lxc-ubuntu-cloud: Fix cache and lock location

[mirror_lxc.git] / templates / lxc-fedora.in

#!/bin/bash

#
# template script for generating fedora container for LXC
#

#
# lxc: linux Container library

# Authors:
# Daniel Lezcano <daniel.lezcano@free.fr>
# Ramez Hanna <rhanna@informatiq.org>
# Michael H. Warfield <mhw@WittsEnd.com>

# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

#Configurations
arch=$(uname -m)
cache_base=@LOCALSTATEDIR@/cache/lxc/fedora/$arch
default_path=@LXCPATH@

# Some combinations of the tunning knobs below do not exactly make sense.
# but that's ok.
#
# If the "root_password" is non-blank, use it, else set a default.
# This can be passed to the script as an environment variable and is
# set by a shell conditional assignment.  Looks weird but it is what it is.
#
# If the root password contains a ding ($) then try to expand it.
# That will pick up things like ${name} and ${RANDOM}.
# If the root password contians more than 3 consecutive X's, pass it as
# a template to mktemp and take the result.
#
# If root_display_password = yes, display the temporary root password at exit.
# If root_store_password = yes, store it in the configuration directory
# If root_prompt_password = yes, invoke "passwd" to force the user to change
# the root password after the container is created.
#
# These are conditional assignments...  The can be overridden from the
# preexisting environment variables...
#
# Make sure this is in single quotes to defer expansion to later!
# :{root_password='Root-${name}-${RANDOM}'}
: ${root_password='Root-${name}-XXXXXX'}

# Now, it doesn't make much sense to display, store, and force change
# together.  But, we gotta test, right???
: ${root_display_password='no'}
: ${root_store_password='yes'}
# Prompting for something interactive has potential for mayhem
# with users running under the API...  Don't default to "yes"
: ${root_prompt_password='no'}

# These are only going into comments in the resulting config...
lxc_network_type=veth
lxc_network_link=lxcbr0

# is this fedora?
# Alow for weird remixes like the Raspberry Pi
#
# Use the Mitre standard CPE identifier for the release ID if possible...
# This may be in /etc/os-release or /etc/system-release-cpe.  We
# should be able to use EITHER.  Give preference to /etc/os-release for now.

if [ -e /etc/os-release ]
then
# This is a shell friendly configuration file.  We can just source it.
# What we're looking for in here is the ID, VERSION_ID and the CPE_NAME
    . /etc/os-release
    echo "Host CPE ID from /etc/os-release: ${CPE_NAME}"
fi

if [ "${CPE_NAME}" = "" -a -e /etc/system-release-cpe ]
then
    CPE_NAME=$(head -n1 /etc/system-release-cpe)
    CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:]*\)')
    if [ "${CPE_URI}" != "cpe:/o" ]
    then
        CPE_NAME=
    else
        echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}"
        # Probably a better way to do this but sill remain posix
        # compatible but this works, shrug...
        # Must be nice and not introduce convenient bashisms here.
        ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:\([^:]*\)')
        VERSION_ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:[^:]*:\([^:]*\)')
    fi
fi

if [ "${CPE_NAME}" != "" -a "${ID}" = "fedora" -a "${VERSION_ID}" != "" ]
then
    fedora_host_ver=${VERSION_ID}
    is_fedora=true
elif [ -e /etc/redhat-release ]
then
    # Only if all other methods fail, try to parse the redhat-release file.
    fedora_host_ver=$( sed -e '/^Fedora /!d' -e 's/Fedora.*\srelease\s*\([0-9][0-9]*\)\s.*/\1/' < /etc/redhat-release )
    if [ "$fedora_host_ver" != "" ]
    then
        is_fedora=true
    fi
fi

# Map a few architectures to their generic Fedora repository archs.
# The two ARM archs are a bit of a guesstimate for the v5 and v6
# archs.  V6 should have hardware floating point (Rasberry Pi).
# The "arm" arch is safer (no hardware floating point).  So
# there may be cases where we "get it wrong" for some v6 other
# than RPi.
case "$arch" in
i686) arch=i386 ;;
armv3l|armv4l|armv5l) arch=arm ;;
armv6l|armv7l|armv8l) arch=armhfp ;;
esac

configure_fedora()
{

    # disable selinux in fedora
    mkdir -p $rootfs_path/selinux
    echo 0 > $rootfs_path/selinux/enforce

    # Also kill it in the /etc/selinux/config file if it's there...
    if [[ -f $rootfs_path/etc/selinux/config ]]
    then
        sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' $rootfs_path/etc/selinux/config
    fi

    # Nice catch from Dwight Engen in the Oracle template.
    # Wantonly plagerized here with much appreciation.
    if [ -f $rootfs_path/usr/sbin/selinuxenabled ]; then
        mv $rootfs_path/usr/sbin/selinuxenabled $rootfs_path/usr/sbin/selinuxenabled.lxcorig
        ln -s /bin/false $rootfs_path/usr/sbin/selinuxenabled
    fi

    # This is a known problem and documented in RedHat bugzilla as relating
    # to a problem with auditing enabled.  This prevents an error in
    # the container "Cannot make/remove an entry for the specified session"
    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login
    sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd

    if [ -f ${rootfs_path}/etc/pam.d/crond ]
    then
        sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/crond
    fi

