lxc-fedora.in revision 431fdc427247ab1a6189c46d0743e38f30f9e1e9
252N/A#!/bin/bash
252N/A
252N/A#
252N/A# template script for generating fedora container for LXC
252N/A#
252N/A
252N/A#
252N/A# lxc: linux Container library
252N/A
252N/A# Authors:
252N/A# Daniel Lezcano <daniel.lezcano@free.fr>
252N/A# Ramez Hanna <rhanna@informatiq.org>
252N/A
252N/A# This library is free software; you can redistribute it and/or
252N/A# modify it under the terms of the GNU Lesser General Public
252N/A# License as published by the Free Software Foundation; either
252N/A# version 2.1 of the License, or (at your option) any later version.
252N/A
252N/A# This library is distributed in the hope that it will be useful,
252N/A# but WITHOUT ANY WARRANTY; without even the implied warranty of
252N/A # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
252N/A# Lesser General Public License for more details.
252N/A
252N/A# You should have received a copy of the GNU Lesser General Public
252N/A# License along with this library; if not, write to the Free Software
252N/A# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
252N/A
252N/A#Configurations
252N/Aarch=$(uname -m)
252N/Acache_base=@LOCALSTATEDIR@/cache/lxc/fedora/$arch
252N/Adefault_path=@LXCPATH@
252N/Aroot_password=root
252N/A
252N/A# is this fedora?
252N/A# Alow for weird remixes like the Raspberry Pi
252N/A#
252N/A# Use the Mitre standard CPE identifier for the release ID if possible...
252N/A# This may be in /etc/os-release or /etc/system-release-cpe. We
252N/A# should be able to use EITHER. Give preference to /etc/os-release for now.
252N/A
252N/Aif [ -e /etc/os-release ]
252N/Athen
252N/A# This is a shell friendly configuration file. We can just source it.
252N/A# What we're looking for in here is the ID, VERSION_ID and the CPE_NAME
252N/A . /etc/os-release
252N/A echo "Host CPE ID from /etc/os-release: ${CPE_NAME}"
252N/Afi
252N/A
252N/Aif [ "${CPE_NAME}" = "" -a -e /etc/system-release-cpe ]
252N/Athen
252N/A CPE_NAME=$(head -n1 /etc/system-release-cpe)
252N/A CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:*]\)')
252N/A if [ "${CPE_URI}" != "cpe:/o" ]
252N/A then
252N/A CPE_NAME=
252N/A else
252N/A echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}"
252N/A # Probably a better way to do this but sill remain posix
252N/A # compatible but this works, shrug...
252N/A # Must be nice and not introduce convenient bashisms here.
252N/A ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:\([^:]*\)')
252N/A VERSION_ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:[^:]*:\([^:]*\)')
252N/A fi
252N/Afi
252N/A
252N/Aif [ "${CPE_NAME}" != "" -a "${ID}" = "fedora" -a "${VERSION_ID}" != "" ]
252N/Athen
252N/A fedora_host_ver=${VERSION_ID}
252N/A is_fedora=true
252N/Aelif [ -e /etc/redhat-release ]
252N/Athen
252N/A # Only if all other methods fail, try to parse the redhat-release file.
fedora_host_ver=$( sed -e '/^Fedora /!d' -e 's/Fedora.*\srelease\s*\([0-9][0-9]*\)\s.*/\1/' < /etc/redhat-release )
if [ "$fedora_host_ver" != "" ]
