lxc-fedora.in revision 0655a606dad52725eedd8af18a15f246627091f9
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk#!/bin/bash
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk#
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# template script for generating fedora container for LXC
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk#
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk#
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# lxc: linux Container library
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# Authors:
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# Daniel Lezcano <daniel.lezcano@free.fr>
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# Ramez Hanna <rhanna@informatiq.org>
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# Michael H. Warfield <mhw@WittsEnd.com>
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# This library is free software; you can redistribute it and/or
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# modify it under the terms of the GNU Lesser General Public
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# License as published by the Free Software Foundation; either
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# version 2.1 of the License, or (at your option) any later version.
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# This library is distributed in the hope that it will be useful,
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# but WITHOUT ANY WARRANTY; without even the implied warranty of
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# Lesser General Public License for more details.
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# You should have received a copy of the GNU Lesser General Public
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# License along with this library; if not, write to the Free Software
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk#Configurations
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkarch=$(uname -m)
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkcache_base=@LOCALSTATEDIR@/cache/lxc/fedora/$arch
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkdefault_path=@LXCPATH@
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# We really need something better here!
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkroot_password=root
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# is this fedora?
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# Alow for weird remixes like the Raspberry Pi
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk#
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# Use the Mitre standard CPE identifier for the release ID if possible...
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# This may be in /etc/os-release or /etc/system-release-cpe. We
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# should be able to use EITHER. Give preference to /etc/os-release for now.
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkif [ -e /etc/os-release ]
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkthen
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# This is a shell friendly configuration file. We can just source it.
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# What we're looking for in here is the ID, VERSION_ID and the CPE_NAME
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk . /etc/os-release
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk echo "Host CPE ID from /etc/os-release: ${CPE_NAME}"
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkfi
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkif [ "${CPE_NAME}" = "" -a -e /etc/system-release-cpe ]
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkthen
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk CPE_NAME=$(head -n1 /etc/system-release-cpe)
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:*]\)')
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk if [ "${CPE_URI}" != "cpe:/o" ]
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk then
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk CPE_NAME=
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk else
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}"
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk # Probably a better way to do this but sill remain posix
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk # compatible but this works, shrug...
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk # Must be nice and not introduce convenient bashisms here.
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:\([^:]*\)')
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk VERSION_ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:[^:]*:\([^:]*\)')
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk fi
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkfi
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkif [ "${CPE_NAME}" != "" -a "${ID}" = "fedora" -a "${VERSION_ID}" != "" ]
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkthen
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk fedora_host_ver=${VERSION_ID}
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk is_fedora=true
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkelif [ -e /etc/redhat-release ]
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkthen
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk # Only if all other methods fail, try to parse the redhat-release file.
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk fedora_host_ver=$( sed -e '/^Fedora /!d' -e 's/Fedora.*\srelease\s*\([0-9][0-9]*\)\s.*/\1/' < /etc/redhat-release )
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk if [ "$fedora_host_ver" != "" ]
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk then
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk is_fedora=true
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk fi
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkfi
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# Map a few architectures to their generic Fedora repository archs.
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# The two ARM archs are a bit of a guesstimate for the v5 and v6
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# archs. V6 should have hardware floating point (Rasberry Pi).
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk# The "arm" arch is safer (no hardware floating point). So
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# there may be cases where we "get it wrong" for some v6 other
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk# than RPi.
