

exit 0