    # In addition to disabling pam_loginuid in the above config files
    # we'll also disable it by linking it to pam_permit to catch any
    # we missed or any that get installed after the container is built.
    #
    # Catch either or both 32 and 64 bit archs.
    if [ -f ${rootfs_path}/lib/security/pam_loginuid.so ]
    then
        ( cd ${rootfs_path}/lib/security/
        mv pam_loginuid.so pam_loginuid.so.disabled
        ln -s pam_permit.so pam_loginuid.so
        )
    fi

    if [ -f ${rootfs_path}/lib64/security/pam_loginuid.so ]
    then
        ( cd ${rootfs_path}/lib64/security/
        mv pam_loginuid.so pam_loginuid.so.disabled
        ln -s pam_permit.so pam_loginuid.so
        )
    fi

    # Deal with some dain bramage in the /etc/init.d/halt script.
    # Trim it and make it our own and link it in before the default
    # halt script so we can intercept it.  This also preventions package
    # updates from interferring with our interferring with it.
    #
    # There's generally not much in the halt script that useful but what's
    # in there from resetting the hardware clock down is generally very bad.
    # So we just eliminate the whole bottom half of that script in making
    # ourselves a copy.  That way a major update to the init scripts won't
    # trash what we've set up.
    #
    # This is mostly for legacy distros since any modern systemd Fedora
    # release will not have this script so we won't try to intercept it.
    if [ -f ${rootfs_path}/etc/init.d/halt ]
    then
        sed -e '/hwclock/,$d' \
            < ${rootfs_path}/etc/init.d/halt \
            > ${rootfs_path}/etc/init.d/lxc-halt

        echo '$command -f' >> ${rootfs_path}/etc/init.d/lxc-halt
        chmod 755 ${rootfs_path}/etc/init.d/lxc-halt

        # Link them into the rc directories...
        (
             cd ${rootfs_path}/etc/rc.d/rc0.d
             ln -s ../init.d/lxc-halt S00lxc-halt
             cd ${rootfs_path}/etc/rc.d/rc6.d
             ln -s ../init.d/lxc-halt S00lxc-reboot
        )
    fi

    # configure the network using the dhcp
    cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
HOSTNAME=${utsname}
NM_CONTROLLED=no
TYPE=Ethernet
MTU=${MTU}
EOF

    # set the hostname
    cat <<EOF > ${rootfs_path}/etc/sysconfig/network
NETWORKING=yes
HOSTNAME=${utsname}
EOF

    # set hostname on systemd Fedora systems
    if [ $release -gt 14 ]; then
        echo "${utsname}" > ${rootfs_path}/etc/hostname
    fi

    # set minimal hosts
    cat <<EOF > $rootfs_path/etc/hosts
127.0.0.1 localhost.localdomain localhost $utsname
::1                 localhost6.localdomain6 localhost6
EOF

    # These mknod's really don't make any sense with modern releases of
    # Fedora with systemd, devtmpfs, and autodev enabled.  They are left
    # here for legacy reasons and older releases with upstart and sysv init.
    dev_path="${rootfs_path}/dev"
    rm -rf $dev_path
    mkdir -p $dev_path
    mknod -m 666 ${dev_path}/null c 1 3
    mknod -m 666 ${dev_path}/zero c 1 5
    mknod -m 666 ${dev_path}/random c 1 8
    mknod -m 666 ${dev_path}/urandom c 1 9
    mkdir -m 755 ${dev_path}/pts
    mkdir -m 1777 ${dev_path}/shm
    mknod -m 666 ${dev_path}/tty c 5 0
    mknod -m 666 ${dev_path}/tty0 c 4 0
    mknod -m 666 ${dev_path}/tty1 c 4 1
    mknod -m 666 ${dev_path}/tty2 c 4 2
    mknod -m 666 ${dev_path}/tty3 c 4 3
    mknod -m 666 ${dev_path}/tty4 c 4 4
    mknod -m 600 ${dev_path}/console c 5 1
    mknod -m 666 ${dev_path}/full c 1 7
    mknod -m 600 ${dev_path}/initctl p
    mknod -m 666 ${dev_path}/ptmx c 5 2

    if [ ${root_display_password} = "yes" ]
    then
        echo "Setting root password to '$root_password'"
    fi
    if [ ${root_store_password} = "yes" ]
    then
        touch ${config_path}/tmp_root_pass
        chmod 600 ${config_path}/tmp_root_pass
        echo ${root_password} > ${config_path}/tmp_root_pass
        echo "Storing root password in '${config_path}/tmp_root_pass'"
    fi

    echo "root:$root_password" | chroot $rootfs_path chpasswd
    # Also set this password as expired to force the user to change it!
    chroot $rootfs_path passwd -e root

    # specifying this in the initial packages doesn't always work.
    # Even though it should have...
    echo "installing fedora-release package"
    mount -o bind /dev ${rootfs_path}/dev
    mount -t proc proc ${rootfs_path}/proc
    # Always make sure /etc/resolv.conf is up to date in the target!
    cp /etc/resolv.conf ${rootfs_path}/etc/
    # Rebuild the rpm database based on the target rpm version...
    rm -f ${rootfs_path}/var/lib/rpm/__db*
    chroot ${rootfs_path} rpm --rebuilddb
    chroot ${rootfs_path} yum -y install fedora-release

    if [[ ! -e ${rootfs_path}/sbin/NetworkManager ]]
    then
        # NetworkManager has not been installed.  Use the
        # legacy chkconfig command to enable the network startup
        # scripts in the container.
        chroot ${rootfs_path} chkconfig network on
    fi

    umount ${rootfs_path}/proc
    umount ${rootfs_path}/dev

    # silence some needless startup errors
    touch ${rootfs_path}/etc/fstab

    # give us a console on /dev/console
    sed -i 's/ACTIVE_CONSOLES=.*$/ACTIVE_CONSOLES="\/dev\/console \/dev\/tty[1-4]"/' \
        ${rootfs_path}/etc/sysconfig/init