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkcase "$arch" in
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenki686) arch=i386 ;;
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkarmv3l|armv4l|armv5l) arch=arm ;;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkarmv6l|armv7l|armv8l) arch=armhfp ;;
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkesac
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkconfigure_fedora()
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk{
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk # disable selinux in fedora
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk mkdir -p $rootfs_path/selinux
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk echo 0 > $rootfs_path/selinux/enforce
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk # configure the network using the dhcp
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkDEVICE=eth0
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkBOOTPROTO=dhcp
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkONBOOT=yes
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkHOSTNAME=${utsname}
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkNM_CONTROLLED=no
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkTYPE=Ethernet
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkMTU=${MTU}
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkEOF
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk # set the hostname
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk cat <<EOF > ${rootfs_path}/etc/sysconfig/network
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkNETWORKING=yes
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenkHOSTNAME=${utsname}
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkEOF
dbcf55756e293292dfbfbb75fe317dd094b0585fjeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk # set hostname on systemd Fedora systems
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk if [ $release -gt 14 ]; then
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk echo "${utsname}" > ${rootfs_path}/etc/hostname
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk fi
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk # set minimal hosts
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk cat <<EOF > $rootfs_path/etc/hosts
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk127.0.0.1 localhost.localdomain localhost $utsname
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk::1 localhost6.localdomain6 localhost6
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenkEOF
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk dev_path="${rootfs_path}/dev"
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk rm -rf $dev_path
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk mkdir -p $dev_path
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk mknod -m 666 ${dev_path}/null c 1 3
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk mknod -m 666 ${dev_path}/zero c 1 5
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk mknod -m 666 ${dev_path}/random c 1 8
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk mknod -m 666 ${dev_path}/urandom c 1 9
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk mkdir -m 755 ${dev_path}/pts
faaa489e1cc905efd364e01fe09111173c95db68jeff.schenk mkdir -m 1777 ${dev_path}/shm
mknod -m 666 ${dev_path}/tty c 5 0
mknod -m 666 ${dev_path}/tty0 c 4 0
mknod -m 666 ${dev_path}/tty1 c 4 1
mknod -m 666 ${dev_path}/tty2 c 4 2
mknod -m 666 ${dev_path}/tty3 c 4 3
mknod -m 666 ${dev_path}/tty4 c 4 4
mknod -m 600 ${dev_path}/console c 5 1
mknod -m 666 ${dev_path}/full c 1 7
mknod -m 600 ${dev_path}/initctl p
mknod -m 666 ${dev_path}/ptmx c 5 2
echo "setting root passwd to $root_password"
echo "root:$root_password" | chroot $rootfs_path chpasswd
# specifying this in the initial packages doesn't always work.
# Even though it should have...
echo "installing fedora-release package"
mount -o bind /dev ${rootfs_path}/dev
mount -t proc proc ${rootfs_path}/proc
# Always make sure /etc/resolv.conf is up to date in the target!
cp /etc/resolv.conf ${rootfs_path}/etc/
# Rebuild the rpm database based on the target rpm version...
rm -f ${rootfs_path}/var/lib/rpm/__db*
chroot ${rootfs_path} rpm --rebuilddb
chroot ${rootfs_path} yum -y install fedora-release
# This just makes sure the rpm db is synced to that version...
umount ${rootfs_path}/proc
umount ${rootfs_path}/dev
# silence some needless startup errors
touch ${rootfs_path}/etc/fstab
# give us a console on /dev/console
sed -i 's/ACTIVE_CONSOLES=.*$/ACTIVE_CONSOLES="\/dev\/console \/dev\/tty[1-4]"/' \
${rootfs_path}/etc/sysconfig/init
return 0
}
configure_fedora_init()
{
sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit
sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.d/rc.sysinit
# don't mount devpts, for pete's sake
sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs_path}/etc/rc.sysinit
sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs_path}/etc/rc.d/rc.sysinit
chroot ${rootfs_path} chkconfig udev-post off
chroot ${rootfs_path} chkconfig network on
}
configure_fedora_systemd()
{
unlink ${rootfs_path}/etc/systemd/system/default.target
touch ${rootfs_path}/etc/fstab
chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/udev.service
chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
#dependency on a device unit fails it specially that we disabled udev
# sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service
#
# Actually, the After=dev-%i.device line does not appear in the
# Fedora 17 or Fedora 18 systemd getty\@.service file. It may be left
# over from an earlier version and it's not doing any harm. We do need
# to disable the "ConditionalPathExists=/dev/tty0" line or no gettys are
# started on the ttys in the container. Lets do it in an override copy of
# the service so it can still pass rpm verifies and not be automatically
# updated by a new systemd version. -- mhw /\/\|=mhw=|\/\/
sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
-e 's/After=dev-%i.device/After=/' \
< ${rootfs_path}/lib/systemd/system/getty\@.service \
> ${rootfs_path}/etc/systemd/system/getty\@.service
# Setup getty service on the 4 ttys we are going to allow in the
# default config. Number should match lxc.tty
( cd ${rootfs_path}/etc/systemd/system/getty.target.wants
for i in 1 2 3 4 ; do ln -sf ../getty\@.service getty@tty${i}.service; done )
