[mirror_lxc.git] / templates / lxc-alpine.in

#!/bin/sh
# vim: set ts=4:

# Exit on error and treat unset variables as an error.
set -eu

#
# LXC template for Alpine Linux 3+
#

# Note: Do not replace tabs with spaces, it would break heredocs!

# Authors:
# Jakub Jirutka <jakub@jirutka.cz>

# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA


#===========================  Constants  ============================#

# Make sure the usual locations are in PATH
export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin

readonly LOCAL_STATE_DIR='@LOCALSTATEDIR@'
readonly LXC_TEMPLATE_CONFIG='@LXCTEMPLATECONFIG@'
readonly LXC_CACHE_DIR="${LXC_CACHE_PATH:-"$LOCAL_STATE_DIR/cache/lxc"}/alpine"

# SHA256 checksums of GPG keys for APK.
readonly APK_KEYS_SHA256="\
9c102bcc376af1498d549b77bdbfa815ae86faa1d2d82f040e616b18ef2df2d4  alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub
2adcf7ce224f476330b5360ca5edb92fd0bf91c92d83292ed028d7c4e26333ab  alpine-devel@lists.alpinelinux.org-4d07755e.rsa.pub
ebf31683b56410ecc4c00acd9f6e2839e237a3b62b5ae7ef686705c7ba0396a9  alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub
1bb2a846c0ea4ca9d0e7862f970863857fc33c32f5506098c636a62a726a847b  alpine-devel@lists.alpinelinux.org-524d27bb.rsa.pub
12f899e55a7691225603d6fb3324940fc51cd7f133e7ead788663c2b7eecb00c  alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub
73867d92083f2f8ab899a26ccda7ef63dfaa0032a938620eda605558958a8041  alpine-devel@lists.alpinelinux.org-58199dcc.rsa.pub
9a4cd858d9710963848e6d5f555325dc199d1c952b01cf6e64da2c15deedbd97  alpine-devel@lists.alpinelinux.org-58cbb476.rsa.pub
780b3ed41786772cbc7b68136546fa3f897f28a23b30c72dde6225319c44cfff  alpine-devel@lists.alpinelinux.org-58e4f17d.rsa.pub"

readonly APK_KEYS_URI='http://alpinelinux.org/keys'
readonly DEFAULT_MIRROR_URL='http://dl-cdn.alpinelinux.org/alpine'

: ${APK_KEYS_DIR:=/etc/apk/keys}
if ! ls "$APK_KEYS_DIR"/alpine* >/dev/null 2>&1; then
	APK_KEYS_DIR="$LXC_CACHE_DIR/bootstrap/keys"
fi
readonly APK_KEYS_DIR

: ${APK:=$(command -v apk || true)}
if [ ! -x "$APK" ]; then
	APK="$LXC_CACHE_DIR/bootstrap/sbin/apk.static"
fi
readonly APK


#========================  Helper Functions  ========================#

usage() {
	cat <<-EOF
		Template specific options can be passed to lxc-create after a '--' like this:

		   lxc-create --name=NAME [lxc-create-options] -- [template-options] [PKG...]

		PKG  Additional APK package(s) to install into the container.

		Template options:
		   -a ARCH, --arch=ARCH   The container architecture (e.g. x86, x86_64); defaults
		                          to the host arch.
		   -d, --debug            Run this script in a debug mode (set -x and wget w/o -q).
		   -F, --flush-cache      Remove cached files before build.
		   -m URL --mirror=URL    The Alpine mirror to use; defaults to $DEFAULT_MIRROR_URL.
		   -r VER, --release=VER  The Alpine release branch to install; default is the
		                          latest stable.

		Environment variables:
		   APK             The apk-tools binary to use when building rootfs. If not set
		                   or not executable and apk is not on PATH, then the script
		                   will download the latest apk-tools-static.
		   APK_KEYS_DIR    Path to directory with GPG keys for APK. If not set and
		                   /etc/apk/keys does not contain alpine keys, then the script
		                   will download the keys from ${APK_KEYS_URI}.
		   LXC_CACHE_PATH  Path to the cache directory where to store bootstrap files
		                   and APK packages.
	EOF
}

die() {
	local retval=$1; shift

	printf 'ERROR: %s\n' "$@" 1>&2
	exit $retval
}

einfo() {
	printf "\n==> $1\n"
}

fetch() {
	if [ "$DEBUG" = 'yes' ]; then
		wget -T 10 -O - $@
	else
		wget -T 10 -O - -q $@
	fi
}

latest_release_branch() {
	local arch="$1"
	local branch=$(fetch "$MIRROR_URL/latest-stable/releases/$arch/latest-releases.yaml" \
		| sed -En 's/^[ \t]*branch: (.*)$/\1/p' \
		| head -n 1)
	[ -n "$branch" ] && echo "$branch"
}

parse_arch() {
	case "$1" in
		x86 | i[3-6]86) echo 'x86';;
		x86_64 | amd64) echo 'x86_64';;
		aarch64 | arm64) echo 'aarch64';;
		armv7) echo 'armv7';;
		arm*) echo 'armhf';;
		ppc64le) echo 'ppc64le';;
		*) return 1;;
	esac
}

run_exclusively() {
	local lock_name="$1"
	local timeout=$2
	shift 2

	mkdir -p "$LOCAL_STATE_DIR/lock/subsys"

	local retval
	{
		echo -n "Obtaining an exclusive lock..."
		if ! flock -x 9; then
			echo ' failed.'
			return 1
		fi
		echo ' done'

