[mirror_lxc.git] / templates / lxc-oci.in

#!/bin/bash

# Create application containers from OCI images

# Copyright © 2014 Stéphane Graber <stgraber@ubuntu.com>
# Copyright © 2017 Serge Hallyn <serge@hallyn.com>
#
#  This library is free software; you can redistribute it and/or
#  modify it under the terms of the GNU Lesser General Public
#  License as published by the Free Software Foundation; either
#  version 2.1 of the License, or (at your option) any later version.

#  This library is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
#  Lesser General Public License for more details.

#  You should have received a copy of the GNU Lesser General Public
#  License along with this library; if not, write to the Free Software
#  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
#  USA

set -eu

# Make sure the usual locations are in PATH
export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin

# Check for required binaries
for bin in skopeo umoci jq; do
  if ! which $bin >/dev/null 2>&1; then
    echo "ERROR: Missing required tool: $bin" 1>&2
    exit 1
  fi
done

LOCALSTATEDIR="@LOCALSTATEDIR@"
LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
LXC_HOOK_DIR="@LXCHOOKDIR@"

# Some useful functions
cleanup() {
  if [ -d "${DOWNLOAD_TEMP}" ]; then
    rm -Rf "${DOWNLOAD_TEMP}"
  fi

  if [ -d "${LXC_ROOTFS}.tmp" ]; then
    rm -Rf "${LXC_ROOTFS}.tmp"
  fi
}

in_userns() {
  [ -e /proc/self/uid_map ] || { echo no; return; }
  while read -r line; do
    fields="$(echo "$line" | awk '{ print $1 " " $2 " " $3 }')"
    if [ "${fields}" = "0 0 4294967295" ]; then
      echo no;
      return;
    fi
    if echo "${fields}" | grep -q " 0 1$"; then
      echo userns-root;
      return;
    fi
  done < /proc/self/uid_map

  [ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && { echo userns-root; return; }
  echo yes
}

getconfigpath() {
  basedir="$1"
  q="$2"

  digest=$(jq -c -r --arg q "$q" '.manifests[] | if .annotations."org.opencontainers.image.ref.name" == $q then .digest else empty end' < "${basedir}/index.json")
  if [ -z "${digest}" ]; then
    echo "$q not found in index.json" >&2
    return
  fi

  # Ok we have the image config digest, now get the config from that
  # shellcheck disable=SC2039
  d=${digest:7}
  cdigest=$(jq -c -r '.config.digest' < "${basedir}/blobs/sha256/${d}")
  if [ -z "${cdigest}" ]; then
    echo "container config not found" >&2
    return
  fi

  # shellcheck disable=SC2039
  d2=${cdigest:7}
  echo "${basedir}/blobs/sha256/${d2}"
  return
}

# Get entrypoint from oci image. Use sh if unspecified
getep() {
  if [ "$#" -eq 0 ]; then
    echo "/bin/sh"
    return
  fi

  configpath="$1"

  ep=$(jq -c '.config.Entrypoint[]?'< "${configpath}" | tr '\n' ' ')
  cmd=$(jq -c '.config.Cmd[]?'< "${configpath}" | tr '\n' ' ')
  if [ -z "${ep}" ]; then
    ep="${cmd}"
    if [ -z "${ep}" ]; then
      ep="/bin/sh"
    fi
  elif [ -n "${cmd}" ]; then
    ep="${ep} ${cmd}"
  fi

  echo "${ep}"
  return
}

# get environment from oci image.
getenv() {
  if [ "$#" -eq 0 ]; then
    return
  fi

  configpath="$1"

  env=$(jq -c -r '.config.Env[]'< "${configpath}")

  echo "${env}"
  return
}

# FIXME 1: only support numerical values in the configuration file.
# FIXME 2: from the OCI image spec: "If group/gid is not specified,
# the default group and supplementary groups of the given user/uid in
# /etc/passwd from the container are applied."
getuidgid() {
  if [ "$#" -eq 0 ]; then
    echo "0 0"
    return
  fi

  configpath="$1"

  uidgid=$(jq -c -r '.config.User // "0:0"' < "${configpath}")
  # shellcheck disable=SC2039
  uidgid=(${uidgid//:/ })

  printf '%d %d' "${uidgid[0]:-0}" "${uidgid[1]:-0}" 2>/dev/null || true
  return
}