    return 0
}

configure_fedora_init()
{
    sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit
    sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.d/rc.sysinit
    # don't mount devpts, for pete's sake
    sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs_path}/etc/rc.sysinit
    sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs_path}/etc/rc.d/rc.sysinit
    chroot ${rootfs_path} chkconfig udev-post off
    chroot ${rootfs_path} chkconfig network on
}

configure_fedora_systemd()
{
    rm -f ${rootfs_path}/etc/systemd/system/default.target
    touch ${rootfs_path}/etc/fstab
    chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/udev.service
    chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
    #dependency on a device unit fails it specially that we disabled udev
    # sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service
    #
    # Actually, the After=dev-%i.device line does not appear in the
    # Fedora 17 or Fedora 18 systemd getty\@.service file.  It may be left
    # over from an earlier version and it's not doing any harm.  We do need
    # to disable the "ConditionalPathExists=/dev/tty0" line or no gettys are
    # started on the ttys in the container.  Lets do it in an override copy of
    # the service so it can still pass rpm verifies and not be automatically
    # updated by a new systemd version.  --  mhw  /\/\|=mhw=|\/\/

    sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
        -e 's/After=dev-%i.device/After=/' \
        < ${rootfs_path}/lib/systemd/system/getty\@.service \
        > ${rootfs_path}/etc/systemd/system/getty\@.service
    # Setup getty service on the 4 ttys we are going to allow in the
    # default config.  Number should match lxc.tty
    ( cd ${rootfs_path}/etc/systemd/system/getty.target.wants
        for i in 1 2 3 4 ; do ln -sf ../getty\@.service getty@tty${i}.service; done )
}

### BEGIN Bootstrap Environment Code...  Michael H. Warfield /\/\|=mhw=|\/\/

# Ok...  Heads up.  If you're reading these comments, you're either a
# template owner or someone wondering how the hell I did this (or, worse,
# someone in the future trying to maintain it).  This code is slightly
# "evil coding bastard" code with one significant hack / dirty trick
# that you would probably miss just reading the code below.  I'll mark
# it out with comments.
#
# Because of what this code does, it deserves a lot of comments so people
# can understand WHY I did it this way...
#
# Ultimate Objective - Build a Fedora container on a host system which does
# not have a (complete compatible) version of rpm and/or yum.  That basically
# means damn near any distro other than Fedora and Ubuntu (which has rpm and
# yum available).  Only requirements for this function are rsync and
# squashfs available to the kernel.  If you don't have those, why are you
# even attempting to build containers?
#
# Challenge for this function - Bootstrap a Fedora install bootstrap
# run time environment which has all the pieces to run rpm and yum and
# from which we can build targets containers even where the host system
# has no support for rpm, yum, or fedora.
#
# Steps:
#       Stage 0 - Download a Fedora LiveOS squashfs core (netinst core).
#       Stage 1 - Extract filesystem from Stage 0 and update to full rpm & yum
#       Stage 2 - Use Stage 1 to build a rootfs with python, rpm, and yum.
#
#       Stage 2 becomes our bootstrap file system which can be cached
#       and then used to build other arbitrary vesions of Fedora of a
#       given architecture.  Not that this only has to run once for
#       Fedora on a given architecture since rpm and yum can build other
#       versions.  We'll arbitrarily pick Fedora 19 to build this.  This
#       will need to change as time goes on.

# Programmers Note...  A future fall back may be to download the netinst
#       iso image instead of the LiveOS squasfs image and work from that.
#       That may be more general but will introduce another substep
#       (mounting the iso) to the stage0 setup.

# This system is designed to be as autonomous as possible so all whitelists
# and controlls are self-contained.

# Initial testing - Whitelist nobody.  Build for everybody...
# Initial deployment - Whitelist Fedora.
# Long term - Whitelist Fedora, Debian, Ubuntu, CentOs, Scientific, and NST.

# List of distros which do not (should not) need a bootstrap (but we will test
# for rpm and yum none the less...  OS SHOULD be taken from CPE values but
# Debian / Ubuntu doesn't support CPE yet.

# BOOTSTRAP_WHITE_LIST=""
BOOTSTRAP_WHITE_LIST="fedora"
# BOOTSTRAP_WHITE_LIST="fedora debian ubuntu centos scientific sl nst"

BOOTSTRAP=0
BOOTSTRAP_DIR=
BOOTSTRAP_CHROOT=

fedora_get_bootstrap()
{
    echo "Bootstrap Environment testing..."

    WHITE_LISTED=1

    # We need rpm.  No rpm - not possible to white list...
    if ! which rpm > /dev/null 2>&1
    then
        WHITE_LISTED=0
    fi

    # We need yum  No yum - not possible to white list...
    if ! which yum > /dev/null 2>&1
    then
        WHITE_LISTED=0
    fi

    if [[ ${WHITE_LISTED} != 0 ]]
    then
        for OS in ${BOOTSTRAP_WHITE_LIST}
        do
            if [[ ${ID} = ${OS} ]]
            then
                echo "
OS ${ID} is whitelisted.  Installation Bootstrap Environment not required.
"
                return 0;
            fi
        done
    fi

    echo "
Fedora Installation Bootstrap Build..."

    if ! which rsync > /dev/null 2>&1
    then
        echo "
Unable to locate rsync.  Cravely bailing out before even attempting to build
an Installation Bootstrap  Please install rsync and then rerun this process.
"

        return 255
    fi

    [[ -d ${cache_base} ]] || mkdir -p ${cache_base}

    cd ${cache_base}

    # We know we don't have a cache directory of this version or we
    # would have never reached this code to begin with.  But we may
    # have another Fedora cache directory from which we could run...
    # We'll give a preference for close matches prefering higher over
    # lower - which makes for really ugly code...