		"$@"; retval=$?
	} 9> "$LOCAL_STATE_DIR/lock/subsys/lxc-alpine-$lock_name"

	return $retval
}


#============================  Bootstrap  ===========================#

bootstrap() {
	if [ "$FLUSH_CACHE" = 'yes' ] && [ -d "$LXC_CACHE_DIR/bootstrap" ]; then
		einfo 'Cleaning cached bootstrap files'
		rm -Rf "$LXC_CACHE_DIR/bootstrap"
	fi

	einfo 'Fetching and/or verifying APK keys'
	fetch_apk_keys "$APK_KEYS_DIR"

	if [ ! -x "$APK" ]; then
		einfo 'Fetching apk-tools static binary'

		local host_arch=$(parse_arch $(uname -m))
		fetch_apk_static "$LXC_CACHE_DIR/bootstrap" "$host_arch"
	fi
}

fetch_apk_keys() {
	local dest="$1"
	local line keyname

	mkdir -p "$dest"
	cd "$dest"

	echo "$APK_KEYS_SHA256" | while read -r line; do
		keyname="${line##* }"
		if [ ! -s "$keyname" ]; then
			fetch "$APK_KEYS_URI/$keyname" > "$keyname"
		fi
		echo "$line" | sha256sum -c -
	done || exit 2

	cd - >/dev/null
}

fetch_apk_static() {
	local dest="$1"
	local arch="$2"
	local pkg_name='apk-tools-static'

	mkdir -p "$dest"

	local pkg_ver=$(fetch "$MIRROR_URL/latest-stable/main/$arch/APKINDEX.tar.gz" \
		| tar -xzO APKINDEX \
		| sed -n "/P:${pkg_name}/,/^$/ s/V:\(.*\)$/\1/p")

	[ -n "$pkg_ver" ] || die 2 "Cannot find a version of $pkg_name in APKINDEX"

	fetch "$MIRROR_URL/latest-stable/main/$arch/${pkg_name}-${pkg_ver}.apk" \
		| tar -xz -C "$dest" sbin/  # --extract --gzip --directory

	[ -s "$dest/sbin/apk.static" ] || die 2 'apk.static not found'

	local keyname=$(echo "$dest"/sbin/apk.static.*.pub | sed 's/.*\.SIGN\.RSA\.//')
	openssl dgst -sha1 \
		-verify "$APK_KEYS_DIR/$keyname" \
		-signature "$dest/sbin/apk.static.SIGN.RSA.$keyname" \
		"$dest/sbin/apk.static" \
		|| die 2 'Signature verification for apk.static failed'

	# Note: apk doesn't return 0 for --version
	local out="$("$dest"/sbin/apk.static --version)"
	echo "$out"

	[ "${out%% *}" = 'apk-tools' ] || die 3 'apk.static --version failed'
}


#============================  Install  ============================#

install() {
	local dest="$1"
	local arch="$2"
	local branch="$3"
	local extra_packages="$4"
	local apk_cache="$LXC_CACHE_DIR/apk/$arch"

	if [ "$FLUSH_CACHE" = 'yes' ] && [ -d "$apk_cache" ]; then
		einfo "Cleaning cached APK packages for $arch"
		rm -Rf "$apk_cache"
	fi
	mkdir -p "$apk_cache"

	einfo "Installing Alpine Linux in $dest"
	cd "$dest"

	mkdir -p etc/apk
	ln -s "$apk_cache" etc/apk/cache

	local repo; for repo in main community; do
		echo "$MIRROR_URL/$branch/$repo" >> etc/apk/repositories
	done

	install_packages "$arch" "alpine-base $extra_packages"
	make_dev_nodes
	setup_inittab
	setup_hosts
	setup_network
	setup_services

	chroot . /bin/true \
		|| die 3 'Failed to execute /bin/true in chroot, the builded rootfs is broken!'

	rm etc/apk/cache
	cd - >/dev/null
}

install_packages() {
	local arch="$1"
	local packages="$2"

