3 # Client script for LXC container images.
5 # Copyright @ Daniel Lezcano <daniel.lezcano@free.fr>
6 # Copyright © 2018 Christian Brauner <christian.brauner@ubuntu.com>
8 # This library is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU Lesser General Public
10 # License as published by the Free Software Foundation; either
11 # version 2.1 of the License, or (at your option) any later version.
13 # This library is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 # Lesser General Public License for more details.
18 # You should have received a copy of the GNU Lesser General Public
19 # License along with this library; if not, write to the Free Software
20 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
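# Make sure the usual system locations are in PATH *before* the busybox
# lookup below, so a busybox living in /sbin or /usr/sbin is found even when
# the caller's PATH lacks those directories. Appending (not prepending) keeps
# whatever the caller already has on PATH at higher priority.
export PATH="$PATH:/usr/sbin:/usr/bin:/sbin:/bin"

# Default busybox binary; can be overridden later with --bbpath.
# `command -v` is POSIX and prints only a pathname (or nothing) on stdout,
# whereas some `which` implementations print their "not found" diagnostic on
# stdout, which would leave a non-empty bogus value here that the later
# sanity checks on BUSYBOX_EXE would then report confusingly.
BUSYBOX_EXE=$(command -v busybox)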
32 [ -e /proc
/self
/uid_map
] ||
{ echo no
; return; }
33 while read -r line
; do
34 fields
="$(echo "$line" | awk '{ print $1 " " $2 " " $3 }')"
35 if [ "${fields}" = "0 0 4294967295" ]; then
39 if echo "${fields}" |
grep -q " 0 1$"; then
43 done < /proc
/self
/uid_map
45 [ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && { echo userns-root
; return; }
62 ${rootfs}/etc/init.d \
73 ${rootfs}/usr/share/udhcpc \
81 # shellcheck disable=SC2086
82 mkdir
-p ${fstree} ||
return 1
83 # shellcheck disable=SC2086
84 chmod 755 ${fstree} ||
return 1
86 # minimal devices needed for busybox
87 if [ "${USERNS}" = "yes" ]; then
88 for dev
in tty console tty0 tty1 ram0 null urandom
; do
89 echo "lxc.mount.entry = /dev/${dev} dev/${dev} none bind,optional,create=file 0 0" >> "${path}/config"
92 mknod
-m 666 "${rootfs}/dev/tty" c
5 0 || res
=1
93 mknod
-m 666 "${rootfs}/dev/console" c
5 1 || res
=1
94 mknod
-m 666 "${rootfs}/dev/tty0" c
4 0 || res
=1
95 mknod
-m 666 "${rootfs}/dev/tty1" c
4 0 || res
=1
96 mknod
-m 666 "${rootfs}/dev/tty5" c
4 0 || res
=1
97 mknod
-m 600 "${rootfs}/dev/ram0" b
1 0 || res
=1
98 mknod
-m 666 "${rootfs}/dev/null" c
1 3 || res
=1
99 mknod
-m 666 "${rootfs}/dev/zero" c
1 5 || res
=1
100 mknod
-m 666 "${rootfs}/dev/urandom" c
1 9 || res
=1
104 cat <<EOF >> "${rootfs}/etc/passwd"
105 root:x:0:0:root:/root:/bin/sh
108 cat <<EOF >> "${rootfs}/etc/group"
113 cat <<EOF >> "${rootfs}/etc/init.d/rcS"
121 chmod 744 "${rootfs}/etc/init.d/rcS" ||
return 1
123 # launch rcS first then make a console available
124 # and propose a shell on the tty, the last one is
126 cat <<EOF >> "${rootfs}/etc/inittab"
127 ::sysinit:/etc/init.d/rcS
128 tty1::respawn:/bin/getty -L tty1 115200 vt100
129 console::askfirst:/bin/sh
131 # writable and readable for other
132 chmod 644 "${rootfs}/etc/inittab" ||
return 1
134 # Look for the pathname of "default.script" from the help of udhcpc
135 DEF_SCRIPT
=`${BUSYBOX_EXE} udhcpc -h 2>&1 | grep -- '-s,--script PROG' | cut -d'/' -f2- | cut -d')' -f1`
136 DEF_SCRIPT_DIR
=`dirname /${DEF_SCRIPT}`
137 mkdir
-p ${rootfs}/${DEF_SCRIPT_DIR}
138 chmod 644 ${rootfs}/${DEF_SCRIPT_DIR} ||
return 1
140 cat <<EOF >> ${rootfs}/${DEF_SCRIPT}
144 ip addr flush dev \$interface
148 # flush all the routes
149 if [ -n "\$router" ]; then
150 ip route del default 2> /dev/null
154 if [ -n "\$broadcast" ]; then
155 broadcast="broadcast \$broadcast"
158 # add a new ip address
159 ip addr add \$ip/\$mask \$broadcast dev \$interface
161 if [ -n "\$router" ]; then
162 ip route add default via \$router dev \$interface
165 [ -n "\$domain" ] && echo search \$domain > /etc/resolv.conf
167 grep "nameserver \$i" /etc/resolv.conf > /dev/null 2>&1
168 if [ \$? -ne 0 ]; then
169 echo nameserver \$i >> /etc/resolv.conf
177 chmod 744 ${rootfs}/${DEF_SCRIPT}
186 # copy busybox in the rootfs
187 if ! cp "${BUSYBOX_EXE}" "${rootfs}/bin"; then
188 echo "ERROR: Failed to copy busybox binary" 1>&2
192 # symlink busybox for the commands it supports
193 # it would be nice to just use "chroot $rootfs busybox --install -s /bin"
194 # but that only works right in a chroot with busybox >= 1.19.0
196 cd "${rootfs}/bin" ||
return 1
197 .
/busybox
--list |
grep -v busybox |
xargs -n1 ln -s busybox
201 ln "${rootfs}/bin/busybox" "${rootfs}/sbin/init"
203 # /etc/fstab must exist for "mount -a"
204 touch "${rootfs}/etc/fstab"
206 # passwd exec must be setuid
207 chmod +s
"${rootfs}/bin/passwd"
208 touch "${rootfs}/etc/shadow"
219 grep -q "^lxc.rootfs.path" "${path}/config" 2>/dev/null || echo "lxc.rootfs.path = ${rootfs}" >> "${path}/config"
220 cat <<EOF >> "${path}/config"
221 lxc.signal.halt = SIGUSR1
222 lxc.signal.reboot = SIGTERM
223 lxc.uts.name = "${name}"
226 lxc.cap.drop = sys_module mac_admin mac_override sys_time
228 # When using LXC with apparmor, uncomment the next line to run unconfined:
229 #lxc.apparmor.profile = unconfined
231 lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
232 lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0
241 for dir
in ${libdirs}; do
242 if [ -d "/${dir}" ] && [ -d "${rootfs}/${dir}" ]; then
243 echo "lxc.mount.entry = /${dir} ${dir} none ro,bind 0 0" >> "${path}/config"
246 echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >> "${path}/config"
253 if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
254 chown
"${LXC_MAPPED_UID}" "${path}/config" > /dev
/null
2>&1
255 chown
-R root
"${path}/rootfs" > /dev
/null
2>&1
258 if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
259 chgrp
"${LXC_MAPPED_GID}" "${path}/config" > /dev
/null
2>&1
260 chgrp
-R root
"${path}/rootfs" > /dev
/null
2>&1
266 LXC busybox image builder
270 [ -h | --help ]: Print this help message and exit.
272 LXC internal arguments:
274 [ --name <name> ]: The container name
275 [ --path <path> ]: The path to the container
276 [ --rootfs <rootfs> ]: The path to the container's rootfs (default: config or <path>/rootfs)
277 [ --mapped-uid <map> ]: A uid map (user namespaces)
278 [ --mapped-gid <map> ]: A gid map (user namespaces)
280 BUSYBOX template specific arguments:
282 [ --bbpath <path> ]: busybox pathname (default: ${BUSYBOX_EXE})
288 if ! options
=$
(getopt
-o hp
:n
: -l help,rootfs
:,path
:,name
:,mapped-uid
:,mapped-gid
:,bbpath
: -- "$@"); then
292 eval set -- "$options"
297 -h|
--help) usage
&& exit 0;;
298 -n|
--name) name
=$2; shift 2;;
299 -p|
--path) path
=$2; shift 2;;
300 --rootfs) rootfs
=$2; shift 2;;
301 --mapped-uid) LXC_MAPPED_UID
=$2; shift 2;;
302 --mapped-gid) LXC_MAPPED_GID
=$2; shift 2;;
303 --bbpath) BUSYBOX_EXE
=$2; shift 2;;
304 --) shift 1; break ;;
309 # Check that we have all variables we need
310 if [ -z "${name}" ] ||
[ -z "${path}" ]; then
311 echo "ERROR: Please pass the name and path for the container" 1>&2
315 # Make sure busybox is present
316 if [ -z "${BUSYBOX_EXE}" ]; then
317 echo "ERROR: Please pass a pathname for busybox binary" 1>&2
320 if [ ! -x "${BUSYBOX_EXE}" ]; then
321 echo "ERROR: Failed to find busybox binary (${BUSYBOX_EXE})" 1>&2
326 config
="$path/config"
327 if [ -z "$rootfs" ]; then
328 if grep -q '^lxc.rootfs.path' "${config}" 2> /dev
/null
; then
329 rootfs
=$
(awk -F= '/^lxc.rootfs.path =/{ print $2 }' "${config}")
331 rootfs
="${path}/rootfs"
335 if ! install_busybox
"${rootfs}" "${name}"; then
336 echo "ERROR: Failed to install rootfs" 1>&2
340 if ! configure_busybox
"${rootfs}"; then
341 echo "ERROR: Failed to configure busybox" 1>&2
345 if ! copy_configuration
"${path}" "${rootfs}" "${name}"; then
346 echo "ERROR: Failed to write config file" 1>&2
350 if ! remap_userns
"${path}"; then
351 echo "ERROR: Failed to change idmappings" 1>&2