}
### BEGIN Bootstrap Environment Code... Michael H. Warfield /\/\|=mhw=|\/\/
# Ok... Heads up. If you're reading these comments, you're either a
# template owner or someone wondering how the hell I did this (or, worse,
# someone in the future trying to maintain it). This code is slightly
# "evil coding bastard" code with one significant hack / dirty trick
# that you would probably miss just reading the code below. I'll mark
# it out with comments.
#
# Because of what this code does, it deserves a lot of comments so people
# can understand WHY I did it this way...
#
# Ultimate Objective - Build a Fedora container on a host system which does
# not have a (complete compatible) version of rpm and/or yum. That basically
# means damn near any distro other than Fedora and Ubuntu (which has rpm and
# yum available). Only requirements for this function are rsync and
# squashfs available to the kernel. If you don't have those, why are you
# even attempting to build containers?
#
# Challenge for this function - Bootstrap a Fedora install bootstrap
# run time environment which has all the pieces to run rpm and yum and
# from which we can build targets containers even where the host system
# has no support for rpm, yum, or fedora.
#
# Steps:
# Stage 0 - Download a Fedora LiveOS squashfs core (netinst core).
# Stage 1 - Extract filesystem from Stage 0 and update to full rpm & yum
# Stage 2 - Use Stage 1 to build a rootfs with python, rpm, and yum.
#
# Stage 2 becomes our bootstrap file system which can be cached
# and then used to build other arbitrary vesions of Fedora of a
# given architecture. Not that this only has to run once for
# Fedora on a given architecture since rpm and yum can build other
# versions. We'll arbitrarily pick Fedora 19 to build this. This
# will need to change as time goes on.
# Programmers Note... A future fall back may be to download the netinst
# iso image instead of the LiveOS squasfs image and work from that.
# That may be more general but will introduce another substep
# (mounting the iso) to the stage0 setup.
# This system is designed to be as autonomous as possible so all whitelists
# and controlls are self-contained.
# Initial testing - Whitelist nobody. Build for everybody...
# Initial deployment - Whitelist Fedora.
# Long term - Whitelist Fedora, Debian, Ubuntu, CentOs, Scientific, and NST.
# List of distros which do not (should not) need a bootstrap (but we will test
# for rpm and yum none the less... OS SHOULD be taken from CPE values but
# Debian / Ubuntu doesn't support CPE yet.
# BOOTSTRAP_WHITE_LIST=""
BOOTSTRAP_WHITE_LIST="fedora"
# BOOTSTRAP_WHITE_LIST="fedora debian ubuntu centos scientific sl nst"
BOOTSTRAP=0
BOOTSTRAP_DIR=
BOOTSTRAP_CHROOT=
fedora_get_bootstrap()
{
echo "Bootstrap Environment testing..."
WHITE_LISTED=1
# We need rpm. No rpm - not possible to white list...
if ! which rpm > /dev/null 2>&1
then
WHITE_LISTED=0
fi
# We need yum No yum - not possible to white list...
if ! which yum > /dev/null 2>&1
then
WHITE_LISTED=0
fi
if [[ ${WHITE_LISTED} != 0 ]]
then
for OS in ${BOOTSTRAP_WHITE_LIST}
do
if [[ ${ID} = ${OS} ]]
then
echo "
OS ${ID} is whitelisted. Installation Bootstrap Environment not required.
"
return 0;
fi
done
fi
echo "
Fedora Installation Bootstrap Build..."
if ! which rsync > /dev/null 2>&1
then
echo "
Unable to locate rsync. Cravely bailing out before even attempting to build
an Installation Bootstrap Please install rsync and then rerun this process.
"
return 255
fi
[[ -d ${cache_base} ]] || mkdir -p ${cache_base}
cd ${cache_base}
# We know we don't have a cache directory of this version or we
# would have never reached this code to begin with. But we may
# have another Fedora cache directory from which we could run...
# We'll give a preference for close matches prefering higher over
# lower - which makes for really ugly code...
# Is this a "bashism" that will need cleaning up????
BOOTSTRAP_LIST="$(( $release + 1 ))/rootfs $(( $release - 1 ))/rootfs \
$(( $release + 2 ))/rootfs $(( $release - 2 ))/rootfs \
$(( $release + 3 ))/rootfs $(( $release - 3 ))/rootfs \
bootstrap"
for bootstrap in ${BOOTSTRAP_LIST}
do
if [[ -d ${bootstrap} ]]
then
echo "
Existing Bootstrap found. Testing..."
mount -o bind /dev ${bootstrap}/dev
mount -t proc proc ${bootstrap}/proc
# Always make sure /etc/resolv.conf is up to date in the target!
cp /etc/resolv.conf ${bootstrap}/etc/
rm -f ${bootstrap}/var/lib/rpm/__db*
chroot ${bootstrap} rpm --rebuilddb
chroot ${bootstrap} yum -y update
RC=$?
umount ${bootstrap}/proc
umount ${bootstrap}/dev
if [[ 0 == ${RC} ]]
then
BOOTSTRAP=1
BOOTSTRAP_DIR="${cache_base}/${bootstrap}"
BOOTSTRAP_CHROOT="chroot ${BOOTSTRAP_DIR} "
BOOTSTRAP_INSTALL_ROOT=/run/install
echo "
Functional Installation Bootstrap exists and appears to be completed.
