1 | #!/bin/bash |
2 | ||
3 | # | |
4 | # lxc: linux Container library | |
5 | ||
6 | # Authors: | |
7 | # Daniel Lezcano <daniel.lezcano@free.fr> | |
8 | ||
9 | # This library is free software; you can redistribute it and/or | |
10 | # modify it under the terms of the GNU Lesser General Public | |
11 | # License as published by the Free Software Foundation; either | |
12 | # version 2.1 of the License, or (at your option) any later version. | |
13 | ||
14 | # This library is distributed in the hope that it will be useful, | |
15 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
17 | # Lesser General Public License for more details. | |
18 | ||
19 | # You should have received a copy of the GNU Lesser General Public | |
20 | # License along with this library; if not, write to the Free Software | |
250b1eec | 21 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
eb960fea | 22 | |
# Optional uid/gid the finished config is handed to.  Filled in from
# --mapped-uid / --mapped-gid and consumed by remap_userns; empty means
# "no mapping requested".
LXC_MAPPED_UID=""
LXC_MAPPED_GID=""

# Make sure the usual locations are in PATH
PATH="$PATH:/usr/sbin:/usr/bin:/sbin:/bin"
export PATH
28 | ||
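#######################################
# Report whether this process runs inside a user namespace, judged from
# /proc/self/uid_map.
# Outputs:   "yes" or "no" on stdout
# Returns:   0
#######################################
am_in_userns() {
  local line

  # No uid_map at all: treat as "not in a user namespace".
  [ -e /proc/self/uid_map ] || { echo no; return; }
  # The initial namespace has exactly one mapping line ...
  [ "$(wc -l < /proc/self/uid_map)" -eq 1 ] || { echo yes; return; }
  # ... and that line is the full identity map "0 0 4294967295".
  line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map)
  [ "$line" = "0 0 4294967295" ] && { echo no; return; }
  echo yes
}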
36 | ||
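# Cache the namespace check once; install_busybox reads it to decide
# between mknod and bind-mounting host device nodes.  Quoted so an empty
# result cannot turn the test into a syntax error.
in_userns=0
if [ "$(am_in_userns)" = "yes" ]; then
  in_userns=1
fi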
39 | ||
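#######################################
# Populate a minimal busybox rootfs: directory tree, device nodes (or
# bind-mount entries in the container config when running inside a user
# namespace), passwd/group, rcS, inittab and the udhcpc hook script.
# Globals:   in_userns (read)
#            path (read: container directory whose config receives the
#            lxc.mount.entry lines in the user-namespace case)
# Arguments: $1 - rootfs directory
#            $2 - container name (unused; kept for the call site)
# Returns:   0 on success, 1 if a directory, file or device node could
#            not be set up
#######################################
install_busybox()
{
  local rootfs=$1
  # shellcheck disable=SC2034
  local name=$2
  local res=0
  local dir dev

  # Relative to $rootfs so a path with spaces survives; only the listed
  # directories are chmod'ed, not the intermediates mkdir -p creates.
  for dir in selinux dev home root etc etc/init.d bin usr/bin sbin \
             usr/sbin proc sys mnt tmp var/log usr/share/udhcpc dev/pts \
             dev/shm lib usr/lib lib64 usr/lib64; do
    mkdir -p "$rootfs/$dir" || return 1
    chmod 755 "$rootfs/$dir" || return 1
  done

  # minimal devices needed for busybox
  if [ "$in_userns" -eq 1 ]; then
    # Inside a user namespace the nodes are bind-mounted from the host
    # through the container config instead of being created with mknod
    # (zero and tty5 exist only on the mknod path below).  Refuse to
    # write to "/config" when the caller never set $path.
    [ -n "$path" ] || { echo "container path is not set" >&2; return 1; }
    for dev in tty console tty0 tty1 ram0 null urandom; do
      echo "lxc.mount.entry = /dev/$dev dev/$dev none bind,optional,create=file 0 0" >> "$path/config" || return 1
    done
  else
    # A failed mknod is remembered in $res and reported through the
    # return value, but the remaining files are still written.
    # NOTE(review): tty1 and tty5 are created with the same major/minor
    # as tty0 (4,0), as in the original template -- confirm intended.
    mknod -m 666 "$rootfs/dev/tty" c 5 0 || res=1
    mknod -m 666 "$rootfs/dev/console" c 5 1 || res=1
    mknod -m 666 "$rootfs/dev/tty0" c 4 0 || res=1
    mknod -m 666 "$rootfs/dev/tty1" c 4 0 || res=1
    mknod -m 666 "$rootfs/dev/tty5" c 4 0 || res=1
    mknod -m 600 "$rootfs/dev/ram0" b 1 0 || res=1
    mknod -m 666 "$rootfs/dev/null" c 1 3 || res=1
    mknod -m 666 "$rootfs/dev/zero" c 1 5 || res=1
    mknod -m 666 "$rootfs/dev/urandom" c 1 9 || res=1
  fi

  # root user defined
  cat <<'EOF' >> "$rootfs/etc/passwd" || return 1
root:x:0:0:root:/root:/bin/sh
EOF

  cat <<'EOF' >> "$rootfs/etc/group" || return 1
root:x:0:root
EOF

  # mount everything
  cat <<'EOF' >> "$rootfs/etc/init.d/rcS" || return 1
#!/bin/sh
/bin/syslogd
/bin/mount -a
/bin/udhcpc
EOF

  # executable
  chmod 744 "$rootfs/etc/init.d/rcS" || return 1

  # launch rcS first then make a console available
  # and propose a shell on the tty, the last one is
  # not needed
  cat <<'EOF' >> "$rootfs/etc/inittab" || return 1
::sysinit:/etc/init.d/rcS
tty1::respawn:/bin/getty -L tty1 115200 vt100
console::askfirst:/bin/sh
EOF
  # writable and readable for other
  chmod 644 "$rootfs/etc/inittab" || return 1

  # udhcpc hook, executed inside the container.  The quoted delimiter
  # keeps every $variable literal for the guest shell; $broadcast is
  # deliberately unquoted there because it is either empty or the two
  # words "broadcast <addr>".
  cat <<'EOF' >> "$rootfs/usr/share/udhcpc/default.script" || return 1
#!/bin/sh
case "$1" in
  deconfig)
    ip addr flush dev $interface
    ;;

  renew|bound)
    # flush all the routes
    if [ -n "$router" ]; then
      ip route del default 2> /dev/null
    fi

    # check broadcast
    if [ -n "$broadcast" ]; then
      broadcast="broadcast $broadcast"
    fi

    # add a new ip address
    ip addr add $ip/$mask $broadcast dev $interface

    if [ -n "$router" ]; then
      ip route add default via $router dev $interface
    fi

    [ -n "$domain" ] && echo search $domain > /etc/resolv.conf
    for i in $dns ; do
      echo nameserver $i >> /etc/resolv.conf
    done
    ;;
esac
exit 0
EOF

  chmod 744 "$rootfs/usr/share/udhcpc/default.script" || return 1

  return "$res"
}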
162 | ||
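#######################################
# Install busybox (and dropbear, when the host has it) into the rootfs,
# create the applet symlinks and set the root password via chroot.
# Arguments: $1 - rootfs directory
# Outputs:   progress and warning messages on stdout
# Returns:   0 on success, 1 if busybox is missing or busybox/dropbear
#            could not be copied
#######################################
configure_busybox()
{
  local rootfs=$1
  local busybox_bin dropbear_bin chpasswd_file util

  busybox_bin=$(command -v busybox)
  if [ -z "$busybox_bin" ]; then
    echo "busybox executable is not accessible"
    return 1
  fi

  # A dynamically linked busybox would need the host libraries inside
  # the container; warn but carry on.
  if ! file -L "$busybox_bin" | grep -q "statically linked"; then
    echo "warning : busybox is not statically linked."
    echo "warning : The template script may not correctly"
    echo "warning : setup the container environment."
  fi

  # copy busybox in the rootfs
  if ! cp "$busybox_bin" "$rootfs/bin"; then
    echo "failed to copy busybox in the rootfs"
    return 1
  fi

  # symlink busybox for the commands it supports
  # it would be nice to just use "chroot $rootfs busybox --install -s /bin"
  # but that only works right in a chroot with busybox >= 1.19.0
  pushd "$rootfs/bin" > /dev/null || return 1
  ./busybox --help | grep 'Currently defined functions:' -A300 | \
    grep -v 'Currently defined functions:' | tr , '\n' | \
    xargs -n1 ln -s busybox
  popd > /dev/null

  # relink /sbin/init
  ln "$rootfs/bin/busybox" "$rootfs/sbin/init"

  # passwd exec must be setuid.  passwd is expected to be one of the
  # symlinks created above and chmod follows it, so the bit lands on the
  # busybox binary itself.
  chmod +s "$rootfs/bin/passwd"
  touch "$rootfs/etc/shadow"

  # setting passwd for root
  # The generated script runs under lxc-unshare -s MOUNT so the host
  # /lib can be bind-mounted for "chroot chpasswd" and unmounted again
  # without touching the host mount table.  Its exit status is not
  # checked here, matching the original template.
  chpasswd_file=$rootfs/root/chpasswd.sh

  cat <<EOF >"$chpasswd_file"
echo "setting root password to \"root\""

mount -n --bind /lib "$rootfs/lib"
if [ \$? -ne 0 ]; then
  echo "Failed bind-mounting /lib at $rootfs/lib"
  exit 1
fi

chroot "$rootfs" chpasswd <<EOFF 2>/dev/null
root:root
EOFF

if [ \$? -ne 0 ]; then
  echo "Failed to change root password"
  exit 1
fi

umount "$rootfs/lib"

EOF

  lxc-unshare -s MOUNT -- /bin/sh < "$chpasswd_file"
  rm "$chpasswd_file"

  # add ssh functionality if dropbear package available on host
  dropbear_bin=$(command -v dropbear)
  if [ -n "$dropbear_bin" ]; then
    # copy dropbear binary
    if ! cp "$dropbear_bin" "$rootfs/usr/sbin"; then
      echo "Failed to copy dropbear in the rootfs"
      return 1
    fi

    # make symlinks to various ssh utilities
    for util in usr/bin/dbclient usr/bin/scp usr/bin/ssh \
                usr/sbin/dropbearkey usr/sbin/dropbearconvert; do
      ln -s /usr/sbin/dropbear "$rootfs/$util"
    done

    # add necessary config files
    # Host keys are generated on the host at template time; errors are
    # silenced as in the original template.
    mkdir "$rootfs/etc/dropbear"
    dropbearkey -t rsa -f "$rootfs/etc/dropbear/dropbear_rsa_host_key" > /dev/null 2>&1
    dropbearkey -t dss -f "$rootfs/etc/dropbear/dropbear_dss_host_key" > /dev/null 2>&1

    echo "'dropbear' ssh utility installed"
  fi

  return 0
}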
263 | ||
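#######################################
# Append the container settings to $path/config: the rootfs (unless a
# line is already present), halt/reboot signals, utsname, tty/pts,
# dropped capabilities, automatic mounts, read-only bind mounts of the
# host library directories present on both sides, and securityfs.
# Arguments: $1 - container directory (holds the config file)
#            $2 - rootfs directory
#            $3 - container name (written as lxc.utsname)
# Returns:   0 on success, non-zero if the config could not be written
#######################################
copy_configuration()
{
  local path=$1
  local rootfs=$2
  local name=$3
  local cfg=$path/config
  local dir

  # Keep an existing lxc.rootfs line (e.g. from a caller-supplied
  # config) rather than appending a second one.
  if ! grep -q "^lxc.rootfs" "$cfg" 2>/dev/null; then
    echo "lxc.rootfs = $rootfs" >> "$cfg" || return 1
  fi

  cat <<EOF >> "$cfg" || return 1
lxc.haltsignal = SIGUSR1
lxc.rebootsignal = SIGTERM
lxc.utsname = $name
lxc.tty = 1
lxc.pts = 1
lxc.cap.drop = sys_module mac_admin mac_override sys_time

# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined

lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0
EOF

  # Share the host libraries read-only.  Only directories that exist on
  # both the host and in the rootfs get an entry, so a missing lib64 is
  # simply skipped.
  for dir in lib usr/lib lib64 usr/lib64; do
    if [ -d "/$dir" ] && [ -d "$rootfs/$dir" ]; then
      echo "lxc.mount.entry = /$dir $dir none ro,bind 0 0" >> "$cfg" || return 1
    fi
  done
  echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >> "$cfg"
}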
299 | ||
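#######################################
# Give the container's config to the mapped uid/gid and reset the rootfs
# ownership to root.  Each chown/chgrp runs only when the corresponding
# mapping was supplied; their errors are silenced as in the original.
# Globals:   LXC_MAPPED_UID, LXC_MAPPED_GID (read; empty or -1 means
#            no mapping)
# Arguments: $1 - container directory
# Returns:   0 when nothing had to be done; otherwise the status of the
#            last chgrp that ran
#######################################
remap_userns()
{
  local path=$1

  if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
    chown "$LXC_MAPPED_UID" "$path/config" >/dev/null 2>&1
    chown -R root "$path/rootfs" >/dev/null 2>&1
  fi

  if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
    chgrp "$LXC_MAPPED_GID" "$path/config" >/dev/null 2>&1
    chgrp -R root "$path/rootfs" >/dev/null 2>&1
  fi
}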
314 | ||
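#######################################
# Print the command-line synopsis, covering every option getopt accepts.
# Arguments: $1 - program name to show
# Outputs:   one synopsis line on stdout
# Returns:   0
#######################################
usage()
{
  cat <<EOF
$1 -h|--help -p|--path=<path> [--rootfs=<rootfs>] [-n|--name=<name>] [--mapped-uid=<uid>] [--mapped-gid=<gid>]
EOF
  return 0
}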
322 | ||
a542dd3c | 323 | options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- "$@") |
eb960fea | 324 | if [ $? -ne 0 ]; then |
14d9c0f0 SG |
325 | usage $(basename $0) |
326 | exit 1 | |
eb960fea DL |
327 | fi |
328 | eval set -- "$options" | |
329 | ||
330 | while true | |
331 | do | |
332 | case "$1" in | |
333 | -h|--help) usage $0 && exit 0;; | |
334 | -p|--path) path=$2; shift 2;; | |
1897e3bc | 335 | --rootfs) rootfs=$2; shift 2;; |
14d9c0f0 | 336 | -n|--name) name=$2; shift 2;; |
a542dd3c BP |
337 | --mapped-uid) LXC_MAPPED_UID=$2; shift 2;; |
338 | --mapped-gid) LXC_MAPPED_GID=$2; shift 2;; | |
eb960fea DL |
339 | --) shift 1; break ;; |
340 | *) break ;; | |
341 | esac | |
342 | done | |
343 | ||
344 | if [ "$(id -u)" != "0" ]; then | |
345 | echo "This script should be run as 'root'" | |
346 | exit 1 | |
347 | fi | |
348 | ||
349 | if [ -z "$path" ]; then | |
350 | echo "'path' parameter is required" | |
351 | exit 1 | |
352 | fi | |
353 | ||
1881820a SH |
354 | # detect rootfs |
355 | config="$path/config" | |
1897e3bc SH |
356 | if [ -z "$rootfs" ]; then |
357 | if grep -q '^lxc.rootfs' $config 2>/dev/null ; then | |
853d58fd | 358 | rootfs=$(awk -F= '/^lxc.rootfs =/{ print $2 }' $config) |
1897e3bc SH |
359 | else |
360 | rootfs=$path/rootfs | |
361 | fi | |
1881820a | 362 | fi |
eb960fea DL |
363 | |
364 | install_busybox $rootfs $name | |
365 | if [ $? -ne 0 ]; then | |
366 | echo "failed to install busybox's rootfs" | |
367 | exit 1 | |
368 | fi | |
369 | ||
370 | configure_busybox $rootfs | |
371 | if [ $? -ne 0 ]; then | |
372 | echo "failed to configure busybox template" | |
373 | exit 1 | |
374 | fi | |
375 | ||
376 | copy_configuration $path $rootfs $name | |
377 | if [ $? -ne 0 ]; then | |
378 | echo "failed to write configuration file" | |
379 | exit 1 | |
380 | fi | |
a542dd3c BP |
381 | |
382 | remap_userns $path | |
383 | if [ $? -ne 0 ]; then | |
384 | echo "failed to remap files to user" | |
385 | exit 1 | |
386 | fi |