# get cwd from oci image.
getcwd() {
  if [ "$#" -eq 0 ]; then
    echo "/"
    return
  fi

  configpath="$1"

  cwd=$(jq -c -r '.config.WorkingDir // "/"' < "${configpath}")

  echo "${cwd}"
  return
}

usage() {
  cat <<EOF
LXC container template for OCI images

Special arguments:
[ -h | --help ]: Print this help message and exit.

Required arguments:
[ -u | --url <url> ]: The OCI image URL

Optional arguments:
[ --username <username> ]: The username for the registry
[ --password <password> ]: The password for the registry

LXC internal arguments (do not pass manually!):
[ --name <name> ]: The container name
[ --path <path> ]: The path to the container
[ --rootfs <rootfs> ]: The path to the container's rootfs
[ --mapped-uid <map> ]: A uid map (user namespaces)
[ --mapped-gid <map> ]: A gid map (user namespaces)
EOF
  return 0
}

if ! options=$(getopt -o u:h -l help,url:,username:,password:,no-cache,dhcp,name:,path:,rootfs:,mapped-uid:,mapped-gid: -- "$@"); then
    usage
    exit 1
fi
eval set -- "$options"

OCI_URL=""
OCI_USERNAME=
OCI_PASSWORD=
OCI_USE_CACHE="true"
OCI_USE_DHCP="false"

LXC_MAPPED_GID=
LXC_MAPPED_UID=
LXC_NAME=
LXC_PATH=
LXC_ROOTFS=

while :; do
  case "$1" in
    -h|--help)    usage && exit 1;;
    -u|--url)     OCI_URL=$2; shift 2;;
    --username)   OCI_USERNAME=$2; shift 2;;
    --password)   OCI_PASSWORD=$2; shift 2;;
    --no-cache)   OCI_USE_CACHE="false"; shift 1;;
    --dhcp)       OCI_USE_DHCP="true"; shift 1;;
    --name)       LXC_NAME=$2; shift 2;;
    --path)       LXC_PATH=$2; shift 2;;
    --rootfs)     LXC_ROOTFS=$2; shift 2;;
    --mapped-uid) LXC_MAPPED_UID=$2; shift 2;;
    --mapped-gid) LXC_MAPPED_GID=$2; shift 2;;
    *)            break;;
  esac
done

# Check that we have all variables we need
if [ -z "$LXC_NAME" ] || [ -z "$LXC_PATH" ] || [ -z "$LXC_ROOTFS" ]; then
  echo "ERROR: Not running through LXC" 1>&2
  exit 1
fi

if [ -z "$OCI_URL" ]; then
  echo "ERROR: no OCI URL given"
  exit 1
fi

if [ -n "$OCI_PASSWORD" ] && [ -z "$OCI_USERNAME" ]; then
  echo "ERROR: password given but no username specified"
  exit 1
fi

if [ "${OCI_USE_CACHE}" = "true" ]; then
  if ! skopeo copy --help | grep -q 'dest-shared-blob-dir'; then
    echo "INFO: skopeo doesn't support blob caching"
    OCI_USE_CACHE="false"
  fi
fi

USERNS=$(in_userns)

if [ "$USERNS" = "yes" ]; then
  if [ -z "$LXC_MAPPED_UID" ] || [ "$LXC_MAPPED_UID" = "-1" ]; then
    echo "ERROR: In a user namespace without a map" 1>&2
    exit 1
  fi
fi

if [ "${OCI_USE_CACHE}" = "true" ]; then
  if [ "$USERNS" = "yes" ]; then
    DOWNLOAD_BASE="${HOME}/.cache/lxc"
  else
    DOWNLOAD_BASE="${LOCALSTATEDIR}/cache/lxc"
  fi
else
  DOWNLOAD_BASE=/tmp
fi
mkdir -p "${DOWNLOAD_BASE}"

