2 # vim: set ts=4 sw=4 expandtab
4 # Exit on error and treat unset variables as an error.
8 # LXC template for Sabayon OS, based of Alpine script.
12 # Geaaru <geaaru@gmail.com>
14 # This library is free software; you can redistribute it and/or
15 # modify it under the terms of the GNU Lesser General Public
16 # License as published by the Free Software Foundation; either
17 # version 2.1 of the License, or (at your option) any later version.
19 # This library is distributed in the hope that it will be useful,
20 # but WITHOUT ANY WARRANTY; without even the implied warranty of
21 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
22 # Lesser General Public License for more details.
24 # You should have received a copy of the GNU Lesser General Public
25 # License along with this library; if not, write to the Free Software
26 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
29 #=========================== Constants ============================#
31 # Make sure the usual locations are in PATH
32 export PATH
=$PATH:/usr
/sbin
:/usr
/bin
:/sbin
:/bin
34 readonly LOCAL_STATE_DIR
='@LOCALSTATEDIR@'
35 readonly LXC_TEMPLATE_CONFIG
='@LXCTEMPLATECONFIG@'
38 # Temporary static MIRROR LIST. I will get list from online path on the near future.
39 readonly MIRRORS_LIST
="
40 http://mirror.it.sabayon.org/
41 http://dl.sabayon.org/
42 http://ftp.kddilabs.jp/Linux/packages/sabayonlinux/
43 ftp://ftp.klid.dk/sabayonlinux/
44 http://ftp.fsn.hu/pub/linux/distributions/sabayon/
45 http://ftp.cc.uoc.gr/mirrors/linux/SabayonLinux/
46 http://ftp.rnl.ist.utl.pt/pub/sabayon/
47 ftp://ftp.nluug.nl/pub/os/Linux/distr/sabayonlinux/
48 http://ftp.surfnet.nl/pub/os/Linux/distr/sabayonlinux/
49 http://mirror.internode.on.net/pub/sabayon/
50 http://mirror.yandex.ru/sabayon/
51 http://sabayon.c3sl.ufpr.br/
52 http://mirror.clarkson.edu/sabayon/
53 http://na.mirror.garr.it/mirrors/sabayonlinux/"
55 #======================== Global variables ========================#
57 # Clean variables and set defaults.
71 #======================== Helper Functions ========================#
75 Template specific options can be passed to lxc-create after a '--' like this:
77 lxc-create --name=NAME [lxc-create-options] -- [template-options]
80 -a ARCH, --arch=ARCH The container architecture (e.g. x86_64, armv7); defaults
82 -d, --debug Run this script in a debug mode (set -x and wget w/o -q).
83 -m URL --mirror=URL The Sabayon mirror to use; defaults to random mirror.
84 -u, --unprivileged Tuning of rootfs for unprivileged containers.
85 -r, --release Identify release to use. Default is DAILY.
86 --mapped-gid Group Id to use on unprivileged container
87 (based of value present on file /etc/subgid).
88 --mapped-uid User Id to use on unprivileged container
89 (based of value present on file /etc/subuid)
90 --flush-owner Only for directly creation of unprivileged containers
91 through lxc-create command. Execute fuidshift command.
92 Require --mapped-gid,--mapped-uid and --unprivileged
95 Environment variables:
96 RELEASE Release version of Sabayon. Default is ${RELEASE}.
100 random_mirror_url
() {
103 if [ $arch == 'amd64' ] ; then
104 url
=$
(echo $MIRRORS_LIST |
sed -e 's/ /\n/g' |
sort -R --random-source=/dev
/urandom |
head -n 1)
106 if [ $arch == 'armv7l' ] ; then
107 # Currently armv7l tarball is not on sabayon mirrored tree.
108 url
="https://dockerbuilder.sabayon.org/"
112 [ -n "$url" ] && echo "$url"
116 local retval
=$1; shift
127 if [ "$debug" = 'yes' ]; then
130 wget
-T 10 -O - -q $@
136 x86_64 | amd64
) echo 'amd64';;
137 armv7 | armv7l
) echo 'armv7l';;
138 #arm*) echo 'armhf';;
150 mkdir
-p "$LOCAL_STATE_DIR/lock/subsys"
154 echo -n "Obtaining an exclusive lock..."
