3 # lxc template for debootstrapping in userns
6 # Brett Parker <iDunno@sommitrealweird.co.uk>
8 # This library is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU Lesser General Public
10 # License as published by the Free Software Foundation; either
11 # version 2.1 of the License, or (at your option) any later version.
13 # This library is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 # Lesser General Public License for more details.
18 # You should have received a copy of the GNU Lesser General Public
19 # License along with this library; if not, write to the Free Software
20 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
24 # Only support usage in userns.
26 [ "$arg" = "--" ] && break
27 if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
32 if [ "$MAPPED" == "no" ]; then
33 echo "This template can only be used for unprivileged containers." 1>&2
34 echo "You might want the \"debian\" template instead." 1>&2
41 # Make sure the usual locations are in PATH
42 export PATH=/usr/sbin:/usr/bin:/sbin:/bin:$PATH
43 export GREP_OPTIONS=""
47 LXC debootstrap in user namespace for unprivileged containers
50 [ -h | --help ]: Print this help message and exit.
53 [ -r | --release <release> ]: The debian release, e.g. jessie or stretch.
56 [ -m | --mirror <mirrorurl> ]: The debian mirror to user
57 [ -n | --network <networkspec> ]: How to configure networking
63 dhcp4: v4 dhcp will be enabled.
64 dhcp6: v6 dhcp will be enabled.
65 dhcp: v4 and v6 dhcp will be enabled.
66 static: no dhcp will be enabled
69 this is a , seperated list, and sets up static assignments for v4 or v6,
71 The order of arguments is
72 staticv4/staticnetmask
73 staticv6/staticv6netmask
79 --network dhcp4 (default)
80 --network dhcp6 (v6 dhcp)
81 --network dhcp (v4 and v6 dhcp)
82 --network dhcp4,,2001:db8:1234:5678::1/64 (dhcp4 and static v6 address)
83 --network static,,2001:db8:1234:5678::5/64,,fe80::1 (static v6)
84 --network static,192.0.2.15/24,,192.0.2.1 (static v4)
90 options=$(getopt -o r:m:n:h -l release:,mirror:,network:,help,mapped-uid:,mapped-gid:,name:,path:,rootfs: -- "$@")
97 eval set -- "$options"
99 DEBIAN_MIRROR_DEFAULT="http://mirror.sommitrealweird.co.uk/debian/"
100 DEBIAN_MIRROR=$DEBIAN_MIRROR_DEFAULT
101 DEBIAN_RELEASE="jessie"
104 disable_initscripts() {
105 cat <<EOF > "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
110 chmod 755 "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
113 enable_initscripts() {
114 if [ -e "${LXC_ROOTFS}/usr/sbin/policy-rc.d" ]; then
115 rm "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
121 -h|--help) usage && exit 1;;
122 -r|--release) DEBIAN_RELEASE="$2"; shift 2;;
123 -m|--mirror) DEBIAN_MIRROR="$2"; shift 2;;
124 -n|--network) NETWORK_CONFIG="$2"; shift 2;;
125 --mapped-uid) MAPPED_UID="$2"; shift 2;;
126 --mapped-gid) MAPPED_GID="$2"; shift 2;;
127 --name) LXC_NAME="$2"; shift 2;;
128 --path) LXC_PATH="$2"; shift 2;;
129 --rootfs) LXC_ROOTFS="$2"; shift 2;;
134 if [ "$DEBIAN_RELEASE" == "squeeze" ] || [ "$DEBIAN_RELEASE" == "lenny" ] || [ "$DEBIAN_RELEASE" == "etch" ]; then
135 if [ "$DEBIAN_MIRROR" == "$DEBIAN_MIRROR_DEFAULT" ]; then
136 DEBIAN_MIRROR="http://archive.debian.org/debian/"
140 INTERFACE_DEFAULTS="auto eth0
141 iface eth0 inet dhcp"
143 generate_network_config() {
144 if [ "$NETWORK_CONFIG" == "" ]; then
145 echo "$INTERFACE_DEFAULTS"
149 ETH0_HEADER="auto eth0"
154 # see if there's a type
155 network_type=${NETWORK_CONFIG/,*}
156 other_params=${NETWORK_CONFIG#*,}
