3 # Client script for LXC container images.
5 # Copyright © 2014 Stéphane Graber <stgraber@ubuntu.com>
7 # This library is free software; you can redistribute it and/or
8 # modify it under the terms of the GNU Lesser General Public
9 # License as published by the Free Software Foundation; either
10 # version 2.1 of the License, or (at your option) any later version.
12 # This library is distributed in the hope that it will be useful,
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 # Lesser General Public License for more details.
17 # You should have received a copy of the GNU Lesser General Public
18 # License along with this library; if not, write to the Free Software
19 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
24 LXC_TEMPLATE_CONFIG
="@LXCTEMPLATECONFIG@"
25 LXC_HOOK_DIR
="@LXCHOOKDIR@"
26 LOCALSTATEDIR
="@LOCALSTATEDIR@"
32 DOWNLOAD_VARIANT
="default"
33 DOWNLOAD_SERVER
="images.linuxcontainers.org"
34 DOWNLOAD_KEYID
="0xBAEFF88C22F6E216"
35 DOWNLOAD_KEYSERVER
="pool.sks-keyservers.net"
36 DOWNLOAD_VALIDATE
="true"
37 DOWNLOAD_FLUSH_CACHE
="false"
38 DOWNLOAD_FORCE_CACHE
="false"
39 DOWNLOAD_MODE
="system"
40 DOWNLOAD_USE_CACHE
="false"
42 DOWNLOAD_SHOW_HTTP_WARNING
="true"
43 DOWNLOAD_SHOW_GPG_WARNING
="true"
44 DOWNLOAD_READY_GPG
="false"
45 DOWNLOAD_COMPAT_LEVEL
=1
46 DOWNLOAD_LIST_IMAGES
="false"
48 DOWNLOAD_INTERACTIVE
="false"
55 # Some useful functions
57 if [ -d "$DOWNLOAD_TEMP" ]; then
63 if ! wget
-q https
://${DOWNLOAD_SERVER}/$1 -O $2 >/dev
/null
2>&1; then
64 if ! wget
-q http
://${DOWNLOAD_SERVER}/$1 -O $2 >/dev
/null
2>&1; then
65 if [ "$3" = "noexit" ]; then
68 echo "ERROR: Failed to download http://${DOWNLOAD_SERVER}/$1" 1>&2
71 elif [ "$DOWNLOAD_SHOW_HTTP_WARNING" = "true" ]; then
72 DOWNLOAD_SHOW_HTTP_WARNING
="false"
73 echo "WARNING: Failed to download the file over HTTPs." 1>&2
74 echo -n " The file was instead download over HTTP. " 1>&2
75 echo "A server replay attack may be possible!" 1>&2
81 if ! download_file
$1 $2 noexit
; then
82 if [ "$DOWNLOAD_VALIDATE" = "true" ]; then
83 if [ "$3" = "normal" ]; then
84 echo "ERROR: Failed to download http://${DOWNLOAD_SERVER}/$1" 1>&2
96 if [ "$DOWNLOAD_VALIDATE" = "false" ]; then
100 if [ "$DOWNLOAD_READY_GPG" = "true" ]; then
104 echo "Setting up the GPG keyring"
106 mkdir
-p "$DOWNLOAD_TEMP/gpg"
107 chmod 700 "$DOWNLOAD_TEMP/gpg"
108 export GNUPGHOME
="$DOWNLOAD_TEMP/gpg"
109 if ! gpg
--keyserver $DOWNLOAD_KEYSERVER \
110 --recv-keys ${DOWNLOAD_KEYID} >/dev
/null
2>&1; then
111 echo "ERROR: Unable to fetch GPG key from keyserver."