# Trap all exit signals
trap cleanup EXIT HUP INT TERM

if ! which mktemp >/dev/null 2>&1; then
  DOWNLOAD_TEMP="${DOWNLOAD_BASE}/lxc-oci.$$"
  mkdir -p "${DOWNLOAD_TEMP}"
else
  DOWNLOAD_TEMP=$(mktemp -d -p "${DOWNLOAD_BASE}")
fi

# Download the image
# shellcheck disable=SC2039
skopeo_args=("")
if [ -n "$OCI_USERNAME" ]; then
  CREDENTIALS="${OCI_USERNAME}"

  if [ -n "$OCI_PASSWORD" ]; then
    CREDENTIALS="${CREDENTIALS}:${OCI_PASSWORD}"
  fi

  # shellcheck disable=SC2039
  skopeo_args+=(--src-creds "${CREDENTIALS}")
fi

if [ "${OCI_USE_CACHE}" = "true" ]; then
  # shellcheck disable=SC2039
  # shellcheck disable=SC2068
  skopeo_args+=(--dest-shared-blob-dir "${DOWNLOAD_BASE}")
  # shellcheck disable=SC2039
  # shellcheck disable=SC2068
  skopeo copy ${skopeo_args[@]} "${OCI_URL}" "oci:${DOWNLOAD_TEMP}:latest"
  ln -s "${DOWNLOAD_BASE}/sha256" "${DOWNLOAD_TEMP}/blobs/sha256"
else
  # shellcheck disable=SC2039
  # shellcheck disable=SC2068
  skopeo copy ${skopeo_args[@]} "${OCI_URL}" "oci:${DOWNLOAD_TEMP}:latest"
fi

echo "Unpacking the rootfs"
# shellcheck disable=SC2039
umoci_args=("")
if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
  # shellcheck disable=SC2039
  umoci_args+=(--rootless)
fi
# shellcheck disable=SC2039
# shellcheck disable=SC2068
umoci --log=error unpack ${umoci_args[@]} --image "${DOWNLOAD_TEMP}:latest" "${LXC_ROOTFS}.tmp"
rmdir "${LXC_ROOTFS}"
mv "${LXC_ROOTFS}.tmp/rootfs" "${LXC_ROOTFS}"

OCI_CONF_FILE=$(getconfigpath "${DOWNLOAD_TEMP}" latest)
LXC_CONF_FILE="${LXC_PATH}/config"
entrypoint=$(getep "${OCI_CONF_FILE}")
echo "lxc.execute.cmd = '${entrypoint}'" >> "${LXC_CONF_FILE}"
echo "lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed" >> "${LXC_CONF_FILE}"

environment=$(getenv "${OCI_CONF_FILE}")
# shellcheck disable=SC2039
while read -r line; do
  echo "lxc.environment = ${line}" >> "${LXC_CONF_FILE}"
done <<< "${environment}"

if [ -e "${LXC_TEMPLATE_CONFIG}/common.conf" ]; then
  echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/common.conf" >> "${LXC_CONF_FILE}"
fi

if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ] && [ -e "${LXC_TEMPLATE_CONFIG}/userns.conf" ]; then
  echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/userns.conf" >> "${LXC_CONF_FILE}"
fi

if [ -e "${LXC_TEMPLATE_CONFIG}/oci.common.conf" ]; then
  echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/oci.common.conf" >> "${LXC_CONF_FILE}"
fi

if [ "${OCI_USE_DHCP}" = "true" ]; then
  echo "lxc.hook.start-host = ${LXC_HOOK_DIR}/dhclient" >> "${LXC_CONF_FILE}"
  echo "lxc.hook.stop = ${LXC_HOOK_DIR}/dhclient" >> "${LXC_CONF_FILE}"
fi

echo "lxc.uts.name = ${LXC_NAME}" >> "${LXC_CONF_FILE}"
# set the hostname
cat <<EOF > "${LXC_ROOTFS}/etc/hostname"
${LXC_NAME}
EOF

# set minimal hosts
cat <<EOF > "${LXC_ROOTFS}/etc/hosts"
127.0.0.1   localhost
127.0.1.1   ${LXC_NAME}
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
EOF