Will use existing Bootstrap: ${BOOTSTRAP_DIR}
"
return 0
fi
echo "
Installation Bootstrap in ${BOOTSTRAP_DIR} exists
but appears to be non-functional. Skipping... It should be removed.
"
fi
done
TMP_BOOTSTRAP_DIR=$( mktemp -d --tmpdir=${cache_base} bootstrap_XXXXXX )
cd ${TMP_BOOTSTRAP_DIR}
mkdir squashfs stage0 stage1 bootstrap
### Stage 0 setup.
# Download the LiveOS squashfs image
# mount image to "squashfs"
# mount contained LiveOS to stage0
# We're going to use the kernel.org mirror for the initial stages...
# 1 - It's generally up to date and comnplete
# 2 - It's has high bandwidth access
# 3 - It supports rsync and wildcarding (and we need both)
# 4 - Not all the mirrors carry the LiveOS images
if [[ ! -f ../LiveOS/squashfs.img ]]
then
echo "
Downloading stage 0 LiveOS squashfs file system from mirrors.kernel.org...
Have a beer or a cup of coffee. This will take a bit (~300MB).
"
sleep 3 # let him read it...
# Right now, we are using Fedora 19 for the inial bootstrap.
# We could make this the "current" Fedora rev (F > 15).
rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/x86_64/os/LiveOS .
if [[ 0 == $? ]]
then
echo "Download of squashfs image complete."
mv LiveOS ..
else
echo "
Download of squashfs image failed.
"
return 255
fi
else
echo "Using cached stage 0 LiveOS squashfs file system."
fi
mount -o loop ../LiveOS/squashfs.img squashfs
if [[ $? != 0 ]]
then
echo "
Mount of LiveOS squashfs image failed! You mush have squashfs support
available to mount image. Unable to continue. Correct and retry
process later! LiveOS image not removed. Process may be rerun
without penalty of downloading LiveOS again. If LiveOS is corrupt,
remove ${cache_base}/LiveOS before rerunning to redownload.
"
return 255
fi
mount -o loop squashfs/LiveOS/rootfs.img stage0
if [[ $? != 0 ]]
then
echo "
Mount of LiveOS stage0 rootfs image failed! LiveOS download may be corrupt.
Remove ${cache_base}/LiveOS to force a new download or
troubleshoot cached image and then rerun process.
"
return 255
fi
### Stage 1 setup.
# Copy stage0 (which is ro) to stage1 area (rw) for modification.
# Unmount stage0 mounts - we're done with stage 0 at this point.
# Download our rpm and yum rpm packages.
# Force install of rpm and yum into stage1 image (dirty hack!)
echo "Stage 0 complete, building Stage 1 image...
This will take a couple of minutes. Patience..."
echo "Creating Stage 1 r/w copy of r/o Stage 0 squashfs image from LiveOS."
rsync -aAHS stage0/. stage1/
umount stage0
umount squashfs
cd stage1
# Setup stage1 image with pieces to run installs...
mount -o bind /dev dev
mount -t proc proc proc
# Always make sure /etc/resolv.conf is up to date in the target!
cp /etc/resolv.conf etc/
mkdir run/install
echo "Updating Stage 1 image with full rpm and yum packages"
# Retrieve our 2 rpm packages we need to force down the throat
# of this LiveOS image we're camped out on. This is the beginning
# of the butt ugly hack. Look close or you may missing it...
rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/x86_64/os/Packages/r/rpm-[0-9]* \
mirrors.kernel.org::fedora/releases/19/Fedora/x86_64/os/Packages/y/yum-[0-9]* .
