4 # template script for generating ubuntu container for LXC
6 # This script consolidates and extends the existing lxc ubuntu scripts
9 # Copyright © 2011 Serge Hallyn <serge.hallyn@canonical.com>
10 # Copyright © 2010 Wilhelm Meier
11 # Author: Wilhelm Meier <wilhelm.meier@fh-kl.de>
13 # This program is free software; you can redistribute it and/or modify
14 # it under the terms of the GNU General Public License version 2, as
15 # published by the Free Software Foundation.
17 # This program is distributed in the hope that it will be useful,
18 # but WITHOUT ANY WARRANTY; without even the implied warranty of
19 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 # GNU General Public License for more details.
22 # You should have received a copy of the GNU General Public License along
23 # with this program; if not, write to the Free Software Foundation, Inc.,
24 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
29 if [ -r /etc
/default
/lxc
]; then
39 # configure the network using the dhcp
40 cat <<EOF > $rootfs/etc/network/interfaces
42 iface lo inet loopback
49 cat <<EOF > $rootfs/etc/hostname
53 cat <<EOF > $rootfs/etc/hosts
54 127.0.0.1 localhost $hostname
57 if [ "$release" != "precise" ] && [ "$release" != "quantal" ]; then
58 # suppress log level output for udev
59 sed -i "s/=\"err\"/=0/" $rootfs/etc
/udev
/udev.conf
61 # remove jobs for consoles 5 and 6 since we only create 4 consoles in
63 rm -f $rootfs/etc
/init
/tty
{5,6}.conf
66 if [ -z "$bindhome" ]; then
67 chroot
$rootfs useradd
--create-home -s /bin
/bash ubuntu
68 echo "ubuntu:ubuntu" | chroot
$rootfs chpasswd
74 # finish setting up the user in the container by injecting ssh key and
75 # adding sudo group membership.
76 # passed-in user is either 'ubuntu' or the user to bind in from host.
81 if [ "$release" = "precise" ] ||
[ "$release" = "quantal" ]; then
87 for group
in $groups; do
88 chroot
$rootfs groupadd
--system $group >/dev
/null
2>&1 || true
89 chroot
$rootfs adduser
${user} $group >/dev
/null
2>&1 || true
92 if [ -n "$auth_key" -a -f "$auth_key" ]; then
93 u_path
="/home/${user}/.ssh"
94 root_u_path
="$rootfs/$u_path"
96 cp $auth_key "$root_u_path/authorized_keys"
97 chroot
$rootfs chown
-R ${user}: "$u_path"
99 echo "Inserted SSH public key from $auth_key into /home/${user}/.ssh/authorized_keys"
106 # $1 => path to the rootfs
107 # $2 => architecture we want to add
108 # $3 => whether to use the multi-arch syntax or not
112 MIRROR
=${MIRROR:-http://archive.ubuntu.com/ubuntu}
113 SECURITY_MIRROR
=${SECURITY_MIRROR:-http://security.ubuntu.com/ubuntu}
118 MIRROR
=${MIRROR:-http://archive.ubuntu.com/ubuntu}
119 SECURITY_MIRROR
=${SECURITY_MIRRORMIRROR:-http://security.ubuntu.com/ubuntu}
122 MIRROR
=${MIRROR:-http://ports.ubuntu.com/ubuntu-ports}
123 SECURITY_MIRROR
=${SECURITY_MIRROR:-http://ports.ubuntu.com/ubuntu-ports}
128 MIRROR
=${MIRROR:-http://ports.ubuntu.com/ubuntu-ports}
129 SECURITY_MIRROR
=${SECURITY_MIRROR:-http://ports.ubuntu.com/ubuntu-ports}
133 cat >> "$1/etc/apt/sources.list" << EOF
134 deb [arch=$2] $MIRROR ${release} main restricted universe multiverse
135 deb [arch=$2] $MIRROR ${release}-updates main restricted universe multiverse
136 deb [arch=$2] $SECURITY_MIRROR ${release}-security main restricted universe multiverse
139 cat >> "$1/etc/apt/sources.list" << EOF
140 deb $MIRROR ${release} main restricted universe multiverse
141 deb $MIRROR ${release}-updates main restricted universe multiverse
142 deb $SECURITY_MIRROR ${release}-security main restricted universe multiverse
153 if [ $release = "lucid" ]; then
154 packages
=dialog
,apt
,apt-utils
,resolvconf
,iproute
,inetutils-ping
,vim
,dhcp3-client
,ssh,lsb-release
,gnupg
155 elif [ $release = "maverick" ]; then
156 packages
=dialog
,apt
,apt-utils
,resolvconf
,iproute
,inetutils-ping
,vim
,dhcp3-client
,ssh,lsb-release
,gnupg
,netbase
157 elif [ $release = "natty" ]; then
158 packages
=dialog
,apt
,apt-utils
,resolvconf
,iproute
,inetutils-ping
,vim
,isc-dhcp-client
,isc-dhcp-common
,ssh,lsb-release
,gnupg
,netbase
160 packages
=dialog
,apt
,apt-utils
,iproute
,inetutils-ping
,vim
,isc-dhcp-client
,isc-dhcp-common
,ssh,lsb-release
,gnupg
,netbase
,ubuntu-keyring
162 echo "installing packages: $packages"
164 # check the mini ubuntu was not already downloaded
165 mkdir
-p "$cache/partial-$arch"
166 if [ $?
