use PVE::LXC::Setup::Gentoo;
use PVE::LXC::Setup::SUSE;
use PVE::LXC::Setup::Ubuntu;
+use PVE::LXC::Setup::NixOS;
+use PVE::LXC::Setup::Unmanaged;
my $plugins = {
alpine => 'PVE::LXC::Setup::Alpine',
gentoo => 'PVE::LXC::Setup::Gentoo',
opensuse => 'PVE::LXC::Setup::SUSE',
ubuntu => 'PVE::LXC::Setup::Ubuntu',
+ nixos => 'PVE::LXC::Setup::NixOS',
+ unmanaged => 'PVE::LXC::Setup::Unmanaged',
};
# a map to allow supporting related distro flavours
return "alpine";
} elsif (-f "$rootdir/etc/gentoo-release") {
return "gentoo";
+ } elsif (-d "$rootdir/nix/store") {
+ return "nixos";
} elsif (-f "$rootdir/etc/os-release") {
die "unable to detect OS distribution\n";
} else {
my $os_release = $self->get_ct_os_release();
if ($conf->{ostype} && $conf->{ostype} eq 'unmanaged') {
- return $self;
+ $type = 'unmanaged';
} elsif (!defined($type)) {
# try to autodetect type
$type = &$autodetect_type($self, $rootdir, $os_release);
}
}
- if ($type eq 'unmanaged') {
- $conf->{ostype} = $type;
- return $self;
- }
-
my $plugin_class = $plugins->{$type} || die "no such OS type '$type'\n";
my $plugin = $plugin_class->new($conf, $rootdir, $os_release);
# Cache some host files we need access to:
$plugin->{host_resolv_conf} = PVE::INotify::read_file('resolvconf');
- $plugin->{host_localtime} = abs_path('/etc/localtime');
+ $plugin->{host_timezone} = PVE::INotify::read_file('timezone');
+
+ abs_path('/etc/localtime') =~ m|^(/.+)| or die "invalid /etc/localtime\n"; # untaint
+ $plugin->{host_localtime} = $1;
# pass on user namespace information:
- my ($id_map, $rootuid, $rootgid) = PVE::LXC::parse_id_maps($conf);
+ my ($id_map, $root_uid, $root_gid) = PVE::LXC::parse_id_maps($conf);
if (@$id_map) {
$plugin->{id_map} = $id_map;
- $plugin->{rootuid} = $rootuid;
- $plugin->{rootgid} = $rootgid;
+ $plugin->{root_uid} = $root_uid;
+ $plugin->{root_gid} = $root_gid;
+ }
+
+ # if arch is unset, we try to autodetect it
+ if (!defined($conf->{arch})) {
+ my $arch = eval { $self->protected_call(sub { $plugin->detect_architecture() }) };
+
+ if (my $err = $@) {
+ warn "Architecture detection failed: $err" if $err;
+ }
+
+ if (!defined($arch)) {
+ $arch = 'amd64';
+ print "Falling back to $arch.\nUse `pct set VMID --arch ARCH` to change.\n";
+ } else {
+ print "Detected container architecture: $arch\n";
+ }
+
+ $conf->{arch} = $arch;
}
return $self;
sub template_fixup {
my ($self) = @_;
-
- return if !$self->{plugin}; # unmanaged
-
$self->protected_call(sub { $self->{plugin}->template_fixup($self->{conf}) });
}
-
+
sub setup_network {
my ($self) = @_;
-
- return if !$self->{plugin}; # unmanaged
-
$self->protected_call(sub { $self->{plugin}->setup_network($self->{conf}) });
}
sub set_hostname {
my ($self) = @_;
-
- return if !$self->{plugin}; # unmanaged
-
$self->protected_call(sub { $self->{plugin}->set_hostname($self->{conf}) });
}
sub set_dns {
my ($self) = @_;
-
- return if !$self->{plugin}; # unmanaged
-
$self->protected_call(sub { $self->{plugin}->set_dns($self->{conf}) });
}
sub set_timezone {
my ($self) = @_;
-
- return if !$self->{plugin}; # unmanaged
-
$self->protected_call(sub { $self->{plugin}->set_timezone($self->{conf}) });
}
sub setup_init {
my ($self) = @_;
-
- return if !$self->{plugin}; # unmanaged
-
$self->protected_call(sub { $self->{plugin}->setup_init($self->{conf}) });
}
sub set_user_password {
my ($self, $user, $pw) = @_;
+ $self->protected_call(sub { $self->{plugin}->set_user_password($self->{conf}, $user, $pw) });
+}
- return if !$self->{plugin}; # unmanaged
+my sub generate_ssh_key { # create temporary key in hosts' /run, then read and unlink
+ my ($type, $comment) = @_;
- $self->protected_call(sub { $self->{plugin}->set_user_password($self->{conf}, $user, $pw) });
+ my $key_id = '';
+ my $keygen_outfunc = sub {
+ if ($_[0] =~ m/^((?:[0-9a-f]{2}:)+[0-9a-f]{2}|SHA256:[0-9a-z+\/]{43})\s+\Q$comment\E$/i) {
+ $key_id = $_[0];
+ }
+ };
+ my $file = "/run/pve/.tmp$$.$type";
+ PVE::Tools::run_command(
+ ['ssh-keygen', '-f', $file, '-t', $type, '-N', '', '-E', 'sha256', '-C', $comment],
+ outfunc => $keygen_outfunc,
+ );
+ my ($private) = (PVE::Tools::file_get_contents($file) =~ /^(.*)$/sg); # untaint
+ my ($public) = (PVE::Tools::file_get_contents("$file.pub") =~ /^(.*)$/sg); # untaint
+ unlink $file, "$file.pub";
