lxc-ubuntu-cloud.in revision 65d8ae9c4a66f5ca85289c02dc06d63261c84619
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser# template script for generating ubuntu container for LXC based on released
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser# cloud images.
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# Copyright © 2012 Serge Hallyn <serge.hallyn@canonical.com>
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# This program is free software; you can redistribute it and/or modify
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# it under the terms of the GNU General Public License version 2, as
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# published by the Free Software Foundation.
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# This program is distributed in the hope that it will be useful,
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# but WITHOUT ANY WARRANTY; without even the implied warranty of
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# GNU General Public License for more details.
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# You should have received a copy of the GNU General Public License along
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# with this program; if not, write to the Free Software Foundation, Inc.,
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn [ -e /proc/self/uid_map ] || { echo no; return; }
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || { echo yes; return; }
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map)
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn [ "$line" = "0 0 4294967295" ] && { echo no; return; }
4759162d078d86628956cae4846c6efccf548e67Serge Hallyn # if there is exactly one veth network entry, make sure it has an
4759162d078d86628956cae4846c6efccf548e67Serge Hallyn nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l`
4759162d078d86628956cae4846c6efccf548e67Serge Hallyn if [ $nics -eq 1 ]; then
daaf41b36790bdaae855048e56ed090b17a77c97Stéphane Graber grep -q "^lxc.network.hwaddr" $path/config || sed -i -e "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config
1881820ae4ff9004beef1bf7f04553580840441dSerge Hallyn grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config
daaf41b36790bdaae855048e56ed090b17a77c97Stéphane Graberlxc.mount = $path/fstab
daaf41b36790bdaae855048e56ed090b17a77c97Stéphane Graberlxc.pivotdir = lxc_putold
daaf41b36790bdaae855048e56ed090b17a77c97Stéphane Graberlxc.devttydir =$ttydir
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.pts = 1024
daaf41b36790bdaae855048e56ed090b17a77c97Stéphane Graberlxc.utsname = $name
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.arch = $arch
eee3ba81c88e64b8a732694fc4843a39d5bde491Serge Hallynlxc.cap.drop = sys_module mac_admin mac_override sys_time
f02ce27d4b1a9d01b88d0ffaf626e5bafa671bf0Stéphane Graber# When using LXC with apparmor, uncomment the next line to run unconfined:
f02ce27d4b1a9d01b88d0ffaf626e5bafa671bf0Stéphane Graber#lxc.aa_profile = unconfined
b85ab7989ebe24629267048cb269b278eeb50490Serge Hallyn# To support container nesting on an Ubuntu host, uncomment next two lines:
b85ab7989ebe24629267048cb269b278eeb50490Serge Hallyn#lxc.aa_profile = lxc-container-default-with-nesting
b85ab7989ebe24629267048cb269b278eeb50490Serge Hallyn#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moserlxc.hook.clone = ${CLONE_HOOK_FN}
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.deny = a
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# Allow any mknod (but not using the node)
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.allow = c *:* m
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.allow = b *:* m
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# /dev/null and zero
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.allow = c 1:3 rwm
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.allow = c 1:5 rwm
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.allow = c 5:1 rwm
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.allow = c 5:0 rwm
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# /dev/{,u}random
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.allow = c 1:9 rwm
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.allow = c 1:8 rwm
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.allow = c 136:* rwm
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.allow = c 5:2 rwm
eee3ba81c88e64b8a732694fc4843a39d5bde491Serge Hallynlxc.cgroup.devices.allow = c 254:0 rm
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.allow = c 10:229 rwm
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.allow = c 10:200 rwm
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.allow = c 1:7 rwm
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.allow = c 10:228 rwm
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynlxc.cgroup.devices.allow = c 10:232 rwm
80a881b232b8955b85b360d4def99e6e680ff61bSerge Hallynproc proc proc nodev,noexec,nosuid 0 0
80a881b232b8955b85b360d4def99e6e680ff61bSerge Hallynsysfs sys sysfs defaults 0 0
6f259716e75552cf46ee5125bdbd21e34456d0c0Serge Hallyn/sys/fs/fuse/connections sys/fs/fuse/connections none bind 0 0
6f259716e75552cf46ee5125bdbd21e34456d0c0Serge Hallyn/sys/kernel/debug sys/kernel/debug none bind 0 0
6f259716e75552cf46ee5125bdbd21e34456d0c0Serge Hallyn/sys/kernel/security sys/kernel/security none bind 0 0
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn # unprivileged user can't mknod these. One day we may allow
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn # that in the kernel, but not right now. So let's just bind
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn if [ $in_userns -eq 1 ]; then
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn echo "/dev/$dev dev/$dev none bind 0 0" >> $path/fstab
542939c31bb73bab55f2fd71243b98f5559597d1Stéphane Graber # rmdir /dev/shm for containers that have /run/shm
42ff5f0f8767114d060f5031055038a1a1c3759aSerge Hallyn # I'm afraid of doing rm -rf $rootfs/dev/shm, in case it did
42ff5f0f8767114d060f5031055038a1a1c3759aSerge Hallyn # get bind mounted to the host's /run/shm. So try to rmdir
42ff5f0f8767114d060f5031055038a1a1c3759aSerge Hallyn # it, and in case that fails move it out of the way.