	$APK --arch="$arch" --root=. --keys-dir="$APK_KEYS_DIR" \
		--update-cache --initdb add $packages
}

make_dev_nodes() {
	mkdir -p -m 755 dev/pts
	mkdir -p -m 1777 dev/shm

	mknod -m 666 dev/zero c 1 5
	mknod -m 666 dev/full c 1 7
	mknod -m 666 dev/random c 1 8
	mknod -m 666 dev/urandom c 1 9

	local i; for i in $(seq 0 4); do
		mknod -m 620 dev/tty$i c 4 $i
		chown 0:5 dev/tty$i  # root:tty
	done

	mknod -m 666 dev/tty c 5 0
	chown 0:5 dev/tty  # root:tty
	mknod -m 620 dev/console c 5 1
	mknod -m 666 dev/ptmx c 5 2
	chown 0:5 dev/ptmx  # root:tty
}

setup_inittab() {
	# Remove unwanted ttys.
	sed -i '/^tty[5-9]\:\:.*$/d' etc/inittab

	cat <<-EOF >> etc/inittab
		# Main LXC console console
		::respawn:/sbin/getty 38400 console
	EOF
}

setup_hosts() {
	# This runscript injects localhost entries with the current hostname
	# into /etc/hosts.
	cat <<'EOF' > etc/init.d/hosts
#!/sbin/openrc-run

start() {
	local start_tag='# begin generated'
	local end_tag='# end generated'

	local content=$(
		cat <<-EOF
			$start_tag by /etc/init.d/hosts
			127.0.0.1  $(hostname).local $(hostname) localhost
			::1        $(hostname).local $(hostname) localhost
			$end_tag
		EOF
	)

	if grep -q "^${start_tag}" /etc/hosts; then
		# escape \n, busybox sed doesn't like them
		content=${content//$'\n'/\\$'\n'}

		sed -ni "/^${start_tag}/ {
				a\\${content}
				# read and discard next line and repeat until $end_tag or EOF
				:a; n; /^${end_tag}/!ba; n
			}; p" /etc/hosts
	else
		printf "$content" >> /etc/hosts
	fi
}
EOF
	chmod +x etc/init.d/hosts

	# Wipe it, will be generated by the above runscript.
	echo -n > etc/hosts
}

setup_network() {
	# Note: loopback is automatically started by LXC.
	cat <<-EOF > etc/network/interfaces
		auto eth0
		iface eth0 inet dhcp
		hostname \$(hostname)
	EOF
}

setup_services() {
	local svc_name

	# Specify the LXC subsystem.
	sed -i 's/^#*rc_sys=.*/rc_sys="lxc"/' etc/rc.conf

	# boot runlevel
	for svc_name in bootmisc hosts syslog; do
		ln -s /etc/init.d/$svc_name etc/runlevels/boot/$svc_name
	done

	# default runlevel
	for svc_name in networking cron crond; do
		# issue 1164: alpine renamed cron to crond
		# Use the one that exists.
		if [ -e etc/init.d/$svc_name ]; then
			ln -s /etc/init.d/$svc_name etc/runlevels/default/$svc_name
		fi
	done
}


#===========================  Configure  ===========================#

configure_container() {
	local config="$1"
	local hostname="$2"
	local arch="$3"

	cat <<-EOF >> "$config"

		# Specify container architecture.
		lxc.arch = $arch

		# Set hostname.
		lxc.uts.name = $hostname

		# If something doesn't work, try to comment this out.
		# Dropping sys_admin disables container root from doing a lot of things
		# that could be bad like re-mounting lxc fstab entries rw for example,
		# but also disables some useful things like being able to nfs mount, and
		# things that are already namespaced with ns_capable() kernel checks, like
		# hostname(1).
		lxc.cap.drop = sys_admin

		# Include common configuration.
		lxc.include = $LXC_TEMPLATE_CONFIG/alpine.common.conf
	EOF
}


#=============================  Main  ==============================#

if [ "$(id -u)" != "0" ]; then
	die 1 "This script must be run as 'root'"
fi

# Parse command options.
options=$(getopt -o a:dFm:n:p:r:h -l arch:,debug,flush-cache,mirror:,name:,\
path:,release:,rootfs:,help,mapped-uid:,mapped-gid: -- "$@")
eval set -- "$options"

# Clean variables and set defaults.
arch="$(uname -m)"
debug='no'
flush_cache='no'
mirror_url=
name=
path=
release=
rootfs=

# Process command options.
while [ $# -gt 0 ]; do
	case $1 in
		-a | --arch)
			arch=$2; shift 2
		;;
		-d | --debug)
			debug='yes'; shift 1
		;;
		-F | --flush-cache)
			flush_cache='yes'; shift 1
		;;
		-m | --mirror)
			mirror_url=$2; shift 2
		;;
		-n | --name)
			name=$2; shift 2
		;;
		-p | --path)
			path=$2; shift 2
		;;
		-r | --release)
			release=$2; shift 2
		;;
		--rootfs)
			rootfs=$2; shift 2
		;;
		-h | --help)
			usage; exit 0
		;;
		--)
			shift; break
		;;
		--mapped-[ug]id)
			die 1 "This template can't be used for unprivileged containers." \
				'You may want to try the "download" template instead.'
		;;
		*)
			echo "Unknown option: $1" 1>&2
			usage; exit 1
		;;
	esac
done

extra_packages="$@"

