[mirror_lxc.git] / templates / lxc-download.in

#!/bin/sh

# Client script for LXC container images.
#
# Copyright © 2014 Stéphane Graber <stgraber@ubuntu.com>
#
#  This library is free software; you can redistribute it and/or
#  modify it under the terms of the GNU Lesser General Public
#  License as published by the Free Software Foundation; either
#  version 2.1 of the License, or (at your option) any later version.

#  This library is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
#  Lesser General Public License for more details.

#  You should have received a copy of the GNU Lesser General Public
#  License along with this library; if not, write to the Free Software
#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
#  USA

set -eu

LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
LXC_HOOK_DIR="@LXCHOOKDIR@"
LOCALSTATEDIR="@LOCALSTATEDIR@"

# Defaults
DOWNLOAD_DIST=
DOWNLOAD_RELEASE=
DOWNLOAD_ARCH=
DOWNLOAD_VARIANT="default"
DOWNLOAD_SERVER="images.linuxcontainers.org"
DOWNLOAD_KEYID="0xBAEFF88C22F6E216"
DOWNLOAD_KEYSERVER="pool.sks-keyservers.net"
DOWNLOAD_VALIDATE="true"
DOWNLOAD_FLUSH_CACHE="false"
DOWNLOAD_MODE="system"
DOWNLOAD_USE_CACHE="false"
DOWNLOAD_URL=
DOWNLOAD_SHOW_HTTP_WARNING="true"
DOWNLOAD_SHOW_GPG_WARNING="true"
DOWNLOAD_COMPAT_LEVEL=1

LXC_NAME=
LXC_PATH=
LXC_ROOTFS=
LXC_MAPPED_UID=

# Some useful functions
cleanup() {
    if [ -d "$DOWNLOAD_TEMP" ]; then
        rm -Rf $DOWNLOAD_TEMP
    fi
}

download_file() {
    if ! wget -q https://${DOWNLOAD_SERVER}/$1 -O $2 >/dev/null 2>&1; then
        if ! wget -q http://${DOWNLOAD_SERVER}/$1 -O $2 >/dev/null 2>&1; then
            if [ "$3" = "noexit" ]; then
                return 1
            else
                echo "ERROR: Failed to download http://${DOWNLOAD_SERVER}/$1" 1>&2
                exit 1
            fi
        elif [ "$DOWNLOAD_SHOW_HTTP_WARNING" = "true" ]; then
            DOWNLOAD_SHOW_HTTP_WARNING="false"
            echo "WARNING: Failed to download the file over HTTPs." 1>&2
            echo -n "         The file was instead download over HTTP. " 1>&2
            echo "A server replay attack may be possible!" 1>&2
        fi
    fi
}

download_sig() {
    if ! download_file $1 $2 noexit; then
        if [ "$DOWNLOAD_VALIDATE" = "true" ]; then
            if [ "$3" = "normal" ]; then
                echo "ERROR: Failed to download http://${DOWNLOAD_SERVER}/$1" 1>&2
                exit 1
            else
                return 1
            fi
        else
            return 0
        fi
    fi
}

gpg_setup() {
    if [ "$DOWNLOAD_VALIDATE" = "false" ]; then
        return
    fi

    echo "Setting up the GPG keyring"

    mkdir -p "$DOWNLOAD_TEMP/gpg"
    chmod 700 "$DOWNLOAD_TEMP/gpg"
    export GNUPGHOME="$DOWNLOAD_TEMP/gpg"
    if ! gpg --keyserver $DOWNLOAD_KEYSERVER \
            --recv-keys ${DOWNLOAD_KEYID} >/dev/null 2>&1; then
        echo "ERROR: Unable to fetch GPG key from keyserver."
        exit 1
    fi
}

gpg_validate() {
    if [ "$DOWNLOAD_VALIDATE" = "false" ]; then
        if [ "$DOWNLOAD_SHOW_GPG_WARNING" = "true" ]; then
            echo "WARNING: Running without gpg validation!" 1>&2
        fi
        DOWNLOAD_SHOW_GPG_WARNING="false"
        return 0
    fi

    if ! gpg --verify $1 >/dev/zero 2>&1; then
        echo "ERROR: Invalid signature for $1" 1>&2
        exit 1
    fi
}

in_userns() {
    [ -e /proc/self/uid_map ] || { echo no; return; }
    [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || \
        { echo yes; return; }
    line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map)
    [ "$line" = "0 0 4294967295" ] && { echo no; return; }
    echo yes
}

relevant_file() {
    FILE_PATH="${LXC_CACHE_PATH}/$1"
    if [ -e "${FILE_PATH}-${DOWNLOAD_MODE}" ]; then
        FILE_PATH="${FILE_PATH}-${DOWNLOAD_MODE}"
    fi
    if [ -e "$FILE_PATH.${DOWNLOAD_COMPAT_LEVEL}" ]; then
        FILE_PATH="${FILE_PATH}.${DOWNLOAD_COMPAT_LEVEL}"
    fi

    echo $FILE_PATH
}

usage() {
    cat <<EOF
LXC container image downloader

Required arguments:
[ -d | --dist <distribution> ]: The name of the distribution
[ -r | --release <release> ]: Release name/version
[ -a | --arch <architecture> ]: Architecture of the container
[ -h | --help ]: This help message