542939c31bb73bab55f2fd71243b98f5559597d1Stéphane Graber if [ ! -L $rootfs/dev/shm ] && [ -d $rootfs/run/shm ] && [ -e $rootfs/dev/shm ]; then
4759162d078d86628956cae4846c6efccf548e67Serge HallynLXC Container configuration for Ubuntu Cloud images.
4759162d078d86628956cae4846c6efccf548e67Serge HallynGeneric Options
4759162d078d86628956cae4846c6efccf548e67Serge Hallyn[ -r | --release <release> ]: Release name of container, defaults to host
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallyn[ --rootfs <path> ]: Path in which rootfs will be placed
4759162d078d86628956cae4846c6efccf548e67Serge Hallyn[ -a | --arch ]: Arhcitecture of container, defaults to host arcitecture
4759162d078d86628956cae4846c6efccf548e67Serge Hallyn[ -T | --tarball ]: Location of tarball
52c8f624b5f9ef665f33a7aa80e0aa18b91daa4aSerge Hallyn[ -d | --debug ]: Run with 'set -x' to debug errors
427bffc7a10c9015dc78ef52543f7b8cb9414359Serge Hallyn[ -s | --stream]: Use specified stream rather than 'released'
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott MoserAdditionally, clone hooks can be passed through (ie, --userdata). For those,
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser $CLONE_HOOK_FN --help
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallynoptions=$(getopt -o a:hp:r:n:Fi:CLS:T:ds:u: -l arch:,help,rootfs:,path:,release:,name:,flush-cache,hostid:,auth-key:,cloud,no_locales,tarball:,debug,stream:,userdata: -- "$@")
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser# default release is precise, or the systems release if recognized
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser rels=$(ubuntu-distro-info --supported 2>/dev/null) ||
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser rels="lucid natty oneiric precise quantal raring saucy"
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# Code taken from debootstrap
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynif [ -x /usr/bin/dpkg ] && /usr/bin/dpkg --print-architecture >/dev/null 2>&1; then
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynelif type udpkg >/dev/null 2>&1 && udpkg --print-architecture >/dev/null 2>&1; then
3eecde703e9ac3af788ac17357f378d6b6d7c658Serge Hallyn # note: arm images don't exist before oneiric; are called armhf in
b8bced69a80a8be95fdbbb6b4e9ad7fa85464b1eSerge Hallyn # precise and later; and are not supported by the query, so we don't actually
3eecde703e9ac3af788ac17357f378d6b6d7c658Serge Hallyn # support them yet (see check later on). When Query2 is available,
3eecde703e9ac3af788ac17357f378d6b6d7c658Serge Hallyn # we'll use that to enable arm images.
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser -L|--no?locales) cloneargs[${#cloneargs[@]}]="--no-locales"; shift 1;;
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser -i|--hostid) cloneargs[${#cloneargs[@]}]="--hostid=$2"; shift 2;;
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser -u|--userdata) cloneargs[${#cloneargs[@]}]="--userdata=$2"; shift 2;;
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser -C|--cloud) cloneargs[${#cloneargs[@]}]="--cloud"; shift 1;;
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser -S|--auth-key) cloneargs[${#cloneargs[@]}]="--auth-key=$2"; shift 2;;
4759162d078d86628956cae4846c6efccf548e67Serge Hallyn --) shift 1; break ;;
8a63c0a9d9089e6365e5a696455476febed39d6aStéphane Graberif [ $arch != "i386" -a $arch != "amd64" -a $arch != "armhf" -a $arch != "armel" ]; then
8a63c0a9d9089e6365e5a696455476febed39d6aStéphane Graber echo "Only i386, amd64, armel and armhf are supported by the ubuntu cloud template."