[ "$debug" = 'yes' ] && set -x

# Set global variables.
readonly DEBUG="$debug"
readonly FLUSH_CACHE="$flush_cache"
readonly MIRROR_URL="${mirror_url:-$DEFAULT_MIRROR_URL}"

# Validate options.
[ -n "$name" ] || die 1 'Missing required option --name'
[ -n "$path" ] || die 1 'Missing required option --path'

if [ -z "$rootfs" ] && [ -f "$path/config" ]; then
	rootfs="$(sed -nE 's/^lxc.rootfs.path\s*=\s*(.*)$/\1/p' "$path/config")"
fi
if [ -z "$rootfs" ]; then
	rootfs="$path/rootfs"
fi

arch=$(parse_arch "$arch") \
	|| die 1 "Unsupported architecture: $arch"

if [ -z "$release" ]; then
	release=$(latest_release_branch "$arch") \
		|| die 2 'Failed to resolve Alpine last release branch'
fi

# Here we go!
run_exclusively 'bootstrap' 10 bootstrap
run_exclusively "$arch" 30 install "$rootfs" "$arch" "$release" "$extra_packages"
configure_container "$path/config" "$name" "$arch"

einfo "Container's rootfs and config have been created"
cat <<-EOF
	Edit the config file $path/config to check/enable networking setup.
	The installed system is preconfigured for a loopback and single network
	interface configured via DHCP.

