4 # lxc: linux Container library
7 # Daniel Lezcano <daniel.lezcano@free.fr>
9 # This library is free software; you can redistribute it and/or
10 # modify it under the terms of the GNU Lesser General Public
11 # License as published by the Free Software Foundation; either
12 # version 2.1 of the License, or (at your option) any later version.
14 # This library is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 # Lesser General Public License for more details.
19 # You should have received a copy of the GNU Lesser General Public
20 # License along with this library; if not, write to the Free Software
21 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
26 # Make sure the usual locations are in PATH
27 export PATH
=$PATH:/usr
/sbin
:/usr
/bin
:/sbin
:/bin
30 [ -e /proc
/self
/uid_map
] ||
{ echo no
; return; }
31 [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] ||
{ echo yes; return; }
32 line
=$
(awk '{ print $1 " " $2 " " $3 }' /proc
/self
/uid_map
)
33 [ "$line" = "0 0 4294967295" ] && { echo no
; return; }
38 [ $
(am_in_userns
) = "yes" ] && in_userns
=1
61 $rootfs/usr/share/udhcpc \
69 mkdir
-p $tree ||
return 1
70 chmod 755 $tree ||
return 1
72 pushd $rootfs/dev
> /dev
/null ||
return 1
74 # minimal devices needed for busybox
75 if [ $in_userns -eq 1 ]; then
76 for dev
in tty console tty0 tty1 ram0 null urandom
; do
77 echo "/dev/$dev dev/$dev none bind,optional,create=file 0 0" >> $path/fstab
80 mknod
-m 666 tty c
5 0 || res
=1
81 mknod
-m 666 console c
5 1 || res
=1
82 mknod
-m 666 tty0 c
4 0 || res
=1
83 mknod
-m 666 tty1 c
4 0 || res
=1
84 mknod
-m 666 tty5 c
4 0 || res
=1
85 mknod
-m 600 ram0 b
1 0 || res
=1
86 mknod
-m 666 null c
1 3 || res
=1
87 mknod
-m 666 zero c
1 5 || res
=1
88 mknod
-m 666 urandom c
1 9 || res
=1
94 cat <<EOF >> $rootfs/etc/passwd
95 root:x:0:0:root:/root:/bin/sh
98 cat <<EOF >> $rootfs/etc/group
103 cat <<EOF >> $rootfs/etc/init.d/rcS
111 chmod 744 $rootfs/etc
/init.d
/rcS ||
return 1
114 cat <<EOF >> $rootfs/etc/fstab
115 shm /dev/shm tmpfs defaults 0 0
118 # writable and readable for other
119 chmod 644 $rootfs/etc
/fstab ||
return 1
121 # launch rcS first then make a console available
122 # and propose a shell on the tty, the last one is
124 cat <<EOF >> $rootfs/etc/inittab
125 ::sysinit:/etc/init.d/rcS
126 tty1::respawn:/bin/getty -L tty1 115200 vt100
127 console::askfirst:/bin/sh
129 # writable and readable for other
130 chmod 644 $rootfs/etc
/inittab ||
return 1
132 cat <<EOF >> $rootfs/usr/share/udhcpc/default.script
136 ip addr flush dev \$interface
140 # flush all the routes
141 if [ -n "\$router" ]; then
142 ip route del default 2> /dev/null
146 if [ -n "\$broadcast" ]; then
147 broadcast="broadcast \$broadcast"
150 # add a new ip address
151 ip addr add \$ip/\$mask \$broadcast dev \$interface
153 if [ -n "\$router" ]; then
154 ip route add default via \$router dev \$interface
157 [ -n "\$domain" ] && echo search \$domain > /etc/resolv.conf
159 echo nameserver \$i >> /etc/resolv.conf
166 chmod 744 $rootfs/usr
/share
/udhcpc
/default.
script
175 which busybox
>/dev
/null
2>&1
177 if [ $?
-ne 0 ]; then
178 echo "busybox executable is not accessible"
182 file -L $
(which busybox
) |
grep -q "statically linked"
183 if [ $?
-ne 0 ]; then
184 echo "warning : busybox is not statically linked."
185 echo "warning : The template script may not correctly"
186 echo "warning : setup the container environment."
189 # copy busybox in the rootfs
190 cp $
(which busybox
) $rootfs/bin
191 if [ $?
-ne 0 ]; then
192 echo "failed to copy busybox in the rootfs"
196 # symlink busybox for the commands it supports
197 # it would be nice to just use "chroot $rootfs busybox --install -s /bin"
198 # but that only works right in a chroot with busybox >= 1.19.0
199 pushd $rootfs/bin
> /dev
/null ||
return 1
200 .