# shellcheck disable=SC2039
uidgid=($(getuidgid "${OCI_CONF_FILE}"))
# shellcheck disable=SC2039
echo "lxc.init.uid = ${uidgid[0]}" >> "${LXC_CONF_FILE}"
# shellcheck disable=SC2039
echo "lxc.init.gid = ${uidgid[1]}" >> "${LXC_CONF_FILE}"

cwd=$(getcwd "${OCI_CONF_FILE}")
echo "lxc.init.cwd = ${cwd}" >> "${LXC_CONF_FILE}"

if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
  chown "$LXC_MAPPED_UID" "$LXC_PATH/config" "$LXC_PATH/fstab" > /dev/null 2>&1 || true
fi
if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
  chgrp "$LXC_MAPPED_GID" "$LXC_PATH/config" "$LXC_PATH/fstab" > /dev/null 2>&1 || true
fi

exit 0
Commit	Line	Data
0ef43a5c SH	1	#!/bin/bash
	2
	3	# Create application containers from OCI images
	4
	5	# Copyright © 2014 Stéphane Graber <stgraber@ubuntu.com>
	6	# Copyright © 2017 Serge Hallyn <serge@hallyn.com>
	7	#
	8	# This library is free software; you can redistribute it and/or
	9	# modify it under the terms of the GNU Lesser General Public
	10	# License as published by the Free Software Foundation; either
	11	# version 2.1 of the License, or (at your option) any later version.
	12
	13	# This library is distributed in the hope that it will be useful,
	14	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	# Lesser General Public License for more details.
	17
	18	# You should have received a copy of the GNU Lesser General Public
	19	# License along with this library; if not, write to the Free Software
	20	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
	21	# USA
	22
	23	set -eu
0ef43a5c SH	24
	25	# Make sure the usual locations are in PATH
	26	export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
	27
	28	# Check for required binaries
	29	for bin in skopeo umoci jq; do
4328e9e3 CB	30	if ! which $bin >/dev/null 2>&1; then
	31	echo "ERROR: Missing required tool: $bin" 1>&2
	32	exit 1
	33	fi
0ef43a5c SH	34	done
0ef43a5c SH	35
52e31c07	36	LOCALSTATEDIR="@LOCALSTATEDIR@"
d7c685c6	37	LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
9a962dc6	38	LXC_HOOK_DIR="@LXCHOOKDIR@"
d7c685c6	39
0ef43a5c SH	40	# Some useful functions
0ef43a5c SH	41	cleanup() {
4328e9e3 CB	42	if [ -d "${DOWNLOAD_TEMP}" ]; then
	43	rm -Rf "${DOWNLOAD_TEMP}"
	44	fi
	45
	46	if [ -d "${LXC_ROOTFS}.tmp" ]; then
	47	rm -Rf "${LXC_ROOTFS}.tmp"
	48	fi
0ef43a5c SH	49	}
	50
	51	in_userns() {
4328e9e3 CB	52	[ -e /proc/self/uid_map ] \|\| { echo no; return; }
	53	while read -r line; do
	54	fields="$(echo "$line" \| awk '{ print $1 " " $2 " " $3 }')"
	55	if [ "${fields}" = "0 0 4294967295" ]; then
	56	echo no;
	57	return;
	58	fi
	59	if echo "${fields}" \| grep -q " 0 1$"; then
	60	echo userns-root;
	61	return;
	62	fi
	63	done < /proc/self/uid_map
	64
	65	[ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && { echo userns-root; return; }
