]> git.sommitrealweird.co.uk Git - lxc-debian-unprivileged.git/blob - templates/lxc-debian-unprivileged
Quick fixups to unpriv'd debian template for newer lxc
[lxc-debian-unprivileged.git] / templates / lxc-debian-unprivileged
1 #!/bin/bash
2
3 # lxc template for debootstrapping in userns
4
5 # Authors:
6 # Brett Parker <iDunno@sommitrealweird.co.uk>
7
8 # This library is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU Lesser General Public
10 # License as published by the Free Software Foundation; either
11 # version 2.1 of the License, or (at your option) any later version.
12
13 # This library is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16 # Lesser General Public License for more details.
17
18 # You should have received a copy of the GNU Lesser General Public
19 # License along with this library; if not, write to the Free Software
20 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
21
22 MAPPED=no
23
24 # Only support usage in userns.
25 for arg in "$@"; do
26     [ "$arg" = "--" ] && break
27     if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
28         MAPPED=yes
29     fi
30 done
31
32 if [ "$MAPPED" == "no" ]; then
33     echo "This template can only be used for unprivileged containers." 1>&2
34     echo "You might want the \"debian\" template instead." 1>&2
35     exit 1
36 fi
37
38 set -e
39 set -u
40
41 # Make sure the usual locations are in PATH
42 export PATH=/usr/sbin:/usr/bin:/sbin:/bin:$PATH
43 export GREP_OPTIONS=""
44
45 usage() {
46     cat <<EOF
47 LXC debootstrap in user namespace for unprivileged containers
48
49 Special arguments:
50 [ -h | --help ]: Print this help message and exit.
51
52 Required arguments:
53 [ -r | --release <release> ]: The debian release, e.g. jessie or stretch.
54
55 Optional arguments:
56 [ -m | --mirror <mirrorurl> ]: The debian mirror to user
57 [ -n | --network <networkspec> ]: How to configure networking
58
59 Network spec:
60   <type>[,options]
61
62   type is one of:
63     dhcp4: v4 dhcp will be enabled.
64     dhcp6: v6 dhcp will be enabled.
65     dhcp: v4 and v6 dhcp will be enabled.
66     static: no dhcp will be enabled
67
68   options:
69     this is a , seperated list, and sets up static assignments for v4 or v6,
70     regardless of type.
71     The order of arguments is
72       staticv4/staticnetmask
73       staticv6/staticv6netmask
74       gateway
75       v6gateway
76
77   examples:
78
79     --network dhcp4 (default)
80     --network dhcp6 (v6 dhcp)
81     --network dhcp  (v4 and v6 dhcp)
82     --network dhcp4,,2001:db8:1234:5678::1/64 (dhcp4 and static v6 address)
83     --network static,,2001:db8:1234:5678::5/64,,fe80::1 (static v6)
84     --network static,192.0.2.15/24,,192.0.2.1 (static v4)
85
86 EOF
87     return 0
88 }
89
90 options=$(getopt -o r:m:n:h -l release:,mirror:,network:,help,mapped-uid:,mapped-gid:,name:,path:,rootfs: -- "$@")
91
92 if [ $? -ne 0 ]; then
93     usage
94     exit 1
95 fi
96
97 eval set -- "$options"
98
99 DEBIAN_MIRROR_DEFAULT="http://mirror.sommitrealweird.co.uk/debian/"
100 DEBIAN_MIRROR=$DEBIAN_MIRROR_DEFAULT
101 DEBIAN_RELEASE="jessie"
102 NETWORK_CONFIG=""
103
104 disable_initscripts() {
105     cat <<EOF > "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
106 #!/bin/sh
107
108 exit 101
109 EOF
110     chmod 755 "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
111 }
112
113 enable_initscripts() {
114     if [ -e "${LXC_ROOTFS}/usr/sbin/policy-rc.d" ]; then
115         rm "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
116     fi
117 }
118
119 while :; do
120     case "$1" in
121         -h|--help)      usage && exit 1;;
122         -r|--release)   DEBIAN_RELEASE="$2"; shift 2;;