    # Is this a "bashism" that will need cleaning up????
    BOOTSTRAP_LIST="$(( $release + 1 ))/rootfs $(( $release - 1 ))/rootfs \
$(( $release + 2 ))/rootfs $(( $release - 2 ))/rootfs \
$(( $release + 3 ))/rootfs $(( $release - 3 ))/rootfs \
bootstrap"

    for bootstrap in ${BOOTSTRAP_LIST}
    do
        if [[ -d ${bootstrap} ]]
        then
            echo "
Existing Bootstrap found.  Testing..."

            mount -o bind /dev ${bootstrap}/dev
            mount -t proc proc ${bootstrap}/proc
            # Always make sure /etc/resolv.conf is up to date in the target!
            cp /etc/resolv.conf ${bootstrap}/etc/
            rm -f ${bootstrap}/var/lib/rpm/__db*
            chroot ${bootstrap} rpm --rebuilddb
            chroot ${bootstrap} yum -y update
            RC=$?
            umount ${bootstrap}/proc
            umount ${bootstrap}/dev

            if [[ 0 == ${RC} ]]
            then
                BOOTSTRAP=1
                BOOTSTRAP_DIR="${cache_base}/${bootstrap}"
                BOOTSTRAP_CHROOT="chroot ${BOOTSTRAP_DIR} "
                BOOTSTRAP_INSTALL_ROOT=/run/install

            echo "
Functional Installation Bootstrap exists and appears to be completed.
Will use existing Bootstrap:  ${BOOTSTRAP_DIR}
"
            return 0
        fi
        echo "
Installation Bootstrap in ${BOOTSTRAP_DIR} exists
but appears to be non-functional.  Skipping...  It should be removed.
"
    fi
    done

    TMP_BOOTSTRAP_DIR=$( mktemp -d --tmpdir=${cache_base} bootstrap_XXXXXX )

    cd ${TMP_BOOTSTRAP_DIR}

    mkdir squashfs stage0 stage1 bootstrap

### Stage 0 setup.
#       Download the LiveOS squashfs image
#       mount image to "squashfs"
#       mount contained LiveOS to stage0

# We're going to use the kernel.org mirror for the initial stages...
#       1 - It's generally up to date and comnplete
#       2 - It's has high bandwidth access
#       3 - It supports rsync and wildcarding (and we need both)
#       4 - Not all the mirrors carry the LiveOS images

    if [[ ! -f ../LiveOS/squashfs.img ]]
    then
        echo "
Downloading stage 0 LiveOS squashfs file system from mirrors.kernel.org...
Have a beer or a cup of coffee.  This will take a bit (~300MB).
"
        sleep 3 # let him read it...

        # Right now, we are using Fedora 19 for the inial bootstrap.
        # We could make this the "current" Fedora rev (F > 15).

        rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/LiveOS .

        if [[ 0 == $? ]]
        then
            echo "Download of squashfs image complete."
            mv LiveOS ..
        else
            echo "
Download of squashfs image failed.
"
            return 255
        fi
    else
        echo "Using cached stage 0 LiveOS squashfs file system."
    fi

    mount -o loop ../LiveOS/squashfs.img squashfs

    if [[ $? != 0 ]]
    then
        echo "
Mount of LiveOS squashfs image failed!  You mush have squashfs support
available to mount image.  Unable to continue.  Correct and retry
process later!  LiveOS image not removed.  Process may be rerun
without penalty of downloading LiveOS again.  If LiveOS is corrupt,
remove ${cache_base}/LiveOS before rerunning to redownload.
"
        return 255
    fi

    mount -o loop squashfs/LiveOS/rootfs.img stage0

    if [[ $? != 0 ]]
    then
        echo "
Mount of LiveOS stage0 rootfs image failed!  LiveOS download may be corrupt.
Remove ${cache_base}/LiveOS to force a new download or
troubleshoot cached image and then rerun process.
"
        return 255
    fi


### Stage 1 setup.
#       Copy stage0 (which is ro) to stage1 area (rw) for modification.
#       Unmount stage0 mounts - we're done with stage 0 at this point.
#       Download our rpm and yum rpm packages.
#       Force install of rpm and yum into stage1 image (dirty hack!)

    echo "Stage 0 complete, building Stage 1 image...
This will take a couple of minutes.  Patience..."

    echo "Creating Stage 1 r/w copy of r/o Stage 0 squashfs image from LiveOS."

    rsync -aAHS stage0/. stage1/

    umount stage0
    umount squashfs

    cd stage1

    # Setup stage1 image with pieces to run installs...


    mount -o bind /dev dev
    mount -t proc proc proc
    # Always make sure /etc/resolv.conf is up to date in the target!
    cp /etc/resolv.conf etc/

    mkdir run/install

    echo "Updating Stage 1 image with full rpm and yum packages"

    # Retrieve our 2 rpm packages we need to force down the throat
    # of this LiveOS image we're camped out on.  This is the beginning
    # of the butt ugly hack.  Look close or you may missing it...

    rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/r/rpm-[0-9]* \
        mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/y/yum-[0-9]* .

    # And here it is...
    # The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
    chroot . rpm -ivh --nodeps rpm-* yum-*
    # Did you catch it?