	66	echo yes
0ef43a5c SH	67	}
0ef43a5c SH	68
ce59e4ca	69	getconfigpath() {
4328e9e3 CB	70	basedir="$1"
	71	q="$2"
	72
	73	digest=$(jq -c -r --arg q "$q" '.manifests[] \| if .annotations."org.opencontainers.image.ref.name" == $q then .digest else empty end' < "${basedir}/index.json")
	74	if [ -z "${digest}" ]; then
	75	echo "$q not found in index.json" >&2
	76	return
	77	fi
	78
	79	# Ok we have the image config digest, now get the config from that
	80	# shellcheck disable=SC2039
	81	d=${digest:7}
	82	cdigest=$(jq -c -r '.config.digest' < "${basedir}/blobs/sha256/${d}")
	83	if [ -z "${cdigest}" ]; then
	84	echo "container config not found" >&2
	85	return
	86	fi
	87
	88	# shellcheck disable=SC2039
	89	d2=${cdigest:7}
	90	echo "${basedir}/blobs/sha256/${d2}"
	91	return
ce59e4ca FA	92	}
ce59e4ca FA	93
4328e9e3	94	# Get entrypoint from oci image. Use sh if unspecified
ce59e4ca	95	getep() {
4328e9e3 CB	96	if [ "$#" -eq 0 ]; then
	97	echo "/bin/sh"
	98	return
	99	fi
	100
	101	configpath="$1"
	102
d99e3b2e FA	103	ep=$(jq -c '.config.Entrypoint[]?'< "${configpath}" \| tr '\n' ' ')
d99e3b2e FA	104	cmd=$(jq -c '.config.Cmd[]?'< "${configpath}" \| tr '\n' ' ')
4328e9e3 CB	105	if [ -z "${ep}" ]; then
	106	ep="${cmd}"
	107	if [ -z "${ep}" ]; then
	108	ep="/bin/sh"
	109	fi
	110	elif [ -n "${cmd}" ]; then
	111	ep="${ep} ${cmd}"
	112	fi
	113
	114	echo "${ep}"
	115	return
0ef43a5c SH	116	}
0ef43a5c SH	117
996202e7 FA	118	# get environment from oci image.
996202e7 FA	119	getenv() {
4328e9e3 CB	120	if [ "$#" -eq 0 ]; then
	121	return
	122	fi
996202e7	123
4328e9e3	124	configpath="$1"
996202e7	125
4328e9e3	126	env=$(jq -c -r '.config.Env[]'< "${configpath}")
996202e7	127
4328e9e3 CB	128	echo "${env}"
4328e9e3 CB	129	return
996202e7 FA	130	}
996202e7 FA	131
e86dcc91 FA	132	# FIXME 1: only support numerical values in the configuration file.
	133	# FIXME 2: from the OCI image spec: "If group/gid is not specified,
	134	# the default group and supplementary groups of the given user/uid in
	135	# /etc/passwd from the container are applied."
	136	getuidgid() {
4328e9e3 CB	137	if [ "$#" -eq 0 ]; then
	138	echo "0 0"
	139	return
	140	fi
e86dcc91	141
4328e9e3	142	configpath="$1"
e86dcc91	143
4328e9e3 CB	144	uidgid=$(jq -c -r '.config.User // "0:0"' < "${configpath}")
	145	# shellcheck disable=SC2039
	146	uidgid=(${uidgid//:/ })
e86dcc91	147
4328e9e3 CB	148	printf '%d %d' "${uidgid[0]:-0}" "${uidgid[1]:-0}" 2>/dev/null \|\| true
4328e9e3 CB	149	return
e86dcc91 FA	150	}
e86dcc91 FA	151
a787c332 FA	152	# get cwd from oci image.
a787c332 FA	153	getcwd() {
4328e9e3 CB	154	if [ "$#" -eq 0 ]; then
	155	echo "/"
	156	return
	157	fi
a787c332	158
4328e9e3	159	configpath="$1"
a787c332	160
4328e9e3	161	cwd=$(jq -c -r '.config.WorkingDir // "/"' < "${configpath}")
a787c332	162
