lxc/templates/lxc-altlinux.in

	lxc-altlinux.in revision 96283b546081e7ff709968378fca25cb44f1ab6c
883N/A#!/bin/bash
883N/A
883N/A#
883N/A# template script for generating altlinux container for LXC
883N/A#
883N/A
883N/A#
883N/A# lxc: linux Container library
883N/A
883N/A# Authors:
883N/A# Alexey Shabalin <shaba@altlinux.org>
883N/A
883N/A# This library is free software; you can redistribute it and/or
883N/A# modify it under the terms of the GNU Lesser General Public
883N/A# License as published by the Free Software Foundation; either
883N/A# version 2.1 of the License, or (at your option) any later version.
883N/A
883N/A# This library is distributed in the hope that it will be useful,
883N/A# but WITHOUT ANY WARRANTY; without even the implied warranty of
883N/A# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
883N/A# Lesser General Public License for more details.
883N/A
3996N/A# You should have received a copy of the GNU Lesser General Public
883N/A# License along with this library; if not, write to the Free Software
883N/A# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
883N/A
883N/A# Detect use under userns (unsupported)
883N/Afor arg in "$@"; do
883N/A    [ "$arg" = "--" ] && break
883N/A    if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
883N/A        echo "This template can't be used for unprivileged containers." 1>&2
883N/A        echo "You may want to try the \"download\" template instead." 1>&2
1273N/A        exit 1
883N/A    fi
883N/Adone
883N/A
883N/A# Make sure the usual locations are in PATH
883N/Aexport PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
883N/A
883N/A#Configurations
883N/Aarch=$(uname -m)
1653N/Acache_base=@LOCALSTATEDIR@/cache/lxc/altlinux/$arch
883N/Adefault_path=@LXCPATH@
956N/Adefault_profile=default
883N/Aprofile_dir=/etc/lxc/profiles
883N/Aroot_password=rooter
883N/Alxc_network_type=veth
883N/Alxc_network_link=virbr0
883N/A
883N/A# is this altlinux?
883N/A[ -f /etc/altlinux-release ] && is_altlinux=true
883N/A
1574N/Aconfigure_altlinux()
1574N/A{
1574N/A
883N/A    # disable selinux in altlinux
883N/A    mkdir -p $rootfs_path/selinux
883N/A    echo 0 > $rootfs_path/selinux/enforce
883N/A
883N/A    mkdir -p ${rootfs_path}/etc/net/ifaces/veth0
883N/A    cat <<EOF > ${rootfs_path}/etc/net/ifaces/veth0/options
883N/ABOOTPROTO=${BOOTPROTO}
883N/AONBOOT=yes
883N/ANM_CONTROLLED=no
883N/ATYPE=eth
887N/AEOF
887N/A
887N/Aif [ ${BOOTPROTO} != "dhcp" ]; then
913N/A    # ip address
913N/A    cat <<EOF > ${rootfs_path}/etc/net/ifaces/veth0/ipv4address
913N/A${ipv4}
913N/AEOF
883N/A
3996N/A    cat <<EOF > ${rootfs_path}/etc/net/ifaces/veth0/ipv4route
${gw}
EOF

    cat <<EOF > ${rootfs_path}/etc/net/ifaces/veth0/resolv.conf
nameserver ${dns}
EOF

    cat <<EOF > ${rootfs_path}/etc/net/ifaces/veth0/ipv6address
${ipv6}
EOF

    cat <<EOF > ${rootfs_path}/etc/net/ifaces/veth0/ipv6route
${gw6}
EOF

fi

    # set the hostname
    cat <<EOF > ${rootfs_path}/etc/sysconfig/network
NETWORKING=yes
CONFMETHOD=etcnet
HOSTNAME=${UTSNAME}
RESOLV_MODS=yes
EOF

    # set minimal hosts
    cat <<EOF > $rootfs_path/etc/hosts
127.0.0.1 localhost.localdomain localhost $name
EOF
    # Allow to login at virsh console. loginuid.so doen't work in the absence of auditd.
#    sed -i 's/^.*loginuid.so.*$/\#&/' ${rootfs_path}/etc/pam.d/common-login

