lxc-fedora.in revision 8983aa6e1e831f690be9cf38ae434a0de8b5107d
0N/A#!/bin/bash
0N/A
0N/A#
0N/A# template script for generating fedora container for LXC
0N/A#
0N/A
0N/A#
0N/A# lxc: linux Container library
0N/A
0N/A# Authors:
0N/A# Daniel Lezcano <daniel.lezcano@free.fr>
0N/A# Ramez Hanna <rhanna@informatiq.org>
0N/A
0N/A# This library is free software; you can redistribute it and/or
0N/A# modify it under the terms of the GNU Lesser General Public
0N/A# License as published by the Free Software Foundation; either
0N/A# version 2.1 of the License, or (at your option) any later version.
0N/A
0N/A# This library is distributed in the hope that it will be useful,
0N/A# but WITHOUT ANY WARRANTY; without even the implied warranty of
0N/A # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
0N/A# Lesser General Public License for more details.
0N/A
0N/A# You should have received a copy of the GNU Lesser General Public
0N/A# License along with this library; if not, write to the Free Software
0N/A# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
0N/A
0N/A#Configurations
0N/Aarch=$(uname -m)
0N/Acache_base=@LOCALSTATEDIR@/cache/lxc/fedora/$arch
58N/Adefault_path=@LXCPATH@
0N/Aroot_password=root
0N/A
0N/A# is this fedora?
0N/A# Alow for weird remixes like the Raspberry Pi
0N/A#
0N/A# Use the Mitre standard CPE identifier for the release ID if possible...
0N/A# This may be in /etc/os-release or /etc/system-release-cpe. We
0N/A# should be able to use EITHER. Give preference to /etc/os-release for now.
58N/A
0N/Aif [ -e /etc/os-release ]
0N/Athen
0N/A# This is a shell friendly configuration file. We can just source it.
0N/A# What we're looking for in here is the ID, VERSION_ID and the CPE_NAME
0N/A . /etc/os-release
0N/A echo "Host CPE ID from /etc/os-release: ${CPE_NAME}"
0N/Afi
0N/A
0N/Aif [ "${CPE_NAME}" = "" -a -e /etc/system-release-cpe ]
0N/Athen
0N/A CPE_NAME=$(head -n1 /etc/system-release-cpe)
0N/A CPE_URI=$(expr ${CPE_NAME} : '\([^:]*:[^:*]\)')
0N/A if [ "${CPE_URI}" != "cpe:/o" ]
58N/A then
58N/A CPE_NAME=
58N/A else
58N/A echo "Host CPE ID from /etc/system-release-cpe: ${CPE_NAME}"
98N/A # Probably a better way to do this but sill remain posix
98N/A # compatible but this works, shrug...
98N/A # Must be nice and not introduce convenient bashisms here.
98N/A ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:\([^:]*\)')
98N/A VERSION_ID=$(expr ${CPE_NAME} : '[^:]*:[^:]*:[^:]*:[^:]*:\([^:]*\)')
98N/A fi
98N/Afi
98N/A
98N/Aif [ "${CPE_NAME}" != "" -a "${ID}" = "fedora" -a "${VERSION_ID}" != "" ]
98N/Athen
98N/A fedora_host_ver=${VERSION_ID}
98N/A is_fedora=true
98N/Aelif [ -e /etc/redhat-release ]
98N/Athen
98N/A # Only if all other methods fail, try to parse the redhat-release file.
98N/A fedora_host_ver=$( sed -e '/^Fedora /!d' -e 's/Fedora.*\srelease\s*\([0-9][0-9]*\)\s.*/\1/' < /etc/redhat-release )
98N/A if [ "$fedora_host_ver" != "" ]
98N/A then
98N/A is_fedora=true
98N/A fi
98N/Afi
98N/A
98N/A# Map a few architectures to their generic Fedora repository archs.
98N/A# The two ARM archs are a bit of a guesstimate for the v5 and v6
98N/A# archs. V6 should have hardware floating point (Rasberry Pi).