4328e9e3 CB	163	echo "${cwd}"
4328e9e3 CB	164	return
a787c332 FA	165	}
a787c332 FA	166
0ef43a5c	167	usage() {
4328e9e3	168	cat <<EOF
0ef43a5c SH	169	LXC container template for OCI images
	170
	171	Special arguments:
	172	[ -h \| --help ]: Print this help message and exit.
	173
	174	Required arguments:
	175	[ -u \| --url <url> ]: The OCI image URL
	176
797f99c6 FA	177	Optional arguments:
	178	[ --username <username> ]: The username for the registry
	179	[ --password <password> ]: The password for the registry
	180
0ef43a5c SH	181	LXC internal arguments (do not pass manually!):
	182	[ --name <name> ]: The container name
	183	[ --path <path> ]: The path to the container
	184	[ --rootfs <rootfs> ]: The path to the container's rootfs
	185	[ --mapped-uid <map> ]: A uid map (user namespaces)
	186	[ --mapped-gid <map> ]: A gid map (user namespaces)
0ef43a5c	187	EOF
4328e9e3	188	return 0
0ef43a5c SH	189	}
0ef43a5c SH	190
4328e9e3	191	if ! options=$(getopt -o u:h -l help,url:,username:,password:,no-cache,dhcp,name:,path:,rootfs:,mapped-uid:,mapped-gid: -- "$@"); then
0ef43a5c SH	192	usage
	193	exit 1
	194	fi
	195	eval set -- "$options"
	196
	197	OCI_URL=""
797f99c6 FA	198	OCI_USERNAME=
797f99c6 FA	199	OCI_PASSWORD=
52e31c07	200	OCI_USE_CACHE="true"
9a962dc6	201	OCI_USE_DHCP="false"
797f99c6	202
0ef43a5c SH	203	LXC_MAPPED_GID=
	204	LXC_MAPPED_UID=
	205	LXC_NAME=
	206	LXC_PATH=
	207	LXC_ROOTFS=
	208
	209	while :; do
4328e9e3 CB	210	case "$1" in
	211	-h\|--help) usage && exit 1;;
	212	-u\|--url) OCI_URL=$2; shift 2;;
	213	--username) OCI_USERNAME=$2; shift 2;;
	214	--password) OCI_PASSWORD=$2; shift 2;;
	215	--no-cache) OCI_USE_CACHE="false"; shift 1;;
	216	--dhcp) OCI_USE_DHCP="true"; shift 1;;
	217	--name) LXC_NAME=$2; shift 2;;
	218	--path) LXC_PATH=$2; shift 2;;
	219	--rootfs) LXC_ROOTFS=$2; shift 2;;
	220	--mapped-uid) LXC_MAPPED_UID=$2; shift 2;;
	221	--mapped-gid) LXC_MAPPED_GID=$2; shift 2;;
	222	*) break;;
	223	esac
0ef43a5c SH	224	done
	225
	226	# Check that we have all variables we need
	227	if [ -z "$LXC_NAME" ] \|\| [ -z "$LXC_PATH" ] \|\| [ -z "$LXC_ROOTFS" ]; then
4328e9e3 CB	228	echo "ERROR: Not running through LXC" 1>&2
4328e9e3 CB	229	exit 1
0ef43a5c SH	230	fi
	231
	232	if [ -z "$OCI_URL" ]; then
4328e9e3 CB	233	echo "ERROR: no OCI URL given"
4328e9e3 CB	234	exit 1
0ef43a5c SH	235	fi
0ef43a5c SH	236
797f99c6	237	if [ -n "$OCI_PASSWORD" ] && [ -z "$OCI_USERNAME" ]; then
4328e9e3 CB	238	echo "ERROR: password given but no username specified"
4328e9e3 CB	239	exit 1
797f99c6 FA	240	fi
797f99c6 FA	241
52e31c07	242	if [ "${OCI_USE_CACHE}" = "true" ]; then
4328e9e3 CB	243	if ! skopeo copy --help \| grep -q 'dest-shared-blob-dir'; then
	244	echo "INFO: skopeo doesn't support blob caching"
	245	OCI_USE_CACHE="false"
	246	fi
52e31c07 FA	247	fi