115 DOWNLOAD_READY_GPG
="true"
119 if [ "$DOWNLOAD_VALIDATE" = "false" ]; then
120 if [ "$DOWNLOAD_SHOW_GPG_WARNING" = "true" ]; then
121 echo "WARNING: Running without gpg validation!" 1>&2
123 DOWNLOAD_SHOW_GPG_WARNING
="false"
127 if ! gpg
--verify $1 >/dev
/zero
2>&1; then
128 echo "ERROR: Invalid signature for $1" 1>&2
134 [ -e /proc
/self
/uid_map
] ||
{ echo no
; return; }
135 [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || \
136 { echo yes; return; }
137 line
=$
(awk '{ print $1 " " $2 " " $3 }' /proc
/self
/uid_map
)
138 [ "$line" = "0 0 4294967295" ] && { echo no
; return; }
143 FILE_PATH
="${LXC_CACHE_PATH}/$1"
144 if [ -e "${FILE_PATH}-${DOWNLOAD_MODE}" ]; then
145 FILE_PATH
="${FILE_PATH}-${DOWNLOAD_MODE}"
147 if [ -e "$FILE_PATH.${DOWNLOAD_COMPAT_LEVEL}" ]; then
148 FILE_PATH
="${FILE_PATH}.${DOWNLOAD_COMPAT_LEVEL}"
156 LXC container image downloader
159 [ -d | --dist <distribution> ]: The name of the distribution
160 [ -r | --release <release> ]: Release name/version
161 [ -a | --arch <architecture> ]: Architecture of the container
164 [ -h | --help ]: This help message
165 [ -l | --list ]: List all available images
166 [ --variant <variant> ]: Variant of the image (default: "default")
167 [ --server <server> ]: Image server (default: "images.linuxcontainers.org")
168 [ --keyid <keyid> ]: GPG keyid (default: 0x...)
169 [ --keyserver <keyserver> ]: GPG keyserver to use
170 [ --no-validate ]: Disable GPG validation (not recommended)
171 [ --flush-cache ]: Flush the local copy (if present)
172 [ --force-cache ]; Force the use of the local copy even if expired
174 LXC internal arguments (do not pass manually!):
175 [ --name <name> ]: The container name
176 [ --path <path> ]: The path to the container
177 [ --rootfs <rootfs> ]: The path to the container's rootfs
178 [ --mapped-uid <map> ]: A uid/gid map (user namespaces)
183 options
=$
(getopt
-o d
:r
:a
:hl
-l dist
:,release
:,arch
:,help,list
,variant
:,\
184 server
:,keyid
:,no-validate
,flush-cache
,force-cache
,name
:,path
:,\
185 rootfs
:,mapped-uid
: -- "$@")
187 if [ $?
-ne 0 ]; then
191 eval set -- "$options"
195 -h|
--help) usage
&& exit 1;;
196 -l|
--list) DOWNLOAD_LIST_IMAGES
="true"; shift 1;;
197 -d|
--dist) DOWNLOAD_DIST
=$2; shift 2;;
198 -r|
--release) DOWNLOAD_RELEASE
=$2; shift 2;;
199 -a|
--arch) DOWNLOAD_ARCH
=$2; shift 2;;
200 --variant) DOWNLOAD_VARIANT
=$2; shift 2;;
201 --server) DOWNLOAD_SERVER
=$2; shift 2;;
202 --keyid) DOWNLOAD_KEYID
=$2; shift 2;;
203 --no-validate) DOWNLOAD_VALIDATE
="false"; shift 1;;
204 --flush-cache) DOWNLOAD_FLUSH_CACHE
="true"; shift 1;;
205 --force-cache) DOWNLOAD_FORCE_CACHE
="true"; shift 1;;
206 --name) LXC_NAME
=$2; shift 2;;
207 --path) LXC_PATH
=$2; shift 2;;
208 --rootfs) LXC_ROOTFS
=$2; shift 2;;
209 --mapped-uid) LXC_MAPPED_UID