+
+ return ($key_id, $private, $public);
}
sub rewrite_ssh_host_keys {
my ($self) = @_;
- return if !$self->{plugin}; # unmanaged
-
- my $conf = $self->{conf};
my $plugin = $self->{plugin};
- my $rootdir = $self->{rootdir};
- return if ! -d "$rootdir/etc/ssh";
+ my $keynames = $plugin->ssh_host_key_types_to_generate();
- my $keynames = {
- rsa => 'ssh_host_rsa_key',
- dsa => 'ssh_host_dsa_key',
- ecdsa => 'ssh_host_ecdsa_key',
- ed25519 => 'ssh_host_ed25519_key',
- };
+ return if ! -d "$self->{rootdir}/etc/ssh" || !$keynames || !scalar(keys $keynames->%*);
- my $hostname = $conf->{hostname} || 'localhost';
+ my $hostname = $self->{conf}->{hostname} || 'localhost';
$hostname =~ s/\..*$//;
- my $ssh_comment = "root\@$hostname";
-
- my $keygen_outfunc = sub {
- my $line = shift;
- if ($line =~ m/^(?:[0-9a-f]{2}:)+[0-9a-f]{2}\s+\Q$ssh_comment\E$/i
- || $line =~ m/^SHA256:[0-9a-z+\/]{43}\s+\Q$ssh_comment\E$/i
- ) {
- print "done: $line\n"
- }
- };
- # Create temporary keys in /tmp on the host
- my $keyfiles = {};
- foreach my $keytype (keys %$keynames) {
+ my $keyfiles = [];
+ for my $keytype (keys $keynames->%*) {
my $basename = $keynames->{$keytype};
- my $file = "/tmp/$$.$basename";
print "Creating SSH host key '$basename' - this may take some time ...\n";
- PVE::Tools::run_command(
- ['ssh-keygen', '-f', $file, '-t', $keytype, '-N', '', '-E', 'sha256', '-C', $ssh_comment],
- outfunc => $keygen_outfunc,
- );
- $keyfiles->{"/etc/ssh/$basename"} = [PVE::Tools::file_get_contents($file), 0600];
- $keyfiles->{"/etc/ssh/$basename.pub"} = [PVE::Tools::file_get_contents("$file.pub"), 0644];
- unlink $file;
- unlink "$file.pub";
+ my ($id, $private, $public) = generate_ssh_key($keytype, "root\@$hostname");
+ print "done: $id\n";
+
+ push $keyfiles->@*, ["/etc/ssh/$basename", $private, 0600], ["/etc/ssh/$basename.pub", $public, 0644];
}
- # Write keys out in a protected call
- $self->protected_call(sub {
- foreach my $file (keys %$keyfiles) {
- $plugin->ct_file_set_contents($file, @{$keyfiles->{$file}});
+ $self->protected_call(sub { # write them now all to the CTs rootfs at once
+ for my $file ($keyfiles->@*) {
+ $plugin->ct_file_set_contents($file->@*);
}
});
}
-my $container_emulator_path = {
- 'amd64' => '/usr/bin/qemu-x86_64-static',
- 'arm64' => '/usr/bin/qemu-aarch64-static',
-};
-
sub pre_start_hook {
my ($self) = @_;
- return if !$self->{plugin}; # unmanaged
-
- my $host_arch = PVE::Tools::get_host_arch();
-
- # containers use different architecture names
- if ($host_arch eq 'x86_64') {
- $host_arch = 'amd64';
- } elsif ($host_arch eq 'aarch64') {
- $host_arch = 'arm64';
- } else {
- die "unsupported host architecture '$host_arch'\n";
- }
-
- my $container_arch = $self->{conf}->{arch};
-
- $container_arch = 'amd64' if $container_arch eq 'i386'; # always use 64 bit version
- $container_arch = 'arm64' if $container_arch eq 'armhf'; # always use 64 bit version
-
- my $emul;
- my $emul_data;
-
- if ($host_arch ne $container_arch) {
- if ($emul = $container_emulator_path->{$container_arch}) {
- $emul_data = PVE::Tools::file_get_contents($emul, 10*1024*1024) if -f $emul;
- }
- }
-
- my $code = sub {
- if ($emul && $emul_data) {
- $self->{plugin}->ct_file_set_contents($emul, $emul_data, 0755);
- }
- # Create /fastboot to skip run fsck
- $self->{plugin}->ct_file_set_contents('/fastboot', '');
-
- $self->{plugin}->pre_start_hook($self->{conf});
- };
- $self->protected_call($code);
+ $self->protected_call(sub { $self->{plugin}->pre_start_hook($self->{conf}) });
}
sub post_clone_hook {
sub post_create_hook {
my ($self, $root_password, $ssh_keys) = @_;
- return if !$self->{plugin}; # unmanaged
-
$self->protected_call(sub {
$self->{plugin}->post_create_hook($self->{conf}, $root_password, $ssh_keys);
});
sub unified_cgroupv2_support {
my ($self) = @_;
- $self->protected_call(sub { $self->{plugin}->unified_cgroupv2_support() });
+ return $self->{plugin}->unified_cgroupv2_support($self->get_ct_init_path());
}
# os-release(5):
return &$parse_os_release($data);
}
+# Checks whether /sbin/init is a symlink, and if it is, resolves it to the actual binary
+sub get_ct_init_path {
+ my ($self) = @_;
+
+ my $init = $self->protected_call(sub {
+ return $self->{plugin}->get_ct_init_path();
+ });
+
+ return $init;
+}
+
1;