then
is_fedora=true
fi
fi
# Map a few architectures to their generic Fedora repository archs.
# The two ARM archs are a bit of a guesstimate for the v5 and v6
# archs. V6 should have hardware floating point (Rasberry Pi).
# The "arm" arch is safer (no hardware floating point). So
# there may be cases where we "get it wrong" for some v6 other
# than RPi.
case "$arch" in
i686) arch=i386 ;;
armv3l|armv4l|armv5l) arch=arm ;;
armv6l|armv7l|armv8l) arch=armhfp ;;
esac
configure_fedora()
{
# disable selinux in fedora
mkdir -p $rootfs_path/selinux
echo 0 > $rootfs_path/selinux/enforce
# configure the network using the dhcp
cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
HOSTNAME=${utsname}
NM_CONTROLLED=no
TYPE=Ethernet
MTU=${MTU}
EOF
# set the hostname
cat <<EOF > ${rootfs_path}/etc/sysconfig/network
NETWORKING=yes
HOSTNAME=${utsname}
EOF
# set hostname on systemd Fedora systems
if [ $release -gt 14 ]; then
echo "${utsname}" > ${rootfs_path}/etc/hostname
fi
# set minimal hosts
cat <<EOF > $rootfs_path/etc/hosts
127.0.0.1 localhost.localdomain localhost $utsname
::1 localhost6.localdomain6 localhost6
EOF
dev_path="${rootfs_path}/dev"
rm -rf $dev_path
mkdir -p $dev_path
mknod -m 666 ${dev_path}/null c 1 3
mknod -m 666 ${dev_path}/zero c 1 5
mknod -m 666 ${dev_path}/random c 1 8
mknod -m 666 ${dev_path}/urandom c 1 9
mkdir -m 755 ${dev_path}/pts
mkdir -m 1777 ${dev_path}/shm
mknod -m 666 ${dev_path}/tty c 5 0
mknod -m 666 ${dev_path}/tty0 c 4 0
mknod -m 666 ${dev_path}/tty1 c 4 1
mknod -m 666 ${dev_path}/tty2 c 4 2
mknod -m 666 ${dev_path}/tty3 c 4 3
mknod -m 666 ${dev_path}/tty4 c 4 4
mknod -m 600 ${dev_path}/console c 5 1
mknod -m 666 ${dev_path}/full c 1 7
mknod -m 600 ${dev_path}/initctl p
mknod -m 666 ${dev_path}/ptmx c 5 2
echo "setting root passwd to $root_password"
echo "root:$root_password" | chroot $rootfs_path chpasswd
# specifying this in the initial packages doesn't always work.
echo "installing fedora-release package"
chroot ${rootfs_path} yum --releasever=${release} -y install fedora-release
# silence some needless startup errors
touch ${rootfs_path}/etc/fstab
# give us a console on /dev/console
sed -i 's/ACTIVE_CONSOLES=.*$/ACTIVE_CONSOLES="\/dev\/console \/dev\/tty[1-4]"/' \
${rootfs_path}/etc/sysconfig/init
return 0
}
configure_fedora_init()
{
sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit
sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.d/rc.sysinit
# don't mount devpts, for pete's sake
sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs_path}/etc/rc.sysinit
sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs_path}/etc/rc.d/rc.sysinit
chroot ${rootfs_path} chkconfig udev-post off
chroot ${rootfs_path} chkconfig network on
}
configure_fedora_systemd()
{
unlink ${rootfs_path}/etc/systemd/system/default.target
touch ${rootfs_path}/etc/fstab
chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/udev.service
chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
#dependency on a device unit fails it specially that we disabled udev
# sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service
#
# Actually, the After=dev-%i.device line does not appear in the
# Fedora 17 or Fedora 18 systemd getty\@.service file. It may be left
# over from an earlier version and it's not doing any harm. We do need
# to disable the "ConditionalPathExists=/dev/tty0" line or no gettys are
# started on the ttys in the container. Lets do it in an override copy of
# the service so it can still pass rpm verifies and not be automatically
# updated by a new systemd version. -- mhw /\/\|=mhw=|\/\/
sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
-e 's/After=dev-%i.device/After=/' \
< ${rootfs_path}/lib/systemd/system/getty\@.service \
> ${rootfs_path}/etc/systemd/system/getty\@.service
# Setup getty service on the 4 ttys we are going to allow in the
# default config. Number should match lxc.tty
( cd ${rootfs_path}/etc/systemd/system/getty.target.wants
for i in 1 2 3 4 ; do ln -sf ../getty\@.service getty@tty${i}.service; done )
}
download_fedora()
{
# check the mini fedora was not already downloaded
INSTALL_ROOT=$cache/partial
mkdir -p $INSTALL_ROOT
if [ $? -ne 0 ]; then
echo "Failed to create '$INSTALL_ROOT' directory"
return 1
fi
# download a mini fedora into a cache
echo "Downloading fedora minimal ..."
YUM="yum --installroot $INSTALL_ROOT -y --nogpgcheck"
PKG_LIST="yum initscripts passwd rsyslog vim-minimal dhclient chkconfig rootfiles policycoreutils fedora-release"
MIRRORLIST_URL="http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$release&arch=$arch"
DOWNLOAD_OK=no
# We're splitting the old loop into two loops plus a directory retrival.
# First loop... Try and retrive a mirror list with retries and a slight
# delay between attempts...
for trynumber in 1 2 3 4; do
[ $trynumber != 1 ] && echo "Trying again..."