	To start the container, run "lxc-start -n $name".
	The root password is not set; to enter the container run "lxc-attach -n $name".
EOF
Commit	Line	Data
04fa4e12	1	#!/bin/sh
6515faa1	2	# vim: set ts=4:
5845ac2b JJ	3
	4	# Exit on error and treat unset variables as an error.
	5	set -eu
6515faa1 JJ	6
	7	#
	8	# LXC template for Alpine Linux 3+
	9	#
	10
	11	# Note: Do not replace tabs with spaces, it would break heredocs!
	12
	13	# Authors:
	14	# Jakub Jirutka <jakub@jirutka.cz>
	15
	16	# This library is free software; you can redistribute it and/or
	17	# modify it under the terms of the GNU Lesser General Public
	18	# License as published by the Free Software Foundation; either
	19	# version 2.1 of the License, or (at your option) any later version.
	20	#
	21	# This library is distributed in the hope that it will be useful,
	22	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	23	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	24	# Lesser General Public License for more details.
	25	#
	26	# You should have received a copy of the GNU Lesser General Public
	27	# License along with this library; if not, write to the Free Software
	28	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
2a9a0a08	29
6515faa1 JJ	30
6515faa1 JJ	31	#=========================== Constants ============================#
8ec981fc	32
207bf0e4	33	# Make sure the usual locations are in PATH
6515faa1 JJ	34	export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
	35
	36	readonly LOCAL_STATE_DIR='@LOCALSTATEDIR@'
	37	readonly LXC_TEMPLATE_CONFIG='@LXCTEMPLATECONFIG@'
	38	readonly LXC_CACHE_DIR="${LXC_CACHE_PATH:-"$LOCAL_STATE_DIR/cache/lxc"}/alpine"
207bf0e4	39
6515faa1 JJ	40	# SHA256 checksums of GPG keys for APK.
	41	readonly APK_KEYS_SHA256="\
	42	9c102bcc376af1498d549b77bdbfa815ae86faa1d2d82f040e616b18ef2df2d4 alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub
6460d3c5 NC	43	2adcf7ce224f476330b5360ca5edb92fd0bf91c92d83292ed028d7c4e26333ab alpine-devel@lists.alpinelinux.org-4d07755e.rsa.pub
	44	ebf31683b56410ecc4c00acd9f6e2839e237a3b62b5ae7ef686705c7ba0396a9 alpine-devel@lists.alpinelinux.org-5243ef4b.rsa.pub
	45	1bb2a846c0ea4ca9d0e7862f970863857fc33c32f5506098c636a62a726a847b alpine-devel@lists.alpinelinux.org-524d27bb.rsa.pub
2933a5ce BL	46	12f899e55a7691225603d6fb3324940fc51cd7f133e7ead788663c2b7eecb00c alpine-devel@lists.alpinelinux.org-5261cecb.rsa.pub
	47	73867d92083f2f8ab899a26ccda7ef63dfaa0032a938620eda605558958a8041 alpine-devel@lists.alpinelinux.org-58199dcc.rsa.pub
	48	9a4cd858d9710963848e6d5f555325dc199d1c952b01cf6e64da2c15deedbd97 alpine-devel@lists.alpinelinux.org-58cbb476.rsa.pub
	49	780b3ed41786772cbc7b68136546fa3f897f28a23b30c72dde6225319c44cfff alpine-devel@lists.alpinelinux.org-58e4f17d.rsa.pub"
6460d3c5	50
04fa4e12	51	readonly APK_KEYS_URI='http://alpinelinux.org/keys'
72ead1c0	52	readonly DEFAULT_MIRROR_URL='http://dl-cdn.alpinelinux.org/alpine'
6515faa1 JJ	53
6515faa1 JJ	54	: ${APK_KEYS_DIR:=/etc/apk/keys}
5845ac2b	55	if ! ls "$APK_KEYS_DIR"/alpine* >/dev/null 2>&1; then
6515faa1 JJ	56	APK_KEYS_DIR="$LXC_CACHE_DIR/bootstrap/keys"
	57	fi
	58	readonly APK_KEYS_DIR
	59
	60	: ${APK:=$(command -v apk \|\| true)}
	61	if [ ! -x "$APK" ]; then
	62	APK="$LXC_CACHE_DIR/bootstrap/sbin/apk.static"
	63	fi
	64	readonly APK
	65
	66
	67	#======================== Helper Functions ========================#
569bee5c	68
6515faa1 JJ	69	usage() {
	70	cat <<-EOF
	71	Template specific options can be passed to lxc-create after a '--' like this:
	72
1125e053 JJ	73	lxc-create --name=NAME [lxc-create-options] -- [template-options] [PKG...]
	74
	75	PKG Additional APK package(s) to install into the container.
6515faa1 JJ	76
	77	Template options:
	78	-a ARCH, --arch=ARCH The container architecture (e.g. x86, x86_64); defaults
	79	to the host arch.
04fa4e12	80	-d, --debug Run this script in a debug mode (set -x and wget w/o -q).
6515faa1	81	-F, --flush-cache Remove cached files before build.
72ead1c0	82	-m URL --mirror=URL The Alpine mirror to use; defaults to $DEFAULT_MIRROR_URL.
6515faa1 JJ	83	-r VER, --release=VER The Alpine release branch to install; default is the
	84	latest stable.
	85
	86	Environment variables:
	87	APK The apk-tools binary to use when building rootfs. If not set