Optional arguments:
[ --variant <variant> ]: Variant of the image (default: "default")
[ --server <server> ]: Image server (default: "images.linuxcontainers.org")
[ --keyid <keyid> ]: GPG keyid (default: 0x...)
[ --keyserver <keyserver> ]: GPG keyserver to use
[ --no-validate ]: Disable GPG validation (not recommended)
[ --flush-cache ]: Flush the local copy (if present)

LXC internal arguments (do not pass manually!):
[ --name <name> ]: The container name
[ --path <path> ]: The path to the container
[ --rootfs <rootfs> ]: The path to the container's rootfs
[ --mapped-uid <map> ]: A uid/gid map (user namespaces)
EOF
    return 0
}

options=$(getopt -o d:r:a:h -l dist:,release:,arch:,help,variant:,server:,\
keyid:,no-validate,flush-cache,name:,path:,rootfs:,mapped-uid: -- "$@")

if [ $? -ne 0 ]; then
    usage
    exit 1
fi
eval set -- "$options"

while :; do
    case "$1" in
        -h|--help)          usage $0 && exit 0;;
        -d|--dist)          DOWNLOAD_DIST=$2; shift 2;;
        -r|--release)       DOWNLOAD_RELEASE=$2; shift 2;;
        -a|--arch)          DOWNLOAD_ARCH=$2; shift 2;;
        --variant)          DOWNLOAD_VARIANT=$2; shift 2;;
        --server)           DOWNLOAD_SERVER=$2; shift 2;;
        --keyid)            DOWNLOAD_KEYID=$2; shift 2;;
        --no-validate)      DOWNLOAD_VALIDATE="false"; shift 1;;
        --flush-cache)      DOWNLOAD_FLUSH_CACHE="true"; shift 1;;
        --name)             LXC_NAME=$2; shift 2;;
        --path)             LXC_PATH=$2; shift 2;;
        --rootfs)           LXC_ROOTFS=$2; shift 2;;
        --mapped-uid)       LXC_MAPPED_UID=$2; shift 2;;
        *)                  break;;
    esac
done

# Check for required binaries
for bin in tar xz wget; do
    if ! type $bin >/dev/null 2>&1; then
        echo "ERROR: Missing required tool: $bin" 1>&2
        exit 1
    fi
done

# Check for GPG
if [ "$DOWNLOAD_VALIDATE" = "true" ]; then
    if ! type gpg >/dev/null 2>&1; then
        echo "ERROR: Missing recommended tool: gpg" 1>&2
        echo "You can workaround this by using --no-validate." 1>&2
        exit 1
    fi
fi

# Check that we have all variables we need
if [ -z "$LXC_NAME" ] || [ -z "$LXC_PATH" ] || [ -z "$LXC_ROOTFS" ]; then
    echo "ERROR: Not running through LXC." 1>&2
    exit 1
fi

if [ "$(in_userns)" = "yes" ]; then
    if [ -z "$LXC_MAPPED_UID" ] || [ "$LXC_MAPPED_UID" = "-1" ]; then
        echo "ERROR: In a user namespace without a map." 1>&2
        exit 1
    fi
    DOWNLOAD_MODE="user"
fi

if [ -z "$DOWNLOAD_DIST" ] || [ -z "$DOWNLOAD_RELEASE" ] || \
   [ -z "$DOWNLOAD_ARCH" ]; then
    echo "ERROR: Missing required argument" 1>&2
    usage
    exit 1
fi