98N/A# The "arm" arch is safer (no hardware floating point). So
98N/A# there may be cases where we "get it wrong" for some v6 other
98N/A# than RPi.
98N/Acase "$arch" in
98N/Ai686) arch=i386 ;;
58N/Aarmv3l|armv4l|armv5l) arch=arm ;;
0N/Aarmv6l|armv7l|armv8l) arch=armhfp ;;
0N/Aesac
0N/A
0N/Aconfigure_fedora()
0N/A{
0N/A
0N/A # disable selinux in fedora
0N/A mkdir -p $rootfs_path/selinux
0N/A echo 0 > $rootfs_path/selinux/enforce
73N/A
0N/A # configure the network using the dhcp
0N/A cat <<EOF > ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0
0N/ADEVICE=eth0
0N/ABOOTPROTO=dhcp
0N/AONBOOT=yes
0N/AHOSTNAME=${utsname}
0N/ANM_CONTROLLED=no
0N/ATYPE=Ethernet
0N/AMTU=${MTU}
0N/AEOF
0N/A
0N/A # set the hostname
0N/A cat <<EOF > ${rootfs_path}/etc/sysconfig/network
0N/ANETWORKING=yes
58N/AHOSTNAME=${utsname}
0N/AEOF
0N/A
0N/A # set hostname on systemd Fedora systems
0N/A if [ $release -gt 14 ]; then
0N/A echo "${utsname}" > ${rootfs_path}/etc/hostname
0N/A fi
0N/A
0N/A # set minimal hosts
0N/A cat <<EOF > $rootfs_path/etc/hosts
0N/A127.0.0.1 localhost.localdomain localhost $utsname
0N/A::1 localhost6.localdomain6 localhost6
0N/AEOF
0N/A
0N/A dev_path="${rootfs_path}/dev"
0N/A rm -rf $dev_path
0N/A mkdir -p $dev_path
0N/A mknod -m 666 ${dev_path}/null c 1 3
58N/A mknod -m 666 ${dev_path}/zero c 1 5
58N/A mknod -m 666 ${dev_path}/random c 1 8
58N/A mknod -m 666 ${dev_path}/urandom c 1 9
58N/A mkdir -m 755 ${dev_path}/pts
58N/A mkdir -m 1777 ${dev_path}/shm
58N/A mknod -m 666 ${dev_path}/tty c 5 0
58N/A mknod -m 666 ${dev_path}/tty0 c 4 0
58N/A mknod -m 666 ${dev_path}/tty1 c 4 1
58N/A mknod -m 666 ${dev_path}/tty2 c 4 2
58N/A mknod -m 666 ${dev_path}/tty3 c 4 3
58N/A mknod -m 666 ${dev_path}/tty4 c 4 4
58N/A mknod -m 600 ${dev_path}/console c 5 1
58N/A mknod -m 666 ${dev_path}/full c 1 7
58N/A mknod -m 600 ${dev_path}/initctl p
58N/A mknod -m 666 ${dev_path}/ptmx c 5 2
58N/A
58N/A echo "setting root passwd to $root_password"
58N/A echo "root:$root_password" | chroot $rootfs_path chpasswd
58N/A
58N/A # specifying this in the initial packages doesn't always work.
