3 # Client script for LXC container images.
5 # Copyright @ Daniel Lezcano <daniel.lezcano@free.fr>
6 # Copyright © 2018 Christian Brauner <christian.brauner@ubuntu.com>
8 # This library is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU Lesser General Public
10 # License as published by the Free Software Foundation; either
11 # version 2.1 of the License, or (at your option) any later version.
13 # This library is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 # Lesser General Public License for more details.
18 # You should have received a copy of the GNU Lesser General Public
19 # License along with this library; if not, write to the Free Software
20 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
26 BUSYBOX_EXE
=`which busybox`
28 # Make sure the usual locations are in PATH
29 export PATH
=$PATH:/usr
/sbin
:/usr
/bin
:/sbin
:/bin
32 [ -e /proc
/self
/uid_map
] ||
{ echo no
; return; }
33 while read -r line
; do
34 fields
="$(echo "$line" | awk '{ print $1 " " $2 " " $3 }')"
35 if [ "${fields}" = "0 0 4294967295" ]; then
39 if echo "${fields}" |
grep -q " 0 1$"; then
43 done < /proc
/self
/uid_map
45 [ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && { echo userns-root
; return; }
62 ${rootfs}/etc/init.d \
73 ${rootfs}/usr/share/udhcpc \
81 # shellcheck disable=SC2086
82 mkdir
-p ${fstree} ||
return 1
83 # shellcheck disable=SC2086
84 chmod 755 ${fstree} ||
return 1
86 # minimal devices needed for busybox
87 if [ "${USERNS}" = "yes" ]; then
88 for dev
in tty console tty0 tty1 ram0 null urandom
; do
89 echo "lxc.mount.entry = /dev/${dev} dev/${dev} none bind,optional,create=file 0 0" >> "${path}/config"
92 mknod
-m 666 "${rootfs}/dev/tty" c
5 0 || res
=1
93 mknod
-m 666 "${rootfs}/dev/console" c
5 1 || res
=1
94 mknod
-m 666 "${rootfs}/dev/tty0" c
4 0 || res
=1
95 mknod
-m 666 "${rootfs}/dev/tty1" c
4 0 || res
=1
96 mknod
-m 666 "${rootfs}/dev/tty5" c
4 0 || res
=1
97 mknod
-m 600 "${rootfs}/dev/ram0" b
1 0 || res
=1
98 mknod
-m 666 "${rootfs}/dev/null" c
1 3 || res
=1
99 mknod
-m 666 "${rootfs}/dev/zero" c
1 5 || res
=1
100 mknod
-m 666 "${rootfs}/dev/urandom" c
1 9 || res
=1
103 # make /tmp accessible to any user (with sticky bit)
104 chmod 1777 "${rootfs}/tmp" ||
return 1
107 cat <<EOF >> "${rootfs}/etc/passwd"
108 root:x:0:0:root:/root:/bin/sh
111 cat <<EOF >> "${rootfs}/etc/group"
116 cat <<EOF >> "${rootfs}/etc/init.d/rcS"
124 chmod 744 "${rootfs}/etc/init.d/rcS" ||
return 1
126 # launch rcS first then make a console available
127 # and propose a shell on the tty, the last one is
129 cat <<EOF >> "${rootfs}/etc/inittab"
130 ::sysinit:/etc/init.d/rcS
131 tty1::respawn:/bin/getty -L tty1 115200 vt100
132 console::askfirst:/bin/sh
134 # writable and readable for other
135 chmod 644 "${rootfs}/etc/inittab" ||
return 1
137 # Look for the pathname of "default.script" from the help of udhcpc
138 DEF_SCRIPT
=`${BUSYBOX_EXE} udhcpc -h 2>&1 | grep -- '-s,--script PROG' | cut -d'/' -f2- | cut -d')' -f1`
139 DEF_SCRIPT_DIR
=`dirname /${DEF_SCRIPT}`
140 mkdir
-p ${rootfs}/${DEF_SCRIPT_DIR}
141 chmod 644 ${rootfs}/${DEF_SCRIPT_DIR} ||
return 1
143 cat <<EOF >> ${rootfs}/${DEF_SCRIPT}
147 ip addr flush dev \$interface
151 # flush all the routes
152 if [ -n "\$router" ]; then
153 ip route del default 2> /dev/null
157 if [ -n "\$broadcast" ]; then
158 broadcast="broadcast \$broadcast"
161 # add a new ip address
162 ip addr add \$ip/\$mask \$broadcast dev \$interface
164 if [ -n "\$router" ]; then
165 ip route add default via \$router dev \$interface
168 [ -n "\$domain" ] && echo search \$domain > /etc/resolv.conf
170 grep "nameserver \$i" /etc/resolv.conf > /dev/null 2>&1
171 if [ \$? -ne 0 ]; then
172 echo nameserver \$i >> /etc/resolv.conf
180 chmod 744 ${rootfs}/${DEF_SCRIPT}
189 # copy busybox in the rootfs
190 if ! cp "${BUSYBOX_EXE}" "${rootfs}/bin"; then
191 echo "ERROR: Failed to copy busybox binary" 1>&2
195 # symlink busybox for the commands it supports
196 # it would be nice to just use "chroot $rootfs busybox --install -s /bin"
197 # but that only works right in a chroot with busybox >= 1.19.0
199 cd "${rootfs}/bin" ||
return 1
200 .