# Trap all exit signals
trap cleanup EXIT HUP INT TERM
DOWNLOAD_TEMP=$(mktemp -d)

# Setup the cache
if [ "$DOWNLOAD_MODE" = "system" ]; then
    LXC_CACHE_BASE="$LOCALSTATEDIR/cache/"
    LXC_CACHE_PATH="$LOCALSTATEDIR/cache/lxc/download/$DOWNLOAD_DIST"
    LXC_CACHE_PATH="$LXC_CACHE_PATH/$DOWNLOAD_RELEASE/$DOWNLOAD_ARCH"
else
    LXC_CACHE_BASE="$HOME/.cache/lxc/"
    LXC_CACHE_PATH="$HOME/.cache/lxc/download/$DOWNLOAD_DIST"
    LXC_CACHE_PATH="$LXC_CACHE_PATH/$DOWNLOAD_RELEASE/$DOWNLOAD_ARCH"
fi

if [ -d "$LXC_CACHE_PATH" ]; then
    if [ "$DOWNLOAD_FLUSH_CACHE" = "true" ]; then
        echo "Flushing the cache..."
        rm -Rf $LXC_CACHE_PATH
    else
        DOWNLOAD_USE_CACHE="true"
        if [ -e "$(relevant_file expiry)" ]; then
            if [ "$(cat $(relevant_file expiry))" -lt $(date +%s) ]; then
                echo "The cached copy has expired, re-downloading..."
                DOWNLOAD_USE_CACHE="false"
                rm -Rf $LXC_CACHE_PATH
            fi
        fi
    fi
fi

# Download what's needed
if [ "$DOWNLOAD_USE_CACHE" = "false" ]; then
    # Initialize GPG
    gpg_setup

    # Grab the index
    DOWNLOAD_INDEX_PATH=/meta/1.0/index-${DOWNLOAD_MODE}

    echo "Downloading the image index"
    if ! download_file ${DOWNLOAD_INDEX_PATH}.${DOWNLOAD_COMPAT_LEVEL} \
         ${DOWNLOAD_TEMP}/index noexit ||
       ! download_sig ${DOWNLOAD_INDEX_PATH}.${DOWNLOAD_COMPAT_LEVEL}.asc \
            ${DOWNLOAD_TEMP}/index.asc noexit; then
        download_file ${DOWNLOAD_INDEX_PATH} ${DOWNLOAD_TEMP}/index normal
        download_sig  ${DOWNLOAD_INDEX_PATH}.asc \
            ${DOWNLOAD_TEMP}/index.asc normal
    fi

    gpg_validate ${DOWNLOAD_TEMP}/index.asc

    # Parse it
    while read line; do
        # Basic CSV parser
        OLD_IFS=$IFS
        IFS=";"
        set -- $line
        IFS=$OLD_IFS

        if [ "$1" != "$DOWNLOAD_DIST" ] || \
           [ "$2" != "$DOWNLOAD_RELEASE" ] || \
           [ "$3" != "$DOWNLOAD_ARCH" ] || \
           [ "$4" != "$DOWNLOAD_VARIANT" ] || \
           [ -z "$6" ]; then
            continue
        fi

        DOWNLOAD_URL=$6
        break
    done < ${DOWNLOAD_TEMP}/index

    if [ -z "$DOWNLOAD_URL" ]; then
        echo "ERROR: Couldn't find a matching image." 1>&1
        exit 1
    fi

    # Download the actual files
    echo "Downloading the rootfs"
    download_file $DOWNLOAD_URL/rootfs.tar.xz \
        ${DOWNLOAD_TEMP}/rootfs.tar.xz normal
    download_sig  $DOWNLOAD_URL/rootfs.tar.xz.asc \
         ${DOWNLOAD_TEMP}/rootfs.tar.xz.asc normal
    gpg_validate ${DOWNLOAD_TEMP}/rootfs.tar.xz.asc

    echo "Downloading the metadata"
    download_file $DOWNLOAD_URL/meta.tar.xz \
        ${DOWNLOAD_TEMP}/meta.tar.xz normal
    download_sig  $DOWNLOAD_URL/meta.tar.xz.asc \
        ${DOWNLOAD_TEMP}/meta.tar.xz.asc normal
    gpg_validate ${DOWNLOAD_TEMP}/meta.tar.xz.asc

    mkdir -p $LXC_CACHE_PATH
    mv ${DOWNLOAD_TEMP}/rootfs.tar.xz $LXC_CACHE_PATH
    if ! tar Jxf ${DOWNLOAD_TEMP}/meta.tar.xz -C $LXC_CACHE_PATH; then
        echo "ERROR: Invalid rootfs tarball." 2>&1
        exit 1
    fi

    if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
        chown $LXC_MAPPED_UID -Rf $LXC_CACHE_BASE >/dev/null 2>&1 || true
    fi
    echo "The image cache is now ready"
else
    echo "Using image from local cache"
fi

# Unpack the rootfs
echo "Unpacking the rootfs"
if [ "$DOWNLOAD_MODE" = "system" ]; then
    tar --numeric-owner -xpJf ${LXC_CACHE_PATH}/rootfs.tar.xz -C ${LXC_ROOTFS}
else
    tar  --anchored --exclude="./dev/*" --numeric-owner -xpJf \
        ${LXC_CACHE_PATH}/rootfs.tar.xz -C ${LXC_ROOTFS}
    mkdir -p ${LXC_ROOTFS}/dev/pts/
fi

