-#!/bin/sh
+#!/bin/bash
# vim: set ts=4 sw=4 expandtab
# Exit on error and treat unset variables as an error.
readonly MIRRORS_LIST="
http://mirror.it.sabayon.org/
http://dl.sabayon.org/
-http://ftp.kddilabs.jp/Linux/packages/sabayonlinux/
ftp://ftp.klid.dk/sabayonlinux/
http://ftp.fsn.hu/pub/linux/distributions/sabayon/
http://ftp.cc.uoc.gr/mirrors/linux/SabayonLinux/
http://ftp.rnl.ist.utl.pt/pub/sabayon/
ftp://ftp.nluug.nl/pub/os/Linux/distr/sabayonlinux/
-http://ftp.surfnet.nl/pub/os/Linux/distr/sabayonlinux/
http://mirror.internode.on.net/pub/sabayon/
http://mirror.yandex.ru/sabayon/
http://sabayon.c3sl.ufpr.br/
-http://mirror.umd.edu/sabayonlinux/
http://mirror.clarkson.edu/sabayon/
http://na.mirror.garr.it/mirrors/sabayonlinux/"
unprivileged=false
mapped_uid=
mapped_gid=
+flush_owner=false
#======================== Helper Functions ========================#
-d, --debug Run this script in a debug mode (set -x and wget w/o -q).
-m URL --mirror=URL The Sabayon mirror to use; defaults to random mirror.
-u, --unprivileged Tuning of rootfs for unprivileged containers.
- Are needed --mapped-gid and --mapped-uid options.
-r, --release Identify release to use. Default is DAILY.
--mapped-gid Group Id to use on unprivileged container
(based of value present on file /etc/subgid).
--mapped-uid User Id to use on unprivileged container
(based of value present on file /etc/subuid)
+ --flush-owner Only for directly creation of unprivileged containers
+ through lxc-create command. Execute fuidshift command.
+ Require --mapped-gid,--mapped-uid and --unprivileged
+ options.
Environment variables:
RELEASE Release version of Sabayon. Default is ${RELEASE}.
# Disable mount of hugepages
ln -s /dev/null dev-hugepages.mount
- # Fix TERM variable for container console
- mkdir container-getty\@0.service.d
- cat <<EOF > container-getty\@0.service.d/00gentoo.conf
-[Service]
-Environment=TERM=
-Environment=TERM=linux
-EOF
-
-
popd
pushd ${rootfs}
# Remove LVM service. Normally not needed on container system.
rm -rf ${rootfs}/etc/systemd/system/sysinit.target.wants/lvm2-lvmetad.service
+ # Comment unneeded entry on /etc/fstab
+ sed -e 's/\/dev/#\/dev/g' -i ${rootfs}/etc/fstab
+
+ # Fix this stupid error until fix is available on sabayon image
+ # /usr/lib/systemd/system-generators/gentoo-local-generator: line 4: cd: /etc/local.d: No such file or directory
+ mkdir ${rootfs}/etc/local.d/
+
+ # Fix TERM variable for container console
+ mkdir container-getty\@0.service.d
+ cat <<EOF > container-getty\@0.service.d/00gentoo.conf
+[Service]
+Environment=TERM=
+Environment=TERM=linux
+EOF
+
return 0
}
local unprivileged_options=""
if [[ $unprivileged && $unprivileged == true ]] ; then
+ if [[ $flush_owner == true ]] ; then
+ unprivileged_options="
+lxc.idmap = u 0 ${mapped_uid} 65536
+lxc.idmap = g 0 ${mapped_gid} 65536
+"
+ fi
+
unprivileged_options="
-lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed
+$unprivileged_options
-# Enable tty console for lxc-console command
-lxc.tty = 1
+# Force use of cgroup v1. Currently systemd doesn't support
+# correctly cgroup v2. See: https://github.com/lxc/lxc/issues/1669
+# about discussion of default-hierarchy option.
+lxc.init.cmd = /sbin/init systemd.legacy_systemd_cgroup_controller=yes
-lxc.id_map = u 0 ${mapped_uid} 65536
-lxc.id_map = g 0 ${mapped_gid} 65536
+# Include common configuration.