52e31c07 FA	248
0ef43a5c SH	249	USERNS=$(in_userns)
0ef43a5c SH	250
52e31c07	251	if [ "$USERNS" = "yes" ]; then
4328e9e3 CB	252	if [ -z "$LXC_MAPPED_UID" ] \|\| [ "$LXC_MAPPED_UID" = "-1" ]; then
	253	echo "ERROR: In a user namespace without a map" 1>&2
	254	exit 1
	255	fi
52e31c07 FA	256	fi
	257
	258	if [ "${OCI_USE_CACHE}" = "true" ]; then
4328e9e3 CB	259	if [ "$USERNS" = "yes" ]; then
	260	DOWNLOAD_BASE="${HOME}/.cache/lxc"
	261	else
	262	DOWNLOAD_BASE="${LOCALSTATEDIR}/cache/lxc"
	263	fi
52e31c07	264	else
4328e9e3	265	DOWNLOAD_BASE=/tmp
0ef43a5c	266	fi
8c7536ec	267	mkdir -p "${DOWNLOAD_BASE}"
0ef43a5c SH	268
	269	# Trap all exit signals
	270	trap cleanup EXIT HUP INT TERM
	271
4328e9e3 CB	272	if ! which mktemp >/dev/null 2>&1; then
	273	DOWNLOAD_TEMP="${DOWNLOAD_BASE}/lxc-oci.$$"
	274	mkdir -p "${DOWNLOAD_TEMP}"
0ef43a5c	275	else
4328e9e3	276	DOWNLOAD_TEMP=$(mktemp -d -p "${DOWNLOAD_BASE}")
0ef43a5c SH	277	fi
0ef43a5c SH	278
52e31c07	279	# Download the image
4328e9e3	280	# shellcheck disable=SC2039
797f99c6 FA	281	skopeo_args=("")
797f99c6 FA	282	if [ -n "$OCI_USERNAME" ]; then
4328e9e3 CB	283	CREDENTIALS="${OCI_USERNAME}"
	284
	285	if [ -n "$OCI_PASSWORD" ]; then
	286	CREDENTIALS="${CREDENTIALS}:${OCI_PASSWORD}"
	287	fi
	288
	289	# shellcheck disable=SC2039
	290	skopeo_args+=(--src-creds "${CREDENTIALS}")
797f99c6	291	fi
4328e9e3	292
52e31c07	293	if [ "${OCI_USE_CACHE}" = "true" ]; then
4328e9e3 CB	294	# shellcheck disable=SC2039
	295	# shellcheck disable=SC2068
	296	skopeo_args+=(--dest-shared-blob-dir "${DOWNLOAD_BASE}")
	297	# shellcheck disable=SC2039
	298	# shellcheck disable=SC2068
	299	skopeo copy ${skopeo_args[@]} "${OCI_URL}" "oci:${DOWNLOAD_TEMP}:latest"
	300	ln -s "${DOWNLOAD_BASE}/sha256" "${DOWNLOAD_TEMP}/blobs/sha256"
52e31c07	301	else
4328e9e3 CB	302	# shellcheck disable=SC2039
	303	# shellcheck disable=SC2068
	304	skopeo copy ${skopeo_args[@]} "${OCI_URL}" "oci:${DOWNLOAD_TEMP}:latest"
52e31c07	305	fi
0ef43a5c	306
0ef43a5c	307	echo "Unpacking the rootfs"
4328e9e3	308	# shellcheck disable=SC2039
51c80577 FA	309	umoci_args=("")
51c80577 FA	310	if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
4328e9e3 CB	311	# shellcheck disable=SC2039
4328e9e3 CB	312	umoci_args+=(--rootless)
51c80577	313	fi
4328e9e3 CB	314	# shellcheck disable=SC2039
4328e9e3 CB	315	# shellcheck disable=SC2068
845ba283	316	umoci --log=error unpack ${umoci_args[@]} --image "${DOWNLOAD_TEMP}:latest" "${LXC_ROOTFS}.tmp"
0ef43a5c SH	317	rmdir "${LXC_ROOTFS}"
0ef43a5c SH	318	mv "${LXC_ROOTFS}.tmp/rootfs" "${LXC_ROOTFS}"
0ef43a5c	319
4328e9e3	320	OCI_CONF_FILE=$(getconfigpath "${DOWNLOAD_TEMP}" latest)
0ef43a5c	321	LXC_CONF_FILE="${LXC_PATH}/config"
4328e9e3	322	entrypoint=$(getep "${OCI_CONF_FILE}")