161 if [ "$network_type" == "dhcp" ]; then
162 ETH0_IPV4="iface eth0 inet dhcp"
163 ETH0_IPV6="iface eth0 inet6 dhcp"
166 elif [ "$network_type" == "dhcp4" ]; then
167 ETH0_IPV4="iface eth0 inet dhcp"
169 elif [ "$network_type" == "dhcp6" ]; then
170 ETH0_IPV6="iface eth0 inet6 dhcp"
172 elif [ "$network_type" != "static" ]; then
173 echo "Unknown network type: $network_type" 1>&2
179 [ "$network_type" == "$other_params" ] && return 0
181 v4_static=${other_params/,*}
182 other_params=${other_params#*,}
184 if [ "$v4_static" != "" ]; then
185 if [ "$v4_configured" == "yes" ]; then
186 echo "Both v4 DHCP and Static - giving up." 1>&2
193 if [ "$v4_static" == "$other_params" ]; then
194 if [ "$v4_static" != "" ]; then
195 echo "iface eth0 inet static"
196 echo " address $v4_static"
200 v6_static=${other_params/,*}
201 other_params=${other_params#*,}
203 if [ "$v6_static" != "" ]; then
204 if [ "$v6_configured" == "yes" ]; then
205 echo "Both v6 DHCP and Static - giving up." 1>&2
212 if [ "$v6_static" == "$other_params" ]; then
213 if [ "$v4_static" ]; then
214 echo "iface eth0 inet static"
215 echo " address $v4_static"
219 echo "iface eth0 inet6 static"
220 echo " address $v6_static"
225 v4_gateway=${other_params/,*}
226 other_params=${other_params#*,}
228 if [ "$v4_gateway" == "$other_params" ]; then
229 if [ "$v4_static" != "" ]; then
230 echo "iface eth0 inet static"
231 echo " address $v4_static"
232 [ "$v4_gateway" != "" ] && echo " gateway $v4_gateway"
234 if [ "$v6_static" != "" ]; then
235 echo "iface eth0 inet6 static"
236 echo " address $v6_static"
242 if [ "$v4_configured" == "yes" ]; then
243 echo "DHCP and static gateway not supported, giving up." 1>&2
250 v6_gateway=${other_params/,*}
252 if [ "$v4_static" != "" ]; then
253 echo "iface eth0 inet static"
254 echo " address $v4_static"
255 [ "$v4_gateway" != "" ] && echo " gateway $v4_gateway"
259 if [ "$v6_static" != "" ]; then
260 echo "iface eth0 inet6 static"
261 echo " address $v6_static"
262 [ "$v6_gateway" != "" ] && echo " gateway $v6_gateway"
268 INTERFACE_DETAILS="$(generate_network_config)"
270 # rewrite the default config file
272 sed -i -e "/lxc./{w ${LXC_PATH}/config-auto" -e "d}" "${LXC_PATH}/config"
273 sed -i -e '4,$d' "${LXC_PATH}/config"
275 cat <<EOF >> "${LXC_PATH}/config"
278 lxc.include = /usr/share/lxc/config/debian.common.conf
279 lxc.include = /usr/share/lxc/config/debian.userns.conf
282 lxc.uts.name = $LXC_NAME
284 # Automatic configuration
287 # add back in the auto foo
288 cat "${LXC_PATH}/config-auto" >> "${LXC_PATH}/config"
289 rm "${LXC_PATH}/config-auto"
291 mkdir "${LXC_PATH}/bin"
292 cat <<EOF > "${LXC_PATH}/bin/mknod"
295 # look for the first argument that looks like a path
306 chmod 755 "${LXC_PATH}/bin/mknod"
308 export PATH="${LXC_PATH}/bin:$PATH"
310 DEBOOTSTRAPOPTIONS=""
311 STANDARDPACKAGES="debian-archive-keyring,ifupdown,isc-dhcp-client,locales,openssh-server"
313 if [ "$DEBIAN_RELEASE" == "squeeze" ] || [ "$DEBIAN_RELEASE" == "lenny" ] || [ "$DEBIAN_RELEASE" == "etch" ]; then
314 DEBOOTSTRAPOPTIONS="--no-check-gpg"
317 if [ "$DEBIAN_RELEASE" == "lenny" ] || [ "$DEBIAN_RELEASE" == "etch" ]; then
318 STANDARDPACKAGES="debian-archive-keyring,ifupdown,locales,openssh-server"
321 debootstrap $DEBOOTSTRAPOPTIONS --foreign --include "${STANDARDPACKAGES}" $DEBIAN_RELEASE "${LXC_ROOTFS}" $DEBIAN_MIRROR
323 echo "DEBOOTSTRAP STAGE 1 COMPLETE"
325 # now totally skip that check in the new root, because it sucks.