/busybox
--help |
grep 'Currently defined functions:' -A300 | \
201 grep -v 'Currently defined functions:' |
tr , '\n' | \
202 xargs -n1 ln -s busybox
206 ln $rootfs/bin
/busybox
$rootfs/sbin
/init
208 # passwd exec must be setuid
209 chmod +s
$rootfs/bin
/passwd
210 touch $rootfs/etc
/shadow
212 # setting passwd for root
213 CHPASSWD_FILE
=$rootfs/root
/chpasswd.sh
215 cat <<EOF >$CHPASSWD_FILE
216 echo "setting root password to \"root\""
218 mount -n --bind /lib $rootfs/lib
219 if [ \$? -ne 0 ]; then
220 echo "Failed bind-mounting /lib at $rootfs/lib"
224 chroot $rootfs chpasswd <<EOFF 2>/dev/null
229 if [ \$? -ne 0 ]; then
230 echo "Failed to change root password"
238 lxc-unshare
-s MOUNT
-- /bin
/sh
< $CHPASSWD_FILE
241 # add ssh functionality if dropbear package available on host
242 which dropbear
>/dev
/null
2>&1
243 if [ $?
-eq 0 ]; then
244 # copy dropbear binary
245 cp $
(which dropbear
) $rootfs/usr
/sbin
246 if [ $?
-ne 0 ]; then
247 echo "Failed to copy dropbear in the rootfs"
251 # make symlinks to various ssh utilities
253 $rootfs/usr/bin/dbclient \
254 $rootfs/usr/bin/scp \
255 $rootfs/usr/bin/ssh \
256 $rootfs/usr/sbin/dropbearkey \
257 $rootfs/usr/sbin/dropbearconvert \
259 echo $utils |
xargs -n1 ln -s /usr
/sbin
/dropbear
261 # add necessary config files
262 mkdir
$rootfs/etc
/dropbear
263 dropbearkey
-t rsa
-f $rootfs/etc
/dropbear
/dropbear_rsa_host_key
> /dev
/null
2>&1
264 dropbearkey
-t dss
-f $rootfs/etc
/dropbear
/dropbear_dss_host_key
> /dev
/null
2>&1
266 echo "'dropbear' ssh utility installed"
278 grep -q "^lxc.rootfs" $path/config
2>/dev
/null ||
echo "lxc.rootfs = $rootfs" >> $path/config
279 cat <<EOF >> $path/config
280 lxc.haltsignal = SIGUSR1
284 lxc.cap.drop = sys_module mac_admin mac_override sys_time
286 # When using LXC with apparmor, uncomment the next line to run unconfined:
287 #lxc.aa_profile = unconfined
296 for dir
in $libdirs; do
297 if [ -d "/$dir" ] && [ -d "$rootfs/$dir" ]; then
298 echo "lxc.mount.entry = /$dir $dir none ro,bind 0 0" >> $path/config
301 echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >>$path/config
302 echo "lxc.mount.auto = proc:mixed sys" >>$path/config
304 if [ -f "$path/fstab" ]; then
305 echo "lxc.mount = $path/fstab" >>$path/config
313 if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
314 chown
$LXC_MAPPED_UID $path/config
$path/fstab
>/dev
/null
2>&1
315 chown
-R root
$path/rootfs
>/dev
/null
2>&1
318 if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
319 chgrp
$LXC_MAPPED_GID $path/config
$path/fstab
>/dev
/null
2>&1
320 chgrp
-R root
$path/rootfs
>/dev
/null
2>&1
327 $1 -h|--help -p|--path=<path>
332 options
=$
(getopt
-o hp
:n
: -l help,rootfs
:,path
:,name
:,mapped-uid
:,mapped-gid
: -- "$@")
333 if [ $?
-ne 0 ]; then
337 eval set -- "$options"
342 -h|
--help) usage
$0 && exit 0;;
343 -p|
--path) path
=$2; shift 2;;
344 --rootfs) rootfs
=$2; shift 2;;
345 -n|
--name) name
=$2; shift 2;;
346 --mapped-uid) LXC_MAPPED_UID
=$2; shift 2;;
347 --mapped-gid) LXC_MAPPED_GID
=$2; shift 2;;
348 --) shift 1; break ;;
353 if [ "$(id -u)" != "0" ]; then
354 echo "This script should be run as 'root'"
358 if [ -z "$path" ]; then
359 echo "'path' parameter is required"
364 config
="$path/config"
365 if [ -z "$rootfs" ]; then
366 if grep -q '^lxc.rootfs' $config 2>/dev
/null
; then
367 rootfs
=$
(awk -F= '/^lxc.rootfs =/{ print $2 }' $config)
373 install_busybox
$rootfs $name
374 if [ $?
-ne 0 ]; then
375 echo "failed to install busybox's rootfs"
379 configure_busybox
$rootfs
380 if [ $?
-ne 0 ]; then
381 echo "failed to configure busybox template"
385 copy_configuration
$path $rootfs $name
386 if [ $?
-ne 0 ]; then
387 echo "failed to write configuration file"
392 if [ $?
-ne 0 ]; then
393 echo "failed to remap files to user"