58N/A echo "installing fedora-release package"
58N/A chroot ${rootfs_path} yum --releasever=${release} -y install fedora-release
58N/A
58N/A # silence some needless startup errors
58N/A touch ${rootfs_path}/etc/fstab
58N/A
58N/A # give us a console on /dev/console
58N/A sed -i 's/ACTIVE_CONSOLES=.*$/ACTIVE_CONSOLES="\/dev\/console \/dev\/tty[1-4]"/' \
58N/A ${rootfs_path}/etc/sysconfig/init
58N/A
58N/A return 0
58N/A}
58N/Aconfigure_fedora_init()
58N/A{
58N/A sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit
58N/A sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.d/rc.sysinit
58N/A # don't mount devpts, for pete's sake
58N/A sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs_path}/etc/rc.sysinit
58N/A sed -i 's/^.*dev.pts.*$/#\0/' ${rootfs_path}/etc/rc.d/rc.sysinit
58N/A chroot ${rootfs_path} chkconfig udev-post off
58N/A chroot ${rootfs_path} chkconfig network on
58N/A}
58N/A
58N/Aconfigure_fedora_systemd()
58N/A{
58N/A unlink ${rootfs_path}/etc/systemd/system/default.target
58N/A touch ${rootfs_path}/etc/fstab
58N/A chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/udev.service
58N/A chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
0N/A #dependency on a device unit fails it specially that we disabled udev
0N/A # sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service
0N/A #
98N/A # Actually, the After=dev-%i.device line does not appear in the
97N/A # Fedora 17 or Fedora 18 systemd getty\@.service file. It may be left
98N/A # over from an earlier version and it's not doing any harm. We do need
97N/A # to disable the "ConditionalPathExists=/dev/tty0" line or no gettys are
98N/A # started on the ttys in the container. Lets do it in an override copy of
0N/A # the service so it can still pass rpm verifies and not be automatically
0N/A # updated by a new systemd version. -- mhw /\/\|=mhw=|\/\/
0N/A
0N/A sed -e 's/^ConditionPathExists=/# ConditionPathExists=/' \
0N/A -e 's/After=dev-%i.device/After=/' \
0N/A < ${rootfs_path}/lib/systemd/system/getty\@.service \
0N/A > ${rootfs_path}/etc/systemd/system/getty\@.service
0N/A # Setup getty service on the 4 ttys we are going to allow in the
0N/A # default config. Number should match lxc.tty
0N/A ( cd ${rootfs_path}/etc/systemd/system/getty.target.wants
0N/A for i in 1 2 3 4 ; do ln -sf ../getty\@.service getty@tty${i}.service; done )
0N/A}
0N/A
0N/Adownload_fedora()
0N/A{
0N/A
0N/A # check the mini fedora was not already downloaded
0N/A INSTALL_ROOT=$cache/partial
0N/A mkdir -p $INSTALL_ROOT
0N/A if [ $? -ne 0 ]; then
0N/A echo "Failed to create '$INSTALL_ROOT' directory"
0N/A return 1
53N/A fi
0N/A
0N/A # download a mini fedora into a cache
0N/A echo "Downloading fedora minimal ..."
0N/A YUM="yum --installroot $INSTALL_ROOT -y --nogpgcheck"
0N/A PKG_LIST="yum initscripts passwd rsyslog vim-minimal dhclient chkconfig rootfiles policycoreutils fedora-release"
0N/A MIRRORLIST_URL="http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$release&arch=$arch"
0N/A
0N/A DOWNLOAD_OK=no
0N/A
0N/A # We're splitting the old loop into two loops plus a directory retrival.
0N/A # First loop... Try and retrive a mirror list with retries and a slight
0N/A # delay between attempts...
0N/A for trynumber in 1 2 3 4; do
98N/A [ $trynumber != 1 ] && echo "Trying again..."
98N/A # This code is mildly "brittle" in that it assumes a certain
98N/A # page format and parsing HTML. I've done worse. :-P
98N/A MIRROR_URLS=$(curl -s -S -f "$MIRRORLIST_URL" | sed -e '/^http:/!d' -e '2,6!d')
98N/A if [ $? -eq 0 ] && [ -n "$MIRROR_URLS" ]
98N/A then
98N/A break
98N/A fi
98N/A
98N/A echo "Failed to get a mirror on try $trynumber"
98N/A sleep 3
98N/A done
98N/A
98N/A # This will fall through if we didn't get any URLS above
98N/A for MIRROR_URL in ${MIRROR_URLS}
98N/A do
98N/A if [ "$release" -eq "19" ]; then
98N/A RELEASE_URL="$MIRROR_URL/Packages/f/fedora-release-$release-2.noarch.rpm"
98N/A elif [ "$release" -gt "16" ]; then
98N/A RELEASE_URL="$MIRROR_URL/Packages/f"
98N/A else
98N/A RELEASE_URL="$MIRROR_URL/Packages/"
98N/A fi
98N/A
98N/A echo "Fetching rpm name from $RELEASE_URL..."