# Setup the configuration
configfile=$(relevant_file config)
fstab=$(relevant_file fstab)
if [ ! -e $configfile ]; then
    echo "ERROR: meta tarball is missing the configuration file" 1>&2
    exit 1
fi

## Extract all the network config entries
sed -i -e "/lxc.network/{w ${LXC_PATH}/config-network" -e "d}" \
    ${LXC_PATH}/config

## Extract any other config entry
sed -i -e "/lxc./{w ${LXC_PATH}/config-auto" -e "d}" ${LXC_PATH}/config

## Append the defaults
echo "" >> ${LXC_PATH}/config
echo "# Distribution configuration" >> ${LXC_PATH}/config
cat $configfile >> ${LXC_PATH}/config

## Add the container-specific config
echo "" >> ${LXC_PATH}/config
echo "# Container specific configuration" >> ${LXC_PATH}/config
if [ -e "${LXC_PATH}/config-auto" ]; then
    cat ${LXC_PATH}/config-auto >> ${LXC_PATH}/config
    rm ${LXC_PATH}/config-auto
fi
if [ -e "$fstab" ]; then
    echo "lxc.mount = ${LXC_PATH}/fstab" >> ${LXC_PATH}/config
fi
echo "lxc.utsname = ${LXC_NAME}" >> ${LXC_PATH}/config

## Re-add the previously removed network config
if [ -e "${LXC_PATH}/config-network" ]; then
    echo "" >> ${LXC_PATH}/config
    echo "# Network configuration" >> ${LXC_PATH}/config
    cat ${LXC_PATH}/config-network >> ${LXC_PATH}/config
    rm ${LXC_PATH}/config-network
fi

TEMPLATE_FILES="${LXC_PATH}/config"

# Setup the fstab
if [ -e $fstab ]; then
    cp ${fstab} ${LXC_PATH}/fstab
    TEMPLATE_FILES="$TEMPLATE_FILES ${LXC_PATH}/fstab"
fi

# Look for extra templates
if [ -e "$(relevant_file templates)" ]; then
    while read line; do
        fullpath=${LXC_ROOTFS}/$line
        [ ! -e "$fullpath" ] && continue
        TEMPLATE_FILES="$TEMPLATE_FILES $fullpath"
    done < $(relevant_file templates)
fi

# Replace variables in all templates
for file in $TEMPLATE_FILES; do
    [ ! -f "$file" ] && continue

    sed -i "s#LXC_NAME#$LXC_NAME#g" $file
    sed -i "s#LXC_PATH#$LXC_PATH#g" $file
    sed -i "s#LXC_ROOTFS#$LXC_ROOTFS#g" $file
    sed -i "s#LXC_TEMPLATE_CONFIG#$LXC_TEMPLATE_CONFIG#g" $file
    sed -i "s#LXC_HOOK_DIR#$LXC_HOOK_DIR#g" $file
done

if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
    chown $LXC_MAPPED_UID -f $LXC_PATH/config $LXC_PATH/fstab || true
fi

if [ -e "$(relevant_file create-message)" ]; then
    echo ""
    echo "---"
    cat "$(relevant_file create-message)"
fi