    # The LiveOS image contains rpm (but not rpmdb) and yum (but not
    # yummain.py - What the hell good does yum do with no
    # yummain.py?!?! - Sigh...).  It contains all the supporting
    # pieces but the rpm database has not be initialized and it
    # doesn't know all the dependences (seem to) have been met.
    # So we do a "--nodeps" rpm install in the chrooted environment
    # to force the installation of the full rpm and yum packages.
    #
    # For the purists - Yes, I know the rpm database is wildly out
    # of whack now.  That's why this is a butt ugly hack / dirty trick.
    # But, this is just the stage1 image that we are going to discard as
    # soon as the stage2 image is built, so we don't care.  All we care
    # is that the stage2 image ends up with all the pieces it need to
    # run yum and rpm and that the stage2 rpm database is coherent.
    #
    # NOW we can really go to work!

### Stage 2 setup.
#       Download our Fedora Release rpm packages.
#       Install fedora-release into bootstrap to initialize fs and databases.
#       Install rpm, and yum into bootstrap image using yum

    echo "Stage 1 creation complete.  Building stage 2 Installation Bootstrap"

    mount -o bind ../bootstrap run/install
    rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/$arch/os/Packages/f/fedora-release-19* .

    # The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
    chroot . rpm --root /run/install --nodeps -ivh fedora-release-*
    chroot . yum -y --nogpgcheck --installroot /run/install install python rpm yum

    umount run/install
    umount proc
    umount dev

#       That's it!  We should now have a viable installation BOOTSTRAP in
#       bootstrap  We'll do a yum update in that to verify and then
#       move it to the cache location before cleaning up.

    cd ../bootstrap
    mount -o bind /dev dev
    mount -t proc proc proc
    # Always make sure /etc/resolv.conf is up to date in the target!
    cp /etc/resolv.conf etc/

    chroot . yum -y update

    RC=$?

    umount proc
    umount dev

    cd ..

    if [[ ${RC} != 0 ]]
    then
        echo "
Build of Installation Bootstrap failed.  Temp directory
not removed so it can be investigated.
"
        return 255
    fi

    # We know have a working run time environment in rootfs...
    mv bootstrap ..
    cd ..
    rm -rf ${TMP_BOOTSTRAP_DIR}

    echo "
Build of Installation Bootstrap complete!  We now return you to your
normally scheduled template creation.
"

    BOOTSTRAP=1
    BOOTSTRAP_DIR="${cache_base}/bootstrap"
    BOOTSTRAP_CHROOT="chroot ${BOOTSTRAP_DIR} "
    BOOTSTRAP_INSTALL_ROOT=/run/install

    return 0
}


fedora_bootstrap_mounts()
{
    if [[ ${BOOTSTRAP} -ne 1 ]]
    then
        return 0
    fi

    BOOTSTRAP_CHROOT="chroot ${BOOTSTRAP_DIR} "

    echo "Mounting Bootstrap mount points"

    [[ -d ${BOOTSTRAP_DIR}/run/install ]] || mkdir -p ${BOOTSTRAP_DIR}/run/install

    mount -o bind ${INSTALL_ROOT} ${BOOTSTRAP_DIR}/run/install
    mount -o bind /dev ${BOOTSTRAP_DIR}/dev
    mount -t proc proc ${BOOTSTRAP_DIR}/proc
    # Always make sure /etc/resolv.conf is up to date in the target!
    cp /etc/resolv.conf ${BOOTSTRAP_DIR}/etc/
}

fedora_bootstrap_umounts()
{
    if [[ ${BOOTSTRAP} -ne 1 ]]
    then
        return 0
    fi

    umount ${BOOTSTRAP_DIR}/proc
    umount ${BOOTSTRAP_DIR}/dev
    umount ${BOOTSTRAP_DIR}/run/install
}


# This is the code to create the initial roofs for Fedora.  It may
# require a run time environment by calling the routines above...

download_fedora()
{

    # check the mini fedora was not already downloaded
    INSTALL_ROOT=$cache/partial
    mkdir -p $INSTALL_ROOT
    if [ $? -ne 0 ]; then
        echo "Failed to create '$INSTALL_ROOT' directory"
        return 1
    fi

    # download a mini fedora into a cache
    echo "Downloading fedora minimal ..."

    # These will get changed if it's decided that we need a
    # boostrap environment (can not build natively)

    BOOTSTRAP_INSTALL_ROOT=${INSTALL_ROOT}
    BOOTSTRAP_CHROOT=

    PKG_LIST="yum initscripts passwd rsyslog vim-minimal openssh-server openssh-clients dhclient chkconfig rootfiles policycoreutils fedora-release"
    MIRRORLIST_URL="http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$release&arch=$arch"

    if [[ ${release} -lt 17 ]]
    then
        # The reflects the move of db_dump and db_load from db4_utils to
        # libdb_utils in Fedora 17 and above and it's inclusion as a dep...
        # Prior to Fedora 11, we need to explicitly include it!
        PKG_LIST="${PKG_LIST} db4-utils"
    fi