98N/A # This code is mildly "brittle" in that it assumes a certain directory
98N/A # page format and parsing HTML. I've done worse. :-P
0N/A RELEASE_RPM=$(curl -L -f "$RELEASE_URL" | sed -e "/fedora-release-${release}-/!d" -e 's/.*<a href=\"//' -e 's/\">.*//' )
0N/A if [ $? -ne 0 -o "${RELEASE_RPM}" = "" ]; then
0N/A echo "Failed to identify fedora release rpm."
0N/A continue
0N/A fi
0N/A
0N/A echo "Fetching fedora release rpm from ${RELEASE_URL}/${RELEASE_RPM}......"
58N/A curl -L -f "${RELEASE_URL}/${RELEASE_RPM}" > ${INSTALL_ROOT}/${RELEASE_RPM}
0N/A if [ $? -ne 0 ]; then
0N/A echo "Failed to download fedora release rpm ${RELEASE_RPM}."
0N/A continue
0N/A fi
0N/A
0N/A DOWNLOAD_OK=yes
0N/A break
0N/A done
0N/A
0N/A if [ $DOWNLOAD_OK != yes ]; then
0N/A echo "Aborting"
0N/A return 1
0N/A fi
0N/A
0N/A mkdir -p $INSTALL_ROOT/var/lib/rpm
0N/A rpm --root $INSTALL_ROOT --initdb
0N/A rpm --root $INSTALL_ROOT -ivh ${INSTALL_ROOT}/${RELEASE_RPM}
0N/A $YUM install $PKG_LIST
0N/A
0N/A if [ $? -ne 0 ]; then
0N/A echo "Failed to download the rootfs, aborting."
0N/A return 1
0N/A fi
0N/A
0N/A mv "$INSTALL_ROOT" "$cache/rootfs"
0N/A echo "Download complete."
0N/A
0N/A return 0
0N/A}
0N/A
0N/Acopy_fedora()
0N/A{
0N/A
0N/A # make a local copy of the minifedora
0N/A echo -n "Copying rootfs to $rootfs_path ..."
0N/A #cp -a $cache/rootfs-$arch $rootfs_path || return 1
0N/A # i prefer rsync (no reason really)
0N/A mkdir -p $rootfs_path
0N/A rsync -Ha $cache/rootfs/ $rootfs_path/
0N/A return 0
0N/A}
0N/A
0N/Aupdate_fedora()
0N/A{
0N/A YUM="yum --installroot $cache/rootfs -y --nogpgcheck"
0N/A $YUM update
0N/A}
0N/A
0N/Ainstall_fedora()
0N/A{
0N/A mkdir -p @LOCALSTATEDIR@/lock/subsys/
0N/A (
0N/A flock -x 200
0N/A if [ $? -ne 0 ]; then
0N/A echo "Cache repository is busy."
0N/A return 1
0N/A fi
0N/A
0N/A echo "Checking cache download in $cache/rootfs ... "
0N/A if [ ! -e "$cache/rootfs" ]; then
0N/A download_fedora
0N/A if [ $? -ne 0 ]; then
0N/A echo "Failed to download 'fedora base'"
0N/A return 1
0N/A fi
0N/A else
0N/A echo "Cache found. Updating..."
0N/A update_fedora
0N/A if [ $? -ne 0 ]; then
0N/A echo "Failed to update 'fedora base', continuing with last known good cache"
0N/A else
97N/A echo "Update finished"
97N/A fi
0N/A fi
0N/A
0N/A echo "Copy $cache/rootfs to $rootfs_path ... "
0N/A copy_fedora
0N/A if [ $? -ne 0 ]; then
0N/A echo "Failed to copy rootfs"
0N/A return 1
0N/A fi
0N/A
0N/A return 0
0N/A ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
0N/A
0N/A return $?