-ne 0 ]; then
167 echo "Failed to create '$cache/partial-$arch' directory"
171 # download a mini ubuntu into a cache
172 echo "Downloading ubuntu $release minimal ..."
173 if [ -n "$(which qemu-debootstrap)" ]; then
174 qemu-debootstrap
--verbose --components=main
,universe
--arch=$arch --include=$packages $release $cache/partial-
$arch $MIRROR
176 debootstrap
--verbose --components=main
,universe
--arch=$arch --include=$packages $release $cache/partial-
$arch $MIRROR
179 if [ $?
-ne 0 ]; then
180 echo "Failed to download the rootfs, aborting."
184 echo "Installing updates"
185 if [ -z "$MIRROR" ]; then
186 MIRROR
="http://archive.ubuntu.com/ubuntu"
188 cat >> "$1/partial-${arch}/etc/apt/sources.list" << EOF
189 deb $MIRROR ${release}-updates main universe
190 deb http://security.ubuntu.com/ubuntu ${release}-security main universe
192 chroot
"$1/partial-${arch}" apt-get update
193 if [ $?
-ne 0 ]; then
194 echo "Failed to update the apt cache"
197 cat > "$1/partial-${arch}"/usr
/sbin
/policy-rc.d
<< EOF
201 chmod +x
"$1/partial-${arch}"/usr
/sbin
/policy-rc.d
203 chroot
"$1/partial-${arch}" apt-get dist-upgrade
-y
206 rm -f "$1/partial-${arch}"/usr
/sbin
/policy-rc.d
207 if [ $ret -ne 0 ]; then
208 echo "Failed to upgrade the cache"
212 # Serge isn't sure whether we should avoid doing this when
213 # $release == `distro-info -d`
214 echo "Installing updates"
215 > $cache/partial-
$arch/etc
/apt
/sources.list
216 write_sourceslist
$cache/partial-
$arch/ $arch
218 chroot
"$1/partial-${arch}" apt-get update
219 if [ $?
-ne 0 ]; then
220 echo "Failed to update the apt cache"
223 cat > "$1/partial-${arch}"/usr
/sbin
/policy-rc.d
<< EOF
227 chmod +x
"$1/partial-${arch}"/usr
/sbin
/policy-rc.d
229 lxc-unshare
-s MOUNT
-- chroot
"$1/partial-${arch}" apt-get dist-upgrade
-y
231 rm -f "$1/partial-${arch}"/usr
/sbin
/policy-rc.d
233 if [ $ret -ne 0 ]; then
234 echo "Failed to upgrade the cache"
238 mv "$1/partial-$arch" "$1/rootfs-$arch"
239 echo "Download complete"
249 # make a local copy of the miniubuntu
250 echo "Copying rootfs to $rootfs ..."
252 rsync
-a $cache/rootfs-
$arch/ $rootfs/ ||
return 1
261 cache
="/var/cache/lxc/$release"
262 mkdir
-p /var
/lock
/subsys
/
265 if [ $?
-ne 0 ]; then
266 echo "Cache repository is busy."
271 if [ $flushcache -eq 1 ]; then
272 echo "Flushing cache..."
273 rm -rf "$cache/partial-$arch"
274 rm -rf "$cache/rootfs-$arch"
277 echo "Checking cache download in $cache/rootfs-$arch ... "
278 if [ ! -e "$cache/rootfs-$arch" ]; then
279 download_ubuntu
$cache $arch $release
280 if [ $?
-ne 0 ]; then
281 echo "Failed to download 'ubuntu $release base'"
286 echo "Copy $cache/rootfs-$arch to $rootfs ... "
287 copy_ubuntu
$cache $arch $rootfs
288 if [ $?