    DOWNLOAD_OK=no

    # We're splitting the old loop into two loops plus a directory retrival.
    # First loop...  Try and retrive a mirror list with retries and a slight
    # delay between attempts...
    for trynumber in 1 2 3 4; do
        [ $trynumber != 1 ] && echo "Trying again..."
        # This code is mildly "brittle" in that it assumes a certain
        # page format and parsing HTML.  I've done worse.  :-P
        MIRROR_URLS=$(curl -s -S -f "$MIRRORLIST_URL" | sed -e '/^http:/!d' -e '2,6!d')
        if [ $? -eq 0 ] && [ -n "$MIRROR_URLS" ]
        then
            break
        fi

        echo "Failed to get a mirror on try $trynumber"
        sleep 3
     done

     # This will fall through if we didn't get any URLS above
     for MIRROR_URL in ${MIRROR_URLS}
     do
        if [ "$release" -gt "16" ]; then
            RELEASE_URL="$MIRROR_URL/Packages/f"
        else
            RELEASE_URL="$MIRROR_URL/Packages/"
        fi

        echo "Fetching rpm name from $RELEASE_URL..."
        # This code is mildly "brittle" in that it assumes a certain directory
        # page format and parsing HTML.  I've done worse.  :-P
        RELEASE_RPM=$(curl -L -f "$RELEASE_URL" | sed -e "/fedora-release-${release}-/!d" -e 's/.*<a href=\"//' -e 's/\">.*//' )
        if [ $? -ne 0  -o "${RELEASE_RPM}" = "" ]; then
            echo "Failed to identify fedora release rpm."
            continue
        fi

        echo "Fetching fedora release rpm from ${RELEASE_URL}/${RELEASE_RPM}......"
        curl -L -f "${RELEASE_URL}/${RELEASE_RPM}" > ${INSTALL_ROOT}/${RELEASE_RPM}
        if [ $? -ne 0 ]; then
            echo "Failed to download fedora release rpm ${RELEASE_RPM}."
            continue
        fi

        DOWNLOAD_OK=yes
        break
    done

    if [ $DOWNLOAD_OK != yes ]; then
        echo "Aborting"
        return 1
    fi

    mkdir -p ${INSTALL_ROOT}/var/lib/rpm

    if ! fedora_get_bootstrap
    then
        echo "Fedora Bootstrap setup failed"
        return 1
    fi

    fedora_bootstrap_mounts

    ${BOOTSTRAP_CHROOT}rpm --root ${BOOTSTRAP_INSTALL_ROOT} --initdb
    # The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
    ${BOOTSTRAP_CHROOT}rpm --root ${BOOTSTRAP_INSTALL_ROOT} --nodeps -ivh ${BOOTSTRAP_INSTALL_ROOT}/${RELEASE_RPM}
    ${BOOTSTRAP_CHROOT}yum --installroot ${BOOTSTRAP_INSTALL_ROOT} -y --nogpgcheck install ${PKG_LIST}

    RC=$?

    if [[ ${BOOTSTRAP} -eq 1 ]]
    then
    # Here we have a bit of a sticky problem.  We MIGHT have just installed
    # this template cache using versions of yum and rpm in the bootstrap
    # chroot that use a different database version than the target version.
    # That can be a very big problem.  Solution is to rebuild the rpmdatabase
    # with the target database now that we are done building the cache.  In the
    # vast majority of cases, this is a do-not-care with no harm done if we
    # didn't do it.  But it catches several corner cases with older unsupported
    # releases and it really doesn't cost us a lot of time for a one shot
    # install that will never be done again for this rev.
    #
    # Thanks and appreciation to Dwight Engen and the Oracle template for the
    # database rewrite hint!

        echo "Fixing up rpm databases"

        # Change to our target install directory (if we're not already
        # there) just to simplify some of the logic to follow...
        cd ${INSTALL_ROOT}

        rm -f var/lib/rpm/__db*
        # Programmers Note (warning):
        #
        # Pay careful attention to the following commands!  It
        # crosses TWO chroot boundaries linked by a bind mount!
        # In the bootstrap case, that's the bind mount of ${INSTALL_ROOT}
        # to the ${BOOTSTRAP_CHROOT}/run/install directory!  This is
        # a deliberate hack across that bind mount to do a database
        # translation between two environments, neither of which may
        # be the host environment!  It's ugly and hard to follow but,
        # if you don't understand it, don't mess with it!  The pipe
        # is in host space between the two chrooted environments!
        # This is also why we cd'ed into the INSTALL_ROOT directory
        # in advance of this loop, so everything is relative to the
        # current working directory and congruent with the same working
        # space in both chrooted environments.  The output into the new
        # db is also done in INSTALL_ROOT space but works in either host
        # space or INSTALL_ROOT space for the mv, so we don't care.  It's
        # just not obvious what's happening in the db_dump and db_load
        # commands...
        #
        for db in var/lib/rpm/* ; do
            ${BOOTSTRAP_CHROOT} db_dump ${BOOTSTRAP_INSTALL_ROOT}/$db | chroot . db_load $db.new
            mv $db.new $db
        done
        # finish up by rebuilding the database...
        # This should be redundant but we do it for completeness and
        # any corner cases I may have missed...
        mount -t proc proc proc
        mount -o bind /dev dev
        chroot . rpm --rebuilddb
        umount dev
        umount proc
    fi

    fedora_bootstrap_umounts

    if [ ${RC} -ne 0 ]; then
        echo "Failed to download the rootfs, aborting."
        return 1
    fi

    mv "$INSTALL_ROOT" "$cache/rootfs"
    echo "Download complete."