=$2; shift 2;;
214 # Check for required binaries
215 for bin
in tar xz wget
; do
216 if ! type $bin >/dev
/null
2>&1; then
217 echo "ERROR: Missing required tool: $bin" 1>&2
223 if [ "$DOWNLOAD_VALIDATE" = "true" ]; then
224 if ! type gpg
>/dev
/null
2>&1; then
225 echo "ERROR: Missing recommended tool: gpg" 1>&2
226 echo "You can workaround this by using --no-validate." 1>&2
231 # Check that we have all variables we need
232 if [ -z "$LXC_NAME" ] ||
[ -z "$LXC_PATH" ] ||
[ -z "$LXC_ROOTFS" ]; then
233 echo "ERROR: Not running through LXC." 1>&2
237 if [ "$(in_userns)" = "yes" ]; then
238 if [ -z "$LXC_MAPPED_UID" ] ||
[ "$LXC_MAPPED_UID" = "-1" ]; then
239 echo "ERROR: In a user namespace without a map." 1>&2
245 if [ -z "$DOWNLOAD_DIST" ] ||
[ -z "$DOWNLOAD_RELEASE" ] || \
246 [ -z "$DOWNLOAD_ARCH" ]; then
247 DOWNLOAD_INTERACTIVE
="true"
250 # Trap all exit signals
251 trap cleanup EXIT HUP INT TERM
252 DOWNLOAD_TEMP
=$
(mktemp
-d)
255 if [ "$DOWNLOAD_LIST_IMAGES" = "true" ] || \
256 [ "$DOWNLOAD_INTERACTIVE" = "true" ]; then
261 DOWNLOAD_INDEX_PATH
=/meta
/1.0/index-
${DOWNLOAD_MODE}
263 echo "Downloading the image index"
264 if ! download_file
${DOWNLOAD_INDEX_PATH}.
${DOWNLOAD_COMPAT_LEVEL} \
265 ${DOWNLOAD_TEMP}/index noexit ||
266 ! download_sig
${DOWNLOAD_INDEX_PATH}.
${DOWNLOAD_COMPAT_LEVEL}.asc \
267 ${DOWNLOAD_TEMP}/index.asc noexit
; then
268 download_file
${DOWNLOAD_INDEX_PATH} ${DOWNLOAD_TEMP}/index normal
269 download_sig
${DOWNLOAD_INDEX_PATH}.asc \
270 ${DOWNLOAD_TEMP}/index.asc normal
273 gpg_validate
${DOWNLOAD_TEMP}/index.asc
278 echo "DIST\tRELEASE\tARCH\tVARIANT\tBUILD"
287 [ -n "$DOWNLOAD_DIST" ] && [ "$1" != "$DOWNLOAD_DIST" ] && continue
288 [ -n "$DOWNLOAD_RELEASE" ] && [ "$2" != "$DOWNLOAD_RELEASE" ] && continue
289 [ -n "$DOWNLOAD_ARCH" ] && [ "$3" != "$DOWNLOAD_ARCH" ] && continue
290 [ -n "$DOWNLOAD_VARIANT" ] && [ "$4" != "$DOWNLOAD_VARIANT" ] && continue
291 [ -z "$5" ] ||
[ -z "$6" ] && continue
293 echo "$1\t$2\t$3\t$4\t$5"
294 done < ${DOWNLOAD_TEMP}/index
297 if [ "$DOWNLOAD_LIST_IMAGES" = "true" ]; then
304 if [ -z "$DOWNLOAD_DIST" ]; then
305 echo -n "Distribution: "
309 if [ -z "$DOWNLOAD_RELEASE" ]; then
311 read DOWNLOAD_RELEASE
314 if [ -z "$DOWNLOAD_ARCH" ]; then
315 echo -n "Architecture: "
323 if [ "$DOWNLOAD_MODE" = "system" ]; then
324 LXC_CACHE_BASE
="$LOCALSTATEDIR/cache/"
325 LXC_CACHE_PATH
="$LOCALSTATEDIR/cache/lxc/download/$DOWNLOAD_DIST"
326 LXC_CACHE_PATH
="$LXC_CACHE_PATH/$DOWNLOAD_RELEASE/$DOWNLOAD_ARCH"
328 LXC_CACHE_BASE
="$HOME/.cache/lxc/"
329 LXC_CACHE_PATH
="$HOME/.cache/lxc/download/$DOWNLOAD_DIST"
330 LXC_CACHE_PATH
="$LXC_CACHE_PATH/$DOWNLOAD_RELEASE/$DOWNLOAD_ARCH"
333 if [ -d "$LXC_CACHE_PATH" ]; then
334 if [ "$DOWNLOAD_FLUSH_CACHE" = "true" ]; then
335 echo "Flushing the cache..."