0N/A}
0N/A
0N/Acopy_configuration()
0N/A{
0N/A
0N/A mkdir -p $config_path
0N/A grep -q "^lxc.rootfs" $config_path/config 2>/dev/null || echo "lxc.rootfs = $rootfs_path" >> $config_path/config
0N/A cat <<EOF >> $config_path/config
0N/Alxc.utsname = $utsname
0N/Alxc.tty = 4
0N/Alxc.pts = 1024
0N/Alxc.mount = $config_path/fstab
0N/Alxc.cap.drop = sys_module mac_admin mac_override sys_time
0N/A
0N/Alxc.autodev = $auto_dev
0N/A
0N/A# When using LXC with apparmor, uncomment the next line to run unconfined:
0N/A#lxc.aa_profile = unconfined
0N/A
0N/A#cgroups
97N/Alxc.cgroup.devices.deny = a
0N/A# /dev/null and zero
0N/Alxc.cgroup.devices.allow = c 1:3 rwm
0N/Alxc.cgroup.devices.allow = c 1:5 rwm
0N/A# consoles
0N/Alxc.cgroup.devices.allow = c 5:1 rwm
0N/Alxc.cgroup.devices.allow = c 5:0 rwm
0N/Alxc.cgroup.devices.allow = c 4:0 rwm
0N/Alxc.cgroup.devices.allow = c 4:1 rwm
0N/A# /dev/{,u}random
0N/Alxc.cgroup.devices.allow = c 1:9 rwm
0N/Alxc.cgroup.devices.allow = c 1:8 rwm
0N/Alxc.cgroup.devices.allow = c 136:* rwm
0N/Alxc.cgroup.devices.allow = c 5:2 rwm
0N/A# rtc
0N/Alxc.cgroup.devices.allow = c 254:0 rm
0N/AEOF
0N/A
0N/A cat <<EOF > $config_path/fstab
0N/Aproc proc proc nodev,noexec,nosuid 0 0
0N/Asysfs sys sysfs defaults 0 0
0N/AEOF
0N/A if [ $? -ne 0 ]; then
58N/A echo "Failed to add configuration"
0N/A return 1
0N/A fi
0N/A
0N/A return 0
0N/A}
0N/A
0N/Aclean()
58N/A{
58N/A
0N/A if [ ! -e $cache ]; then
0N/A exit 0
0N/A fi
0N/A
0N/A # lock, so we won't purge while someone is creating a repository
0N/A (
0N/A flock -x 200
0N/A if [ $? != 0 ]; then
0N/A echo "Cache repository is busy."
0N/A exit 1
0N/A fi
0N/A
66N/A echo -n "Purging the download cache for Fedora-$release..."
0N/A rm --preserve-root --one-file-system -rf $cache && echo "Done." || exit 1
0N/A exit 0
0N/A ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-fedora
0N/A}
58N/A
0N/Ausage()
0N/A{
cat <<EOF
usage:
$1 -n|--name=<container_name>
[-p|--path=<path>] [-c|--clean] [-R|--release=<Fedora_release>] [--fqdn=<network name of container>] [-A|--arch=<arch of the container>]
[-h|--help]
Mandatory args:
-n,--name container name, used to as an identifier for that container from now on
Optional args:
-p,--path path to where the container will be created, defaults to @LXCPATH@. The container config will go under @LXCPATH@ in that case
--rootfs path for actual rootfs.
-c,--clean clean the cache
-R,--release Fedora release for the new container. if the host is Fedora, then it will default to the host's release.