# This code is mildly "brittle" in that it assumes a certain
# page format and parsing HTML. I've done worse. :-P
MIRROR_URLS=$(curl -s -S -f "$MIRRORLIST_URL" | sed -e '/^http:/!d' -e '2,6!d')
if [ $? -eq 0 ] && [ -n "$MIRROR_URLS" ]
then
break
fi
echo "Failed to get a mirror on try $trynumber"
sleep 3
done
# This will fall through if we didn't get any URLS above
for MIRROR_URL in ${MIRROR_URLS}
do
if [ "$release" -eq "19" ]; then
RELEASE_URL="$MIRROR_URL/Packages/f/fedora-release-$release-2.noarch.rpm"
elif [ "$release" -gt "16" ]; then
RELEASE_URL="$MIRROR_URL/Packages/f"
else
RELEASE_URL="$MIRROR_URL/Packages/"
fi
echo "Fetching rpm name from $RELEASE_URL..."
# This code is mildly "brittle" in that it assumes a certain directory
# page format and parsing HTML. I've done worse. :-P
RELEASE_RPM=$(curl -L -f "$RELEASE_URL" | sed -e "/fedora-release-${release}-/!d" -e 's/.*<a href=\"//' -e 's/\">.*//' )
if [ $? -ne 0 -o "${RELEASE_RPM}" = "" ]; then
echo "Failed to identify fedora release rpm."
continue
fi
echo "Fetching fedora release rpm from ${RELEASE_URL}/${RELEASE_RPM}......"
curl -L -f "${RELEASE_URL}/${RELEASE_RPM}" > ${INSTALL_ROOT}/${RELEASE_RPM}
if [ $? -ne 0 ]; then
echo "Failed to download fedora release rpm ${RELEASE_RPM}."
continue
fi
DOWNLOAD_OK=yes
break
done
if [ $DOWNLOAD_OK != yes ]; then
echo "Aborting"
return 1
fi
mkdir -p $INSTALL_ROOT/var/lib/rpm
rpm --root $INSTALL_ROOT --initdb
rpm --root $INSTALL_ROOT -ivh ${INSTALL_ROOT}/${RELEASE_RPM}
$YUM install $PKG_LIST
if [ $? -ne 0 ]; then
echo "Failed to download the rootfs, aborting."
return 1
fi
mv "$INSTALL_ROOT" "$cache/rootfs"
echo "Download complete."
return 0
}
copy_fedora()
{
# make a local copy of the minifedora
echo -n "Copying rootfs to $rootfs_path ..."
#cp -a $cache/rootfs-$arch $rootfs_path || return 1
# i prefer rsync (no reason really)
mkdir -p $rootfs_path
rsync -Ha $cache/rootfs/ $rootfs_path/
return 0
}
update_fedora()
{
YUM="yum --installroot $cache/rootfs -y --nogpgcheck"
$YUM update
}
install_fedora()
{
mkdir -p @LOCALSTATEDIR@/lock/subsys/
(
flock -x 200
if [ $? -ne 0 ]; then
echo "Cache repository is busy."
return 1
fi
echo "Checking cache download in $cache/rootfs ... "
if [ ! -e "$cache/rootfs" ]; then
download_fedora
if [ $? -ne 0 ]; then
echo "Failed to download 'fedora base'"
return 1
fi
else
echo "Cache found. Updating..."
update_fedora
if [ $? -ne 0 ]; then
echo "Failed to update 'fedora base', continuing with last known good cache"
else
echo "Update finished"
fi
fi
echo "Copy $cache/rootfs to $rootfs_path ... "
copy_fedora
if [ $? -ne 0 ]; then
echo "Failed to copy rootfs"
return 1
fi
return 0
) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
return $?
}
copy_configuration()
{
mkdir -p $config_path
grep -q "^lxc.rootfs" $config_path/config 2>/dev/null || echo "lxc.rootfs = $rootfs_path" >> $config_path/config
cat <<EOF >> $config_path/config
lxc.utsname = $utsname
lxc.tty = 4
lxc.pts = 1024
lxc.mount = $config_path/fstab
lxc.cap.drop = sys_module mac_admin mac_override sys_time
lxc.autodev = $auto_dev
# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined
#cgroups
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rm
EOF
cat <<EOF > $config_path/fstab
proc proc proc nodev,noexec,nosuid 0 0
sysfs sys sysfs defaults 0 0
EOF
if [ $? -ne 0 ]; then
echo "Failed to add configuration"
return 1
fi
return 0
}
clean()
{
if [ ! -e $cache ]; then
exit 0
fi
# lock, so we won't purge while someone is creating a repository
(
flock -x 200
if [ $? != 0 ]; then
echo "Cache repository is busy."
exit 1
fi
echo -n "Purging the download cache for Fedora-$release..."
rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
exit 0
) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
}
usage()
{
cat <<EOF
usage:
$1 -n|--name=<container_name>
[-p|--path=<path>] [-c|--clean] [-R|--release=<Fedora_release>] [--fqdn=<network name of container>] [-A|--arch=<arch of the container>]
[-h|--help]
Mandatory args:
-n,--name container name, used to as an identifier for that container from now on
Optional args:
-p,--path path to where the container will be created, defaults to @LXCPATH@. The container config will go under @LXCPATH@ in that case
--rootfs path for actual rootfs.
