lxc/templates/lxc-altlinux.in

	lxc-altlinux.in revision 96283b546081e7ff709968378fca25cb44f1ab6c
1516N/A#!/bin/bash
181N/A
181N/A#
181N/A# template script for generating altlinux container for LXC
181N/A#
181N/A
181N/A#
181N/A# lxc: linux Container library
181N/A
181N/A# Authors:
181N/A# Alexey Shabalin <shaba@altlinux.org>
181N/A
181N/A# This library is free software; you can redistribute it and/or
181N/A# modify it under the terms of the GNU Lesser General Public
181N/A# License as published by the Free Software Foundation; either
181N/A# version 2.1 of the License, or (at your option) any later version.
181N/A
181N/A# This library is distributed in the hope that it will be useful,
181N/A# but WITHOUT ANY WARRANTY; without even the implied warranty of
181N/A# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
181N/A# Lesser General Public License for more details.
181N/A
2199N/A# You should have received a copy of the GNU Lesser General Public
3339N/A# License along with this library; if not, write to the Free Software
2199N/A# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
181N/A
3339N/A# Detect use under userns (unsupported)
1715N/Afor arg in "$@"; do
1715N/A    [ "$arg" = "--" ] && break
1715N/A    if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
1715N/A        echo "This template can't be used for unprivileged containers." 1>&2
526N/A        echo "You may want to try the \"download\" template instead." 1>&2
181N/A        exit 1
416N/A    fi
430N/Adone
430N/A
181N/A# Make sure the usual locations are in PATH
430N/Aexport PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
181N/A
181N/A#Configurations
181N/Aarch=$(uname -m)
181N/Acache_base=@LOCALSTATEDIR@/cache/lxc/altlinux/$arch
181N/Adefault_path=@LXCPATH@
416N/Adefault_profile=default
416N/Aprofile_dir=/etc/lxc/profiles
416N/Aroot_password=rooter
181N/Alxc_network_type=veth
181N/Alxc_network_link=virbr0
181N/A
181N/A# is this altlinux?
181N/A[ -f /etc/altlinux-release ] && is_altlinux=true
181N/A
181N/Aconfigure_altlinux()
181N/A{
181N/A
181N/A    # disable selinux in altlinux
416N/A    mkdir -p $rootfs_path/selinux
181N/A    echo 0 > $rootfs_path/selinux/enforce
181N/A
181N/A    mkdir -p ${rootfs_path}/etc/net/ifaces/veth0
181N/A    cat <<EOF > ${rootfs_path}/etc/net/ifaces/veth0/options
181N/ABOOTPROTO=${BOOTPROTO}
181N/AONBOOT=yes
416N/ANM_CONTROLLED=no
416N/ATYPE=eth
416N/AEOF
416N/A
416N/Aif [ ${BOOTPROTO} != "dhcp" ]; then
181N/A    # ip address
526N/A    cat <<EOF > ${rootfs_path}/etc/net/ifaces/veth0/ipv4address
526N/A${ipv4}
526N/AEOF
526N/A
526N/A    cat <<EOF > ${rootfs_path}/etc/net/ifaces/veth0/ipv4route
526N/A${gw}
526N/AEOF
526N/A
526N/A    cat <<EOF > ${rootfs_path}/etc/net/ifaces/veth0/resolv.conf
526N/Anameserver ${dns}
416N/AEOF
3339N/A
3339N/A    cat <<EOF > ${rootfs_path}/etc/net/ifaces/veth0/ipv6address
3339N/A${ipv6}
3339N/AEOF
3339N/A
3339N/A    cat <<EOF > ${rootfs_path}/etc/net/ifaces/veth0/ipv6route
3339N/A${gw6}
3339N/AEOF
3339N/A
3339N/Afi
3339N/A
3339N/A    # set the hostname
3339N/A    cat <<EOF > ${rootfs_path}/etc/sysconfig/network
3339N/ANETWORKING=yes
3339N/ACONFMETHOD=etcnet
3339N/AHOSTNAME=${UTSNAME}
3339N/ARESOLV_MODS=yes
3339N/AEOF
3339N/A
181N/A    # set minimal hosts
416N/A    cat <<EOF > $rootfs_path/etc/hosts
3339N/A127.0.0.1 localhost.localdomain localhost $name
3339N/AEOF
3339N/A    # Allow to login at virsh console. loginuid.so doen't work in the absence of auditd.
3339N/A#    sed -i 's/^.*loginuid.so.*$/\#&/' ${rootfs_path}/etc/pam.d/common-login
3339N/A