--fqdn fully qualified domain name (FQDN) for DNS and system naming
-A,--arch NOT USED YET. Define what arch the container will be [i686,x86_64]
-h,--help print this help
EOF
return 0
}
options=$(getopt -o hp:n:cR: -l help,path:,rootfs:,name:,clean,release:,fqdn: -- "$@")
if [ $? -ne 0 ]; then
usage $(basename $0)
exit 1
fi
eval set -- "$options"
while true
do
case "$1" in
-h|--help) usage $0 && exit 0;;
-p|--path) path=$2; shift 2;;
--rootfs) rootfs=$2; shift 2;;
-n|--name) name=$2; shift 2;;
-c|--clean) clean=$2; shift 2;;
-R|--release) release=$2; shift 2;;
--fqdn) utsname=$2; shift 2;;
--) shift 1; break ;;
*) break ;;
esac
done
if [ ! -z "$clean" -a -z "$path" ]; then
clean || exit 1
exit 0
fi
if [ -z "${utsname}" ]; then
utsname=${name}
fi
# This follows a standard "resolver" convention that an FQDN must have
# at least two dots or it is considered a local relative host name.
# If it doesn't, append the dns domain name of the host system.
#
# This changes one significant behavior when running
# "lxc_create -n Container_Name" without using the
# --fqdn option.
#
# Old behavior:
# utsname and hostname = Container_Name
# New behavior:
# utsname and hostname = Container_Name.Domain_Name
if [ $(expr "$utsname" : '.*\..*\.') = 0 ]; then
if [ -n "$(dnsdomainname)" ]; then
utsname=${utsname}.$(dnsdomainname)
fi
fi
needed_pkgs=""
type yum >/dev/null 2>&1
if [ $? -ne 0 ]; then
needed_pkgs="yum $needed_pkgs"
fi
type curl >/dev/null 2>&1
if [ $? -ne 0 ]; then
needed_pkgs="curl $needed_pkgs"
fi
if [ -n "$needed_pkgs" ]; then
echo "Missing commands: $needed_pkgs"
echo "Please install these using \"sudo yum install $needed_pkgs\""
exit 1
fi
if [ -z "$path" ]; then
path=$default_path/$name
fi
if [ -z "$release" ]; then
if [ "$is_fedora" -a "$fedora_host_ver" ]; then
release=$fedora_host_ver
else
echo "This is not a fedora host and release missing, defaulting to 18. use -R|--release to specify release"
release=18
fi
fi
# Fedora 15 and above run systemd. We need autodev enabled to keep
# systemd from causing problems.
if [ $release -gt 14 ]; then
auto_dev="1"
else
auto_dev="0"
fi
if [ "$(id -u)" != "0" ]; then
echo "This script should be run as 'root'"
exit 1
fi
if [ -z "$rootfs_path" ]; then
rootfs_path=$path/rootfs
# check for 'lxc.rootfs' passed in through default config by lxc-create
if grep -q '^lxc.rootfs' $path/config 2>/dev/null ; then
rootfs_path=`grep 'lxc.rootfs =' $path/config | awk -F= '{ print $2 }'`
fi
fi
config_path=$default_path/$name
cache=$cache_base/$release
revert()
{
echo "Interrupted, so cleaning up"
lxc-destroy -n $name
# maybe was interrupted before copy config
rm -rf $path
rm -rf $default_path/$name
echo "exiting..."
exit 1
}
trap revert SIGHUP SIGINT SIGTERM
copy_configuration
if [ $? -ne 0 ]; then
echo "failed write configuration file"
exit 1
fi
install_fedora
if [ $? -ne 0 ]; then
echo "failed to install fedora"
exit 1
fi
configure_fedora
if [ $? -ne 0 ]; then
echo "failed to configure fedora for a container"
exit 1
fi
# If the systemd configuration directory exists - set it up for what we need.
if [ -d ${rootfs_path}/etc/systemd/system ]
then
configure_fedora_systemd
fi
# This configuration (rc.sysinit) is not inconsistent with the systemd stuff
# above and may actually coexist on some upgraded systems. Let's just make
# sure that, if it exists, we update this file, even if it's not used...
if [ -f ${rootfs_path}/etc/rc.sysinit ]
then
configure_fedora_init
fi
if [ ! -z $clean ]; then
clean || exit 1
exit 0
fi
echo "container rootfs and config created"