	88	or not executable and apk is not on PATH, then the script
	89	will download the latest apk-tools-static.
	90	APK_KEYS_DIR Path to directory with GPG keys for APK. If not set and
	91	/etc/apk/keys does not contain alpine keys, then the script
	92	will download the keys from ${APK_KEYS_URI}.
20f39db7 JJ	93	LXC_CACHE_PATH Path to the cache directory where to store bootstrap files
20f39db7 JJ	94	and APK packages.
6515faa1	95	EOF
569bee5c NC	96	}
569bee5c NC	97
6515faa1 JJ	98	die() {
	99	local retval=$1; shift
	100
5845ac2b	101	printf 'ERROR: %s\n' "$@" 1>&2
6515faa1	102	exit $retval
2a9a0a08 NC	103	}
2a9a0a08 NC	104
6515faa1	105	einfo() {
5845ac2b	106	printf "\n==> $1\n"
6515faa1	107	}
691ac4a3	108
6515faa1 JJ	109	fetch() {
6515faa1 JJ	110	if [ "$DEBUG" = 'yes' ]; then
04fa4e12	111	wget -T 10 -O - $@
6515faa1	112	else
04fa4e12	113	wget -T 10 -O - -q $@
6515faa1 JJ	114	fi
6515faa1 JJ	115	}
2a9a0a08	116
6515faa1 JJ	117	latest_release_branch() {
6515faa1 JJ	118	local arch="$1"
04fa4e12	119	local branch=$(fetch "$MIRROR_URL/latest-stable/releases/$arch/latest-releases.yaml" \
6515faa1 JJ	120	\| sed -En 's/^[ \t]branch: (.)$/\1/p' \
	121	\| head -n 1)
	122	[ -n "$branch" ] && echo "$branch"
	123	}
2a9a0a08	124
6515faa1 JJ	125	parse_arch() {
	126	case "$1" in
	127	x86 \| i[3-6]86) echo 'x86';;
	128	x86_64 \| amd64) echo 'x86_64';;
12d233d5 CL	129	aarch64 \| arm64) echo 'aarch64';;
12d233d5 CL	130	armv7) echo 'armv7';;
6515faa1	131	arm*) echo 'armhf';;
2933a5ce	132	ppc64le) echo 'ppc64le';;
6515faa1 JJ	133	*) return 1;;
	134	esac
	135	}
2a9a0a08	136
6515faa1 JJ	137	run_exclusively() {
	138	local lock_name="$1"
	139	local timeout=$2
	140	shift 2
2a9a0a08	141
6515faa1	142	mkdir -p "$LOCAL_STATE_DIR/lock/subsys"
2a9a0a08	143
6515faa1 JJ	144	local retval
6515faa1 JJ	145	{
04fa4e12 JJ	146	echo -n "Obtaining an exclusive lock..."
04fa4e12 JJ	147	if ! flock -x 9; then
6515faa1 JJ	148	echo ' failed.'
	149	return 1
	150	fi
	151	echo ' done'
	152
	153	"$@"; retval=$?
	154	} 9> "$LOCAL_STATE_DIR/lock/subsys/lxc-alpine-$lock_name"
	155
	156	return $retval
2a9a0a08 NC	157	}
2a9a0a08 NC	158
6515faa1 JJ	159
	160	#============================ Bootstrap ===========================#
	161
	162	bootstrap() {
5845ac2b	163	if [ "$FLUSH_CACHE" = 'yes' ] && [ -d "$LXC_CACHE_DIR/bootstrap" ]; then
6515faa1 JJ	164	einfo 'Cleaning cached bootstrap files'
	165	rm -Rf "$LXC_CACHE_DIR/bootstrap"
	166	fi
	167
	168	einfo 'Fetching and/or verifying APK keys'
	169	fetch_apk_keys "$APK_KEYS_DIR"
	170
	171	if [ ! -x "$APK" ]; then
	172	einfo 'Fetching apk-tools static binary'
	173
	174	local host_arch=$(parse_arch $(uname -m))
	175	fetch_apk_static "$LXC_CACHE_DIR/bootstrap" "$host_arch"
	176	fi
2a9a0a08 NC	177	}
2a9a0a08 NC	178
6515faa1 JJ	179	fetch_apk_keys() {
	180	local dest="$1"
	181	local line keyname
	182
	183	mkdir -p "$dest"
04fa4e12	184	cd "$dest"
6515faa1 JJ	185
	186	echo "$APK_KEYS_SHA256" \| while read -r line; do
	187	keyname="${line##* }"
fc20af63	188	if [ ! -s "$keyname" ]; then
04fa4e12	189	fetch "$APK_KEYS_URI/$keyname" > "$keyname"
6515faa1	190	fi
04fa4e12	191	echo "$line" \| sha256sum -c -
6515faa1 JJ	192	done \|\| exit 2
6515faa1 JJ	193
5845ac2b	194	cd - >/dev/null
6515faa1 JJ	195	}
	196
	197	fetch_apk_static() {
	198	local dest="$1"
	199	local arch="$2"
	200	local pkg_name='apk-tools-static'
	201
	202	mkdir -p "$dest"
	203
04fa4e12 JJ	204	local pkg_ver=$(fetch "$MIRROR_URL/latest-stable/main/$arch/APKINDEX.tar.gz" \
04fa4e12 JJ	205	\| tar -xzO APKINDEX \
6515faa1 JJ	206	\| sed -n "/P:${pkg_name}/,/^$/ s/V:\(.*\)$/\1/p")
	207
	208	[ -n "$pkg_ver" ] \|\| die 2 "Cannot find a version of $pkg_name in APKINDEX"
	209
04fa4e12 JJ	210	fetch "$MIRROR_URL/latest-stable/main/$arch/${pkg_name}-${pkg_ver}.apk" \
04fa4e12 JJ	211	\| tar -xz -C "$dest" sbin/ # --extract --gzip --directory
6515faa1	212
fc20af63	213	[ -s "$dest/sbin/apk.static" ] \|\| die 2 'apk.static not found'
6515faa1 JJ	214
	215	local keyname=$(echo "$dest"/sbin/apk.static..pub \| sed 's/.\.SIGN\.RSA\.//')
	216	openssl dgst -sha1 \
	217	-verify "$APK_KEYS_DIR/$keyname" \
	218	-signature "$dest/sbin/apk.static.SIGN.RSA.$keyname" \
	219	"$dest/sbin/apk.static" \
	220	\|\| die 2 'Signature verification for apk.static failed'
	221
	222	# Note: apk doesn't return 0 for --version
