4 # lxc: linux Container library
7 # Daniel Lezcano <daniel.lezcano@free.fr>
9 # This library is free software; you can redistribute it and/or
10 # modify it under the terms of the GNU Lesser General Public
11 # License as published by the Free Software Foundation; either
12 # version 2.1 of the License, or (at your option) any later version.
14 # This library is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 # Lesser General Public License for more details.
19 # You should have received a copy of the GNU Lesser General Public
20 # License along with this library; if not, write to the Free Software
21 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
23 # Detect use under userns (unsupported)
25 if [ "$arg" == "--mapped-uid" ]; then
26 echo "This template can't be used for unprivileged containers." 1>&2
27 echo "You may want to try the \"download\" template instead." 1>&2
33 [ -e /proc
/self
/uid_map
] ||
{ echo no
; return; }
34 [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] ||
{ echo yes; return; }
35 line
=$
(awk '{ print $1 " " $2 " " $3 }' /proc
/self
/uid_map
)
36 [ "$line" = "0 0 4294967295" ] && { echo no
; return; }
41 [ $
(am_in_userns
) = "yes" ] && in_userns
=1
64 $rootfs/usr/share/udhcpc \
72 mkdir
-p $tree ||
return 1
73 chmod 755 $tree ||
return 1
75 pushd $rootfs/dev
> /dev
/null ||
return 1
77 # minimal devices needed for busybox
78 if [ $in_userns -eq 1 ]; then
79 for dev
in tty console tty0 tty1 tty5 ram0 null urandom
; do
80 touch $rootfs/dev
/$dev
81 echo "/dev/$dev dev/$dev none bind 0 0" >> $path/fstab
84 mknod
-m 666 tty c
5 0 || res
=1
85 mknod
-m 666 console c
5 1 || res
=1
86 mknod
-m 666 tty0 c
4 0 || res
=1
87 mknod
-m 666 tty1 c
4 0 || res
=1
88 mknod
-m 666 tty5 c
4 0 || res
=1
89 mknod
-m 600 ram0 b
1 0 || res
=1
90 mknod
-m 666 null c
1 3 || res
=1
91 mknod
-m 666 zero c
1 5 || res
=1
92 mknod
-m 666 urandom c
1 9 || res
=1
98 cat <<EOF >> $rootfs/etc/passwd
99 root:x:0:0:root:/root:/bin/sh
102 cat <<EOF >> $rootfs/etc/group
107 cat <<EOF >> $rootfs/etc/init.d/rcS
115 chmod 744 $rootfs/etc
/init.d
/rcS ||
return 1
118 cat <<EOF >> $rootfs/etc/fstab
119 shm /dev/shm tmpfs defaults 0 0
122 # writable and readable for other
123 chmod 644 $rootfs/etc
/fstab ||
return 1
125 # launch rcS first then make a console available
126 # and propose a shell on the tty, the last one is
128 cat <<EOF >> $rootfs/etc/inittab
129 ::sysinit:/etc/init.d/rcS
130 tty1::respawn:/bin/getty -L tty1 115200 vt100
131 console::askfirst:/bin/sh
133 # writable and readable for other
134 chmod 644 $rootfs/etc
/inittab ||
return 1
136 cat <<EOF >> $rootfs/usr/share/udhcpc/default.script
140 ip addr flush dev \$interface
144 # flush all the routes
145 if [ -n "\$router" ]; then
146 ip route del default 2> /dev/null
150 if [ -n "\$broadcast" ]; then
151 broadcast="broadcast \$broadcast"
154 # add a new ip address
155 ip addr add \$ip/\$mask \$broadcast dev \$interface
157 if [ -n "\$router" ]; then
158 ip route add default via \$router dev \$interface
161 [ -n "\$domain" ] && echo search \$domain > /etc/resolv.conf
163 echo nameserver \$i >> /etc/resolv.conf
170 chmod 744 $rootfs/usr
/share
/udhcpc
/default.
script
179 which busybox
>/dev
/null
2>&1
181 if [ $?
-ne 0 ]; then
182 echo "busybox executable is not accessible"
186 file $
(which busybox
) |
grep -q "statically linked"
187 if [ $?
-ne 0 ]; then
188 echo "warning : busybox is not statically linked."
189 echo "warning : The template script may not correctly"
190 echo "warning : setup the container environment."
193 # copy busybox in the rootfs
194 cp $
(which busybox
) $rootfs/bin
195 if [ $?