155 if ! flock
-x 9; then
163 } 9> "$LOCAL_STATE_DIR/lock/subsys/lxc-sabayon-$lock_name"
171 # Example of amd64 tarball url
172 # http://mirror.yandex.ru/sabayon/iso/daily/Sabayon_Linux_DAILY_amd64_tarball.tar.gz
174 if [ $arch == 'amd64' ] ; then
176 if [ $release = 'DAILY' ] ; then
177 url
="${MIRROR_URL}iso/daily/Sabayon_Linux_DAILY_amd64_tarball.tar.gz"
179 url
="${MIRROR_URL}iso/monthly/Sabayon_Linux_${release}_amd64_tarball.tar.gz"
182 # https://dockerbuilder.sabayon.org/Sabayon_Linux_16_armv7l.tar.bz2
183 if [ $arch == 'armv7l' ] ; then
185 # Currently $arch tarball is not on sabayon mirrored tree.
186 url
="${MIRROR_URL}Sabayon_Linux_16_armv7l.tar.bz2"
195 #=========================== Configure ===========================#
197 unprivileged_rootfs
() {
199 pushd ${rootfs}/etc
/systemd
/system
201 # Disable systemd-journald-audit.socket because it seems that doesn't
202 # start correctly on unprivileged container
203 ln -s /dev
/null systemd-journald-audit.socket
205 # Disable systemd-remount-fs.service because on unprivileged container
206 # systemd can't remount filesystem
207 ln -s /dev
/null systemd-remount-fs.service
209 # Remove mount of FUSE Control File system
210 ln -s /dev
/null sys-fs-fuse-connections.mount
212 # Change execution of service systemd-sysctl to avoid errors.
213 mkdir systemd-sysctl.service.d
214 cat <<EOF > systemd-sysctl.service.d/00gentoo.conf
217 ExecStart=/usr/lib/systemd/systemd-sysctl --prefix=/etc/sysctl.d/
220 # Disable mount of hugepages
221 ln -s /dev
/null dev-hugepages.mount
227 # Disable sabayon-anti-fork-bomb limits (already apply to lxc container manager)
228 sed -i -e 's/^*/#*/g' .
/etc
/security
/limits.d
/00-sabayon-anti-fork-bomb.conf ||
return 1
229 sed -i -e 's/^root/#root/g' .
/etc
/security
/limits.d
/00-sabayon-anti-fork-bomb.conf ||
return 1
236 unprivileged_shift_owner
() {
238 # I use /usr/bin/fuidshift from LXD project.
240 einfo
"Executing: fuidshift ${rootfs} u:0:${mapped_uid}:65536 g:0:${mapped_gid}:65536 ..."
242 fuidshift
${rootfs} u:0:${mapped_uid}:65536 g:0:${mapped_gid}:65536 ||
243 die
1 "Error on change owners of ${rootfs} directory"
247 # Fix permission of container directory
253 systemd_container_tuning
() {
255 # To avoid error on start systemd-tmpfiles-setup service
256 # it is needed clean journal directory
257 rm -rf ${rootfs}/var
/log
/journal
/
259 # Remove LVM service. Normally not needed on container system.
260 rm -rf ${rootfs}/etc
/systemd
/system
/sysinit.target.wants
/lvm2-lvmetad.service
262 # Comment unneeded entry on /etc/fstab
263 sed -e 's/\/dev/#\/dev/g' -i ${rootfs}/etc
/fstab
265 # Fix this stupid error until fix is available on sabayon image
266 # /usr/lib/systemd/system-generators/gentoo-local-generator: line 4: cd: /etc/local.d: No such file or directory
267 mkdir
${rootfs}/etc
/local.d
/
269 # Fix TERM variable for container console
270 mkdir container-getty\@
0.service.d
271 cat <<EOF > container-getty\@0.service.d/00gentoo.conf
274 Environment=TERM=linux
280 configure_container
() {
284 local privileged_options
=""
285 local unprivileged_options
=""
287 if [[ $unprivileged && $unprivileged == true
]] ; then
288 if [[ $flush_owner == true
]] ; then
289 unprivileged_options
="
290 lxc.id_map = u 0 ${mapped_uid} 65536
291 lxc.id_map = g 0 ${mapped_gid} 65536
295 unprivileged_options
="
296 $unprivileged_options
298 # Include common configuration.
