]> git.proxmox.com Git - mirror_lxc.git/blob - templates/lxc-busybox.in
projects / mirror_lxc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
New --bbpath option and unecessary --rootfs checks
[mirror_lxc.git] / templates / lxc-busybox.in
1 #!/bin/sh
2
3 # Client script for LXC container images.
4 #
5 # Copyright @ Daniel Lezcano <daniel.lezcano@free.fr>
6 # Copyright © 2018 Christian Brauner <christian.brauner@ubuntu.com>
7 #
8 # This library is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU Lesser General Public
10 # License as published by the Free Software Foundation; either
11 # version 2.1 of the License, or (at your option) any later version.
12
13 # This library is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 # Lesser General Public License for more details.
17
18 # You should have received a copy of the GNU Lesser General Public
19 # License along with this library; if not, write to the Free Software
20 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
21 # USA
22
23 LXC_MAPPED_UID=
24 LXC_MAPPED_GID=
25
26 BUSYBOX_EXE=`which busybox`
27
28 # Make sure the usual locations are in PATH
29 export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
30
31 in_userns() {
32 [ -e /proc/self/uid_map ] || { echo no; return; }
33 while read -r line; do
34 fields="$(echo "$line" | awk '{ print $1 " " $2 " " $3 }')"
35 if [ "${fields}" = "0 0 4294967295" ]; then
36 echo no;
37 return;
38 fi
39 if echo "${fields}" | grep -q " 0 1$"; then
40 echo userns-root;
41 return;
42 fi
43 done < /proc/self/uid_map
44
45 [ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && { echo userns-root; return; }
46 echo yes
47 }
48
49 USERNS="$(in_userns)"
50
51 install_busybox()
52 {
53 rootfs="${1}"
54 name="${2}"
55 res=0
56 fstree="\
57 ${rootfs}/selinux \
58 ${rootfs}/dev \
59 ${rootfs}/home \
60 ${rootfs}/root \
61 ${rootfs}/etc \
62 ${rootfs}/etc/init.d \
63 ${rootfs}/bin \
64 ${rootfs}/usr/bin \
65 ${rootfs}/sbin \
66 ${rootfs}/usr/sbin \
67 ${rootfs}/proc \
68 ${rootfs}/sys \
69 ${rootfs}/mnt \
70 ${rootfs}/tmp \
71 ${rootfs}/var/log \
72 ${rootfs}/var/run \
73 ${rootfs}/usr/share/udhcpc \
74 ${rootfs}/dev/pts \
75 ${rootfs}/dev/shm \
76 ${rootfs}/lib \
77 ${rootfs}/usr/lib \
78 ${rootfs}/lib64 \
79 ${rootfs}/usr/lib64"
80
81 # shellcheck disable=SC2086
82 mkdir -p ${fstree} || return 1
83 # shellcheck disable=SC2086
84 chmod 755 ${fstree} || return 1
85
86 # minimal devices needed for busybox
87 if [ "${USERNS}" = "yes" ]; then
88 for dev in tty console tty0 tty1 ram0 null urandom; do
89 echo "lxc.mount.entry = /dev/${dev} dev/${dev} none bind,optional,create=file 0 0" >> "${path}/config"
90 done
91 else
92 mknod -m 666 "${rootfs}/dev/tty" c 5 0 || res=1
93 mknod -m 666 "${rootfs}/dev/console" c 5 1 || res=1
94 mknod -m 666 "${rootfs}/dev/tty0" c 4 0 || res=1
95 mknod -m 666 "${rootfs}/dev/tty1" c 4 0 || res=1
96 mknod -m 666 "${rootfs}/dev/tty5" c 4 0 || res=1
97 mknod -m 600 "${rootfs}/dev/ram0" b 1 0 || res=1
98 mknod -m 666 "${rootfs}/dev/null" c 1 3 || res=1
99 mknod -m 666 "${rootfs}/dev/zero" c 1 5 || res=1
100 mknod -m 666 "${rootfs}/dev/urandom" c 1 9 || res=1
101 fi
102
103 # root user defined
104 cat <<EOF >> "${rootfs}/etc/passwd"
105 root:x:0:0:root:/root:/bin/sh
106 EOF
107