-ne 0 ]; then
289 echo "Failed to copy rootfs"
295 ) 200>/var
/lock
/subsys
/lxc
308 if [ $arch = "i386" ]; then
313 if [ $release = "precise" ] ||
[ $release = "quantal" ]; then
317 # if there is exactly one veth network entry, make sure it has an
319 nics
=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l`
320 if [ $nics -eq 1 ]; then
321 grep -q "^lxc.network.hwaddr" $path/config ||
cat <<EOF >> $path/config
322 lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')
326 cat <<EOF >> $path/config
329 lxc.devttydir =$ttydir
333 lxc.mount = $path/fstab
335 lxc.cap.drop = sys_module mac_admin mac_override
337 lxc.cgroup.devices.deny = a
338 # Allow any mknod (but not using the node)
339 lxc.cgroup.devices.allow = c *:* m
340 lxc.cgroup.devices.allow = b *:* m
342 lxc.cgroup.devices.allow = c 1:3 rwm
343 lxc.cgroup.devices.allow = c 1:5 rwm
345 lxc.cgroup.devices.allow = c 5:1 rwm
346 lxc.cgroup.devices.allow = c 5:0 rwm
347 #lxc.cgroup.devices.allow = c 4:0 rwm
348 #lxc.cgroup.devices.allow = c 4:1 rwm
350 lxc.cgroup.devices.allow = c 1:9 rwm
351 lxc.cgroup.devices.allow = c 1:8 rwm
352 lxc.cgroup.devices.allow = c 136:* rwm
353 lxc.cgroup.devices.allow = c 5:2 rwm
355 lxc.cgroup.devices.allow = c 254:0 rwm
357 lxc.cgroup.devices.allow = c 10:229 rwm
359 lxc.cgroup.devices.allow = c 10:200 rwm
361 lxc.cgroup.devices.allow = c 1:7 rwm
363 lxc.cgroup.devices.allow = c 10:228 rwm
365 lxc.cgroup.devices.allow = c 10:232 rwm
368 cat <<EOF > $path/fstab
369 proc proc proc nodev,noexec,nosuid 0 0
370 sysfs sys sysfs defaults 0 0
373 if [ $?
-ne 0 ]; then
374 echo "Failed to add configuration"
386 # provide the lxc service
387 cat <<EOF > $rootfs/etc/init/lxc.conf
388 # fake some events needed for correct startup other services
390 description "Container Upstart"
395 rm -rf /var/run/*.pid
396 rm -rf /var/run/network/*
397 /sbin/initctl emit stopped JOB=udevtrigger --no-wait
398 /sbin/initctl emit started JOB=udev --no-wait
402 # fix buggus runlevel with sshd
403 cat <<EOF > $rootfs/etc/init/ssh.conf
404 # ssh - OpenBSD Secure Shell server
406 # The OpenSSH server provides secure shell access to the system.
408 description "OpenSSH server"
411 stop on runlevel [!2345]
417 # replaces SSHD_OOM_ADJUST in /etc/default/ssh
421 test -x /usr/sbin/sshd || { stop; exit 0; }
422 test -e /etc/ssh/sshd_not_to_be_run && { stop; exit 0; }
423 test -c /dev/null || { stop; exit 0; }
425 mkdir -p -m0755 /var/run/sshd
428 # if you used to set SSHD_OPTS in /etc/default/ssh, you can change the
429 # 'exec' line here instead
433 cat <<EOF > $rootfs/etc/init/console.conf
436 # This service maintains a console on tty1 from the point the system is
437 # started until it is shut down again.