+lxc.include = $LXC_TEMPLATE_CONFIG/sabayon.userns.conf
"
else
privileged_options="
-lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed
-lxc.cgroup.devices.deny = a
+## Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c *:* m
+
+### /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
-lxc.cgroup.devices.allow = c 1:3 rwm
-lxc.cgroup.devices.allow = c 1:5 rwm
-lxc.cgroup.devices.allow = c 1:7 rwm
-lxc.cgroup.devices.allow = c 1:8 rwm
-lxc.cgroup.devices.allow = c 1:9 rwm
+### /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
+### /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm
+### /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
+### fuse
lxc.cgroup.devices.allow = c 10:229 rwm
+
"
fi
lxc.arch = $arch
# Set hostname.
-lxc.utsname = $hostname
-
-# If something doesn't work, try to comment this out.
-# Dropping sys_admin disables container root from doing a lot of things
-# that could be bad like re-mounting lxc fstab entries rw for example,
-# but also disables some useful things like being able to nfs mount, and
-# things that are already namespaced with ns_capable() kernel checks, like
-# hostname(1).
-lxc.cap.drop = sys_time sys_module sys_rawio mac_admin mac_override
-#lxc.cap.drop = sys_admin
+lxc.uts.name = $hostname
-lxc.autodev = 1
-lxc.pts = 1024
+# Include common configuration.
+lxc.include = $LXC_TEMPLATE_CONFIG/sabayon.common.conf
$unprivileged_options
$privileged_options
-
-# Customize lxc options through common directory
-lxc.include = /usr/share/lxc/config/common.conf.d/
-
EOF
}
# Parse command options.
local short_options="a:dm:n:p:r:hu"
- local long_options="arch:,debug,mirror:,name:,path:,release:,rootfs:,mapped-uid:,mapped-gid:,help"
+ local long_options="arch:,debug,mirror:,name:,path:,release:,rootfs:,mapped-uid:,mapped-gid:,flush-owner,help"
options=$(getopt -u -q -a -o "$short_options" -l "$long_options" -- "$@")
mapped_gid=$2
shift
;;
+ --flush-owner)
+ flush_owner=true
+ ;;
--)
break
;;
arch=$(parse_arch "$arch") \
|| die 1 "Unsupported architecture: $arch"
- [[ $unprivileged && $unprivileged == true && -z "$mapped_uid" ]] && \
+ [[ $unprivileged == true && $flush_owner == true &&-z "$mapped_uid" ]] && \
die 1 'Missing required option --mapped-uid with --unprivileged option'
- [[ $unprivileged && $unprivileged == true && -z "$mapped_gid" ]] && \
+ [[ $unprivileged == true && $flush_owner == true && -z "$mapped_gid" ]] && \
die 1 'Missing required option --mapped-gid with --unprivileged option'
+ [[ $flush_owner == true && $unprivileged == false ]] && \
+ die 1 'flush-owner require --unprivileged option'
+
return 0
}
DEBUG="$debug"
MIRROR_URL="${mirror_url:-$(random_mirror_url)}"
- einfo "Use arch = $arch, mirror_url = $MIRROR_URL, path = $path, name = $name, release = $release, unprivileged = $unprivileged, rootfs = $rootfs, mapped_uid = $mapped_uid, mapped_gid = $mapped_gid"
+ einfo "Use arch = $arch, mirror_url = $MIRROR_URL, path = $path, name = $name, release = $release, unprivileged = $unprivileged, rootfs = $rootfs, mapped_uid = $mapped_uid, mapped_gid = $mapped_gid, flush_owner = $flush_owner"
[ "$debug" = 'yes' ] && set -x
systemd_container_tuning
# Fix container for unprivileged mode.
- if [[ $unprivileged && $unprivileged == true ]] ; then
+ if [[ $unprivileged == true ]] ; then
unprivileged_rootfs
- unprivileged_shift_owner
+ if [[ $flush_owner == true ]] ; then
+ unprivileged_shift_owner
+ fi
fi
return 0
projects / mirror_lxc.git / blobdiff