3339N/A    # Allow root to login at virsh console
3339N/A    echo "pts/0" >> ${rootfs_path}/etc/securetty
3339N/A    echo "console" >> ${rootfs_path}/etc/securetty
3339N/A
3339N/A    chroot ${rootfs_path} chkconfig network on
3339N/A    chroot ${rootfs_path} chkconfig syslogd on
3339N/A    chroot ${rootfs_path} chkconfig random on
416N/A    chroot ${rootfs_path} chkconfig rawdevices off
3339N/A    chroot ${rootfs_path} chkconfig fbsetfont off
416N/A#    chroot ${rootfs_path} chkconfig keytable off
3339N/A
3339N/A    subst 's/^\([3-9]\+:[0-9]\+:respawn:\/sbin\/mingetty.*\)/#\1/' ${rootfs_path}/etc/inittab
3339N/A    echo "c1:2345:respawn:/sbin/mingetty --noclear console" >>  ${rootfs_path}/etc/inittab
3339N/A    subst 's,\/dev\/tty12,/var/log/syslog/console,' ${rootfs_path}/etc/syslog.conf
3339N/A
181N/A#   touch file for fastboot
526N/A    touch ${rootfs_path}/fastboot
526N/A    chattr +i ${rootfs_path}/fastboot
526N/A
526N/A    dev_path="${rootfs_path}/dev"
526N/A    rm -rf ${dev_path}
526N/A    mkdir -p ${dev_path}
526N/A    mknod -m 666 ${dev_path}/null c 1 3
526N/A    mknod -m 666 ${dev_path}/zero c 1 5
526N/A    mknod -m 644 ${dev_path}/random c 1 8
526N/A    mknod -m 644 ${dev_path}/urandom c 1 9
526N/A    mkdir -m 755 ${dev_path}/pts
526N/A    mkdir -m 1777 ${dev_path}/shm
526N/A    mknod -m 666 ${dev_path}/tty c 5 0
526N/A    chown root:tty ${dev_path}/tty
526N/A    mknod -m 600 ${dev_path}/tty0 c 4 0
526N/A    mknod -m 600 ${dev_path}/tty1 c 4 1
526N/A    mknod -m 600 ${dev_path}/tty2 c 4 2
526N/A    mknod -m 600 ${dev_path}/tty3 c 4 3
526N/A    mknod -m 600 ${dev_path}/tty4 c 4 4
526N/A    mknod -m 600 ${dev_path}/console c 5 1
526N/A    mknod -m 666 ${dev_path}/full c 1 7
526N/A    mknod -m 600 ${dev_path}/initctl p
526N/A    mknod -m 666 ${dev_path}/ptmx c 5 2
526N/A    chown root:tty ${dev_path}/ptmx
526N/A    ln -s /proc/self/fd ${dev_path}/fd
526N/A    ln -s /proc/kcore ${dev_path}/core
526N/A    mkdir -m 755 ${dev_path}/mapper
526N/A    mknod -m 600 ${dev_path}/mapper/control c 10 236
526N/A    mkdir -m 755 ${dev_path}/net
526N/A    mknod -m 666 ${dev_path}/net/tun c 10 200
526N/A
526N/A    echo "setting root passwd to $root_password"
526N/A    echo "root:$root_password" | chroot $rootfs_path chpasswd
526N/A
526N/A    return 0
526N/A}
526N/A
526N/Adownload_altlinux()
526N/A{
526N/A
526N/A    # check the mini altlinux was not already downloaded
526N/A    INSTALL_ROOT=$cache/partial
526N/A    mkdir -p $INSTALL_ROOT
526N/A    if [ $? -ne 0 ]; then
526N/A        echo "Failed to create '$INSTALL_ROOT' directory"
526N/A        return 1
526N/A    fi
526N/A
526N/A    # download a mini altlinux into a cache
526N/A    echo "Downloading altlinux minimal ..."
526N/A    APT_GET="apt-get -o RPM::RootDir=$INSTALL_ROOT -y"
526N/A    PKG_LIST="$(grep -hs '^[^#]' "$profile_dir/$profile")"
526N/A#    PKG_LIST="basesystem apt apt-conf-sisyphus etcnet openssh-server passwd sysklogd net-tools e2fsprogs"
526N/A
526N/A    mkdir -p $INSTALL_ROOT/var/lib/rpm
526N/A    rpm --root $INSTALL_ROOT  --initdb
526N/A    $APT_GET install $PKG_LIST
526N/A
526N/A    if [ $? -ne 0 ]; then
526N/A        echo "Failed to download the rootfs, aborting."
526N/A        return 1
526N/A    fi
526N/A
526N/A    mv "$INSTALL_ROOT" "$cache/rootfs"
526N/A    echo "Download complete."
526N/A
526N/A    return 0
526N/A}
526N/A
526N/Acopy_altlinux()
526N/A{
526N/A
526N/A    # make a local copy of the minialtlinux
526N/A    echo -n "Copying rootfs to $rootfs_path ..."
526N/A    #cp -a $cache/rootfs-$arch $rootfs_path || return 1