	223	local out="$("$dest"/sbin/apk.static --version)"
	224	echo "$out"
	225
04fa4e12	226	[ "${out%% *}" = 'apk-tools' ] \|\| die 3 'apk.static --version failed'
6515faa1 JJ	227	}
	228
	229
	230	#============================ Install ============================#
	231
	232	install() {
6515faa1 JJ	233	local dest="$1"
	234	local arch="$2"
	235	local branch="$3"
1125e053	236	local extra_packages="$4"
20f39db7	237	local apk_cache="$LXC_CACHE_DIR/apk/$arch"
6515faa1	238
20f39db7 JJ	239	if [ "$FLUSH_CACHE" = 'yes' ] && [ -d "$apk_cache" ]; then
	240	einfo "Cleaning cached APK packages for $arch"
	241	rm -Rf "$apk_cache"
	242	fi
	243	mkdir -p "$apk_cache"
	244
	245	einfo "Installing Alpine Linux in $dest"
	246	cd "$dest"
6515faa1	247
20f39db7 JJ	248	mkdir -p etc/apk
20f39db7 JJ	249	ln -s "$apk_cache" etc/apk/cache
28814221 JJ	250
	251	local repo; for repo in main community; do
	252	echo "$MIRROR_URL/$branch/$repo" >> etc/apk/repositories
	253	done
6515faa1	254
691202ae	255	install_packages "$arch" "alpine-base $extra_packages"
6515faa1 JJ	256	make_dev_nodes
	257	setup_inittab
	258	setup_hosts
	259	setup_network
	260	setup_services
	261
	262	chroot . /bin/true \
	263	\|\| die 3 'Failed to execute /bin/true in chroot, the builded rootfs is broken!'
	264
20f39db7	265	rm etc/apk/cache
5845ac2b	266	cd - >/dev/null
6515faa1 JJ	267	}
6515faa1 JJ	268
1125e053	269	install_packages() {
7276799b VC	270	local arch="$1"
7276799b VC	271	local packages="$2"
1125e053 JJ	272
	273	$APK --arch="$arch" --root=. --keys-dir="$APK_KEYS_DIR" \
	274	--update-cache --initdb add $packages
	275	}
	276
6515faa1 JJ	277	make_dev_nodes() {
	278	mkdir -p -m 755 dev/pts
	279	mkdir -p -m 1777 dev/shm
	280
	281	mknod -m 666 dev/zero c 1 5
	282	mknod -m 666 dev/full c 1 7
	283	mknod -m 666 dev/random c 1 8
	284	mknod -m 666 dev/urandom c 1 9
	285
	286	local i; for i in $(seq 0 4); do
	287	mknod -m 620 dev/tty$i c 4 $i
	288	chown 0:5 dev/tty$i # root:tty
	289	done
	290
	291	mknod -m 666 dev/tty c 5 0
	292	chown 0:5 dev/tty # root:tty
	293	mknod -m 620 dev/console c 5 1
	294	mknod -m 666 dev/ptmx c 5 2
	295	chown 0:5 dev/ptmx # root:tty
	296	}
	297
	298	setup_inittab() {
	299	# Remove unwanted ttys.
	300	sed -i '/^tty[5-9]\:\:.*$/d' etc/inittab
	301
	302	cat <<-EOF >> etc/inittab
	303	# Main LXC console console
	304	::respawn:/sbin/getty 38400 console
	305	EOF
	306	}
	307
	308	setup_hosts() {
	309	# This runscript injects localhost entries with the current hostname
	310	# into /etc/hosts.
	311	cat <<'EOF' > etc/init.d/hosts
	312	#!/sbin/openrc-run
	313
	314	start() {
	315	local start_tag='# begin generated'
	316	local end_tag='# end generated'
	317
	318	local content=$(
	319	cat <<-EOF
	320	$start_tag by /etc/init.d/hosts
	321	127.0.0.1 $(hostname).local $(hostname) localhost
	322	::1 $(hostname).local $(hostname) localhost
	323	$end_tag
	324	EOF
	325	)
	326
	327	if grep -q "^${start_tag}" /etc/hosts; then
	328	# escape \n, busybox sed doesn't like them
	329	content=${content//$'\n'/\\$'\n'}
	330
	331	sed -ni "/^${start_tag}/ {
	332	a\\${content}
	333	# read and discard next line and repeat until $end_tag or EOF
	334	:a; n; /^${end_tag}/!ba; n
	335	}; p" /etc/hosts
	336	else
5845ac2b	337	printf "$content" >> /etc/hosts
6515faa1 JJ	338	fi
6515faa1 JJ	339	}
e5846a6f	340	EOF
6515faa1 JJ	341	chmod +x etc/init.d/hosts
	342
	343	# Wipe it, will be generated by the above runscript.
	344	echo -n > etc/hosts
2a9a0a08 NC	345	}
2a9a0a08 NC	346
6515faa1 JJ	347	setup_network() {
	348	# Note: loopback is automatically started by LXC.
	349	cat <<-EOF > etc/network/interfaces
	350	auto eth0
	351	iface eth0 inet dhcp
1c4ea80c	352	hostname \$(hostname)
6515faa1	353	EOF
2a9a0a08 NC	354	}
2a9a0a08 NC	355
6515faa1 JJ	356	setup_services() {
	357	local svc_name
	358
	359	# Specify the LXC subsystem.
	360	sed -i 's/^#rc_sys=./rc_sys="lxc"/' etc/rc.conf
	361
	362	# boot runlevel
	363	for svc_name in bootmisc hosts syslog; do
	364	ln -s /etc/init.d/$svc_name etc/runlevels/boot/$svc_name
	365	done
2a9a0a08	366
6515faa1	367	# default runlevel
b68d0b8c AA	368	for svc_name in networking cron crond; do
	369	# issue 1164: alpine renamed cron to crond
	370	# Use the one that exists.
	371	if [ -e etc/init.d/$svc_name ]; then
	372	ln -s /etc/init.d/$svc_name etc/runlevels/default/$svc_name