3dca1af0	323	echo "lxc.execute.cmd = '${entrypoint}'" >> "${LXC_CONF_FILE}"
0ef43a5c SH	324	echo "lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed" >> "${LXC_CONF_FILE}"
0ef43a5c SH	325
4328e9e3 CB	326	environment=$(getenv "${OCI_CONF_FILE}")
4328e9e3 CB	327	# shellcheck disable=SC2039
996202e7	328	while read -r line; do
4328e9e3	329	echo "lxc.environment = ${line}" >> "${LXC_CONF_FILE}"
996202e7 FA	330	done <<< "${environment}"
996202e7 FA	331
d7c685c6	332	if [ -e "${LXC_TEMPLATE_CONFIG}/common.conf" ]; then
4328e9e3	333	echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/common.conf" >> "${LXC_CONF_FILE}"
d7c685c6 FA	334	fi
	335
	336	if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ] && [ -e "${LXC_TEMPLATE_CONFIG}/userns.conf" ]; then
4328e9e3	337	echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/userns.conf" >> "${LXC_CONF_FILE}"
d7c685c6 FA	338	fi
d7c685c6 FA	339
1689c7cf	340	if [ -e "${LXC_TEMPLATE_CONFIG}/oci.common.conf" ]; then
4328e9e3	341	echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/oci.common.conf" >> "${LXC_CONF_FILE}"
1689c7cf JC	342	fi
1689c7cf JC	343
9a962dc6	344	if [ "${OCI_USE_DHCP}" = "true" ]; then
4328e9e3 CB	345	echo "lxc.hook.start-host = ${LXC_HOOK_DIR}/dhclient" >> "${LXC_CONF_FILE}"
4328e9e3 CB	346	echo "lxc.hook.stop = ${LXC_HOOK_DIR}/dhclient" >> "${LXC_CONF_FILE}"
9a962dc6 JC	347	fi
9a962dc6 JC	348
bc2c91ae FA	349	echo "lxc.uts.name = ${LXC_NAME}" >> "${LXC_CONF_FILE}"
bc2c91ae FA	350	# set the hostname
4328e9e3	351	cat <<EOF > "${LXC_ROOTFS}/etc/hostname"
bc2c91ae FA	352	${LXC_NAME}
bc2c91ae FA	353	EOF
0ef43a5c	354
b5236550	355	# set minimal hosts
4328e9e3	356	cat <<EOF > "${LXC_ROOTFS}/etc/hosts"
b5236550 FA	357	127.0.0.1 localhost
b5236550 FA	358	127.0.1.1 ${LXC_NAME}
8f54d926 FA	359	::1 localhost ip6-localhost ip6-loopback
	360	fe00::0 ip6-localnet
	361	ff00::0 ip6-mcastprefix
	362	ff02::1 ip6-allnodes
	363	ff02::2 ip6-allrouters
b5236550 FA	364	EOF
b5236550 FA	365
4328e9e3 CB	366	# shellcheck disable=SC2039
	367	uidgid=($(getuidgid "${OCI_CONF_FILE}"))
	368	# shellcheck disable=SC2039
e86dcc91	369	echo "lxc.init.uid = ${uidgid[0]}" >> "${LXC_CONF_FILE}"
4328e9e3	370	# shellcheck disable=SC2039
e86dcc91 FA	371	echo "lxc.init.gid = ${uidgid[1]}" >> "${LXC_CONF_FILE}"
e86dcc91 FA	372
4328e9e3	373	cwd=$(getcwd "${OCI_CONF_FILE}")
a787c332 FA	374	echo "lxc.init.cwd = ${cwd}" >> "${LXC_CONF_FILE}"
a787c332 FA	375
0ef43a5c	376	if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
4328e9e3	377	chown "$LXC_MAPPED_UID" "$LXC_PATH/config" "$LXC_PATH/fstab" > /dev/null 2>&1 \|\| true
0ef43a5c SH	378	fi
0ef43a5c SH	379	if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
4328e9e3	380	chgrp "$LXC_MAPPED_GID" "$LXC_PATH/config" "$LXC_PATH/fstab" > /dev/null 2>&1 \|\| true
0ef43a5c SH	381	fi
	382
	383	exit 0