# And here it is...
# The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
chroot . rpm -ivh --nodeps rpm-* yum-*
# Did you catch it?
# The LiveOS image contains rpm (but not rpmdb) and yum (but not
# yummain.py - What the hell good does yum do with no
# yummain.py?!?! - Sigh...). It contains all the supporting
# pieces but the rpm database has not be initialized and it
# doesn't know all the dependences (seem to) have been met.
# So we do a "--nodeps" rpm install in the chrooted environment
# to force the installation of the full rpm and yum packages.
#
# For the purists - Yes, I know the rpm database is wildly out
# of whack now. That's why this is a butt ugly hack / dirty trick.
# But, this is just the stage1 image that we are going to discard as
# soon as the stage2 image is built, so we don't care. All we care
# is that the stage2 image ends up with all the pieces it need to
# run yum and rpm and that the stage2 rpm database is coherent.
#
# NOW we can really go to work!
### Stage 2 setup.
# Download our Fedora Release rpm packages.
# Install fedora-release into bootstrap to initialize fs and databases.
# Install rpm, and yum into bootstrap image using yum
echo "Stage 1 creation complete. Building stage 2 Installation Bootstrap"
mount -o bind ../bootstrap run/install
rsync -av mirrors.kernel.org::fedora/releases/19/Fedora/x86_64/os/Packages/f/fedora-release-19* .
# The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
chroot . rpm --root /run/install --nodeps -ivh fedora-release-*
chroot . yum -y --nogpgcheck --installroot /run/install install python rpm yum
umount run/install
umount proc
umount dev
# That's it! We should now have a viable installation BOOTSTRAP in
# bootstrap We'll do a yum update in that to verify and then
# move it to the cache location before cleaning up.
cd ../bootstrap
mount -o bind /dev dev
mount -t proc proc proc
# Always make sure /etc/resolv.conf is up to date in the target!
cp /etc/resolv.conf etc/
chroot . yum -y update
RC=$?
umount proc
umount dev
cd ..
if [[ ${RC} != 0 ]]
then
echo "
Build of Installation Bootstrap failed. Temp directory
not removed so it can be investigated.
"
return 255
fi
# We know have a working run time environment in rootfs...
mv bootstrap ..
cd ..
rm -rf ${TMP_BOOTSTRAP_DIR}
echo "
Build of Installation Bootstrap complete! We now return you to your
normally scheduled template creation.
"
BOOTSTRAP=1
BOOTSTRAP_DIR="${cache_base}/bootstrap"
BOOTSTRAP_CHROOT="chroot ${BOOTSTRAP_DIR} "
BOOTSTRAP_INSTALL_ROOT=/run/install
return 0
}
fedora_bootstrap_mounts()
{
if [[ ${BOOTSTRAP} -ne 1 ]]
then
return 0
fi
BOOTSTRAP_CHROOT="chroot ${BOOTSTRAP_DIR} "
echo "Mounting Bootstrap mount points"
[[ -d ${BOOTSTRAP_DIR}/run/install ]] || mkdir -p ${BOOTSTRAP_DIR}/run/install
mount -o bind ${INSTALL_ROOT} ${BOOTSTRAP_DIR}/run/install
mount -o bind /dev ${BOOTSTRAP_DIR}/dev
mount -t proc proc ${BOOTSTRAP_DIR}/proc
# Always make sure /etc/resolv.conf is up to date in the target!
cp /etc/resolv.conf ${BOOTSTRAP_DIR}/etc/
}
fedora_bootstrap_umounts()
{
if [[ ${BOOTSTRAP} -ne 1 ]]
then
return 0
fi
umount ${BOOTSTRAP_DIR}/proc
umount ${BOOTSTRAP_DIR}/dev
umount ${BOOTSTRAP_DIR}/run/install
}
# This is the code to create the initial roofs for Fedora. It may
# require a run time environment by calling the routines above...
download_fedora()
{
# check the mini fedora was not already downloaded
INSTALL_ROOT=$cache/partial
mkdir -p $INSTALL_ROOT
if [ $? -ne 0 ]; then
echo "Failed to create '$INSTALL_ROOT' directory"
return 1
fi
# download a mini fedora into a cache
echo "Downloading fedora minimal ..."
# These will get changed if it's decided that we need a
# boostrap environment (can not build natively)
BOOTSTRAP_INSTALL_ROOT=${INSTALL_ROOT}
BOOTSTRAP_CHROOT=
PKG_LIST="yum initscripts passwd rsyslog vim-minimal dhclient chkconfig rootfiles policycoreutils fedora-release"
MIRRORLIST_URL="http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$release&arch=$arch"
if [[ ${release} -lt 17 ]]
then
# The reflects the move of db_dump and db_load from db4_utils to
# libdb_utils in Fedora 17 and above and it's inclusion as a dep...
# Prior to Fedora 11, we need to explicitly include it!
PKG_LIST="${PKG_LIST} db4-utils"
fi
DOWNLOAD_OK=no
# We're splitting the old loop into two loops plus a directory retrival.
# First loop... Try and retrive a mirror list with retries and a slight
# delay between attempts...
for trynumber in 1 2 3 4; do
[ $trynumber != 1 ] && echo "Trying again..."