326 sed -i -e 's#check_sane_mount () {#check_sane_mount () {\n\treturn 0#;' "${LXC_ROOTFS}/debootstrap/functions"
328 # and stop it from bothering to try to setup proc
329 sed -i -e 's#setup_proc () {#setup_proc () {\n\treturn 0#;' "${LXC_ROOTFS}/debootstrap/functions"
331 keyring_dpkg=$(sed -ne "/^debian-archive-keyring/ { s#.* ##; p; }" "${LXC_ROOTFS}/debootstrap/debpaths")
332 # and unpack debian-archive-keyring, because we'll need that
333 (cd "${LXC_ROOTFS}" && dpkg-deb -x ".$keyring_dpkg" .)
335 # replace the tar containing devices with something that doesn't contain any
336 if [ -e "$LXC_ROOTFS/debootstrap/devices.tar.gz" ]; then
337 (cd "$LXC_ROOTFS/debootstrap" && rm devices.tar.gz && tar czvf devices.tar.gz --files-from=/dev/null)
340 # if squeeze, which is totally out of date, then ignore release file expired
341 if [ "$DEBIAN_RELEASE" == "squeeze" ]; then
342 echo 'Acquire::Check-Valid-Until "0";' > ${LXC_ROOTFS}/etc/apt/apt.conf.d/squeeze.conf
345 # and mount a shedload of things for fun and profit...
346 for file in /var/lib/lxcfs/proc/*; do
347 fname="$(basename $file)"
348 touch "${LXC_ROOTFS}/proc/$fname"
349 mount -n -o bind "$file" "${LXC_ROOTFS}/proc/$fname"
352 for dev in null random urandom; do
353 touch "${LXC_ROOTFS}/dev/$dev"
354 mount -n -o bind /dev/$dev "${LXC_ROOTFS}/dev/$dev"
357 # set /proc/cmdline to something
358 echo "debootstrapping" > "${LXC_ROOTFS}/proc/cmdline"
360 # and disable initscripts
363 # and run the second stage
364 chroot "${LXC_ROOTFS}" /debootstrap/debootstrap --second-stage
366 # make sure that initscripts are still disabled
372 if [ ! -z "$LANG" ]; then
377 cat >> "${LXC_ROOTFS}/etc/locale.gen" <<EOF
381 chroot "${LXC_ROOTFS}" /usr/sbin/locale-gen $lang $enc
382 chroot "${LXC_ROOTFS}" /usr/sbin/update-locale LANG=$LANG
385 if [ -f /etc/timezone ]; then
386 cat /etc/timezone > "${LXC_ROOTFS}/etc/timezone"
387 elif [ -f /etc/sysconfig/clock ]; then
388 . /etc/sysconfig/clock
389 echo $ZONE > "${LXC_ROOTFS}/etc/timezone"
391 chroot "${LXC_ROOTFS}" dpkg-reconfigure -f noninteractive tzdata
394 NETWORK_FILE=/etc/network/interfaces
395 if [ -e "${LXC_ROOTFS}/etc/network/interfaces.d" ]; then
396 NETWORK_FILE=/etc/network/interfaces.d/eth0
399 # remove some interesting breakages in pam for unpriv foo
400 sed -i -e 's#^\(session.*required.*pam_loginuid.so\)#\#\1#;' "${LXC_ROOTFS}"/etc/pam.d/*
403 echo $LXC_NAME > "${LXC_ROOTFS}/etc/hostname"
406 if [ "$DEBIAN_RELEASE" != "sid" ] && [ "$DEBIAN_RELEASE" != "unstable" ]; then