/busybox
--list |
grep -v busybox |
xargs -n1 ln -s busybox
204 ln "${rootfs}/bin/busybox" "${rootfs}/sbin/init"
206 # /etc/fstab must exist for "mount -a"
207 touch "${rootfs}/etc/fstab"
209 # passwd exec must be setuid
210 chmod +s
"${rootfs}/bin/passwd"
211 touch "${rootfs}/etc/shadow"
222 grep -q "^lxc.rootfs.path" "${path}/config" 2>/dev/null || echo "lxc.rootfs.path = ${rootfs}" >> "${path}/config"
223 cat <<EOF >> "${path}/config"
224 lxc.signal.halt = SIGUSR1
225 lxc.signal.reboot = SIGTERM
226 lxc.uts.name = "${name}"
229 lxc.cap.drop = sys_module mac_admin mac_override sys_time
231 # When using LXC with apparmor, uncomment the next line to run unconfined:
232 #lxc.apparmor.profile = unconfined
234 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
235 lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0
244 for dir
in ${libdirs}; do
245 if [ -d "/${dir}" ] && [ -d "${rootfs}/${dir}" ]; then
246 echo "lxc.mount.entry = /${dir} ${dir} none ro,bind 0 0" >> "${path}/config"
249 echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >> "${path}/config"
256 if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
257 chown
"${LXC_MAPPED_UID}" "${path}/config" > /dev
/null
2>&1
258 chown
-R root
"${path}/rootfs" > /dev
/null
2>&1
261 if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
262 chgrp
"${LXC_MAPPED_GID}" "${path}/config" > /dev
/null
2>&1
263 chgrp
-R root
"${path}/rootfs" > /dev
/null
2>&1
269 LXC busybox image builder
273 [ -h | --help ]: Print this help message and exit.
275 LXC internal arguments:
277 [ --name <name> ]: The container name
278 [ --path <path> ]: The path to the container
279 [ --rootfs <rootfs> ]: The path to the container's rootfs (default: config or <path>/rootfs)
280 [ --mapped-uid <map> ]: A uid map (user namespaces)
281 [ --mapped-gid <map> ]: A gid map (user namespaces)
283 BUSYBOX template specific arguments:
285 [ --busybox-path <path> ]: busybox pathname (default: ${BUSYBOX_EXE})
291 if ! options
=$
(getopt
-o hp
:n
: -l help,rootfs
:,path
:,name
:,mapped-uid
:,mapped-gid
:,busybox-path
: -- "$@"); then
295 eval set -- "$options"
300 -h|
--help) usage
&& exit 0;;
301 -n|
--name) name
=$2; shift 2;;
302 -p|
--path) path
=$2; shift 2;;
303 --rootfs) rootfs
=$2; shift 2;;
304 --mapped-uid) LXC_MAPPED_UID
=$2; shift 2;;
305 --mapped-gid) LXC_MAPPED_GID
=$2; shift 2;;
306 --busybox-path) BUSYBOX_EXE
=$2; shift 2;;
307 --) shift 1; break ;;
312 # Check that we have all variables we need
313 if [ -z "${name}" ] ||
[ -z "${path}" ]; then
314 echo "ERROR: Please pass the name and path for the container" 1>&2
318 # Make sure busybox is present
319 if [ -z "${BUSYBOX_EXE}" ]; then
320 echo "ERROR: Please pass a pathname for busybox binary" 1>&2
323 if [ ! -x "${BUSYBOX_EXE}" ]; then
324 echo "ERROR: Failed to find busybox binary (${BUSYBOX_EXE})" 1>&2
329 config
="$path/config"
330 if [ -z "$rootfs" ]; then
331 if grep -q '^lxc.rootfs.path' "${config}" 2> /dev
/null
; then
332 rootfs
=$
(awk -F= '/^lxc.rootfs.path =/{ print $2 }' "${config}")
334 rootfs
="${path}/rootfs"
338 if ! install_busybox
"${rootfs}" "${name}"; then
339 echo "ERROR: Failed to install rootfs" 1>&2
343 if ! configure_busybox
"${rootfs}"; then
344 echo "ERROR: Failed to configure busybox" 1>&2
348 if ! copy_configuration
"${path}" "${rootfs}" "${name}"; then
349 echo "ERROR: Failed to write config file" 1>&2
353 if ! remap_userns
"${path}"; then
354 echo "ERROR: Failed to change idmappings" 1>&2