# This code is mildly "brittle" in that it assumes a certain
# page format and parsing HTML. I've done worse. :-P
MIRROR_URLS=$(curl -s -S -f "$MIRRORLIST_URL" | sed -e '/^http:/!d' -e '2,6!d')
if [ $? -eq 0 ] && [ -n "$MIRROR_URLS" ]
then
break
fi
echo "Failed to get a mirror on try $trynumber"
sleep 3
done
# This will fall through if we didn't get any URLS above
for MIRROR_URL in ${MIRROR_URLS}
do
if [ "$release" -gt "16" ]; then
RELEASE_URL="$MIRROR_URL/Packages/f"
else
RELEASE_URL="$MIRROR_URL/Packages/"
fi
echo "Fetching rpm name from $RELEASE_URL..."
# This code is mildly "brittle" in that it assumes a certain directory
# page format and parsing HTML. I've done worse. :-P
RELEASE_RPM=$(curl -L -f "$RELEASE_URL" | sed -e "/fedora-release-${release}-/!d" -e 's/.*<a href=\"//' -e 's/\">.*//' )
if [ $? -ne 0 -o "${RELEASE_RPM}" = "" ]; then
echo "Failed to identify fedora release rpm."
continue
fi
echo "Fetching fedora release rpm from ${RELEASE_URL}/${RELEASE_RPM}......"
curl -L -f "${RELEASE_URL}/${RELEASE_RPM}" > ${INSTALL_ROOT}/${RELEASE_RPM}
if [ $? -ne 0 ]; then
echo "Failed to download fedora release rpm ${RELEASE_RPM}."
continue
fi
DOWNLOAD_OK=yes
break
done
if [ $DOWNLOAD_OK != yes ]; then
echo "Aborting"
return 1
fi
mkdir -p ${INSTALL_ROOT}/var/lib/rpm
if ! fedora_get_bootstrap
then
echo "Fedora Bootstrap setup failed"
return 1
fi
fedora_bootstrap_mounts
${BOOTSTRAP_CHROOT}rpm --root ${BOOTSTRAP_INSTALL_ROOT} --initdb
# The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?!
${BOOTSTRAP_CHROOT}rpm --root ${BOOTSTRAP_INSTALL_ROOT} --nodeps -ivh ${BOOTSTRAP_INSTALL_ROOT}/${RELEASE_RPM}
${BOOTSTRAP_CHROOT}yum --installroot ${BOOTSTRAP_INSTALL_ROOT} -y --nogpgcheck install ${PKG_LIST}
RC=$?
if [[ ${BOOTSTRAP} -eq 1 ]]
then
# Here we have a bit of a sticky problem. We MIGHT have just installed
# this template cache using versions of yum and rpm in the bootstrap
# chroot that use a different database version than the target version.
# That can be a very big problem. Solution is to rebuild the rpmdatabase
# with the target database now that we are done building the cache. In the
# vast majority of cases, this is a do-not-care with no harm done if we
# didn't do it. But it catches several corner cases with older unsupported
# releases and it really doesn't cost us a lot of time for a one shot
# install that will never be done again for this rev.
#
# Thanks and appreciation to Dwight Engen and the Oracle template for the
# database rewrite hint!
echo "Fixing up rpm databases"