336 rm -Rf $LXC_CACHE_PATH
337 elif [ "$DOWNLOAD_FORCE_CACHE" = "true" ]; then
338 DOWNLOAD_USE_CACHE
="true"
340 DOWNLOAD_USE_CACHE
="true"
341 if [ -e "$(relevant_file expiry)" ]; then
342 if [ "$(cat $(relevant_file expiry))" -lt $
(date +%s
) ]; then
343 echo "The cached copy has expired, re-downloading..."
344 DOWNLOAD_USE_CACHE
="false"
350 # Download what's needed
351 if [ "$DOWNLOAD_USE_CACHE" = "false" ]; then
356 DOWNLOAD_INDEX_PATH
=/meta
/1.0/index-
${DOWNLOAD_MODE}
358 echo "Downloading the image index"
359 if ! download_file
${DOWNLOAD_INDEX_PATH}.
${DOWNLOAD_COMPAT_LEVEL} \
360 ${DOWNLOAD_TEMP}/index noexit ||
361 ! download_sig
${DOWNLOAD_INDEX_PATH}.
${DOWNLOAD_COMPAT_LEVEL}.asc \
362 ${DOWNLOAD_TEMP}/index.asc noexit
; then
363 download_file
${DOWNLOAD_INDEX_PATH} ${DOWNLOAD_TEMP}/index normal
364 download_sig
${DOWNLOAD_INDEX_PATH}.asc \
365 ${DOWNLOAD_TEMP}/index.asc normal
368 gpg_validate
${DOWNLOAD_TEMP}/index.asc
378 if [ "$1" != "$DOWNLOAD_DIST" ] || \
379 [ "$2" != "$DOWNLOAD_RELEASE" ] || \
380 [ "$3" != "$DOWNLOAD_ARCH" ] || \
381 [ "$4" != "$DOWNLOAD_VARIANT" ] || \
389 done < ${DOWNLOAD_TEMP}/index
391 if [ -z "$DOWNLOAD_URL" ]; then
392 echo "ERROR: Couldn't find a matching image." 1>&1
396 if [ -d "$LXC_CACHE_PATH" ] && [ -f "$LXC_CACHE_PATH/build_id" ] && \
397 [ "$(cat $LXC_CACHE_PATH/build_id)" = "$DOWNLOAD_BUILD" ]; then
398 echo "The cache is already up to date."
399 echo "Using image from local cache"
401 # Download the actual files
402 echo "Downloading the rootfs"
403 download_file
$DOWNLOAD_URL/rootfs.
tar.xz \
404 ${DOWNLOAD_TEMP}/rootfs.
tar.xz normal
405 download_sig
$DOWNLOAD_URL/rootfs.
tar.xz.asc \
406 ${DOWNLOAD_TEMP}/rootfs.
tar.xz.asc normal
407 gpg_validate
${DOWNLOAD_TEMP}/rootfs.
tar.xz.asc
409 echo "Downloading the metadata"
410 download_file
$DOWNLOAD_URL/meta.
tar.xz \
411 ${DOWNLOAD_TEMP}/meta.
tar.xz normal
412 download_sig
$DOWNLOAD_URL/meta.
tar.xz.asc \
413 ${DOWNLOAD_TEMP}/meta.
tar.xz.asc normal
414 gpg_validate
${DOWNLOAD_TEMP}/meta.
tar.xz.asc
416 if [ -d $LXC_CACHE_PATH ]; then
417 rm -Rf $LXC_CACHE_PATH
419 mkdir
-p $LXC_CACHE_PATH
420 mv ${DOWNLOAD_TEMP}/rootfs.
tar.xz
$LXC_CACHE_PATH
421 if ! tar Jxf
${DOWNLOAD_TEMP}/meta.