    # Allow root to login at virsh console
    echo "pts/0" >> ${rootfs_path}/etc/securetty
    echo "console" >> ${rootfs_path}/etc/securetty

    chroot ${rootfs_path} chkconfig network on
    chroot ${rootfs_path} chkconfig syslogd on
    chroot ${rootfs_path} chkconfig random on
    chroot ${rootfs_path} chkconfig rawdevices off
    chroot ${rootfs_path} chkconfig fbsetfont off
#    chroot ${rootfs_path} chkconfig keytable off

    subst 's/^\([3-9]\+:[0-9]\+:respawn:\/sbin\/mingetty.*\)/#\1/' ${rootfs_path}/etc/inittab
    echo "c1:2345:respawn:/sbin/mingetty --noclear console" >>  ${rootfs_path}/etc/inittab
    subst 's,\/dev\/tty12,/var/log/syslog/console,' ${rootfs_path}/etc/syslog.conf

#   touch file for fastboot
    touch ${rootfs_path}/fastboot
    chattr +i ${rootfs_path}/fastboot

    dev_path="${rootfs_path}/dev"
    rm -rf ${dev_path}
    mkdir -p ${dev_path}
    mknod -m 666 ${dev_path}/null c 1 3
    mknod -m 666 ${dev_path}/zero c 1 5
    mknod -m 644 ${dev_path}/random c 1 8
    mknod -m 644 ${dev_path}/urandom c 1 9
    mkdir -m 755 ${dev_path}/pts
    mkdir -m 1777 ${dev_path}/shm
    mknod -m 666 ${dev_path}/tty c 5 0
    chown root:tty ${dev_path}/tty
    mknod -m 600 ${dev_path}/tty0 c 4 0
    mknod -m 600 ${dev_path}/tty1 c 4 1
    mknod -m 600 ${dev_path}/tty2 c 4 2
    mknod -m 600 ${dev_path}/tty3 c 4 3
    mknod -m 600 ${dev_path}/tty4 c 4 4
    mknod -m 600 ${dev_path}/console c 5 1
    mknod -m 666 ${dev_path}/full c 1 7
    mknod -m 600 ${dev_path}/initctl p
    mknod -m 666 ${dev_path}/ptmx c 5 2
    chown root:tty ${dev_path}/ptmx
    ln -s /proc/self/fd ${dev_path}/fd
    ln -s /proc/kcore ${dev_path}/core
    mkdir -m 755 ${dev_path}/mapper
    mknod -m 600 ${dev_path}/mapper/control c 10 236
    mkdir -m 755 ${dev_path}/net
    mknod -m 666 ${dev_path}/net/tun c 10 200

    echo "setting root passwd to $root_password"
    echo "root:$root_password" | chroot $rootfs_path chpasswd

    return 0
}

download_altlinux()
{

    # check the mini altlinux was not already downloaded
    INSTALL_ROOT=$cache/partial
    mkdir -p $INSTALL_ROOT
    if [ $? -ne 0 ]; then
        echo "Failed to create '$INSTALL_ROOT' directory"
        return 1
    fi

    # download a mini altlinux into a cache
    echo "Downloading altlinux minimal ..."
    APT_GET="apt-get -o RPM::RootDir=$INSTALL_ROOT -y"
    PKG_LIST="$(grep -hs '^[^#]' "$profile_dir/$profile")"
#    PKG_LIST="basesystem apt apt-conf-sisyphus etcnet openssh-server passwd sysklogd net-tools e2fsprogs"

    mkdir -p $INSTALL_ROOT/var/lib/rpm
    rpm --root $INSTALL_ROOT  --initdb
    $APT_GET install $PKG_LIST

    if [ $? -ne 0 ]; then
        echo "Failed to download the rootfs, aborting."
        return 1
    fi

    mv "$INSTALL_ROOT" "$cache/rootfs"
    echo "Download complete."