-ne 0 ]; then
196 echo "failed to copy busybox in the rootfs"
200 # symlink busybox for the commands it supports
201 # it would be nice to just use "chroot $rootfs busybox --install -s /bin"
202 # but that only works right in a chroot with busybox >= 1.19.0
203 pushd $rootfs/bin
> /dev
/null ||
return 1
204 .
/busybox
--help |
grep 'Currently defined functions:' -A300 | \
205 grep -v 'Currently defined functions:' |
tr , '\n' | \
206 xargs -n1 ln -s busybox
210 ln $rootfs/bin
/busybox
$rootfs/sbin
/init
212 # passwd exec must be setuid
213 chmod +s
$rootfs/bin
/passwd
214 touch $rootfs/etc
/shadow
216 # setting passwd for root
217 CHPASSWD_FILE
=$rootfs/root
/chpasswd.sh
219 cat <<EOF >$CHPASSWD_FILE
220 echo "setting root password to \"root\""
222 mount -n --bind /lib $rootfs/lib
223 if [ \$? -ne 0 ]; then
224 echo "Failed bind-mounting /lib at $rootfs/lib"
228 chroot $rootfs chpasswd <<EOFF 2>/dev/null
233 if [ \$? -ne 0 ]; then
234 echo "Failed to change root password"
242 lxc-unshare
-s MOUNT
-- /bin
/sh
< $CHPASSWD_FILE
245 # add ssh functionality if dropbear package available on host
246 which dropbear
>/dev
/null
2>&1
247 if [ $?
-eq 0 ]; then
248 # copy dropbear binary
249 cp $
(which dropbear
) $rootfs/usr
/sbin
250 if [ $?
-ne 0 ]; then
251 echo "Failed to copy dropbear in the rootfs"
255 # make symlinks to various ssh utilities
257 $rootfs/usr/bin/dbclient \
258 $rootfs/usr/bin/scp \
259 $rootfs/usr/bin/ssh \
260 $rootfs/usr/sbin/dropbearkey \
261 $rootfs/usr/sbin/dropbearconvert \
263 echo $utils |
xargs -n1 ln -s /usr
/sbin
/dropbear
265 # add necessary config files
266 mkdir
$rootfs/etc
/dropbear
267 dropbearkey
-t rsa
-f $rootfs/etc
/dropbear
/dropbear_rsa_host_key
> /dev
/null
2>&1
268 dropbearkey
-t dss
-f $rootfs/etc
/dropbear
/dropbear_dss_host_key
> /dev
/null
2>&1
270 echo "'dropbear' ssh utility installed"
282 grep -q "^lxc.rootfs" $path/config
2>/dev
/null ||
echo "lxc.rootfs = $rootfs" >> $path/config
283 cat <<EOF >> $path/config
284 lxc.haltsignal = SIGUSR1
288 lxc.cap.drop = sys_module mac_admin mac_override sys_time
290 # When using LXC with apparmor, uncomment the next line to run unconfined:
291 #lxc.aa_profile = unconfined
300 for dir
in $libdirs; do
301 if [ -d "/$dir" ] && [ -d "$rootfs/$dir" ]; then
302 echo "lxc.mount.entry = /$dir $dir none ro,bind 0 0" >> $path/config
305 echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >>$path/config
306 echo "lxc.mount.auto = proc:mixed sys" >>$path/config
312 $1 -h|--help -p|--path=<path>
317 options
=$
(getopt
-o hp
:n
: -l help,rootfs
:,path
:,name
: -- "$@")
318 if [ $?
-ne 0 ]; then
322 eval set -- "$options"
327 -h|
--help) usage
$0 && exit 0;;
328 -p|
--path) path
=$2; shift 2;;
329 --rootfs) rootfs
=$2; shift 2;;
330 -n|
--name) name
=$2; shift 2;;
331 --) shift 1; break ;;
336 if [ "$(id -u)" != "0" ]; then
337 echo "This script should be run as 'root'"
341 if [ -z "$path" ]; then
342 echo "'path' parameter is required"
347 config
="$path/config"
348 if [ -z "$rootfs" ]; then
349 if grep -q '^lxc.rootfs' $config 2>/dev
/null
; then
350 rootfs
=$
(awk -F= '/^lxc.rootfs =/{ print $2 }' $config)
356 install_busybox
$rootfs $name
357 if [ $?
-ne 0 ]; then
358 echo "failed to install busybox's rootfs"
362 configure_busybox
$rootfs
363 if [ $?
-ne 0 ]; then
364 echo "failed to configure busybox template"
368 copy_configuration
$path $rootfs $name
369 if [ $?
-ne 0 ]; then
370 echo "failed to write configuration file"