2958N/A    # i prefer rsync (no reason really)
526N/A    mkdir -p $rootfs_path
526N/A    rsync -Ha $cache/rootfs/ $rootfs_path/
526N/A    return 0
526N/A}
526N/A
526N/Aupdate_altlinux()
526N/A{
526N/A    chroot $cache/rootfs apt-get update
526N/A    chroot $cache/rootfs apt-get -y dist-upgrade
526N/A}
526N/A
526N/Ainstall_altlinux()
526N/A{
526N/A    mkdir -p @LOCALSTATEDIR@/lock/subsys/
181N/A    (
3339N/A        flock -x 9
181N/A        if [ $? -ne 0 ]; then
181N/A            echo "Cache repository is busy."
3339N/A            return 1
181N/A        fi
181N/A
3339N/A        echo "Checking cache download in $cache/rootfs ... "
181N/A        if [ ! -e "$cache/rootfs" ]; then
181N/A            download_altlinux
3339N/A            if [ $? -ne 0 ]; then
181N/A                echo "Failed to download 'altlinux base'"
416N/A                return 1
3339N/A            fi
416N/A        else
416N/A            echo "Cache found. Updating..."
3339N/A            update_altlinux
416N/A            if [ $? -ne 0 ]; then
181N/A                echo "Failed to update 'altlinux base', continuing with last known good cache"
3339N/A            else
181N/A                echo "Update finished"
181N/A            fi
3339N/A        fi
181N/A
181N/A        echo "Copy $cache/rootfs to $rootfs_path ... "
3339N/A        copy_altlinux
181N/A        if [ $? -ne 0 ]; then
181N/A            echo "Failed to copy rootfs"
3339N/A            return 1
181N/A        fi
416N/A        return 0
3339N/A    ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-altlinux
416N/A
416N/A    return $?
3339N/A}
416N/A
181N/Acopy_configuration()
3339N/A{
3339N/A
3339N/A    mkdir -p $config_path
3339N/A    grep -q "^lxc.rootfs" $config_path/config 2>/dev/null || echo "lxc.rootfs = $rootfs_path" >> $config_path/config
181N/A    cat <<EOF >> $config_path/config
181N/Alxc.utsname = $name
3339N/Alxc.tty = 4
3339N/Alxc.pts = 1024
3339N/Alxc.mount = $config_path/fstab
3339N/Alxc.cap.drop = sys_module mac_admin mac_override sys_time
181N/A
181N/A# When using LXC with apparmor, uncomment the next line to run unconfined:
3339N/A#lxc.aa_profile = unconfined
181N/A
181N/A#networking
181N/Alxc.network.type = $lxc_network_type
3339N/Alxc.network.flags = up
181N/Alxc.network.link = $lxc_network_link
181N/Alxc.network.name = veth0
181N/Alxc.network.mtu = 1500
3339N/AEOF
181N/Aif [ ! -z ${ipv4} ]; then
181N/A    cat <<EOF >> $config_path/config
181N/Alxc.network.ipv4 = $ipv4
3339N/AEOF
181N/Afi
181N/Aif [ ! -z ${gw} ]; then
181N/A    cat <<EOF >> $config_path/config
3339N/Alxc.network.ipv4.gateway = $gw
181N/AEOF
181N/Afi
416N/Aif [ ! -z ${ipv6} ]; then
3339N/A    cat <<EOF >> $config_path/config
416N/Alxc.network.ipv6 = $ipv6
416N/AEOF
416N/Afi
3339N/Aif [ ! -z ${gw6} ]; then
416N/A    cat <<EOF >> $config_path/config
416N/Alxc.network.ipv6.gateway = $gw6
416N/AEOF
3339N/Afi
416N/A    cat <<EOF >> $config_path/config
181N/A#cgroups
416N/Alxc.cgroup.devices.deny = a
3339N/A# /dev/null and zero
416N/Alxc.cgroup.devices.allow = c 1:3 rwm
416N/Alxc.cgroup.devices.allow = c 1:5 rwm
526N/A# consoles
526N/Alxc.cgroup.devices.allow = c 5:1 rwm
526N/Alxc.cgroup.devices.allow = c 5:0 rwm
526N/Alxc.cgroup.devices.allow = c 4:0 rwm
416N/Alxc.cgroup.devices.allow = c 4:1 rwm
526N/A# /dev/{,u}random
416N/Alxc.cgroup.devices.allow = c 1:9 rwm
416N/Alxc.cgroup.devices.allow = c 1:8 rwm
416N/Alxc.cgroup.devices.allow = c 136:* rwm
416N/Alxc.cgroup.devices.allow = c 5:2 rwm
416N/A# rtc
416N/Alxc.cgroup.devices.allow = c 10:135 rwm
416N/AEOF
416N/A
416N/A    cat <<EOF > $config_path/fstab