    return 0
}

copy_altlinux()
{

    # make a local copy of the minialtlinux
    echo -n "Copying rootfs to $rootfs_path ..."
    #cp -a $cache/rootfs-$arch $rootfs_path || return 1
    # i prefer rsync (no reason really)
    mkdir -p $rootfs_path
    rsync -Ha $cache/rootfs/ $rootfs_path/
    return 0
}

update_altlinux()
{
    chroot $cache/rootfs apt-get update
    chroot $cache/rootfs apt-get -y dist-upgrade
}

install_altlinux()
{
    mkdir -p @LOCALSTATEDIR@/lock/subsys/
    (
        flock -x 9
        if [ $? -ne 0 ]; then
            echo "Cache repository is busy."
            return 1
        fi

        echo "Checking cache download in $cache/rootfs ... "
        if [ ! -e "$cache/rootfs" ]; then
            download_altlinux
            if [ $? -ne 0 ]; then
                echo "Failed to download 'altlinux base'"
                return 1
            fi
        else
            echo "Cache found. Updating..."
            update_altlinux
            if [ $? -ne 0 ]; then
                echo "Failed to update 'altlinux base', continuing with last known good cache"
            else
                echo "Update finished"
            fi
        fi

        echo "Copy $cache/rootfs to $rootfs_path ... "
        copy_altlinux
        if [ $? -ne 0 ]; then
            echo "Failed to copy rootfs"
            return 1
        fi
        return 0
    ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-altlinux

    return $?
}

copy_configuration()
{

    mkdir -p $config_path
    grep -q "^lxc.rootfs" $config_path/config 2>/dev/null || echo "lxc.rootfs = $rootfs_path" >> $config_path/config
    cat <<EOF >> $config_path/config
lxc.utsname = $name
lxc.tty = 4
lxc.pts = 1024
lxc.mount = $config_path/fstab
lxc.cap.drop = sys_module mac_admin mac_override sys_time

# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined

#networking
lxc.network.type = $lxc_network_type
lxc.network.flags = up
lxc.network.link = $lxc_network_link
lxc.network.name = veth0
lxc.network.mtu = 1500
EOF
if [ ! -z ${ipv4} ]; then
    cat <<EOF >> $config_path/config
lxc.network.ipv4 = $ipv4
EOF
fi
if [ ! -z ${gw} ]; then
    cat <<EOF >> $config_path/config
lxc.network.ipv4.gateway = $gw
EOF
fi
if [ ! -z ${ipv6} ]; then
    cat <<EOF >> $config_path/config
lxc.network.ipv6 = $ipv6
EOF
fi
if [ ! -z ${gw6} ]; then
    cat <<EOF >> $config_path/config
lxc.network.ipv6.gateway = $gw6
EOF
fi
    cat <<EOF >> $config_path/config
#cgroups
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 10:135 rwm
EOF

    cat <<EOF > $config_path/fstab
proc            proc         proc    nodev,noexec,nosuid 0 0
sysfs           sys          sysfs   defaults  0 0
EOF

    if [ $? -ne 0 ]; then
        echo "Failed to add configuration"
        return 1
    fi

    return 0
}

clean()
{

    if [ ! -e $cache ]; then
        exit 0
    fi

    # lock, so we won't purge while someone is creating a repository
    (
        flock -x 9
        if [ $? != 0 ]; then
            echo "Cache repository is busy."
            exit 1
        fi

        echo -n "Purging the download cache for ALTLinux-$release..."
        rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
        exit 0
    ) 9>@LOCALSTATEDIR@/lock/subsys/lxc-altlinux
}