439 start on stopped rc RUNLEVEL=[2345]
440 stop on runlevel [!2345]
443 exec /sbin/getty -8 38400 /dev/console
446 cat <<EOF > $rootfs/lib/init/fstab
447 # /lib/init/fstab: cleared out for bare-bones lxc
450 # reconfigure some services
451 if [ -z "$LANG" ]; then
452 chroot
$rootfs locale-gen en_US.UTF-8
453 chroot
$rootfs update-locale LANG
=en_US.UTF-8
455 chroot
$rootfs locale-gen
$LANG
456 chroot
$rootfs update-locale LANG
=$LANG
459 # remove pointless services in a container
460 chroot
$rootfs /usr
/sbin
/update-rc.d
-f ondemand remove
462 chroot
$rootfs /bin
/bash
-c 'cd /etc/init; for f in $(ls u*.conf); do mv $f $f.orig; done'
463 chroot
$rootfs /bin
/bash
-c 'cd /etc/init; for f in $(ls tty[2-9].conf); do mv $f $f.orig; done'
464 chroot
$rootfs /bin
/bash
-c 'cd /etc/init; for f in $(ls plymouth*.conf); do mv $f $f.orig; done'
465 chroot
$rootfs /bin
/bash
-c 'cd /etc/init; for f in $(ls hwclock*.conf); do mv $f $f.orig; done'
466 chroot
$rootfs /bin
/bash
-c 'cd /etc/init; for f in $(ls module*.conf); do mv $f $f.orig; done'
468 # if this isn't lucid, then we need to twiddle the network upstart bits :(
469 if [ $release != "lucid" ]; then
470 sed -i 's/^.*emission handled.*$/echo Emitting lo/' $rootfs/etc
/network
/if-up.d
/upstart
480 if [ $trim_container -eq 1 ]; then
481 trim
$rootfs $release
482 elif [ $release = "lucid" -o $release = "maverick" -o $release = "natty" \
483 -o $release = "oneiric" ]; then
484 # for lucid and maverick, if not trimming, then add the ubuntu-virt
485 # ppa and install lxcguest
486 if [ $release = "lucid" -o $release = "maverick" ]; then
487 chroot
$rootfs apt-get
install --force-yes -y python-software-properties
488 chroot
$rootfs add-apt-repository ppa
:ubuntu-virt
/ppa
490 cresolvonf
="${rootfs}/etc/resolv.conf"
491 mv $cresolvonf ${cresolvonf}.lxcbak
492 cat /etc
/resolv.conf
> ${cresolvonf}
493 chroot
$rootfs apt-get update
494 chroot
$rootfs apt-get
install --force-yes -y lxcguest
496 mv ${cresolvonf}.lxcbak
${cresolvonf}
499 # If the container isn't running a native architecture, setup multiarch
500 if [ -x "$(ls -1 ${rootfs}/usr/bin/qemu-*-static 2>/dev/null)" ]; then
501 mkdir
-p ${rootfs}/etc
/dpkg
/dpkg.cfg.d
502 echo "foreign-architecture ${hostarch}" > ${rootfs}/etc
/dpkg
/dpkg.cfg.d
/lxc-multiarch
504 # Save existing value of MIRROR and SECURITY_MIRROR
505 DEFAULT_MIRROR
=$MIRROR
506 DEFAULT_SECURITY_MIRROR
=$SECURITY_MIRROR
508 # Write a new sources.list containing both native and multiarch entries
509 > ${rootfs}/etc
/apt
/sources.list
510 write_sourceslist
$rootfs $arch "native"
512 MIRROR
=$DEFAULT_MIRROR
513 SECURITY_MIRROR
=$DEFAULT_SECURITY_MIRROR
514 write_sourceslist
$rootfs $hostarch "multiarch"
516 # Finally update the lists and install upstart using the host architecture
517 chroot
$rootfs apt-get update
518 chroot
$rootfs apt-get
install --force-yes -y --no-install-recommends upstart
:${hostarch} mountall
:amd64 iproute
:amd64 isc-dhcp-client
:amd64
521 # rmdir /dev/shm in precise and quantal containers.
522 # I'm afraid of doing rm -rf $rootfs/dev/shm, in case it did
523 # get bind mounted to the host's /run/shm. So try to rmdir
524 # it, and in case that fails move it out of the way.
525 if [ $release = "precise" ] ||
[ $release = "quantal" ]; then
526 [ -d "$rootfs/dev/shm" ] && rmdir $rootfs/dev
/shm
527 [ -e "$rootfs/dev/shm" ] && mv $rootfs/dev
/shm
$rootfs/dev
/shm.bak
528 ln -s /run
/shm
$rootfs/dev
/shm
537 # copy /etc/passwd, /etc/shadow, and /etc/group entries into container
538 pwd=`getent passwd $user` ||
{ echo "Failed to copy password entry for $user"; false
; }
539 echo $pwd >> $rootfs/etc
/passwd
541 # make sure user's shell exists in the container
542 shell
=`echo $pwd | cut -d: -f 7`
543 if [ ! -x $rootfs/$shell ]; then
544 echo "shell $shell for user $user was not found in the container."