8a63c0a9d9089e6365e5a696455476febed39d6aStéphane Graberif [ $hostarch != "i386" -a $hostarch != "amd64" -a $hostarch != "armhf" -a $hostarch != "armel" ]; then
8a63c0a9d9089e6365e5a696455476febed39d6aStéphane Graber echo "Only i386, amd64, armel and armhf are supported as host."
8a63c0a9d9089e6365e5a696455476febed39d6aStéphane Graberif [ $hostarch = "amd64" -a $arch != "amd64" -a $arch != "i386" ]; then
8a63c0a9d9089e6365e5a696455476febed39d6aStéphane Graber echo "can't create $arch container on $hostarch"
8a63c0a9d9089e6365e5a696455476febed39d6aStéphane Graberif [ $hostarch = "i386" -a $arch != "i386" ]; then
8a63c0a9d9089e6365e5a696455476febed39d6aStéphane Graber echo "can't create $arch container on $hostarch"
8a63c0a9d9089e6365e5a696455476febed39d6aStéphane Graberif [ $hostarch = "armhf" -o $hostarch = "armel" ] && \
8a63c0a9d9089e6365e5a696455476febed39d6aStéphane Graber [ $arch != "armhf" -a $arch != "armel" ]; then
8a63c0a9d9089e6365e5a696455476febed39d6aStéphane Graber echo "can't create $arch container on $hostarch"
427bffc7a10c9015dc78ef52543f7b8cb9414359Serge Hallynif [ "$stream" != "daily" -a "$stream" != "released" ]; then
427bffc7a10c9015dc78ef52543f7b8cb9414359Serge Hallyn echo "Only 'daily' and 'released' streams are supported"
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynif [ -z "$path" ]; then
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn echo "'path' parameter is required"
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn echo "This script should be run as 'root'"
1881820ae4ff9004beef1bf7f04553580840441dSerge Hallyn# detect rootfs
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallynif [ -z "$rootfs" ]; then
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallyn if grep -q '^lxc.rootfs' $config 2>/dev/null ; then
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallyn rootfs=`grep 'lxc.rootfs =' $config | awk -F= '{ print $2 }'`
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# determine the url, tarball, and directory names
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# download if needed
4759162d078d86628956cae4846c6efccf548e67Serge Hallynif [ -n "$tarball" ]; then
b942e67226af9e690bd63ac440b99aedb6becbb3Scott Moser url1=`ubuntu-cloudimg-query $release $stream $arch --format "%{url}\n"`
3eecde703e9ac3af788ac17357f378d6b6d7c658Serge Hallyn# if the release doesn't have a *-rootfs.tar.gz, then create one from the
3eecde703e9ac3af788ac17357f378d6b6d7c658Serge Hallyn# cloudimg.tar.gz by extracting the .img, mounting it loopback, and creating
3eecde703e9ac3af788ac17357f378d6b6d7c658Serge Hallyn# a tarball from the mounted image.
3eecde703e9ac3af788ac17357f378d6b6d7c658Serge Hallyn if [ $flushcache -eq 1 -o ! -f $cache/$tarname ]; then
3eecde703e9ac3af788ac17357f378d6b6d7c658Serge Hallyn wget $url || { echo "Couldn't find cloud image $url."; exit 1; }
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn if [ $flushcache -eq 1 ]; then
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn if [ ! -f $filename ]; then
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallynif [ -n "$tarball" ]; then
42ff5f0f8767114d060f5031055038a1a1c3759aSerge Hallyncopy_configuration $path $rootfs $name $arch $release
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser"$CLONE_HOOK_FN" "${cloneargs[@]}" "$rootfs"
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynecho "Container $name created."
b942e67226af9e690bd63ac440b99aedb6becbb3Scott Moser# vi: ts=4 expandtab