108 cat <<EOF >> "${rootfs}/etc/group"
109 root:x:0:root
110 EOF
111
112 # mount everything
113 cat <<EOF >> "${rootfs}/etc/init.d/rcS"
114 #!/bin/sh
115 /bin/syslogd
116 /bin/mount -a
117 /bin/udhcpc
118 EOF
119
120 # executable
121 chmod 744 "${rootfs}/etc/init.d/rcS" || return 1
122
123 # launch rcS first then make a console available
124 # and propose a shell on the tty, the last one is
125 # not needed
126 cat <<EOF >> "${rootfs}/etc/inittab"
127 ::sysinit:/etc/init.d/rcS
128 tty1::respawn:/bin/getty -L tty1 115200 vt100
129 console::askfirst:/bin/sh
130 EOF
131 # writable and readable for other
132 chmod 644 "${rootfs}/etc/inittab" || return 1
133
134 # Look for the pathname of "default.script" from the help of udhcpc
135 DEF_SCRIPT=`${BUSYBOX_EXE} udhcpc -h 2>&1 | grep -- '-s,--script PROG' | cut -d'/' -f2- | cut -d')' -f1`
136 DEF_SCRIPT_DIR=`dirname /${DEF_SCRIPT}`
137 mkdir -p ${rootfs}/${DEF_SCRIPT_DIR}
138 chmod 644 ${rootfs}/${DEF_SCRIPT_DIR} || return 1
139
140 cat <<EOF >> ${rootfs}/${DEF_SCRIPT}
141 #!/bin/sh
142 case "\$1" in
143 deconfig)
144 ip addr flush dev \$interface
145 ;;
146
147 renew|bound)
148 # flush all the routes
149 if [ -n "\$router" ]; then
150 ip route del default 2> /dev/null
151 fi
152
153 # check broadcast
154 if [ -n "\$broadcast" ]; then
155 broadcast="broadcast \$broadcast"
156 fi
157
158 # add a new ip address
159 ip addr add \$ip/\$mask \$broadcast dev \$interface
160
161 if [ -n "\$router" ]; then
162 ip route add default via \$router dev \$interface
163 fi
164
165 [ -n "\$domain" ] && echo search \$domain > /etc/resolv.conf
166 for i in \$dns ; do
167 grep "nameserver \$i" /etc/resolv.conf > /dev/null 2>&1
168 if [ \$? -ne 0 ]; then
169 echo nameserver \$i >> /etc/resolv.conf
170 fi
171 done
172 ;;
173 esac
174 exit 0
175 EOF
176
177 chmod 744 ${rootfs}/${DEF_SCRIPT}
178
179 return "${res}"
180 }
181
182 configure_busybox()
183 {
184 rootfs="${1}"
185
186 # copy busybox in the rootfs
187 if ! cp "${BUSYBOX_EXE}" "${rootfs}/bin"; then
188 echo "ERROR: Failed to copy busybox binary" 1>&2
189 return 1
190 fi
191
192 # symlink busybox for the commands it supports
193 # it would be nice to just use "chroot $rootfs busybox --install -s /bin"
194 # but that only works right in a chroot with busybox >= 1.19.0
195 (
196 cd "${rootfs}/bin" || return 1
197 ./busybox --list | grep -v busybox | xargs -n1 ln -s busybox
198 )
199
200 # relink /sbin/init
201 ln "${rootfs}/bin/busybox" "${rootfs}/sbin/init"
202
203 # /etc/fstab must exist for "mount -a"
204 touch "${rootfs}/etc/fstab"
205
206 # passwd exec must be setuid
207 chmod +s "${rootfs}/bin/passwd"
208 touch "${rootfs}/etc/shadow"
209
210 return 0
211 }
212
213 copy_configuration()
214 {
215 path="${1}"
216 rootfs="${2}"
217 name="${3}"
218
219 grep -q "^lxc.rootfs.path" "${path}/config" 2>/dev/null || echo "lxc.rootfs.path = ${rootfs}" >> "${path}/config"
220 cat <<EOF >> "${path}/config"
221 lxc.signal.halt = SIGUSR1
222 lxc.signal.reboot = SIGTERM
223 lxc.uts.name = "${name}"
224 lxc.tty.max = 1
225 lxc.pty.max = 1
226 lxc.cap.drop = sys_module mac_admin mac_override sys_time
227
228 # When using LXC with apparmor, uncomment the next line to run unconfined:
229 #lxc.apparmor.profile = unconfined
230
231 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