# Change to our target install directory (if we're not already
# there) just to simplify some of the logic to follow...
cd ${INSTALL_ROOT}
rm -f var/lib/rpm/__db*
# Programmers Note (warning):
#
# Pay careful attention to the following commands! It
# crosses TWO chroot boundaries linked by a bind mount!
# In the bootstrap case, that's the bind mount of ${INSTALL_ROOT}
# to the ${BOOTSTRAP_CHROOT}/run/install directory! This is
# a deliberate hack across that bind mount to do a database
# translation between two environments, neither of which may
# be the host environment! It's ugly and hard to follow but,
# if you don't understand it, don't mess with it! The pipe
# is in host space between the two chrooted environments!
# This is also why we cd'ed into the INSTALL_ROOT directory
# in advance of this loop, so everything is relative to the
# current working directory and congruent with the same working
# space in both chrooted environments. The output into the new
# db is also done in INSTALL_ROOT space but works in either host
# space or INSTALL_ROOT space for the mv, so we don't care. It's
# just not obvious what's happening in the db_dump and db_load
# commands...
#
for db in var/lib/rpm/* ; do
${BOOTSTRAP_CHROOT} db_dump ${BOOTSTRAP_INSTALL_ROOT}/$db | chroot . db_load $db.new
mv $db.new $db
done
# finish up by rebuilding the database...
# This should be redundant but we do it for completeness and
# any corner cases I may have missed...
mount -t proc proc proc
mount -o bind /dev dev
chroot . rpm --rebuilddb
umount dev
umount proc
fi
fedora_bootstrap_umounts
if [ ${RC} -ne 0 ]; then
echo "Failed to download the rootfs, aborting."
return 1
fi
mv "$INSTALL_ROOT" "$cache/rootfs"
echo "Download complete."
return 0
}
copy_fedora()
{
# make a local copy of the minifedora
echo -n "Copying rootfs to $rootfs_path ..."
#cp -a $cache/rootfs-$arch $rootfs_path || return 1
# i prefer rsync (no reason really)
mkdir -p $rootfs_path
rsync -Ha $cache/rootfs/ $rootfs_path/
return 0
}
update_fedora()
{
mount -o bind /dev ${cache}/rootfs/dev
mount -t proc proc ${cache}/rootfs/proc
# Always make sure /etc/resolv.conf is up to date in the target!
cp /etc/resolv.conf ${cache}/rootfs/etc/
chroot ${cache}/rootfs yum -y update
umount ${cache}/rootfs/proc
umount ${cache}/rootfs/dev
}
install_fedora()
{
mkdir -p @LOCALSTATEDIR@/lock/subsys/
(
flock -x 200
if [ $? -ne 0 ]; then
echo "Cache repository is busy."
return 1
fi
echo "Checking cache download in $cache/rootfs ... "
if [ ! -e "$cache/rootfs" ]; then
download_fedora
if [ $? -ne 0 ]; then
echo "Failed to download 'fedora base'"
return 1
fi
else
echo "Cache found. Updating..."
update_fedora
if [ $? -ne 0 ]; then
echo "Failed to update 'fedora base', continuing with last known good cache"
else
echo "Update finished"
fi
fi
echo "Copy $cache/rootfs to $rootfs_path ... "
copy_fedora
if [ $? -ne 0 ]; then
echo "Failed to copy rootfs"
return 1
fi
return 0
) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
return $?
}
copy_configuration()
{
mkdir -p $config_path
grep -q "^lxc.rootfs" $config_path/config 2>/dev/null || echo "lxc.rootfs = $rootfs_path" >> $config_path/config
cat <<EOF >> $config_path/config
lxc.utsname = $utsname
lxc.tty = 4
lxc.pts = 1024
lxc.mount = $config_path/fstab
lxc.cap.drop = sys_module mac_admin mac_override sys_time
lxc.autodev = $auto_dev
# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined
#cgroups
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rm
EOF
cat <<EOF > $config_path/fstab
proc proc proc nodev,noexec,nosuid 0 0
sysfs sys sysfs defaults 0 0
EOF
if [ $? -ne 0 ]; then
echo "Failed to add configuration"
return 1
fi
return 0
}
clean()
{
if [ ! -e $cache ]; then
exit 0
fi
# lock, so we won't purge while someone is creating a repository
(
flock -x 200
if [ $? != 0 ]; then
echo "Cache repository is busy."
exit 1
fi
echo -n "Purging the download cache for Fedora-$release..."
rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
exit 0
) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
}
usage()
{
cat <<EOF
usage:
$1 -n|--name=<container_name>
[-p|--path=<path>] [-c|--clean] [-R|--release=<Fedora_release>] [--fqdn=<network name of container>] [-A|--arch=<arch of the container>]
[-h|--help]
Mandatory args:
-n,--name container name, used to as an identifier for that container from now on
Optional args:
-p,--path path to where the container will be created, defaults to @LXCPATH@. The container config will go under @LXCPATH@ in that case
--rootfs path for actual rootfs.
-c,--clean clean the cache
-R,--release Fedora release for the new container. if the host is Fedora, then it will default to the host's release.