exit 0
Commit	Line	Data
71d3a659 SG	1	#!/bin/sh
	2
	3	# Client script for LXC container images.
	4	#
	5	# Copyright © 2014 Stéphane Graber <stgraber@ubuntu.com>
	6	#
	7	# This library is free software; you can redistribute it and/or
	8	# modify it under the terms of the GNU Lesser General Public
	9	# License as published by the Free Software Foundation; either
	10	# version 2.1 of the License, or (at your option) any later version.
	11
	12	# This library is distributed in the hope that it will be useful,
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	15	# Lesser General Public License for more details.
	16
	17	# You should have received a copy of the GNU Lesser General Public
	18	# License along with this library; if not, write to the Free Software
	19	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
	20	# USA
	21
	22	set -eu
	23
	24	LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
	25	LXC_HOOK_DIR="@LXCHOOKDIR@"
	26	LOCALSTATEDIR="@LOCALSTATEDIR@"
	27
	28	# Defaults
	29	DOWNLOAD_DIST=
	30	DOWNLOAD_RELEASE=
	31	DOWNLOAD_ARCH=
	32	DOWNLOAD_VARIANT="default"
	33	DOWNLOAD_SERVER="images.linuxcontainers.org"
	34	DOWNLOAD_KEYID="0xBAEFF88C22F6E216"
	35	DOWNLOAD_KEYSERVER="pool.sks-keyservers.net"
	36	DOWNLOAD_VALIDATE="true"
	37	DOWNLOAD_FLUSH_CACHE="false"
	38	DOWNLOAD_MODE="system"
	39	DOWNLOAD_USE_CACHE="false"
	40	DOWNLOAD_URL=
	41	DOWNLOAD_SHOW_HTTP_WARNING="true"
	42	DOWNLOAD_SHOW_GPG_WARNING="true"
	43	DOWNLOAD_COMPAT_LEVEL=1
	44
	45	LXC_NAME=
	46	LXC_PATH=
	47	LXC_ROOTFS=
	48	LXC_MAPPED_UID=
	49
	50	# Some useful functions
	51	cleanup() {
	52	if [ -d "$DOWNLOAD_TEMP" ]; then
	53	rm -Rf $DOWNLOAD_TEMP
	54	fi
	55	}
	56
	57	download_file() {
	58	if ! wget -q https://${DOWNLOAD_SERVER}/$1 -O $2 >/dev/null 2>&1; then
	59	if ! wget -q http://${DOWNLOAD_SERVER}/$1 -O $2 >/dev/null 2>&1; then
	60	if [ "$3" = "noexit" ]; then
	61	return 1
	62	else
fad96766	63	echo "ERROR: Failed to download http://${DOWNLOAD_SERVER}/$1" 1>&2
71d3a659 SG	64	exit 1
	65	fi
	66	elif [ "$DOWNLOAD_SHOW_HTTP_WARNING" = "true" ]; then
	67	DOWNLOAD_SHOW_HTTP_WARNING="false"
	68	echo "WARNING: Failed to download the file over HTTPs." 1>&2
	69	echo -n " The file was instead download over HTTP. " 1>&2
	70	echo "A server replay attack may be possible!" 1>&2
	71	fi
	72	fi
	73	}
	74
fad96766	75	download_sig() {
33aa351a SG	76	if ! download_file $1 $2 noexit; then
	77	if [ "$DOWNLOAD_VALIDATE" = "true" ]; then
	78	if [ "$3" = "normal" ]; then
	79	echo "ERROR: Failed to download http://${DOWNLOAD_SERVER}/$1" 1>&2
	80	exit 1
	81	else
	82	return 1
	83	fi
	84	else
	85	return 0
	86	fi
fad96766 DE	87	fi
	88	}
	89
71d3a659 SG	90	gpg_setup() {
	91	if [ "$DOWNLOAD_VALIDATE" = "false" ]; then
	92	return
	93	fi
	94
	95	echo "Setting up the GPG keyring"
	96
	97	mkdir -p "$DOWNLOAD_TEMP/gpg"
	98	chmod 700 "$DOWNLOAD_TEMP/gpg"
	99	export GNUPGHOME="$DOWNLOAD_TEMP/gpg"
	100	if ! gpg --keyserver $DOWNLOAD_KEYSERVER \
	101	--recv-keys ${DOWNLOAD_KEYID} >/dev/null 2>&1; then
	102	echo "ERROR: Unable to fetch GPG key from keyserver."
	103	exit 1
	104	fi
	105	}
	106
	107	gpg_validate() {
	108	if [ "$DOWNLOAD_VALIDATE" = "false" ]; then
	109	if [ "$DOWNLOAD_SHOW_GPG_WARNING" = "true" ]; then
	110	echo "WARNING: Running without gpg validation!" 1>&2
	111	fi
	112	DOWNLOAD_SHOW_GPG_WARNING="false"
	113	return 0
	114	fi
	115