407 SECURITY="deb http://security.debian.org/ $DEBIAN_RELEASE/updates main"
410 if [ "$DEBIAN_RELEASE" == "squeeze" ]; then
411 SECURITY="deb http://archive.debian.org/debian/ squeeze-lts main"
414 if [ "$DEBIAN_RELEASE" == "lenny" ] || [ "$DEBIAN_RELEASE" == "etch" ]; then
419 cat <<EOF > "${LXC_ROOTFS}/etc/apt/sources.list"
420 deb $DEBIAN_MIRROR $DEBIAN_RELEASE main
424 # disable bits of systemd / initrd that break things
425 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f checkroot.sh disable > /dev/null 2>&1 || true
426 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f umountfs disable > /dev/null 2>&1 || true
427 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclock.sh disable > /dev/null 2>&1 || true
428 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclockfirst.sh disable > /dev/null 2>&1 || true
430 if [ -e "${LXC_ROOTFS}/etc/systemd/system/" ]; then
431 touch "${LXC_ROOTFS}/etc/systemd/system/systemd-setup-dgram-qlen.service"
432 touch "${LXC_ROOTFS}/etc/systemd/system/dev-hugepages.mount"
433 touch "${LXC_ROOTFS}/etc/systemd/system/udev.service"
434 touch "${LXC_ROOTFS}/etc/systemd/system/systemd-udevd.service"
435 chroot "${LXC_ROOTFS}" systemctl set-default multi-user.target || true
436 chroot "${LXC_ROOTFS}" ln -s /lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
439 if [ -e "${LXC_ROOTFS}/lib/systemd/system/systemd-journald-audit.socket" ]; then
440 touch "${LXC_ROOTFS}/etc/systemd/system/systemd-journald-audit.socket"
443 echo "$INTERFACE_DETAILS" >> "${LXC_ROOTFS}${NETWORK_FILE}"
445 # and update to the latest security
446 chroot "${LXC_ROOTFS}" apt-get update
447 chroot "${LXC_ROOTFS}" apt-get -y upgrade
449 # if we're all good here, unmount things and clean up
450 [ -e "${LXC_ROOTFS}/usr/sbin/policy-rc.d" ] && rm "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
451 rm "${LXC_ROOTFS}/proc/cmdline"
453 for dev in null random urandom; do
454 umount "${LXC_ROOTFS}/dev/$dev"
455 rm "${LXC_ROOTFS}/dev/$dev"
458 for file in /var/lib/lxcfs/proc/*; do
459 fname="$(basename $file)"
460 umount "${LXC_ROOTFS}/proc/$fname"
461 rm "${LXC_ROOTFS}/proc/$fname"
466 rm -r "${LXC_PATH}/bin"
470 You have successfully created a new debian container, ${LXC_NAME} running ${DEBIAN_RELEASE}.
472 You should start the new container, and use:
474 lxc-attach -n ${LXC_NAME} -- su -
476 To create a user account / set the root password.
478 Note, by default, it's likely only to be the console that can login as root, so that'd be:
480 lxc-console -n ${LXC_NAME} -t 0