181N/Aproc            proc         proc    nodev,noexec,nosuid 0 0
416N/Asysfs           sys          sysfs   defaults  0 0
416N/AEOF
416N/A
416N/A    if [ $? -ne 0 ]; then
416N/A        echo "Failed to add configuration"
416N/A        return 1
416N/A    fi
416N/A
416N/A    return 0
416N/A}
416N/A
416N/Aclean()
416N/A{
181N/A
416N/A    if [ ! -e $cache ]; then
416N/A        exit 0
416N/A    fi
416N/A
416N/A    # lock, so we won't purge while someone is creating a repository
416N/A    (
3339N/A        flock -x 9
3339N/A        if [ $? != 0 ]; then
3339N/A            echo "Cache repository is busy."
3339N/A            exit 1
3339N/A        fi
416N/A
416N/A        echo -n "Purging the download cache for ALTLinux-$release..."
416N/A        rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
416N/A        exit 0
416N/A    ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-altlinux
416N/A}
3339N/A
181N/Ausage()
2199N/A{
2199N/A    cat <<EOF
2199N/Ausage:
2199N/A    $1 -n|--name=<container_name>
2199N/A        [-p|--path=<path>] [-c|--clean] [-R|--release=<ALTLinux_release>]
2199N/A        [-4|--ipv4=<ipv4 address>] [-6|--ipv6=<ipv6 address>]
2199N/A        [-g|--gw=<gw address>] [-d|--dns=<dns address>]
2199N/A        [-P|--profile=<name of the profile>] [--rootfs=<path>]
2199N/A        [-A|--arch=<arch of the container>]
2199N/A        [-h|--help]
2199N/AMandatory args:
2199N/A  -n,--name         container name, used to as an identifier for that container from now on
2199N/AOptional args:
2199N/A  -p,--path         path to where the container rootfs will be created, defaults to @LXCPATH@. The container config will go under @LXCPATH@ in that case
2199N/A  -c,--clean        clean the cache
2199N/A  -R,--release      ALTLinux release for the new container. if the host is ALTLinux, then it will defaultto the host's release.
2199N/A  -4,--ipv4         specify the ipv4 address to assign to the virtualized interface, eg. 192.168.1.123/24
2199N/A  -6,--ipv6         specify the ipv6 address to assign to the virtualized interface, eg. 2003:db8:1:0:214:1234:fe0b:3596/64
2199N/A  -g,--gw           specify the default gw, eg. 192.168.1.1
2199N/A  -G,--gw6          specify the default gw, eg. 2003:db8:1:0:214:1234:fe0b:3596
2199N/A  -d,--dns          specify the DNS server, eg. 192.168.1.2
2199N/A  -P,--profile      Profile name is the file name in /etc/lxc/profiles contained packages name for install to cache.
2199N/A  -A,--arch         NOT USED YET. Define what arch the container will be [i686,x86_64]
2199N/A  ---rootfs         rootfs path
2199N/A  -h,--help         print this help
2199N/AEOF
2199N/A    return 0
2199N/A}
2199N/A
2199N/Aoptions=$(getopt -o hp:n:P:cR:4:6:g:d: -l help,rootfs:,path:,name:,profile:,clean,release:ipv4:ipv6:gw:dns: -- "$@")
2199N/Aif [ $? -ne 0 ]; then
2199N/A    usage $(basename $0)
2199N/A    exit 1
2199N/Afi
2199N/Aeval set -- "$options"
2199N/A
2199N/Awhile true
181N/Ado
181N/A    case "$1" in
        -h|--help)      usage $0 && exit 0;;
        -p|--path)      path=$2; shift 2;;
        --rootfs)       rootfs_path=$2; shift 2;;
        -n|--name)      name=$2; shift 2;;
        -P|--profile)   profile=$2; shift 2;;
        -c|--clean)     clean=$2; shift 2;;
        -R|--release)   release=$2; shift 2;;
        -4|--ipv4)      ipv4=$2; shift 2;;
        -6|--ipv6)      ipv6=$2; shift 2;;
        -g|--gw)        gw=$2; shift 2;;
        -d|--dns)       dns=$2; shift 2;;
        --)             shift 1; break ;;
        *)              break ;;
    esac
done

