LXC_MAPPED_UID=
LXC_MAPPED_GID=
-BUSYBOX_EXE=
+BUSYBOX_EXE=$(command -v busybox)
# Make sure the usual locations are in PATH
-export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
+export PATH="$PATH:/usr/sbin:/usr/bin:/sbin:/bin"
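Review bot: `BUSYBOX_EXE=$(command -v busybox)` runs before the `export PATH="$PATH:/usr/sbin:/usr/bin:/sbin:/bin"` line three lines below it, so a busybox that lives only in /sbin or /usr/sbin is missed by the default lookup even though PATH is extended for exactly those directories a moment later; moving the PATH export above the lookup fixes that, and the `-z "${BUSYBOX_EXE}"` / `! -x` checks at the bottom of the file then see the right default. If the script runs under `set -e` (not visible in this chunk), a missing busybox also makes the assignment itself return non-zero and abort silently before that later check can print its message; `BUSYBOX_EXE=$(command -v busybox || true)` keeps the explicit error path reachable. These are top-level assignments, so whatever precedes them (including any `set` options) is outside the hunk.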
in_userns() {
[ -e /proc/self/uid_map ] || { echo no; return; }
fi
done < /proc/self/uid_map
- [ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && { echo userns-root; return; }
+ if [ -e /proc/1/uid_map ]; then
+ if [ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ]; then
+ echo userns-root
+ return
+ fi
+ fi
echo yes
}
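Review bot: in_userns now has three distinct outputs (`no`, `userns-root`, `yes`) but nothing near the function says what each means, which matters to callers that compare the string; a header comment above `in_userns() {` would do, e.g. `# Prints "no" when /proc/self/uid_map is absent, "userns-root" when our uid map is identical to pid 1's, otherwise "yes".` The two `$(cat ...)` substitutions used only for an equality test could be a single `cmp -s /proc/self/uid_map /proc/1/uid_map`, which avoids building both maps as strings. The loop whose `done < /proc/self/uid_map` closes at the top of the hunk begins outside it, so what its own `no` case tests is not visible here.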
${rootfs}/tmp \
${rootfs}/var/log \
${rootfs}/var/run \
-${rootfs}/usr/share/udhcpc \
${rootfs}/dev/pts \
-${rootfs}/dev/shm \
${rootfs}/lib \
${rootfs}/usr/lib \
${rootfs}/lib64 \
# shellcheck disable=SC2086
chmod 755 ${fstree} || return 1
- # minimal devices needed for busybox
- if [ "${USERNS}" = "yes" ]; then
- for dev in tty console tty0 tty1 ram0 null urandom; do
- echo "lxc.mount.entry = /dev/${dev} dev/${dev} none bind,optional,create=file 0 0" >> "${path}/config"
- done
- else
- mknod -m 666 "${rootfs}/dev/tty" c 5 0 || res=1
- mknod -m 666 "${rootfs}/dev/console" c 5 1 || res=1
- mknod -m 666 "${rootfs}/dev/tty0" c 4 0 || res=1
- mknod -m 666 "${rootfs}/dev/tty1" c 4 0 || res=1
- mknod -m 666 "${rootfs}/dev/tty5" c 4 0 || res=1
- mknod -m 600 "${rootfs}/dev/ram0" b 1 0 || res=1
- mknod -m 666 "${rootfs}/dev/null" c 1 3 || res=1
- mknod -m 666 "${rootfs}/dev/zero" c 1 5 || res=1
- mknod -m 666 "${rootfs}/dev/urandom" c 1 9 || res=1
- fi
+ # make /tmp accessible to any user (with sticky bit)
+ chmod 1777 "${rootfs}/tmp" || return 1
# root user defined
cat <<EOF >> "${rootfs}/etc/passwd"
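Review bot: With the mknod / bind-mount block removed, nothing in this function explains where the container's /dev now comes from; the only hint is `lxc.autodev = 1` in the config heredoc further down, so a one-line comment next to the new `chmod 1777` line would spare the next reader a search, e.g. `# /dev is populated by LXC at start (lxc.autodev = 1 in the generated config); only /tmp needs fixing up here`. The removed list also covered `ram0` and `zero`; whether the autodev-populated /dev carries equivalents is not shown by this diff, so it is worth confirming if anything in the image depends on them. The enclosing function begins outside the hunk.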
chmod 644 "${rootfs}/etc/inittab" || return 1
# Look for the pathname of "default.script" from the help of udhcpc
- DEF_SCRIPT=`${BUSYBOX_EXE} udhcpc -h 2>&1 | grep -- '-s,--script PROG' | cut -d'/' -f2- | cut -d')' -f1`
- DEF_SCRIPT_DIR=`dirname /${DEF_SCRIPT}`
+ DEF_SCRIPT=$(${BUSYBOX_EXE} udhcpc --help 2>&1 | egrep -- '-s.*Run PROG' | cut -d'/' -f2- | cut -d')' -f1)
+ DEF_SCRIPT_DIR=$(dirname /${DEF_SCRIPT})
mkdir -p ${rootfs}/${DEF_SCRIPT_DIR}
chmod 644 ${rootfs}/${DEF_SCRIPT_DIR} || return 1
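Review bot: If the new pattern `-s.*Run PROG` does not match the installed busybox's `udhcpc --help` output (the old pattern matched `-s,--script PROG`, so builds that print that form no longer match), `DEF_SCRIPT` is empty, `DEF_SCRIPT_DIR` becomes `/`, and the two context lines that follow run `mkdir -p` and `chmod 644` against `${rootfs}/` itself; guard the result before using it: `[ -n "${DEF_SCRIPT}" ] || { echo "ERROR: cannot determine udhcpc script path from ${BUSYBOX_EXE} udhcpc --help" 1>&2; return 1; }`. `egrep` is deprecated in current GNU grep and emits a warning; `grep -E --` is the direct replacement. Separately, `chmod 644` on a directory removes search permission for everyone, so the unchanged `chmod 644 ${rootfs}/${DEF_SCRIPT_DIR}` line looks like it was meant to be `chmod 755`, and `${BUSYBOX_EXE}`, `${DEF_SCRIPT}` and `${rootfs}` are unquoted throughout these lines. The enclosing function starts and ends outside the hunk.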
lxc.signal.halt = SIGUSR1
lxc.signal.reboot = SIGTERM
lxc.uts.name = "${name}"
-lxc.tty.max = 1
+lxc.autodev = 1
+lxc.tty.max = 5
lxc.pty.max = 1
lxc.cap.drop = sys_module mac_admin mac_override sys_time
# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.apparmor.profile = unconfined
-lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
-lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0
+lxc.mount.auto = cgroup:mixed proc:mixed sys:ro
+lxc.mount.entry = shm dev/shm tmpfs defaults,create=dir 0 0
+lxc.mount.entry = mqueue dev/mqueue mqueue defaults,optional,create=dir 0 0
EOF
libdirs="\
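Review bot: The new `shm dev/shm tmpfs defaults,create=dir` entry mounts a world-writable tmpfs with `defaults`, which leaves suid and dev permitted on it; unless the image relies on executables under /dev/shm, `defaults,nosuid,nodev,create=dir` is the safer option string. The move to `sys:ro` in `lxc.mount.auto` is a hardening improvement and is consistent with `lxc.autodev = 1` replacing the hand-made device nodes, so only the tmpfs options seem worth revisiting. The `cat <<EOF` that opens this config heredoc is outside the hunk.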
LXC busybox image builder
Special arguments:
-[ -h | --help ]: Print this help message and exit.
-
-LXC internal arguments (do not pass manually!):
-[ --name <name> ]: The container name
-[ --path <path> ]: The path to the container
-[ --rootfs <rootfs> ]: The path to the container's rootfs
-[ --mapped-uid <map> ]: A uid map (user namespaces)
-[ --mapped-gid <map> ]: A gid map (user namespaces)
+
+ [ -h | --help ]: Print this help message and exit.
+
+LXC internal arguments:
+
+ [ --name <name> ]: The container name
+ [ --path <path> ]: The path to the container
+ [ --rootfs <rootfs> ]: The path to the container's rootfs (default: config or <path>/rootfs)
+ [ --mapped-uid <map> ]: A uid map (user namespaces)
+ [ --mapped-gid <map> ]: A gid map (user namespaces)
+
+BUSYBOX template specific arguments:
+
+ [ --busybox-path <path> ]: busybox pathname (default: ${BUSYBOX_EXE})
+
EOF
return 0
}
-if ! options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- "$@"); then
+if ! options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid:,busybox-path: -- "$@"); then
usage
exit 1
fi
--rootfs) rootfs=$2; shift 2;;
--mapped-uid) LXC_MAPPED_UID=$2; shift 2;;
--mapped-gid) LXC_MAPPED_GID=$2; shift 2;;
+ --busybox-path) BUSYBOX_EXE=$2; shift 2;;
--) shift 1; break ;;
*) break ;;
esac
done
# Check that we have all variables we need
-if [ -z "${name}" ] || [ -z "${path}" ] || [ -z "${rootfs}" ]; then
- echo "ERROR: Please pass the name, path, and rootfs for the container" 1>&2
+if [ -z "${name}" ] || [ -z "${path}" ]; then
+ echo "ERROR: Please pass the name and path for the container" 1>&2
exit 1
fi
# Make sure busybox is present
-BUSYBOX_EXE=`which busybox`
-if [ $? -ne 0 ]; then
- echo "ERROR: Failed to find busybox binary" 1>&2
+if [ -z "${BUSYBOX_EXE}" ]; then
+ echo "ERROR: Please pass a pathname for busybox binary" 1>&2
+ exit 1
+fi
+if [ ! -x "${BUSYBOX_EXE}" ]; then
+ echo "ERROR: Failed to find busybox binary (${BUSYBOX_EXE})" 1>&2
exit 1
fi
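Review bot: `[ ! -x "${BUSYBOX_EXE}" ]` accepts a directory, so `--busybox-path /bin` passes this check and only fails later when `${BUSYBOX_EXE} udhcpc --help` is invoked with a less obvious error; tightening it to `if [ ! -f "${BUSYBOX_EXE}" ] || [ ! -x "${BUSYBOX_EXE}" ]; then` with the same message catches that here. The message "Failed to find busybox binary" is also printed when the file exists but is not executable, so wording it as `not an executable file` would match both cases. What follows the closing `fi` is outside the hunk.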