    return 0
}

copy_fedora()
{

    # make a local copy of the minifedora
    echo -n "Copying rootfs to $rootfs_path ..."
    #cp -a $cache/rootfs-$arch $rootfs_path || return 1
    # i prefer rsync (no reason really)
    mkdir -p $rootfs_path
    rsync -Ha $cache/rootfs/ $rootfs_path/
    echo
    return 0
}

update_fedora()
{
    mount -o bind /dev ${cache}/rootfs/dev
    mount -t proc proc ${cache}/rootfs/proc
    # Always make sure /etc/resolv.conf is up to date in the target!
    cp /etc/resolv.conf ${cache}/rootfs/etc/
    chroot ${cache}/rootfs yum -y update
    umount ${cache}/rootfs/proc
    umount  ${cache}/rootfs/dev
}

install_fedora()
{
    mkdir -p @LOCALSTATEDIR@/lock/subsys/
    (
        flock -x 200
        if [ $? -ne 0 ]; then
            echo "Cache repository is busy."
            return 1
        fi

        echo "Checking cache download in $cache/rootfs ... "
        if [ ! -e "$cache/rootfs" ]; then
            download_fedora
            if [ $? -ne 0 ]; then
                echo "Failed to download 'fedora base'"
                return 1
            fi
        else
            echo "Cache found. Updating..."
            update_fedora
            if [ $? -ne 0 ]; then
                echo "Failed to update 'fedora base', continuing with last known good cache"
            else
                echo "Update finished"
            fi
        fi

        echo "Copy $cache/rootfs to $rootfs_path ... "
        copy_fedora
        if [ $? -ne 0 ]; then
            echo "Failed to copy rootfs"
            return 1
        fi

        return 0
    ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora

    return $?
}

# Generate a random hardware (MAC) address composed of FE followed by
# 5 random bytes...
create_hwaddr()
{
    echo $(dd if=/dev/urandom bs=8 count=1 2>/dev/null | md5sum |
        sed -e 's/\(..\)\(..\)\(..\)\(..\)\(..\).*/fe:\1:\2:\3:\4:\5/')
}

copy_configuration()
{
    mkdir -p $config_path

    grep -q "^lxc.rootfs" $config_path/config 2>/dev/null || echo "
lxc.rootfs = $rootfs_path
" >> $config_path/config

    # The following code is to create static MAC addresses for each
    # interface in the container.  This code will work for multiple
    # interfaces in the default config.  It will also strip any
    # hwaddr stanzas out of the default config since we can not share
    # MAC addresses between containers.
    mv $config_path/config $config_path/config.def
    while read LINE
    do
        # This should catch variable expansions from the default config...
        if expr "${LINE}" : '.*\$' > /dev/null 2>&1
        then
                LINE=$(eval "echo \"${LINE}\"")
        fi

        # There is a tab and a space in the regex bracket below!
        # Seems that \s doesn't work in brackets.
        KEY=$(expr "${LINE}" : '\s*\([^	 ]*\)\s*=')

        if [[ "${KEY}" != "lxc.network.hwaddr" ]]
        then
            echo "${LINE}" >> $config_path/config

            if [[ "${KEY}" == "lxc.network.link" ]]
            then
                echo "lxc.network.hwaddr = $(create_hwaddr)" >> $config_path/config
            fi
        fi
    done < $config_path/config.def

    rm -f $config_path/config.def

    cat <<EOF >> $config_path/config
lxc.utsname = $utsname
lxc.tty = 4
lxc.pts = 1024
lxc.mount = $config_path/fstab
lxc.cap.drop = sys_module mac_admin mac_override sys_time

lxc.autodev = $auto_dev

# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined

# example simple networking setup, uncomment to enable
#lxc.network.type = $lxc_network_type
#lxc.network.flags = up
#lxc.network.link = $lxc_network_link
#lxc.network.name = eth0
# Additional example for veth network type
#    static MAC address,
#lxc.network.hwaddr = 00:16:3e:77:52:20
#    persistent veth device name on host side
#        Note: This may potentially collide with other containers of same name!
#lxc.network.veth.pair = v-$name-e0

#cgroups
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rm
EOF

    cat <<EOF > $config_path/fstab
proc            proc         proc    nodev,noexec,nosuid 0 0
sysfs           sys          sysfs defaults  0 0
EOF

    if [ $? -ne 0 ]; then
        echo "Failed to add configuration"
        return 1
    fi

    return 0
}

clean()
{

    if [ ! -e $cache ]; then
        exit 0
    fi

    # lock, so we won't purge while someone is creating a repository
    (
        flock -x 200
        if [ $? != 0 ]; then
            echo "Cache repository is busy."
            exit 1
        fi

        echo -n "Purging the download cache for Fedora-$release..."
        rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
        exit 0
    ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
}

usage()
{
    cat <<EOF
usage:
    $1 -n|--name=<container_name>
        [-p|--path=<path>] [-c|--clean] [-R|--release=<Fedora_release>] [--fqdn=<network name of container>] [-A|--arch=<arch of the container>]
        [-h|--help]
Mandatory args:
  -n,--name         container name, used to as an identifier for that container from now on
Optional args:
  -p,--path         path to where the container will be created, defaults to @LXCPATH@. The container config will go under @LXCPATH@ in that case
  --rootfs          path for actual rootfs.
  -c,--clean        clean the cache
  -R,--release      Fedora release for the new container. if the host is Fedora, then it will default to the host's release.
     --fqdn         fully qualified domain name (FQDN) for DNS and system naming
  -A,--arch         NOT USED YET. Define what arch the container will be [i686,x86_64]
  -h,--help         print this help
EOF
    return 0
}

options=$(getopt -o hp:n:cR: -l help,path:,rootfs:,name:,clean,release:,fqdn: -- "$@")
if [ $? -ne 0 ]; then
    usage $(basename $0)
    exit 1
fi
eval set -- "$options"

while true
do
    case "$1" in
        -h|--help)      usage $0 && exit 0;;
        -p|--path)      path=$2; shift 2;;
        --rootfs)       rootfs=$2; shift 2;;
        -n|--name)      name=$2; shift 2;;
        -c|--clean)     clean=$2; shift 2;;
        -R|--release)   release=$2; shift 2;;
        --fqdn)         utsname=$2; shift 2;;
        --)             shift 1; break ;;
        *)              break ;;
    esac
done

if [ ! -z "$clean" -a -z "$path" ]; then
    clean || exit 1
    exit 0
fi

# Let's do something better for the initial root password.
# It's not perfect but it will defeat common scanning brute force
# attacks in the case where ssh is exposed.  It will also be set to
# expired, forcing the user to change it at first login.
if [ "${root_password}" = "" ]
then
    root_password=Root-${name}-${RANDOM}
else
    # If it's got a ding in it, try and expand it!
    if [ $(expr "${root_password}" : '.*$.') != 0 ]
    then
        root_password=$(eval echo "${root_password}")
    fi