usage()
{
    cat <<EOF
usage:
    $1 -n|--name=<container_name>
        [-p|--path=<path>] [-c|--clean] [-R|--release=<ALTLinux_release>]
        [-4|--ipv4=<ipv4 address>] [-6|--ipv6=<ipv6 address>]
        [-g|--gw=<gw address>] [-d|--dns=<dns address>]
        [-P|--profile=<name of the profile>] [--rootfs=<path>]
        [-A|--arch=<arch of the container>]
        [-h|--help]
Mandatory args:
  -n,--name         container name, used to as an identifier for that container from now on
Optional args:
  -p,--path         path to where the container rootfs will be created, defaults to @LXCPATH@. The container config will go under @LXCPATH@ in that case
  -c,--clean        clean the cache
  -R,--release      ALTLinux release for the new container. if the host is ALTLinux, then it will defaultto the host's release.
  -4,--ipv4         specify the ipv4 address to assign to the virtualized interface, eg. 192.168.1.123/24
  -6,--ipv6         specify the ipv6 address to assign to the virtualized interface, eg. 2003:db8:1:0:214:1234:fe0b:3596/64
  -g,--gw           specify the default gw, eg. 192.168.1.1
  -G,--gw6          specify the default gw, eg. 2003:db8:1:0:214:1234:fe0b:3596
  -d,--dns          specify the DNS server, eg. 192.168.1.2
  -P,--profile      Profile name is the file name in /etc/lxc/profiles contained packages name for install to cache.
  -A,--arch         NOT USED YET. Define what arch the container will be [i686,x86_64]
  ---rootfs         rootfs path
  -h,--help         print this help
EOF
    return 0
}

options=$(getopt -o hp:n:P:cR:4:6:g:d: -l help,rootfs:,path:,name:,profile:,clean,release:ipv4:ipv6:gw:dns: -- "$@")
if [ $? -ne 0 ]; then
    usage $(basename $0)
    exit 1
fi
eval set -- "$options"

while true
do
    case "$1" in
        -h|--help)      usage $0 && exit 0;;
        -p|--path)      path=$2; shift 2;;
        --rootfs)       rootfs_path=$2; shift 2;;
        -n|--name)      name=$2; shift 2;;
        -P|--profile)   profile=$2; shift 2;;
        -c|--clean)     clean=$2; shift 2;;
        -R|--release)   release=$2; shift 2;;
        -4|--ipv4)      ipv4=$2; shift 2;;
        -6|--ipv6)      ipv6=$2; shift 2;;
        -g|--gw)        gw=$2; shift 2;;
        -d|--dns)       dns=$2; shift 2;;
        --)             shift 1; break ;;
        *)              break ;;
    esac
done

if [ ! -z "$clean" -a -z "$path" ]; then
    clean || exit 1
    exit 0
fi

type apt-get >/dev/null 2>&1
if [ $? -ne 0 ]; then
    echo "'apt-get' command is missing"
    exit 1
fi

if [ -z "$path" ]; then
    path=$default_path
fi

if [ -z "$profile" ]; then
    profile=$default_profile
fi

if [ -z "$release" ]; then
    if [ "$is_altlinux" ]; then
        release=$(cat /etc/altlinux-release |awk '/^ALT/ {print $3}')
    else
        echo "This is not a ALTLinux host and release missing, use -R|--release to specify release"
        exit 1
    fi
fi

if [ -z "$ipv4" -a -z "$ipv6" ]; then
    BOOTPROTO="dhcp"
else
    BOOTPROTO="static"
fi

if [ "$(id -u)" != "0" ]; then
    echo "This script should be run as 'root'"
    exit 1
fi

# check for 'lxc.rootfs' passed in through default config by lxc-create
if [ -z "$rootfs_path" ]; then
    if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then
        rootfs_path=$(awk -F= '/^lxc.rootfs =/{ print $2 }' $path/config)
    else
        rootfs_path=$path/rootfs
    fi
fi

config_path=$default_path/$name
cache=$cache_base/$release/$profile

if [ -f $config_path/config ]; then
    echo "A container with that name exists, chose a different name"
    exit 1
fi

install_altlinux
if [ $? -ne 0 ]; then
    echo "failed to install altlinux"
    exit 1
fi

configure_altlinux
if [ $? -ne 0 ]; then
    echo "failed to configure altlinux for a container"
    exit 1
fi

copy_configuration
if [ $? -ne 0 ]; then
    echo "failed write configuration file"
    exit 1
fi

if [ ! -z $clean ]; then
    clean || exit 1
    exit 0
fi
echo "container rootfs and config created"
echo "network configured as $lxc_network_type in the $lxc_network_link"