if [ ! -z "$clean" -a -z "$path" ]; then
    clean || exit 1
    exit 0
fi

type apt-get >/dev/null 2>&1
if [ $? -ne 0 ]; then
    echo "'apt-get' command is missing"
    exit 1
fi

if [ -z "$path" ]; then
    path=$default_path
fi

if [ -z "$profile" ]; then
    profile=$default_profile
fi

if [ -z "$release" ]; then
    if [ "$is_altlinux" ]; then
        release=$(cat /etc/altlinux-release |awk '/^ALT/ {print $3}')
    else
        echo "This is not a ALTLinux host and release missing, use -R|--release to specify release"
        exit 1
    fi
fi

if [ -z "$ipv4" -a -z "$ipv6" ]; then
    BOOTPROTO="dhcp"
else
    BOOTPROTO="static"
fi

if [ "$(id -u)" != "0" ]; then
    echo "This script should be run as 'root'"
    exit 1
fi

# check for 'lxc.rootfs' passed in through default config by lxc-create
if [ -z "$rootfs_path" ]; then
    if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then
        rootfs_path=$(awk -F= '/^lxc.rootfs =/{ print $2 }' $path/config)
    else
        rootfs_path=$path/rootfs
    fi
fi

config_path=$default_path/$name
cache=$cache_base/$release/$profile

if [ -f $config_path/config ]; then
    echo "A container with that name exists, chose a different name"
    exit 1
fi

install_altlinux
if [ $? -ne 0 ]; then
    echo "failed to install altlinux"
    exit 1
fi

configure_altlinux
if [ $? -ne 0 ]; then
    echo "failed to configure altlinux for a container"
    exit 1
fi

copy_configuration
if [ $? -ne 0 ]; then
    echo "failed write configuration file"
    exit 1
fi

if [ ! -z $clean ]; then
    clean || exit 1
    exit 0
fi
echo "container rootfs and config created"
echo "network configured as $lxc_network_type in the $lxc_network_link"