	116	if ! gpg --verify $1 >/dev/zero 2>&1; then
	117	echo "ERROR: Invalid signature for $1" 1>&2
	118	exit 1
	119	fi
	120	}
	121
	122	in_userns() {
	123	[ -e /proc/self/uid_map ] \|\| { echo no; return; }
	124	[ "$(wc -l /proc/self/uid_map \| awk '{ print $1 }')" -eq 1 ] \|\| \
	125	{ echo yes; return; }
	126	line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map)
	127	[ "$line" = "0 0 4294967295" ] && { echo no; return; }
	128	echo yes
	129	}
	130
	131	relevant_file() {
	132	FILE_PATH="${LXC_CACHE_PATH}/$1"
	133	if [ -e "${FILE_PATH}-${DOWNLOAD_MODE}" ]; then
	134	FILE_PATH="${FILE_PATH}-${DOWNLOAD_MODE}"
	135	fi
	136	if [ -e "$FILE_PATH.${DOWNLOAD_COMPAT_LEVEL}" ]; then
	137	FILE_PATH="${FILE_PATH}.${DOWNLOAD_COMPAT_LEVEL}"
	138	fi
	139
	140	echo $FILE_PATH
	141	}
	142
	143	usage() {
	144	cat <<EOF
	145	LXC container image downloader
	146
	147	Required arguments:
	148	[ -d \| --dist <distribution> ]: The name of the distribution
	149	[ -r \| --release <release> ]: Release name/version
	150	[ -a \| --arch <architecture> ]: Architecture of the container
	151	[ -h \| --help ]: This help message
	152
	153	Optional arguments:
154	[ --variant <variant> ]: Variant of the image (default: "default")
155	[ --server <server> ]: Image server (default: "images.linuxcontainers.org")
156	[ --keyid <keyid> ]: GPG keyid (default: 0x...)
157	[ --keyserver <keyserver> ]: GPG keyserver to use
158	[ --no-validate ]: Disable GPG validation (not recommended)
159	[ --flush-cache ]: Flush the local copy (if present)
160
161	LXC internal arguments (do not pass manually!):
162	[ --name <name> ]: The container name
163	[ --path <path> ]: The path to the container
164	[ --rootfs <rootfs> ]: The path to the container's rootfs
165	[ --mapped-uid <map> ]: A uid/gid map (user namespaces)
166	EOF
167	return 0
168	}
169
170	options=$(getopt -o d:r:a:h -l dist:,release:,arch:,help,variant:,server:,\
171	keyid:,no-validate,flush-cache,name:,path:,rootfs:,mapped-uid: -- "$@")
172
173	if [ $? -ne 0 ]; then
174	usage
175	exit 1
176	fi
177	eval set -- "$options"
178
179	while :; do
180	case "$1" in
181	-h\|--help) usage $0 && exit 0;;
182	-d\|--dist) DOWNLOAD_DIST=$2; shift 2;;
183	-r\|--release) DOWNLOAD_RELEASE=$2; shift 2;;
184	-a\|--arch) DOWNLOAD_ARCH=$2; shift 2;;
185	--variant) DOWNLOAD_VARIANT=$2; shift 2;;
186	--server) DOWNLOAD_SERVER=$2; shift 2;;
187	--keyid) DOWNLOAD_KEYID=$2; shift 2;;
188	--no-validate) DOWNLOAD_VALIDATE="false"; shift 1;;
189	--flush-cache) DOWNLOAD_FLUSH_CACHE="true"; shift 1;;
190	--name) LXC_NAME=$2; shift 2;;
191	--path) LXC_PATH=$2; shift 2;;
192	--rootfs) LXC_ROOTFS=$2; shift 2;;
193	--mapped-uid) LXC_MAPPED_UID=$2; shift 2;;
194	*) break;;
195	esac
196	done
197
198	# Check for required binaries
199	for bin in tar xz wget; do
200	if ! type $bin >/dev/null 2>&1; then
201	echo "ERROR: Missing required tool: $bin" 1>&2
202	exit 1
203	fi
204	done
205
206	# Check for GPG
207	if [ "$DOWNLOAD_VALIDATE" = "true" ]; then
208	if ! type gpg >/dev/null 2>&1; then
209	echo "ERROR: Missing recommended tool: gpg" 1>&2
210	echo "You can workaround this by using --no-validate." 1>&2
211	exit 1
212	fi
213	fi
214
215	# Check that we have all variables we need
216	if [ -z "$LXC_NAME" ] \|\| [ -z "$LXC_PATH" ] \|\| [ -z "$LXC_ROOTFS" ]; then
217	echo "ERROR: Not running through LXC." 1>&2
218	exit 1
219	fi
220
221	if [ "$(in_userns)" = "yes" ]; then