-c,--clean clean the cache
-R,--release Fedora release for the new container. if the host is Fedora, then it will default to the host's release.
--fqdn fully qualified domain name (FQDN) for DNS and system naming
-A,--arch NOT USED YET. Define what arch the container will be [i686,x86_64]
-h,--help print this help
EOF
return 0
}
options=$(getopt -o hp:n:cR: -l help,path:,rootfs:,name:,clean,release:,fqdn: -- "$@")
if [ $? -ne 0 ]; then
usage $(basename $0)
exit 1
fi
eval set -- "$options"
while true
do
case "$1" in
-h|--help) usage $0 && exit 0;;
-p|--path) path=$2; shift 2;;
--rootfs) rootfs=$2; shift 2;;
-n|--name) name=$2; shift 2;;
-c|--clean) clean=$2; shift 2;;
-R|--release) release=$2; shift 2;;
--fqdn) utsname=$2; shift 2;;
--) shift 1; break ;;
*) break ;;
esac
done
if [ ! -z "$clean" -a -z "$path" ]; then
clean || exit 1
exit 0
fi
if [ -z "${utsname}" ]; then
utsname=${name}
fi
# This follows a standard "resolver" convention that an FQDN must have
# at least two dots or it is considered a local relative host name.
# If it doesn't, append the dns domain name of the host system.
#
# This changes one significant behavior when running
# "lxc_create -n Container_Name" without using the
# --fqdn option.
#
# Old behavior:
# utsname and hostname = Container_Name
# New behavior:
# utsname and hostname = Container_Name.Domain_Name
if [ $(expr "$utsname" : '.*\..*\.') = 0 ]; then
if [ -n "$(dnsdomainname)" ]; then
utsname=${utsname}.$(dnsdomainname)
fi
fi
needed_pkgs=""
type yum >/dev/null 2>&1
if [ $? -ne 0 ]; then
needed_pkgs="yum $needed_pkgs"
fi
type curl >/dev/null 2>&1
if [ $? -ne 0 ]; then
needed_pkgs="curl $needed_pkgs"
fi
if [ -n "$needed_pkgs" ]; then
echo "Missing commands: $needed_pkgs"
echo "Please install these using \"sudo yum install $needed_pkgs\""
exit 1
fi
if [ -z "$path" ]; then
path=$default_path/$name
fi
if [ -z "$release" ]; then
if [ "$is_fedora" -a "$fedora_host_ver" ]; then
release=$fedora_host_ver
else
echo "This is not a fedora host and release missing, defaulting to 18. use -R|--release to specify release"
release=18
fi
fi
# Fedora 15 and above run systemd. We need autodev enabled to keep
# systemd from causing problems.
if [ $release -gt 14 ]; then
auto_dev="1"
else
auto_dev="0"
fi
if [ "$(id -u)" != "0" ]; then
echo "This script should be run as 'root'"
exit 1
fi
if [ -z "$rootfs_path" ]; then
rootfs_path=$path/rootfs
# check for 'lxc.rootfs' passed in through default config by lxc-create
if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then
rootfs_path=`grep 'lxc.rootfs =' $path/config | awk -F= '{ print $2 }'`
fi
fi
config_path=$default_path/$name
cache=$cache_base/$release
revert()
{
echo "Interrupted, so cleaning up"
lxc-destroy -n $name
# maybe was interrupted before copy config
rm -rf $path
rm -rf $default_path/$name
echo "exiting..."
exit 1
}
trap revert SIGHUP SIGINT SIGTERM
copy_configuration
if [ $? -ne 0 ]; then
echo "failed write configuration file"
exit 1
fi
install_fedora
if [ $? -ne 0 ]; then
echo "failed to install fedora"
exit 1
fi
configure_fedora
if [ $? -ne 0 ]; then
echo "failed to configure fedora for a container"
exit 1
fi
# If the systemd configuration directory exists - set it up for what we need.
if [ -d ${rootfs_path}/etc/systemd/system ]
then
configure_fedora_systemd
fi
# This configuration (rc.sysinit) is not inconsistent with the systemd stuff
# above and may actually coexist on some upgraded systems. Let's just make
# sure that, if it exists, we update this file, even if it's not used...
if [ -f ${rootfs_path}/etc/rc.sysinit ]
then
configure_fedora_init
fi
if [ ! -z $clean ]; then
clean || exit 1
exit 0
fi
echo "container rootfs and config created"