tar.xz
-C $LXC_CACHE_PATH; then
422 echo "ERROR: Invalid rootfs tarball." 2>&1
426 echo $DOWNLOAD_BUILD > $LXC_CACHE_PATH/build_id
428 if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
429 chown
-R $LXC_MAPPED_UID $LXC_CACHE_BASE >/dev
/null
2>&1 || true
431 echo "The image cache is now ready"
434 echo "Using image from local cache"
438 echo "Unpacking the rootfs"
441 excludelist
=$
(relevant_file excludes
)
442 if [ -f "${excludelist}" ]; then
444 EXCLUDES
="$EXCLUDES --exclude=$line"
448 tar --anchored ${EXCLUDES} --numeric-owner -xpJf \
449 ${LXC_CACHE_PATH}/rootfs.
tar.xz
-C ${LXC_ROOTFS}
451 mkdir
-p ${LXC_ROOTFS}/dev
/pts
/
453 # Setup the configuration
454 configfile
=$
(relevant_file config
)
455 fstab
=$
(relevant_file fstab
)
456 if [ ! -e $configfile ]; then
457 echo "ERROR: meta tarball is missing the configuration file" 1>&2
461 ## Extract all the network config entries
462 sed -i -e "/lxc.network/{w ${LXC_PATH}/config-network" -e "d}" \
465 ## Extract any other config entry
466 sed -i -e "/lxc./{w ${LXC_PATH}/config-auto" -e "d}" ${LXC_PATH}/config
468 ## Append the defaults
469 echo "" >> ${LXC_PATH}/config
470 echo "# Distribution configuration" >> ${LXC_PATH}/config
471 cat $configfile >> ${LXC_PATH}/config
473 ## Add the container-specific config
474 echo "" >> ${LXC_PATH}/config
475 echo "# Container specific configuration" >> ${LXC_PATH}/config
476 if [ -e "${LXC_PATH}/config-auto" ]; then
477 cat ${LXC_PATH}/config-auto
>> ${LXC_PATH}/config
478 rm ${LXC_PATH}/config-auto
480 if [ -e "$fstab" ]; then
481 echo "lxc.mount = ${LXC_PATH}/fstab" >> ${LXC_PATH}/config
483 echo "lxc.utsname = ${LXC_NAME}" >> ${LXC_PATH}/config
485 ## Re-add the previously removed network config
486 if [ -e "${LXC_PATH}/config-network" ]; then
487 echo "" >> ${LXC_PATH}/config
488 echo "# Network configuration" >> ${LXC_PATH}/config
489 cat ${LXC_PATH}/config-network
>> ${LXC_PATH}/config
490 rm ${LXC_PATH}/config-network
493 TEMPLATE_FILES
="${LXC_PATH}/config"
496 if [ -e $fstab ]; then
497 cp ${fstab} ${LXC_PATH}/fstab
498 TEMPLATE_FILES
="$TEMPLATE_FILES ${LXC_PATH}/fstab"
501 # Look for extra templates
502 if [ -e "$(relevant_file templates)" ]; then
504 fullpath
=${LXC_ROOTFS}/$line
505 [ ! -e "$fullpath" ] && continue
506 TEMPLATE_FILES
="$TEMPLATE_FILES $fullpath"
507 done < $
(relevant_file templates
)
510 # Replace variables in all templates
511 for file in $TEMPLATE_FILES; do
512 [ ! -f "$file" ] && continue
514 sed -i "s#LXC_NAME#$LXC_NAME#g" $file
515 sed -i "s#LXC_PATH#$LXC_PATH#g" $file
516 sed -i "s#LXC_ROOTFS#$LXC_ROOTFS#g" $file
517 sed -i "s#LXC_TEMPLATE_CONFIG#$LXC_TEMPLATE_CONFIG#g" $file
518 sed -i "s#LXC_HOOK_DIR#$LXC_HOOK_DIR#g" $file
521 if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
522 chown
$LXC_MAPPED_UID $LXC_PATH/config
$LXC_PATH/fstab
>/dev
/null
2>&1 || true
525 if [ -e "$(relevant_file create-message)" ]; then
528 cat "$(relevant_file create-message)"