222	if [ -z "$LXC_MAPPED_UID" ] \|\| [ "$LXC_MAPPED_UID" = "-1" ]; then
223	echo "ERROR: In a user namespace without a map." 1>&2
224	exit 1
225	fi
226	DOWNLOAD_MODE="user"
227	fi
228
229	if [ -z "$DOWNLOAD_DIST" ] \|\| [ -z "$DOWNLOAD_RELEASE" ] \|\| \
230	[ -z "$DOWNLOAD_ARCH" ]; then
231	echo "ERROR: Missing required argument" 1>&2
232	usage
233	exit 1
234	fi
235
236	# Trap all exit signals
237	trap cleanup EXIT HUP INT TERM
238	DOWNLOAD_TEMP=$(mktemp -d)
239
240	# Setup the cache
241	if [ "$DOWNLOAD_MODE" = "system" ]; then
242	LXC_CACHE_BASE="$LOCALSTATEDIR/cache/"
243	LXC_CACHE_PATH="$LOCALSTATEDIR/cache/lxc/download/$DOWNLOAD_DIST"
244	LXC_CACHE_PATH="$LXC_CACHE_PATH/$DOWNLOAD_RELEASE/$DOWNLOAD_ARCH"
245	else
246	LXC_CACHE_BASE="$HOME/.cache/lxc/"
247	LXC_CACHE_PATH="$HOME/.cache/lxc/download/$DOWNLOAD_DIST"
248	LXC_CACHE_PATH="$LXC_CACHE_PATH/$DOWNLOAD_RELEASE/$DOWNLOAD_ARCH"
249	fi
250
251	if [ -d "$LXC_CACHE_PATH" ]; then
252	if [ "$DOWNLOAD_FLUSH_CACHE" = "true" ]; then
253	echo "Flushing the cache..."
254	rm -Rf $LXC_CACHE_PATH
255	else
256	DOWNLOAD_USE_CACHE="true"
257	if [ -e "$(relevant_file expiry)" ]; then
258	if [ "$(cat $(relevant_file expiry))" -lt $(date +%s) ]; then
259	echo "The cached copy has expired, re-downloading..."
260	DOWNLOAD_USE_CACHE="false"
261	rm -Rf $LXC_CACHE_PATH
262	fi
263	fi
264	fi
265	fi
266
267	# Download what's needed
268	if [ "$DOWNLOAD_USE_CACHE" = "false" ]; then
269	# Initialize GPG
270	gpg_setup
271
272	# Grab the index
273	DOWNLOAD_INDEX_PATH=/meta/1.0/index-${DOWNLOAD_MODE}
274
275	echo "Downloading the image index"
276	if ! download_file ${DOWNLOAD_INDEX_PATH}.${DOWNLOAD_COMPAT_LEVEL} \
277	${DOWNLOAD_TEMP}/index noexit \|\|
33aa351a	278	! download_sig ${DOWNLOAD_INDEX_PATH}.${DOWNLOAD_COMPAT_LEVEL}.asc \
71d3a659 SG	279	${DOWNLOAD_TEMP}/index.asc noexit; then
71d3a659 SG	280	download_file ${DOWNLOAD_INDEX_PATH} ${DOWNLOAD_TEMP}/index normal
fad96766	281	download_sig ${DOWNLOAD_INDEX_PATH}.asc \
33aa351a	282	${DOWNLOAD_TEMP}/index.asc normal
71d3a659 SG	283	fi
	284
	285	gpg_validate ${DOWNLOAD_TEMP}/index.asc
	286
	287	# Parse it
	288	while read line; do
	289	# Basic CSV parser
	290	OLD_IFS=$IFS
	291	IFS=";"
	292	set -- $line
	293	IFS=$OLD_IFS
	294
	295	if [ "$1" != "$DOWNLOAD_DIST" ] \|\| \
	296	[ "$2" != "$DOWNLOAD_RELEASE" ] \|\| \
	297	[ "$3" != "$DOWNLOAD_ARCH" ] \|\| \
	298	[ "$4" != "$DOWNLOAD_VARIANT" ] \|\| \
	299	[ -z "$6" ]; then
	300	continue
	301	fi
	302
	303	DOWNLOAD_URL=$6
	304	break
	305	done < ${DOWNLOAD_TEMP}/index
	306
	307	if [ -z "$DOWNLOAD_URL" ]; then
	308	echo "ERROR: Couldn't find a matching image." 1>&1
	309	exit 1
	310	fi
	311
	312	# Download the actual files
	313	echo "Downloading the rootfs"
	314	download_file $DOWNLOAD_URL/rootfs.tar.xz \
	315	${DOWNLOAD_TEMP}/rootfs.tar.xz normal
fad96766	316	download_sig $DOWNLOAD_URL/rootfs.tar.xz.asc \
71d3a659 SG	317	${DOWNLOAD_TEMP}/rootfs.tar.xz.asc normal
	318	gpg_validate ${DOWNLOAD_TEMP}/rootfs.tar.xz.asc
	319
	320	echo "Downloading the metadata"
	321	download_file $DOWNLOAD_URL/meta.tar.xz \
	322	${DOWNLOAD_TEMP}/meta.tar.xz normal
fad96766	323	download_sig $DOWNLOAD_URL/meta.tar.xz.asc \
71d3a659 SG	324	${DOWNLOAD_TEMP}/meta.tar.xz.asc normal
	325	gpg_validate ${DOWNLOAD_TEMP}/meta.tar.xz.asc
	326
	327	mkdir -p $LXC_CACHE_PATH
	328	mv ${DOWNLOAD_TEMP}/rootfs.tar.xz $LXC_CACHE_PATH