--fqdn fully qualified domain name (FQDN) for DNS and system naming
-A,--arch NOT USED YET. Define what arch the container will be [i686,x86_64]
-h,--help print this help
EOF
return 0
}
options=$(getopt -o hp:n:cR: -l help,path:,rootfs:,name:,clean,release:,fqdn: -- "$@")
if [ $? -ne 0 ]; then
usage $(basename $0)
exit 1
fi
eval set -- "$options"
while true
do
case "$1" in
-h|--help) usage $0 && exit 0;;
-p|--path) path=$2; shift 2;;
--rootfs) rootfs=$2; shift 2;;
-n|--name) name=$2; shift 2;;
-c|--clean) clean=$2; shift 2;;
-R|--release) release=$2; shift 2;;
--fqdn) utsname=$2; shift 2;;
--) shift 1; break ;;
*) break ;;
esac
done
if [ ! -z "$clean" -a -z "$path" ]; then
clean || exit 1
exit 0
fi
if [ -z "${utsname}" ]; then
utsname=${name}
fi
# This follows a standard "resolver" convention that an FQDN must have
# at least two dots or it is considered a local relative host name.
# If it doesn't, append the dns domain name of the host system.
#
# This changes one significant behavior when running
# "lxc_create -n Container_Name" without using the
# --fqdn option.
#
# Old behavior:
# utsname and hostname = Container_Name
# New behavior:
# utsname and hostname = Container_Name.Domain_Name
if [ $(expr "$utsname" : '.*\..*\.') = 0 ]; then
if [ -n "$(dnsdomainname)" ]; then
utsname=${utsname}.$(dnsdomainname)
fi
fi
needed_pkgs=""
type curl >/dev/null 2>&1
if [ $? -ne 0 ]; then
needed_pkgs="curl $needed_pkgs"
fi
if [ -n "$needed_pkgs" ]; then
echo "Missing commands: $needed_pkgs"
echo "Please install these using \"sudo yum install $needed_pkgs\""
exit 1
fi
if [ -z "$path" ]; then
path=$default_path/$name
fi
if [ -z "$release" ]; then
if [ "$is_fedora" -a "$fedora_host_ver" ]; then
release=$fedora_host_ver
else
echo "This is not a fedora host and release missing, defaulting to 18. use -R|--release to specify release"
release=18
fi
fi
# Fedora 15 and above run systemd. We need autodev enabled to keep
# systemd from causing problems.
if [ $release -gt 14 ]; then
auto_dev="1"
else
auto_dev="0"
fi
if [ "$(id -u)" != "0" ]; then
echo "This script should be run as 'root'"
exit 1
fi
if [ -z "$rootfs_path" ]; then
rootfs_path=$path/rootfs
# check for 'lxc.rootfs' passed in through default config by lxc-create
if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then
rootfs_path=`grep 'lxc.rootfs =' $path/config | awk -F= '{ print $2 }'`
fi
fi
config_path=$default_path/$name
cache=$cache_base/$release
revert()
{
echo "Interrupted, so cleaning up"
lxc-destroy -n $name
# maybe was interrupted before copy config
rm -rf $path
rm -rf $default_path/$name
echo "exiting..."
exit 1
}
trap revert SIGHUP SIGINT SIGTERM
copy_configuration
if [ $? -ne 0 ]; then
echo "failed write configuration file"
exit 1
fi
install_fedora
if [ $? -ne 0 ]; then
echo "failed to install fedora"
exit 1
fi
configure_fedora
if [ $? -ne 0 ]; then
echo "failed to configure fedora for a container"
exit 1
fi
# If the systemd configuration directory exists - set it up for what we need.
if [ -d ${rootfs_path}/etc/systemd/system ]
then
configure_fedora_systemd
fi
# This configuration (rc.sysinit) is not inconsistent with the systemd stuff
# above and may actually coexist on some upgraded systems. Let's just make
# sure that, if it exists, we update this file, even if it's not used...
if [ -f ${rootfs_path}/etc/rc.sysinit ]
then
configure_fedora_init
fi
if [ ! -z $clean ]; then
clean || exit 1
exit 0
fi
echo "container rootfs and config created"
if [[ -d ${cache_base}/bootstrap ]]
then
echo "
You have successfully built a Fedora container and cache. This cache may
be used to create future containers of various revisions. The directory
${cache_base}/bootstrap contains a bootstrap
which may no longer needed and can be removed.
"
fi
if [[ -e ${cache_base}/LiveOS ]]
then
echo "A LiveOS directory exists at ${cache_base}/LiveOS.
This is only used in the creation of the bootstrap run-time-environment
and may be removed.
"
fi