templates: Refuse to run unprivileged
1 #!/bin/bash
2
3 #
4 # lxc: linux Container library
5
6 # Authors:
7 # Daniel Lezcano <daniel.lezcano@free.fr>
8
9 # This library is free software; you can redistribute it and/or
10 # modify it under the terms of the GNU Lesser General Public
11 # License as published by the Free Software Foundation; either
12 # version 2.1 of the License, or (at your option) any later version.
13
14 # This library is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 # Lesser General Public License for more details.
18
19 # You should have received a copy of the GNU Lesser General Public
20 # License along with this library; if not, write to the Free Software
21 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
22
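# Detect use under userns (unsupported).
# --mapped-uid marks an unprivileged container build. This template creates
# device nodes and chroots into the rootfs, so it refuses such a build before
# touching anything.
# "$@" (not $*) keeps every argument intact: an argument that merely contains
# the text "--mapped-uid" after a space must not be split and matched.
for arg in "$@"; do
    if [ "$arg" = "--mapped-uid" ]; then
        echo "This template can't be used for unprivileged containers." 1>&2
        echo "You may want to try the \"download\" template instead." 1>&2
        exit 1
    fi
done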
31
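# Report whether this process runs inside a user namespace.
# Outputs: "yes" or "no" on stdout.
# The decision is read from /proc/self/uid_map:
#   - file missing                          -> no
#   - anything other than exactly one line  -> yes
#   - one line equal to "0 0 4294967295"    -> no (identity map over the
#                                              whole uid range)
#   - any other single line                 -> yes
am_in_userns() {
    # Keep the scratch variables out of the script's global namespace.
    local map_lines line

    [ -e /proc/self/uid_map ] || { echo no; return; }

    map_lines=$(awk 'END { print NR }' /proc/self/uid_map)
    [ "$map_lines" -eq 1 ] || { echo yes; return; }

    line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map)
    [ "$line" = "0 0 4294967295" ] && { echo no; return; }
    echo yes
}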
39
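# Evaluate the user-namespace check once. install_busybox reads this flag to
# choose between creating device nodes with mknod and bind-mounting the
# host's nodes.
in_userns=0
# Quoted so that an empty result compares as "not yes" instead of making
# the test itself a syntax error.
if [ "$(am_in_userns)" = "yes" ]; then
    in_userns=1
fi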
42
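# Populate a minimal busybox root filesystem: directory tree, device nodes,
# passwd/group, init scripts, fstab, inittab and the udhcpc hook script.
# Globals:
#   in_userns (read) - 1 when running inside a user namespace
#   path      (read) - container config directory; used only when
#                      in_userns is 1, where the bind-mount entries for the
#                      device nodes are appended to "$path/fstab"
# Arguments:
#   $1 - rootfs directory to populate
#   $2 - container name (accepted, not used in this function)
# Returns:
#   0 on success; 1 if an argument check, a directory/permission step or a
#   mknod call failed
install_busybox()
{
    local rootfs=$1
    local res=0
    local dev
    local -a tree

    # An empty rootfs would turn every path below into a host path
    # (/dev, /tmp, /etc/passwd, ...), so refuse it before doing anything.
    if [ -z "$rootfs" ]; then
        echo "install_busybox: empty rootfs path" 1>&2
        return 1
    fi

    # Same reasoning for the userns branch, which appends to "$path/fstab".
    if [ "${in_userns:-0}" -eq 1 ] && [ -z "$path" ]; then
        echo "install_busybox: 'path' is not set" 1>&2
        return 1
    fi

    # An array keeps each directory a single word even when the rootfs
    # path contains whitespace.
    tree=(
        "$rootfs/selinux"
        "$rootfs/dev"
        "$rootfs/home"
        "$rootfs/root"
        "$rootfs/etc"
        "$rootfs/etc/init.d"
        "$rootfs/bin"
        "$rootfs/usr/bin"
        "$rootfs/sbin"
        "$rootfs/usr/sbin"
        "$rootfs/proc"
        "$rootfs/sys"
        "$rootfs/mnt"
        "$rootfs/tmp"
        "$rootfs/var/log"
        "$rootfs/usr/share/udhcpc"
        "$rootfs/dev/pts"
        "$rootfs/dev/shm"
        "$rootfs/lib"
        "$rootfs/usr/lib"
        "$rootfs/lib64"
        "$rootfs/usr/lib64"
    )

    mkdir -p -- "${tree[@]}" || return 1
    chmod 755 -- "${tree[@]}" || return 1

    pushd "$rootfs/dev" > /dev/null || return 1

    # minimal devices needed for busybox
    if [ "${in_userns:-0}" -eq 1 ]; then
        # mknod is not attempted inside a user namespace: create empty
        # files as mount targets and bind the host's nodes over them.
        # NOTE(review): "zero" is created in the mknod branch below but is
        # not in this list - confirm whether that is intended.
        for dev in tty console tty0 tty1 tty5 ram0 null urandom; do
            touch "$rootfs/dev/$dev"
            echo "/dev/$dev dev/$dev none bind 0 0" >> "$path/fstab"
        done
    else
        # NOTE(review): tty1 and tty5 get the same major/minor (4, 0) as
        # tty0 - confirm whether minors 1 and 5 were intended.
        mknod -m 666 tty c 5 0 || res=1
        mknod -m 666 console c 5 1 || res=1
        mknod -m 666 tty0 c 4 0 || res=1
        mknod -m 666 tty1 c 4 0 || res=1
        mknod -m 666 tty5 c 4 0 || res=1
        mknod -m 600 ram0 b 1 0 || res=1
        mknod -m 666 null c 1 3 || res=1
        mknod -m 666 zero c 1 5 || res=1
        mknod -m 666 urandom c 1 9 || res=1
    fi

    popd > /dev/null

    # root user defined
    cat <<EOF >> "$rootfs/etc/passwd"
root:x:0:0:root:/root:/bin/sh
EOF

    cat <<EOF >> "$rootfs/etc/group"
root:x:0:root
EOF

    # mount everything
    cat <<EOF >> "$rootfs/etc/init.d/rcS"
#!/bin/sh
/bin/syslogd
/bin/mount -a
/bin/udhcpc
EOF

    # executable by the owner, readable by everyone else
    chmod 744 "$rootfs/etc/init.d/rcS" || return 1

    # mount points
    cat <<EOF >> "$rootfs/etc/fstab"
shm /dev/shm tmpfs defaults 0 0
EOF

    # owner read/write, read-only for everyone else
    chmod 644 "$rootfs/etc/fstab" || return 1

    # launch rcS first then make a console available
    # and propose a shell on the tty, the last one is
    # not needed
    cat <<EOF >> "$rootfs/etc/inittab"
::sysinit:/etc/init.d/rcS
tty1::respawn:/bin/getty -L tty1 115200 vt100
console::askfirst:/bin/sh
EOF
    # owner read/write, read-only for everyone else
    chmod 644 "$rootfs/etc/inittab" || return 1

    # udhcpc hook script. The "\$" escapes keep the variables literal so
    # they are expanded when the hook runs inside the container, not now.
    cat <<EOF >> "$rootfs/usr/share/udhcpc/default.script"
#!/bin/sh
case "\$1" in
deconfig)
ip addr flush dev \$interface
;;

renew|bound)
# flush all the routes
if [ -n "\$router" ]; then
ip route del default 2> /dev/null
fi

# check broadcast
if [ -n "\$broadcast" ]; then
broadcast="broadcast \$broadcast"
fi

# add a new ip address
ip addr add \$ip/\$mask \$broadcast dev \$interface

if [ -n "\$router" ]; then
ip route add default via \$router dev \$interface
fi

[ -n "\$domain" ] && echo search \$domain > /etc/resolv.conf
for i in \$dns ; do
echo nameserver \$i >> /etc/resolv.conf
done
;;
esac
exit 0
EOF

    chmod 744 "$rootfs/usr/share/udhcpc/default.script" || return 1

    return $res
}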
174
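# Install the host's busybox binary into the rootfs, link its applets, set
# the root password and, when dropbear exists on the host, add it as well.
# Arguments:
#   $1 - rootfs directory prepared by install_busybox
# Outputs:
#   progress, warning and error messages on stdout
# Returns:
#   0 on success; 1 if the rootfs argument is empty, busybox is not found,
#   or copying busybox/dropbear fails. Failures of the password step and of
#   the link/key-generation commands are not reflected in the return value.
configure_busybox()
{
    local rootfs=$1
    local busybox_bin dropbear_bin util
    local CHPASSWD_FILE

    # An empty rootfs would make the copies, links and chmod below act on
    # the host's /bin, /sbin and /etc.
    if [ -z "$rootfs" ]; then
        echo "configure_busybox: empty rootfs path" 1>&2
        return 1
    fi

    if ! busybox_bin=$(command -v busybox); then
        echo "busybox executable is not accessible"
        return 1
    fi

    if ! file "$busybox_bin" | grep -q "statically linked"; then
        echo "warning : busybox is not statically linked."
        echo "warning : The template script may not correctly"
        echo "warning : setup the container environment."
    fi

    # copy busybox in the rootfs
    if ! cp -- "$busybox_bin" "$rootfs/bin"; then
        echo "failed to copy busybox in the rootfs"
        return 1
    fi

    # symlink busybox for the commands it supports
    # it would be nice to just use "chroot $rootfs busybox --install -s /bin"
    # but that only works right in a chroot with busybox >= 1.19.0
    pushd "$rootfs/bin" > /dev/null || return 1
    ./busybox --help | grep 'Currently defined functions:' -A300 | \
        grep -v 'Currently defined functions:' | tr , '\n' | \
        xargs -n1 ln -s busybox
    popd > /dev/null

    # relink /sbin/init
    ln "$rootfs/bin/busybox" "$rootfs/sbin/init"

    # passwd exec must be setuid
    # NOTE(review): bin/passwd is one of the symlinks to busybox created
    # above and chmod follows symlinks, so the setuid/setgid bits land on
    # the shared busybox binary rather than on passwd alone.
    chmod +s "$rootfs/bin/passwd"
    # NOTE(review): shadow is created with the default umask-derived mode
    # and is not tightened anywhere in this template.
    touch "$rootfs/etc/shadow"

    # setting passwd for root
    # NOTE(review): every container built from this template gets the fixed
    # credentials root:root.
    CHPASSWD_FILE=$rootfs/root/chpasswd.sh

    # The helper receives the rootfs as "$1" instead of having the path
    # pasted into its text, so whitespace or shell metacharacters in the
    # path are never parsed as script source by the root shell below.
    cat <<'EOF' >"$CHPASSWD_FILE"
echo "setting root password to \"root\""

mount -n --bind /lib "$1/lib"
if [ $? -ne 0 ]; then
    echo "Failed bind-mounting /lib at $1/lib"
    exit 1
fi

chroot "$1" chpasswd <<EOFF 2>/dev/null
root:root
EOFF


if [ $? -ne 0 ]; then
    echo "Failed to change root password"
    exit 1
fi

umount "$1/lib"

EOF

    # Run the helper with the mount namespace unshared (-s MOUNT).
    lxc-unshare -s MOUNT -- /bin/sh -s -- "$rootfs" < "$CHPASSWD_FILE"
    rm -- "$CHPASSWD_FILE"

    # add ssh functionality if dropbear package available on host
    # NOTE(review): together with the root:root password set above this
    # leaves an SSH server binary in a container with a well-known login.
    if dropbear_bin=$(command -v dropbear); then
        # copy dropbear binary
        if ! cp -- "$dropbear_bin" "$rootfs/usr/sbin"; then
            echo "Failed to copy dropbear in the rootfs"
            return 1
        fi

        # make symlinks to various ssh utilities
        for util in \
            usr/bin/dbclient \
            usr/bin/scp \
            usr/bin/ssh \
            usr/sbin/dropbearkey \
            usr/sbin/dropbearconvert
        do
            ln -s /usr/sbin/dropbear "$rootfs/$util"
        done

        # add necessary config files
        mkdir "$rootfs/etc/dropbear"
        # Key generation output and errors are discarded, so a failed run
        # (for example a key type the host's dropbearkey does not offer)
        # goes unnoticed here.
        dropbearkey -t rsa -f "$rootfs/etc/dropbear/dropbear_rsa_host_key" > /dev/null 2>&1
        dropbearkey -t dss -f "$rootfs/etc/dropbear/dropbear_dss_host_key" > /dev/null 2>&1

        echo "'dropbear' ssh utility installed"
    fi

    return 0
}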
275
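# Append the container settings for the busybox rootfs to "$path/config".
# Arguments:
#   $1 - container config directory (the file written is "$1/config")
#   $2 - rootfs directory
#   $3 - container name, written as lxc.utsname
# Returns:
#   the status of the last append to the config file
copy_configuration()
{
    local path=$1
    local rootfs=$2
    local name=$3
    local dir

    # Only add lxc.rootfs when the config does not already define it.
    grep -q "^lxc.rootfs" "$path/config" 2>/dev/null || echo "lxc.rootfs = $rootfs" >> "$path/config"

    # The lxc.aa_profile line is written commented out; uncommenting it in
    # the generated config runs the container without AppArmor confinement.
    cat <<EOF >> "$path/config"
lxc.haltsignal = SIGUSR1
lxc.utsname = $name
lxc.tty = 1
lxc.pts = 1
lxc.cap.drop = sys_module mac_admin mac_override sys_time

# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined
EOF

    # Bind the host's library directories read-only into the container,
    # but only those that exist on both the host and in the rootfs.
    for dir in lib usr/lib lib64 usr/lib64; do
        if [ -d "/$dir" ] && [ -d "$rootfs/$dir" ]; then
            echo "lxc.mount.entry = /$dir $dir none ro,bind 0 0" >> "$path/config"
        fi
    done
    echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >> "$path/config"
    echo "lxc.mount.auto = proc:mixed sys" >> "$path/config"
}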
308
# Print the one-line synopsis on stdout.
# Arguments:
#   $1 - program name shown at the start of the line
# Returns:
#   0 always
usage()
{
    printf '%s -h|--help -p|--path=<path>\n' "$1"
    return 0
}
316
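# Parse the command line. Accepted options: -h/--help, -p/--path,
# --rootfs and -n/--name; anything else makes getopt fail and the script
# exit with the usage line.
if ! options=$(getopt -o hp:n: -l help,rootfs:,path:,name: -- "$@"); then
    usage "$(basename "$0")"
    exit 1
fi
# getopt prints a shell-quoted argument list; eval re-parses that quoting
# so option values containing whitespace stay single words in "$@".
eval set -- "$options"

while true
do
    case "$1" in
        -h|--help)      usage "$0" && exit 0;;
        -p|--path)      path=$2; shift 2;;
        --rootfs)       rootfs=$2; shift 2;;
        -n|--name)      name=$2; shift 2;;
        --)             shift 1; break ;;
        *)              break ;;
    esac
done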
335
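# Main flow: check privileges and arguments, work out the rootfs, then
# build, configure and describe the container.
if [ "$(id -u)" != "0" ]; then
    echo "This script should be run as 'root'"
    exit 1
fi

if [ -z "$path" ]; then
    echo "'path' parameter is required"
    exit 1
fi

# detect rootfs
config="$path/config"
if [ -z "$rootfs" ]; then
    if grep -q '^lxc.rootfs' "$config" 2>/dev/null ; then
        # Take the value of the first "lxc.rootfs = ..." line, with or
        # without blanks around "=", and trim the surrounding blanks so
        # the result can be passed on as one quoted word.
        rootfs=$(awk -F= '/^lxc\.rootfs[ \t]*=/{ gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }' "$config")
    else
        rootfs=$path/rootfs
    fi
fi

# The grep above also matches keys that merely start with "lxc.rootfs", so
# the extraction can come back empty. An empty rootfs must stop the script:
# the install step would otherwise create directories and device nodes and
# append to passwd/group relative to the host's "/".
if [ -z "$rootfs" ]; then
    echo "could not determine the container rootfs from $config" 1>&2
    exit 1
fi

if ! install_busybox "$rootfs" "$name"; then
    echo "failed to install busybox's rootfs"
    exit 1
fi

if ! configure_busybox "$rootfs"; then
    echo "failed to configure busybox template"
    exit 1
fi

if ! copy_configuration "$path" "$rootfs" "$name"; then
    echo "failed to write configuration file"
    exit 1
fi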