	329	if ! tar Jxf ${DOWNLOAD_TEMP}/meta.tar.xz -C $LXC_CACHE_PATH; then
	330	echo "ERROR: Invalid rootfs tarball." 2>&1
	331	exit 1
	332	fi
	333
	334	if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
	335	chown $LXC_MAPPED_UID -Rf $LXC_CACHE_BASE >/dev/null 2>&1 \|\| true
	336	fi
	337	echo "The image cache is now ready"
	338	else
	339	echo "Using image from local cache"
	340	fi
	341
	342	# Unpack the rootfs
	343	echo "Unpacking the rootfs"
	344	if [ "$DOWNLOAD_MODE" = "system" ]; then
	345	tar --numeric-owner -xpJf ${LXC_CACHE_PATH}/rootfs.tar.xz -C ${LXC_ROOTFS}
	346	else
	347	tar --anchored --exclude="./dev/*" --numeric-owner -xpJf \
	348	${LXC_CACHE_PATH}/rootfs.tar.xz -C ${LXC_ROOTFS}
	349	mkdir -p ${LXC_ROOTFS}/dev/pts/
	350	fi
	351
	352	# Setup the configuration
	353	configfile=$(relevant_file config)
	354	fstab=$(relevant_file fstab)
	355	if [ ! -e $configfile ]; then
	356	echo "ERROR: meta tarball is missing the configuration file" 1>&2
	357	exit 1
	358	fi
	359
	360	## Extract all the network config entries
	361	sed -i -e "/lxc.network/{w ${LXC_PATH}/config-network" -e "d}" \
	362	${LXC_PATH}/config
	363
	364	## Extract any other config entry
	365	sed -i -e "/lxc./{w ${LXC_PATH}/config-auto" -e "d}" ${LXC_PATH}/config
	366
	367	## Append the defaults
	368	echo "" >> ${LXC_PATH}/config
	369	echo "# Distribution configuration" >> ${LXC_PATH}/config
	370	cat $configfile >> ${LXC_PATH}/config
	371
	372	## Add the container-specific config
	373	echo "" >> ${LXC_PATH}/config
	374	echo "# Container specific configuration" >> ${LXC_PATH}/config
	375	if [ -e "${LXC_PATH}/config-auto" ]; then
	376	cat ${LXC_PATH}/config-auto >> ${LXC_PATH}/config
	377	rm ${LXC_PATH}/config-auto
	378	fi
	379	if [ -e "$fstab" ]; then
	380	echo "lxc.mount = ${LXC_PATH}/fstab" >> ${LXC_PATH}/config
	381	fi
	382	echo "lxc.utsname = ${LXC_NAME}" >> ${LXC_PATH}/config
	383
	384	## Re-add the previously removed network config
	385	if [ -e "${LXC_PATH}/config-network" ]; then
	386	echo "" >> ${LXC_PATH}/config
	387	echo "# Network configuration" >> ${LXC_PATH}/config
388	cat ${LXC_PATH}/config-network >> ${LXC_PATH}/config
389	rm ${LXC_PATH}/config-network
390	fi
391
392	TEMPLATE_FILES="${LXC_PATH}/config"
393
394	# Setup the fstab
395	if [ -e $fstab ]; then
396	cp ${fstab} ${LXC_PATH}/fstab
397	TEMPLATE_FILES="$TEMPLATE_FILES ${LXC_PATH}/fstab"
398	fi
399
400	# Look for extra templates
401	if [ -e "$(relevant_file templates)" ]; then
402	while read line; do
403	fullpath=${LXC_ROOTFS}/$line
404	[ ! -e "$fullpath" ] && continue
405	TEMPLATE_FILES="$TEMPLATE_FILES $fullpath"
406	done < $(relevant_file templates)
407	fi
408
409	# Replace variables in all templates
410	for file in $TEMPLATE_FILES; do
fad96766	411	[ ! -f "$file" ] && continue
71d3a659 SG	412
	413	sed -i "s#LXC_NAME#$LXC_NAME#g" $file
	414	sed -i "s#LXC_PATH#$LXC_PATH#g" $file
	415	sed -i "s#LXC_ROOTFS#$LXC_ROOTFS#g" $file
	416	sed -i "s#LXC_TEMPLATE_CONFIG#$LXC_TEMPLATE_CONFIG#g" $file
	417	sed -i "s#LXC_HOOK_DIR#$LXC_HOOK_DIR#g" $file
	418	done
	419
	420	if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
	421	chown $LXC_MAPPED_UID -f $LXC_PATH/config $LXC_PATH/fstab \|\| true
	422	fi
	423
	424	if [ -e "$(relevant_file create-message)" ]; then
	425	echo ""
	426	echo "---"
	427	cat "$(relevant_file create-message)"
	428	fi
	429
	430	exit 0