    # If it has more than 3 consequtive X's in it, feed it
    # through mktemp as a template.
    if [ $(expr "${root_password}" : '.*XXXX') != 0 ]
    then
        root_password=$(mktemp -u ${root_password})
    fi
fi

if [ -z "${utsname}" ]; then
    utsname=${name}
fi

# This follows a standard "resolver" convention that an FQDN must have
# at least two dots or it is considered a local relative host name.
# If it doesn't, append the dns domain name of the host system.
#
# This changes one significant behavior when running
# "lxc_create -n Container_Name" without using the
# --fqdn option.
#
# Old behavior:
#    utsname and hostname = Container_Name
# New behavior:
#    utsname and hostname = Container_Name.Domain_Name

if [ $(expr "$utsname" : '.*\..*\.') = 0 ]; then
    if [[ "$(dnsdomainname)" != "" && "$(dnsdomainname)" != "localdomain" ]]; then
        utsname=${utsname}.$(dnsdomainname)
    fi
fi

needed_pkgs=""

type curl >/dev/null 2>&1
if [ $? -ne 0 ]; then
    needed_pkgs="curl $needed_pkgs"
fi

if [ -n "$needed_pkgs" ]; then
    echo "Missing commands: $needed_pkgs"
    echo "Please install these using \"sudo yum install $needed_pkgs\""
    exit 1
fi

if [ -z "$path" ]; then
    path=$default_path/$name
fi

if [ -z "$release" ]; then
    if [ "$is_fedora" -a "$fedora_host_ver" ]; then
        release=$fedora_host_ver
    else
        echo "This is not a fedora host and release missing, defaulting to 19. use -R|--release to specify release"
        release=19
    fi
fi

# Fedora 15 and above run systemd.  We need autodev enabled to keep
# systemd from causing problems.
if [ $release -gt 14 ]; then
    auto_dev="1"
else
    auto_dev="0"
fi

if [ "$(id -u)" != "0" ]; then
    echo "This script should be run as 'root'"
    exit 1
fi


if [ -z "$rootfs_path" ]; then
    rootfs_path=$path/rootfs
    # check for 'lxc.rootfs' passed in through default config by lxc-create
    if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then
        rootfs_path=$(awk -F= '/^lxc.rootfs =/{ print $2 }' $path/config)
    fi
fi
config_path=$default_path/$name
cache=$cache_base/$release

revert()
{
    echo "Interrupted, so cleaning up"
    lxc-destroy -n $name
    # maybe was interrupted before copy config
    rm -rf $path
    rm -rf $default_path/$name
    echo "exiting..."
    exit 1
}

trap revert SIGHUP SIGINT SIGTERM

copy_configuration
if [ $? -ne 0 ]; then
    echo "failed write configuration file"
    exit 1
fi

install_fedora
if [ $? -ne 0 ]; then
    echo "failed to install fedora"
    exit 1
fi

configure_fedora
if [ $? -ne 0 ]; then
    echo "failed to configure fedora for a container"
    exit 1
fi

# If the systemd configuration directory exists - set it up for what we need.
if [ -d ${rootfs_path}/etc/systemd/system ]
then
    configure_fedora_systemd
fi

# This configuration (rc.sysinit) is not inconsistent with the systemd stuff
# above and may actually coexist on some upgraded systems.  Let's just make
# sure that, if it exists, we update this file, even if it's not used...
if [ -f ${rootfs_path}/etc/rc.sysinit ]
then
    configure_fedora_init
fi

if [ ! -z $clean ]; then
    clean || exit 1
    exit 0
fi
echo "
Container rootfs and config have been created.
Edit the config file to check/enable networking setup.
"

if [[ -d ${cache_base}/bootstrap ]]
then
    echo "You have successfully built a Fedora container and cache.  This cache may
be used to create future containers of various revisions.  The directory
${cache_base}/bootstrap contains a bootstrap
which may no longer needed and can be removed.
"
fi

if [[ -e ${cache_base}/LiveOS ]]
then
    echo "A LiveOS directory exists at ${cache_base}/LiveOS.
This is only used in the creation of the bootstrap run-time-environment
and may be removed.
"
fi

if [ ${root_display_password} = "yes" ]
then
    echo "The temporary password for root is: '$root_password'

You may want to note that password down before starting the container.
"
fi

if [ ${root_store_password} = "yes" ]
then
    echo "The temporary root password is stored in:

        '${config_path}/tmp_root_pass'
"
fi

if [ ${root_prompt_password} = "yes" ]
then
    echo "Invoking the passwd command in the container to set the root password.

        chroot ${rootfs_path} passwd
"
    chroot ${rootfs_path} passwd
else
    echo "
The root password is set up as "expired" and will require it to be changed
at first login, which you should do as soon as possible.  If you lose the
root password or wish to change it without starting the container, you
can change it from the host by running the following command (which will
also reset the expired flag):

        chroot ${rootfs_path} passwd
"
fi