232 lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0
233 EOF
234
235 libdirs="\
236 lib \
237 usr/lib \
238 lib64 \
239 usr/lib64"
240
241 for dir in ${libdirs}; do
242 if [ -d "/${dir}" ] && [ -d "${rootfs}/${dir}" ]; then
243 echo "lxc.mount.entry = /${dir} ${dir} none ro,bind 0 0" >> "${path}/config"
244 fi
245 done
246 echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >> "${path}/config"
247 }
248
249 remap_userns()
250 {
251 path="${1}"
252
253 if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
254 chown "${LXC_MAPPED_UID}" "${path}/config" > /dev/null 2>&1
255 chown -R root "${path}/rootfs" > /dev/null 2>&1
256 fi
257
258 if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
259 chgrp "${LXC_MAPPED_GID}" "${path}/config" > /dev/null 2>&1
260 chgrp -R root "${path}/rootfs" > /dev/null 2>&1
261 fi
262 }
263
264 usage() {
265 cat <<EOF
266 LXC busybox image builder
267
268 Special arguments:
269
270 [ -h | --help ]: Print this help message and exit.
271
272 LXC internal arguments:
273
274 [ --name <name> ]: The container name
275 [ --path <path> ]: The path to the container
276 [ --rootfs <rootfs> ]: The path to the container's rootfs (default: config or <path>/rootfs)
277 [ --mapped-uid <map> ]: A uid map (user namespaces)
278 [ --mapped-gid <map> ]: A gid map (user namespaces)
279
280 BUSYBOX template specific arguments:
281
282 [ --bbpath <path> ]: busybox pathname (default: ${BUSYBOX_EXE})
283
284 EOF
285 return 0
286 }
287
288 if ! options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid:,bbpath: -- "$@"); then
289 usage
290 exit 1
291 fi
292 eval set -- "$options"
293
294 while true
295 do
296 case "$1" in
297 -h|--help) usage && exit 0;;
298 -n|--name) name=$2; shift 2;;
299 -p|--path) path=$2; shift 2;;
300 --rootfs) rootfs=$2; shift 2;;
301 --mapped-uid) LXC_MAPPED_UID=$2; shift 2;;
302 --mapped-gid) LXC_MAPPED_GID=$2; shift 2;;
303 --bbpath) BUSYBOX_EXE=$2; shift 2;;
304 --) shift 1; break ;;
305 *) break ;;
306 esac
307 done
308
309 # Check that we have all variables we need
310 if [ -z "${name}" ] || [ -z "${path}" ]; then
311 echo "ERROR: Please pass the name and path for the container" 1>&2
312 exit 1
313 fi
314
315 # Make sure busybox is present
316 if [ -z "${BUSYBOX_EXE}" ]; then
317 echo "ERROR: Please pass a pathname for busybox binary" 1>&2
318 exit 1
319 fi
320 if [ ! -x "${BUSYBOX_EXE}" ]; then
321 echo "ERROR: Failed to find busybox binary (${BUSYBOX_EXE})" 1>&2
322 exit 1
323 fi
324
325 # detect rootfs
326 config="$path/config"
327 if [ -z "$rootfs" ]; then
328 if grep -q '^lxc.rootfs.path' "${config}" 2> /dev/null ; then
329 rootfs=$(awk -F= '/^lxc.rootfs.path =/{ print $2 }' "${config}")
330 else
331 rootfs="${path}/rootfs"
332 fi
333 fi
334
335 if ! install_busybox "${rootfs}" "${name}"; then
336 echo "ERROR: Failed to install rootfs" 1>&2
337 exit 1
338 fi
339
340 if ! configure_busybox "${rootfs}"; then
341 echo "ERROR: Failed to configure busybox" 1>&2
342 exit 1
343 fi
344
345 if ! copy_configuration "${path}" "${rootfs}" "${name}"; then
346 echo "ERROR: Failed to write config file" 1>&2
347 exit 1
348 fi
349
350 if ! remap_userns "${path}"; then
351 echo "ERROR: Failed to change idmappings" 1>&2
352 exit 1
353 fi
LXC mirror