lxc: added void lxc container support (will be upstreamed soon).
This commit is contained in:
parent
da09ceb607
commit
dc2a012145
|
@ -0,0 +1,271 @@
|
|||
#!/bin/bash
|
||||
|
||||
#
|
||||
# template script for generating Void linux container for LXC
|
||||
#
|
||||
|
||||
#
|
||||
# lxc: linux Container library
|
||||
|
||||
# Authors:
|
||||
# Juan RP <xtraeme@gmail.com>
|
||||
|
||||
# This library is free software; you can redistribute it and/or
|
||||
# modify it under the terms of the GNU Lesser General Public
|
||||
# License as published by the Free Software Foundation; either
|
||||
# version 2.1 of the License, or (at your option) any later version.
|
||||
|
||||
# This library is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
# Lesser General Public License for more details.
|
||||
|
||||
# You should have received a copy of the GNU Lesser General Public
|
||||
# License along with this library; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
|
||||
# Detect use under userns (unsupported)
|
||||
for arg in "$@"; do
|
||||
[ "$arg" = "--" ] && break
|
||||
if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
|
||||
echo "This template can't be used for unprivileged containers." 1>&2
|
||||
echo "You may want to try the \"download\" template instead." 1>&2
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
# Make sure the usual locations are in PATH
|
||||
export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
|
||||
# defaults
|
||||
arch=$(uname -m)
|
||||
default_path="/var/lib/lxc"
|
||||
LXC_TEMPLATE_CONFIG="/usr/share/lxc/config"
|
||||
|
||||
# Install 'base-voidstrap' by default
|
||||
base_packages=('base-voidstrap')
|
||||
declare -a additional_packages
|
||||
|
||||
# split comma-separated string into an array
|
||||
# ${1} - string to split
|
||||
# ${2} - separator (default is ",")
|
||||
# ${result} - result value on success
|
||||
split_string() {
|
||||
local ifs=${IFS}
|
||||
IFS="${2:-,}"
|
||||
read -a result < <(echo "${1}")
|
||||
IFS=${ifs}
|
||||
return 0
|
||||
}
|
||||
|
||||
# write container configuration files
|
||||
copy_configuration() {
|
||||
path=$1
|
||||
rootfs=$2
|
||||
hostname=$3
|
||||
arch=$4
|
||||
|
||||
## Add all the includes
|
||||
echo "" >> $path/config
|
||||
echo "# Common configuration" >> $path/config
|
||||
if [ -e "${LXC_TEMPLATE_CONFIG}/void.common.conf" ]; then
|
||||
echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/void.common.conf" >> $path/config
|
||||
fi
|
||||
|
||||
## Add the container-specific config
|
||||
echo "" >> $path/config
|
||||
echo "# Container specific configuration" >> $path/config
|
||||
grep -q "^lxc.rootfs" $path/config 2> /dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
|
||||
|
||||
cat <<EOF >> $path/config
|
||||
lxc.utsname = $hostname
|
||||
lxc.arch = $arch
|
||||
EOF
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Failed to add configuration"
|
||||
return 1
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
# install packages within container chroot
|
||||
install_void() {
|
||||
path=$1
|
||||
rootfs=$2
|
||||
hostname=$3
|
||||
arch=$4
|
||||
|
||||
[ "${arch}" != "$(uname -m)" ] && different_arch=true
|
||||
|
||||
if [ "${different_arch}" = "true" ]; then
|
||||
export XBPS_ARCH=${arch}
|
||||
fi
|
||||
|
||||
# set the hostname
|
||||
mkdir -p $rootfs/etc
|
||||
echo $hostname > $rootfs/etc/hostname
|
||||
|
||||
# missing device nodes
|
||||
mkdir -p $rootfs/dev
|
||||
mknod -m 666 "$rootfs/dev/null" c 1 3
|
||||
|
||||
echo "Installing ${base_packages[@]}"
|
||||
mkdir -p ${rootfs}/var/db/xbps/keys
|
||||
|
||||
# base64 encoded Void RSA public key
|
||||
vkb64=$(mktemp || return 1)
|
||||
cat > ${vkb64} << EOF
|
||||
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUWVBFIHBsaXN0IFBV
|
||||
QkxJQyAiLS8vQXBwbGUgQ29tcHV0ZXIvL0RURCBQTElTVCAxLjAvL0VOIiAiaHR0cDovL3d3dy5h
|
||||
cHBsZS5jb20vRFREcy9Qcm9wZXJ0eUxpc3QtMS4wLmR0ZCI+CjxwbGlzdCB2ZXJzaW9uPSIxLjAi
|
||||
Pgo8ZGljdD4KCTxrZXk+cHVibGljLWtleTwva2V5PgoJPGRhdGE+TFMwdExTMUNSVWRKVGlCUVZV
|
||||
Sk1TVU1nUzBWWkxTMHRMUzBLVFVsSlEwbHFRVTVDWjJ0eGFHdHBSemwzTUVKQlVVVkdRVUZQUTBG
|
||||
bk9FRk5TVWxEUTJkTFEwRm5SVUYyY2xONlFscE5kbWQyVDBOSk0wRllZazlxWVFveWNrdFNhMHBU
|
||||
VkUwell5OUZhbFJKWjBOblJGaG5kVzA1TTBKUVEzUlpPRTFqUmxadlExVTBUMmxZU0VkbVZHMXhN
|
||||
emxDVms1d1RIWk1TRXc1UzJzeENuQXlOemhUUW1oWVZrOTBZa0l5UlZadFJFdHVkbVpKUkVWVWJH
|
||||
Uk1SM3BsTjNKYVRsSktaSFIxVGpKdFdpOVVWbkpWUWpsVE1IbFJZeXRKZFdZMGFIWUtNeXRFT1Rk
|
||||
V1NXUlVTa2hCTjBGVGNqQTBNamh3Y0VWSFNrZDNVMU5vV1RKWVNtMDVSRFZKTUVWMVIxSlhZekUw
|
||||
VFVWSE4yUkpTMHBwV1dsTk1HNUZOQXAwV1c4eUwzWklORWxHVkVoa2JsWkJNMmRaYVZwNVJHNWlk
|
||||
VU5CVWk4NFJWTm1WVlJWTVROVFRrTlBaR0oxWkdZelJEVkNZM2tyVldsTlJFcEpNMWxsQ2pSTlJr
|
||||
dENjbFE1V21oYUswZHpXRUphV1RRNE1teHhhVnBwTmtOTU5YQjBZemxKVVVabU9DOWxTMXBoT0dw
|
||||
aGRHdHBWa1pXWjNKTFpVNVNhazlVZUU0S1psZFRkVEp1YTNoSFRsZ3JZbWhZV1hSb2FVZFhiVXBG
|
||||
V1RoalEwRlFlVVpPSzB4Mk5WSmxkRXN5TlRablpHTmlNbk5yYlVWeFpXWjJNbnBRUXl0M1ZncFhR
|
||||
bUprU0RWaVJEUmlXbXB1TUU0MldtdzRNWEoyTlZKNlJIWnVkbVlyZGtReE5HRkdWV0phT0ZGR2NY
|
||||
VTNOVkJpVERSM05tMVpUVFJzWkUwdlp6QlNDalpPV0VVNFFYbzVRbmQ0TW5SRVpsbGxTM1YxZEhj
|
||||
eFJYQlFiVEpaZGtaNVZGVmlNV052ZVVGMVZFZFNlVUZoY0RGVlZFaDJaemxzYUZCSlNtMW9SbEVL
|
||||
U2pWclEyY3hjVVEzUVRNeFYyd3dVbXh1WlRab1owZHZNRnBhVGtvMVkwcE5MM1l2ZWxOVVMwcGpk
|
||||
VVpuZDI4M1NEQm9UMGRwYkRaRVptODRPVUkwYWdwSE9UWkJRM2xRVXl0RVZrdFFSbGhTV1hkcUww
|
||||
RnJZa2h3WVZFeVpqRkdUVUZ2VTNCQ2NYVkVjVWhvTTNWcmF6Y3hTMWcyYWpFNWREQnBSamhFVVV4
|
||||
eUNuWjBSbE5UWkVscVJFRXdNbXgzWlZZNVRtRlJjRmR6UTBGM1JVRkJVVDA5Q2kwdExTMHRSVTVF
|
||||
SUZCVlFreEpReUJMUlZrdExTMHRMUW89PC9kYXRhPgoJPGtleT5wdWJsaWMta2V5LXNpemU8L2tl
|
||||
eT4KCTxpbnRlZ2VyPjQwOTY8L2ludGVnZXI+Cgk8a2V5PnNpZ25hdHVyZS1ieTwva2V5PgoJPHN0
|
||||
cmluZz5Wb2lkIExpbnV4PC9zdHJpbmc+CjwvZGljdD4KPC9wbGlzdD4K
|
||||
EOF
|
||||
base64 -d ${vkb64} > ${rootfs}/var/db/xbps/keys/60\:ae\:0c\:d6\:f0\:95\:17\:80\:bc\:93\:46\:7a\:89\:af\:a3\:2d.plist
|
||||
rm -f ${vkb64}
|
||||
|
||||
mkdir -p ${rootfs}/usr/share/xbps/repo.d
|
||||
echo "repository=http://repo.voidlinux.eu/current" > ${rootfs}/usr/share/xbps/repo.d/00-main.conf
|
||||
|
||||
if ! xbps-install ${xbps_cachedir:+ -c $xbps_cachedir} \
|
||||
${xbps_config:+-C $xbps_config} -r "${rootfs}" \
|
||||
-Sy ${base_packages[@]}; then
|
||||
echo "Failed to install container packages"
|
||||
return 1
|
||||
fi
|
||||
|
||||
grep nameserver /etc/resolv.conf > "${rootfs}/etc/resolv.conf"
|
||||
|
||||
echo "root:root" | chroot ${rootfs} chpasswd -c SHA512
|
||||
echo
|
||||
echo "Root password is 'root', please change!"
|
||||
echo
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
usage() {
|
||||
cat <<EOF
|
||||
usage:
|
||||
${1} -n|--name=<container_name>
|
||||
[-P|--packages=<pkg1,pkg2,...>] [-p|--path=<path>] [-h|--help]
|
||||
Mandatory args:
|
||||
-n,--name container name, used to as an identifier for that container from now on
|
||||
Optional args:
|
||||
-p,--path path to where the container rootfs will be created, defaults to ${default_path}/rootfs. The container config will go under ${default_path} in that case
|
||||
-P,--packages preinstall additional packages, comma-separated list
|
||||
-c,--config use specified xbps config when installing container packages
|
||||
--cachedir XBPS cache directory to store downloaded packages
|
||||
-a,--arch use specified architecture instead of host's architecture
|
||||
-r,--root_passwd set container root password
|
||||
-h,--help print this help
|
||||
EOF
|
||||
return 0
|
||||
}
|
||||
|
||||
options=$(getopt -o hp:P:e:n:c:a:l:t:r: -l help,rootfs:,path:,packages:,name:,config:,cachedir:,arch:,root_passwd: -- "${@}")
|
||||
if [ ${?} -ne 0 ]; then
|
||||
usage $(basename ${0})
|
||||
exit 1
|
||||
fi
|
||||
eval set -- "${options}"
|
||||
|
||||
while true
|
||||
do
|
||||
case "${1}" in
|
||||
-h|--help) usage ${0} && exit 0;;
|
||||
-p|--path) path=${2}; shift 2;;
|
||||
-n|--name) name=${2}; shift 2;;
|
||||
--rootfs) rootfs_path=${2}; shift 2;;
|
||||
-P|--packages) additional_packages=${2}; shift 2;;
|
||||
-c|--config) xbps_config=${2}; shift 2;;
|
||||
--cachedir) xbps_cachedir=${2}; shift 2;;
|
||||
-a|--arch) arch=${2}; shift 2;;
|
||||
-r|--root_passwd) root_passwd=${2}; shift 2;;
|
||||
--) shift 1; break ;;
|
||||
*) break ;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ -z "${name}" ]; then
|
||||
echo "missing required 'name' parameter"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
type xbps-install >/dev/null 2>&1
|
||||
if [ ${?} -ne 0 ]; then
|
||||
echo "'xbps-install' command is missing, download xbps from http://repo.voidlinux.eu/static/"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -z "${path}" ]; then
|
||||
path="${default_path}/${name}"
|
||||
fi
|
||||
|
||||
if [ "${EUID}" != "0" ]; then
|
||||
echo "This script should be run as 'root'"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -z "${rootfs_path}_path" ]; then
|
||||
rootfs_path="${path}/rootfs"
|
||||
fi
|
||||
config_path="${default_path}/${name}"
|
||||
|
||||
revert() {
|
||||
echo "Interrupted, cleaning up"
|
||||
lxc-destroy -n "${name}"
|
||||
rm -rf "${path}/${name}"
|
||||
rm -rf "${default_path}/${name}"
|
||||
exit 1
|
||||
}
|
||||
|
||||
trap revert SIGHUP SIGINT SIGTERM
|
||||
|
||||
copy_configuration $path $rootfs_path $name $arch
|
||||
if [ ${?} -ne 0 ]; then
|
||||
echo "failed to write configuration file"
|
||||
rm -rf "${config_path}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ${#additional_packages[@]} -gt 0 ]; then
|
||||
split_string ${additional_packages}
|
||||
base_packages+=(${result[@]})
|
||||
fi
|
||||
|
||||
mkdir -p "${rootfs_path}"
|
||||
install_void $path $rootfs_path $name $arch
|
||||
if [ ${?} -ne 0 ]; then
|
||||
echo "failed to install Void Linux"
|
||||
rm -rf "${config_path}" "${path}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
cat << EOF
|
||||
Void container ${name} is successfully created! The configuration is
|
||||
stored in ${config_path}/config. Please refer to http://www.voidlinux.eu
|
||||
for information about configuring your Void installation.
|
||||
EOF
|
|
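Review bot: `if [ -z "${rootfs_path}_path" ]` near the end of the option handling can never be true because of the literal `_path` suffix, so a run without `--rootfs` leaves `rootfs_path` empty, the unquoted `copy_configuration $path $rootfs_path $name $arch` and `install_void $path $rootfs_path $name $arch` calls then shift their positional arguments by one (the container name is written as `lxc.rootfs` and `lxc.arch` ends up empty), and `mkdir -p "${rootfs_path}"` fails; the test should read `if [ -z "${rootfs_path}" ]; then`, and both calls should quote their arguments. The `-r|--root_passwd` option is parsed and listed in `usage` but never read: `echo "root:root" | chroot ${rootfs} chpasswd -c SHA512` always sets the password to `root`, so either use `echo "root:${root_passwd:-root}" | chroot "${rootfs}" chpasswd -c SHA512` and print the "please change" reminder only when the default is in effect, or drop the option. The failure path `rm -rf "${config_path}" "${path}"` removes the whole user-supplied `--path` directory rather than only what this run created; limiting it to `"${rootfs_path}"` and `"${config_path}/config"` (or at least guarding with `"${path:?}"`) avoids deleting pre-existing content. `vkb64=$(mktemp || return 1)` cannot return from `install_void` because the `return` runs inside the command-substitution subshell, and the temporary file exists only to hold the here-doc; `base64 -d <<EOF > "${rootfs}/var/db/xbps/keys/<key-fingerprint>.plist"` with the same base64 body removes both the temp file and that gap.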
@ -0,0 +1,67 @@
|
|||
# Default pivot location
|
||||
#lxc.pivotdir = lxc_putold
|
||||
|
||||
# Default mount entries
|
||||
lxc.mount.entry = run run tmpfs rw,nosuid,nodev,mode=755 0 0
|
||||
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
|
||||
lxc.mount.entry = sysfs sys sysfs defaults 0 0
|
||||
|
||||
# Default console settings
|
||||
lxc.tty = 6
|
||||
lxc.pts = 1024
|
||||
lxc.autodev = 1
|
||||
|
||||
# Default capabilities
|
||||
lxc.cap.drop = sys_module mac_admin mac_override sys_time
|
||||
|
||||
# When using LXC with apparmor, the container will be confined by default.
|
||||
# If you wish for it to instead run unconfined, copy the following line
|
||||
# (uncommented) to the container's configuration file.
|
||||
#lxc.aa_profile = unconfined
|
||||
|
||||
# To support container nesting on an Ubuntu host while retaining most of
|
||||
# apparmor's added security, use the following two lines instead.
|
||||
#lxc.aa_profile = lxc-container-default-with-nesting
|
||||
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
|
||||
|
||||
# If you wish to allow mounting block filesystems, then use the following
|
||||
# line instead, and make sure to grant access to the block device and/or loop
|
||||
# devices below in lxc.cgroup.devices.allow.
|
||||
#lxc.aa_profile = lxc-container-default-with-mounting
|
||||
|
||||
# Default cgroup limits
|
||||
lxc.cgroup.devices.deny = a
|
||||
## Allow any mknod (but not using the node)
|
||||
lxc.cgroup.devices.allow = c *:* m
|
||||
lxc.cgroup.devices.allow = b *:* m
|
||||
## /dev/null and zero
|
||||
lxc.cgroup.devices.allow = c 1:3 rwm
|
||||
lxc.cgroup.devices.allow = c 1:5 rwm
|
||||
## consoles
|
||||
lxc.cgroup.devices.allow = c 5:0 rwm
|
||||
lxc.cgroup.devices.allow = c 5:1 rwm
|
||||
## /dev/{,u}random
|
||||
lxc.cgroup.devices.allow = c 1:8 rwm
|
||||
lxc.cgroup.devices.allow = c 1:9 rwm
|
||||
## /dev/pts/*
|
||||
lxc.cgroup.devices.allow = c 5:2 rwm
|
||||
lxc.cgroup.devices.allow = c 136:* rwm
|
||||
## rtc
|
||||
lxc.cgroup.devices.allow = c 254:0 rm
|
||||
## fuse
|
||||
lxc.cgroup.devices.allow = c 10:229 rwm
|
||||
## tun
|
||||
lxc.cgroup.devices.allow = c 10:200 rwm
|
||||
## full
|
||||
lxc.cgroup.devices.allow = c 1:7 rwm
|
||||
## hpet
|
||||
lxc.cgroup.devices.allow = c 10:228 rwm
|
||||
## kvm
|
||||
lxc.cgroup.devices.allow = c 10:232 rwm
|
||||
## To use loop devices, copy the following line to the container's
|
||||
## configuration file (uncommented).
|
||||
#lxc.cgroup.devices.allow = b 7:* rwm
|
||||
|
||||
# Blacklist some syscalls which are not safe in privileged
|
||||
# containers
|
||||
lxc.seccomp = /usr/share/lxc/config/common.seccomp
|
|
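Review bot: The apparmor guidance in the comment block (`#lxc.aa_profile = unconfined`, `lxc-container-default-with-nesting`, `lxc-container-default-with-mounting` and the Ubuntu nesting hook) does not match this package, whose `configure_args` further down the page pass `--disable-apparmor`, so a user who uncomments one of those lines gets no confinement at all rather than the profile the comment promises. Either drop those comments or prefix the block with `# NOTE: this build is configured with --disable-apparmor; lxc.aa_profile has no effect here`. Because the template refuses `--mapped-uid`/`--mapped-gid`, this file is only ever applied to privileged containers, so the broad device allow-list (`c 10:232 rwm` kvm, `c 10:200 rwm` tun, `c 10:229 rwm` fuse) deserves a one-line comment per entry stating why a default container needs it, or should use the commented opt-in form already used for loop devices. `lxc.seccomp = /usr/share/lxc/config/common.seccomp` presumably refers to a file shipped by lxc itself, but nothing in this commit installs it, so that is worth confirming against the package contents.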
@ -3,7 +3,7 @@ _desc="Linux Containers"
|
|||
|
||||
pkgname=lxc
|
||||
version=1.0.5
|
||||
revision=2
|
||||
revision=3
|
||||
build_style=gnu-configure
|
||||
configure_args="--enable-doc --enable-seccomp --disable-apparmor --with-distro=none
|
||||
--with-rootfs-path=/var/lxc/containers --with-log-path=/var/lxc/log"
|
||||
|
@ -30,6 +30,10 @@ post_install() {
|
|||
vinstall ${FILESDIR}/service 644 usr/lib/systemd/system lxc@.service
|
||||
vmkdir usr/share/bash-completion/completions
|
||||
mv ${DESTDIR}/etc/bash_completion.d/* ${DESTDIR}/usr/share/bash-completion/completions/
|
||||
# Install void lxc config/template.
|
||||
vinstall ${FILESDIR}/void.common.conf 644 usr/share/lxc/config
|
||||
vinstall ${FILESDIR}/lxc-void 755 usr/share/lxc/templates
|
||||
|
||||
}
|
||||
|
||||
liblxc_package() {
|
||||
|
|