	373	fi
6515faa1 JJ	374	done
	375	}
	376
	377
	378	#=========================== Configure ===========================#
	379
	380	configure_container() {
	381	local config="$1"
	382	local hostname="$2"
	383	local arch="$3"
	384
	385	cat <<-EOF >> "$config"
	386
	387	# Specify container architecture.
	388	lxc.arch = $arch
	389
	390	# Set hostname.
b67771bc	391	lxc.uts.name = $hostname
6515faa1 JJ	392
	393	# If something doesn't work, try to comment this out.
	394	# Dropping sys_admin disables container root from doing a lot of things
	395	# that could be bad like re-mounting lxc fstab entries rw for example,
	396	# but also disables some useful things like being able to nfs mount, and
	397	# things that are already namespaced with ns_capable() kernel checks, like
	398	# hostname(1).
	399	lxc.cap.drop = sys_admin
	400
	401	# Include common configuration.
	402	lxc.include = $LXC_TEMPLATE_CONFIG/alpine.common.conf
	403	EOF
	404	}
	405
	406
	407	#============================= Main ==============================#
	408
6515faa1 JJ	409	if [ "$(id -u)" != "0" ]; then
6515faa1 JJ	410	die 1 "This script must be run as 'root'"
5be56973 SH	411	fi
5be56973 SH	412
6515faa1 JJ	413	# Parse command options.
6515faa1 JJ	414	options=$(getopt -o a:dFm:n:p:r:h -l arch:,debug,flush-cache,mirror:,name:,\
04fa4e12	415	path:,release:,rootfs:,help,mapped-uid:,mapped-gid: -- "$@")
5afb8096 KR	416	eval set -- "$options"
5afb8096 KR	417
6515faa1 JJ	418	# Clean variables and set defaults.
	419	arch="$(uname -m)"
	420	debug='no'
	421	flush_cache='no'
	422	mirror_url=
	423	name=
	424	path=
	425	release=
	426	rootfs=
	427
	428	# Process command options.
2a9a0a08	429	while [ $# -gt 0 ]; do
6515faa1 JJ	430	case $1 in
	431	-a \| --arch)
	432	arch=$2; shift 2
	433	;;
	434	-d \| --debug)
	435	debug='yes'; shift 1
	436	;;
	437	-F \| --flush-cache)
	438	flush_cache='yes'; shift 1
	439	;;
	440	-m \| --mirror)
	441	mirror_url=$2; shift 2
	442	;;
	443	-n \| --name)
	444	name=$2; shift 2
	445	;;
	446	-p \| --path)
	447	path=$2; shift 2
	448	;;
	449	-r \| --release)
	450	release=$2; shift 2
	451	;;
	452	--rootfs)
	453	rootfs=$2; shift 2
	454	;;
	455	-h \| --help)
	456	usage; exit 0
	457	;;
	458	--)
	459	shift; break
	460	;;
04fa4e12	461	--mapped-[ug]id)
5845ac2b JJ	462	die 1 "This template can't be used for unprivileged containers." \
5845ac2b JJ	463	'You may want to try the "download" template instead.'
04fa4e12	464	;;
6515faa1	465	*)
5845ac2b	466	echo "Unknown option: $1" 1>&2
6515faa1 JJ	467	usage; exit 1
	468	;;
	469	esac
2a9a0a08 NC	470	done
2a9a0a08 NC	471
1125e053 JJ	472	extra_packages="$@"
1125e053 JJ	473
6515faa1	474	[ "$debug" = 'yes' ] && set -x
2a9a0a08	475
6515faa1 JJ	476	# Set global variables.
	477	readonly DEBUG="$debug"
	478	readonly FLUSH_CACHE="$flush_cache"
72ead1c0	479	readonly MIRROR_URL="${mirror_url:-$DEFAULT_MIRROR_URL}"
2a9a0a08	480
6515faa1 JJ	481	# Validate options.
	482	[ -n "$name" ] \|\| die 1 'Missing required option --name'
	483	[ -n "$path" ] \|\| die 1 'Missing required option --path'
2a9a0a08	484
5845ac2b	485	if [ -z "$rootfs" ] && [ -f "$path/config" ]; then
7a96a068	486	rootfs="$(sed -nE 's/^lxc.rootfs.path\s=\s(.*)$/\1/p' "$path/config")"
6515faa1	487	fi
2a9a0a08	488	if [ -z "$rootfs" ]; then
6515faa1	489	rootfs="$path/rootfs"
2a9a0a08 NC	490	fi
2a9a0a08 NC	491
6515faa1 JJ	492	arch=$(parse_arch "$arch") \
	493	\|\| die 1 "Unsupported architecture: $arch"
	494
	495	if [ -z "$release" ]; then
	496	release=$(latest_release_branch "$arch") \
	497	\|\| die 2 'Failed to resolve Alpine last release branch'
569bee5c NC	498	fi
569bee5c NC	499
6515faa1 JJ	500	# Here we go!
6515faa1 JJ	501	run_exclusively 'bootstrap' 10 bootstrap
1125e053	502	run_exclusively "$arch" 30 install "$rootfs" "$arch" "$release" "$extra_packages"
6515faa1 JJ	503	configure_container "$path/config" "$name" "$arch"
	504
	505	einfo "Container's rootfs and config have been created"
	506	cat <<-EOF
	507	Edit the config file $path/config to check/enable networking setup.
	508	The installed system is preconfigured for a loopback and single network
	509	interface configured via DHCP.
	510
	511	To start the container, run "lxc-start -n $name".
	512	The root password is not set; to enter the container run "lxc-attach -n $name".
	513	EOF