545 pkg
=`dpkg -S $(readlink -m $shell) | cut -d ':' -f1`
546 echo "Installing $pkg"
547 chroot
$rootfs apt-get
--force-yes -y install $pkg
550 shad
=`getent shadow $user`
551 echo "$shad" >> $rootfs/etc
/shadow
553 # bind-mount the user's path into the container's /home
554 h
=`getent passwd $user | cut -d: -f 6`
556 # use relative path in container
558 while [ ${h2:0:1} = "/" ]; do
561 echo "$h $h2 none bind 0 0" >> $path/fstab
563 # Make sure the group exists in container
564 grp
=`echo $pwd | cut -d: -f 4` # group number for $user
565 grpe
=`getent group $grp` ||
return 0 # if host doesn't define grp, ignore in container
566 chroot
$rootfs getent group
"$grpe" ||
echo "$grpe" >> $rootfs/etc
/group
572 $1 -h|--help [-a|--arch] [-b|--bindhome <user>] [--trim] [-d|--debug]
573 [-F | --flush-cache] [-r|--release <release>] [ -S | --auth-key <keyfile>]
574 release: lucid | maverick | natty | oneiric | precise | quantal
575 trim: make a minimal (faster, but not upgrade-safe) container
576 bindhome: bind <user>'s home into the container
577 The ubuntu user will not be created, and <user> will have
579 arch: amd64 or i386: defaults to host arch
580 auth-key: SSH Public key file to inject into container
585 options
=$
(getopt
-o a
:b
:hp
:r
:xn
:FS
:d
-l arch
:,bindhome
:,help,path
:,release
:,trim
,name
:,flush-cache
,auth-key
:,debug
-- "$@")
586 if [ $?
-ne 0 ]; then
590 eval set -- "$options"
593 if [ -f /etc
/lsb-release
]; then
595 case "$DISTRIB_CODENAME" in
596 lucid|maverick|natty|oneiric|precise|quantal
)
597 release
=$DISTRIB_CODENAME
605 # Code taken from debootstrap
606 if [ -x /usr
/bin
/dpkg
] && /usr
/bin
/dpkg
--print-architecture >/dev
/null
2>&1; then
607 arch
=`/usr/bin/dpkg --print-architecture`
608 elif type udpkg
>/dev
/null
2>&1 && udpkg
--print-architecture >/dev
/null
2>&1; then
609 arch
=`/usr/bin/udpkg --print-architecture`
612 if [ "$arch" = "i686" ]; then
614 elif [ "$arch" = "x86_64" ]; then
616 elif [ "$arch" = "armv7l" ]; then
628 -h|
--help) usage
$0 && exit 0;;
629 -p|
--path) path
=$2; shift 2;;
630 -n|
--name) name
=$2; shift 2;;
631 -F|
--flush-cache) flushcache
=1; shift 1;;
632 -r|
--release) release
=$2; shift 2;;
633 -b|
--bindhome) bindhome
=$2; shift 2;;
634 -a|
--arch) arch
=$2; shift 2;;
635 -x|
--trim) trim_container
=1; shift 1;;
636 -S|
--auth-key) auth_key
=$2; shift 2;;
637 -d|
--debug) debug
=1; shift 1;;
638 --) shift 1; break ;;
643 if [ $debug -eq 1 ]; then
647 if [ -n "$bindhome" ]; then
648 pwd=`getent passwd $bindhome`
649 if [ $?
-ne 0 ]; then
650 echo "Error: no password entry found for $bindhome"
656 if [ "$arch" == "i686" ]; then
660 if [ $hostarch = "i386" -a $arch = "amd64" ]; then
661 echo "can't create amd64 container on i386"
666 if [ $?
-ne 0 ]; then
667 echo "'debootstrap' command is missing"
671 if [ -z "$path" ]; then
672 echo "'path' parameter is required"
676 if [ "$(id -u)" != "0" ]; then
677 echo "This script should be run as 'root'"
683 install_ubuntu
$rootfs $release $flushcache
684 if [ $?
-ne 0 ]; then
685 echo "failed to install ubuntu $release"
689 configure_ubuntu
$rootfs $name $release
690 if [ $?
-ne 0 ]; then
691 echo "failed to configure ubuntu $release for a container"
695 copy_configuration
$path $rootfs $name $arch $release
696 if [ $?
-ne 0 ]; then
697 echo "failed write configuration file"
701 post_process
$rootfs $release $trim_container
703 if [ -n "$bindhome" ]; then
704 do_bindhome
$rootfs $bindhome
705 finalize_user
$bindhome
712 echo "# The default user is 'ubuntu' with password 'ubuntu'!"
713 echo "# Use the 'sudo' command to run tasks as root in the container."