299 lxc.include = $LXC_TEMPLATE_CONFIG/sabayon.userns.conf
304 ## Allow any mknod (but not reading/writing the node)
305 lxc.cgroup.devices.allow = b *:* m
306 lxc.cgroup.devices.allow = c *:* m
309 lxc.cgroup.devices.allow = c 136:* rwm
311 lxc.cgroup.devices.allow = c 5:0 rwm
313 lxc.cgroup.devices.allow = c 5:1 rwm
315 lxc.cgroup.devices.allow = c 5:2 rwm
317 lxc.cgroup.devices.allow = c 10:229 rwm
322 cat <<-EOF >> "$config"
323 # Specify container architecture.
327 lxc.utsname = $hostname
329 # Include common configuration.
330 lxc.include = $LXC_TEMPLATE_CONFIG/sabayon.common.conf
332 $unprivileged_options
338 #============================= Main ==============================#
342 # Parse command options.
343 local short_options
="a:dm:n:p:r:hu"
344 local long_options
="arch:,debug,mirror:,name:,path:,release:,rootfs:,mapped-uid:,mapped-gid:,flush-owner,help"
346 options
=$
(getopt
-u -q -a -o "$short_options" -l "$long_options" -- "$@")
348 eval set -- "$options"
350 # Process command options.
351 while [ $# -gt 0 ]; do
402 einfo
"Unknown option: $1"
410 if [ "$(id -u)" != "0" ]; then
411 die
1 "This script must be run as 'root'"
415 [ -n "$name" ] || die
1 'Missing required option --name'
416 [ -n "$path" ] || die
1 'Missing required option --path'
418 if [ -z "$rootfs" ] && [ -f "$path/config" ]; then
419 rootfs
="$(sed -nE 's/^lxc.rootfs\s*=\s*(.*)$/\1/p' "$path/config
")"
421 if [ -z "$rootfs" ]; then
422 rootfs
="$path/rootfs"
425 [ -z "$path" ] && die
1 "'path' parameter is required."
427 arch
=$
(parse_arch
"$arch") \
428 || die
1 "Unsupported architecture: $arch"
430 [[ $unprivileged == true
&& $flush_owner == true
&&-z "$mapped_uid" ]] && \
431 die
1 'Missing required option --mapped-uid with --unprivileged option'
433 [[ $unprivileged == true
&& $flush_owner == true
&& -z "$mapped_gid" ]] && \
434 die
1 'Missing required option --mapped-gid with --unprivileged option'
436 [[ $flush_owner == true
&& $unprivileged == false
]] && \
437 die
1 'flush-owner require --unprivileged option'
446 # Set global variables.
447 RELEASE
="${RELEASE:-"DAILY"}"
448 ARCH
="${ARCH:-`uname -m`}"
449 OS
="${OS:-"sabayon"}"
451 einfo
"Processing command line arguments: $@"
453 # Parse command line options
457 MIRROR_URL
="${mirror_url:-$(random_mirror_url)}"
459 einfo
"Use arch = $arch, mirror_url = $MIRROR_URL, path = $path, name = $name, release = $release, unprivileged = $unprivileged, rootfs = $rootfs, mapped_uid = $mapped_uid, mapped_gid = $mapped_gid, flush_owner = $flush_owner"
461 [ "$debug" = 'yes' ] && set -x
463 # Download sabayon tarball
464 tarball
=$
(create_url
)
465 einfo
"Fetching tarball $tarball..."
467 # TODO: use only a compression mode
468 if [ $arch == 'amd64' ] ; then
469 fetch
"${tarball}" |
tar -xpz -C "${rootfs}"
471 if [ $arch == 'armv7l' ] ; then
472 fetch
"${tarball}" |
tar -xpj -C "${rootfs}"
476 einfo
"Tarball ${tarball} Extracted."
478 systemd_container_tuning
480 # Fix container for unprivileged mode.
481 if [[ $unprivileged == true
]] ; then
483 if [[ $flush_owner == true
]] ; then
484 unprivileged_shift_owner
492 einfo
"Prepare creation of sabayon container with params: $@ ($#)"
495 run_exclusively
'main' 10 main
"$@"
496 configure_container
"$path/config" "$name" "$arch"
498 einfo
"Container's rootfs and config have been created"
500 Edit the config file $path/config to check/enable networking setup.
501 The installed system is preconfigured for a loopback and single network
502 interface configured via DHCP.
504 To start the container, run "lxc-start -n $name".
505 The root password is not set; to enter the container run "lxc-attach -n $name".
507 Note: From kenel >= 4.6 for use unprivileged containers it is needed this mount on host:
509 mkdir /sys/fs/cgroup/systemd
510 mount -t cgroup -o none,name=systemd systemd /sys/fs/cgroup/systemd