123         -m|--mirror)    DEBIAN_MIRROR="$2"; shift 2;;
124         -n|--network)   NETWORK_CONFIG="$2"; shift 2;;
125         --mapped-uid)   MAPPED_UID="$2"; shift 2;;
126         --mapped-gid)   MAPPED_GID="$2"; shift 2;;
127         --name)         LXC_NAME="$2"; shift 2;;
128         --path)         LXC_PATH="$2"; shift 2;;
129         --rootfs)       LXC_ROOTFS="$2"; shift 2;;
130         *)              break;;
131     esac
132 done
133
134 if [ "$DEBIAN_RELEASE" == "squeeze" ] || [ "$DEBIAN_RELEASE" == "lenny" ] || [ "$DEBIAN_RELEASE" == "etch" ]; then
135     if [ "$DEBIAN_MIRROR" == "$DEBIAN_MIRROR_DEFAULT" ]; then
136         DEBIAN_MIRROR="http://archive.debian.org/debian/"
137     fi
138 fi
139
140 INTERFACE_DEFAULTS="auto eth0
141 iface eth0 inet dhcp"
142
143 generate_network_config() {
144     if [ "$NETWORK_CONFIG" == "" ]; then
145         echo "$INTERFACE_DEFAULTS"
146         return 0
147     fi
148
149     ETH0_HEADER="auto eth0"
150     ETH0_IPV4=""
151     ETH0_IPV6=""
152
153     echo "auto eth0"
154     # see if there's a type
155     network_type=${NETWORK_CONFIG/,*}
156     other_params=${NETWORK_CONFIG#*,}
157
158     v4_configured=no
159     v6_configured=no
160
161     if [ "$network_type" == "dhcp" ]; then
162         ETH0_IPV4="iface eth0 inet dhcp"
163         ETH0_IPV6="iface eth0 inet6 dhcp"
164         v4_configured=yes
165         v6_configured=yes
166     elif [ "$network_type" == "dhcp4" ]; then
167         ETH0_IPV4="iface eth0 inet dhcp"
168         v4_configured=yes
169     elif [ "$network_type" == "dhcp6" ]; then
170         ETH0_IPV6="iface eth0 inet6 dhcp"
171         v6_configured=yes
172     elif [ "$network_type" != "static" ]; then
173         echo "Unknown network type: $network_type" 1>&2
174         echo 1>&2
175         usage 1>&2
176         exit 1
177     fi
178
179     [ "$network_type" == "$other_params" ] && return 0
180
181     v4_static=${other_params/,*}
182     other_params=${other_params#*,}
183
184     if [ "$v4_static" != "" ]; then
185         if [ "$v4_configured" == "yes" ]; then
186             echo "Both v4 DHCP and Static - giving up." 1>&2
187             echo 1>&2
188             usage 1>&2
189             exit 1
190         fi
191     fi
192
193     if [ "$v4_static" == "$other_params" ]; then
194         if [ "$v4_static" != "" ]; then
195             echo "iface eth0 inet static"
196             echo "  address $v4_static"
197         fi
198     fi
199
200     v6_static=${other_params/,*}
201     other_params=${other_params#*,}
202
203     if [ "$v6_static" != "" ]; then
204         if [ "$v6_configured" == "yes" ]; then
205             echo "Both v6 DHCP and Static - giving up." 1>&2
206             echo 1>&2
207             usage 1>&2
208             exit 1
209         fi
210     fi
211
212     if [ "$v6_static" == "$other_params" ]; then
213         if [ "$v4_static" ]; then
214             echo "iface eth0 inet static"
215             echo "  address $v4_static"
216             echo
217         fi
218
219         echo "iface eth0 inet6 static"
220         echo "  address $v6_static"
221
222         return 0
223     fi
224
225     v4_gateway=${other_params/,*}
226     other_params=${other_params#*,}
227
228     if [ "$v4_gateway" == "$other_params" ]; then
229         if [ "$v4_static" != "" ]; then
230             echo "iface eth0 inet static"
231             echo "  address $v4_static"
232             [ "$v4_gateway" != "" ] && echo "  gateway $v4_gateway"
233
234             if [ "$v6_static" != "" ]; then
235                 echo "iface eth0 inet6 static"
236                 echo "  address $v6_static"
237             fi
238
239             return 0
240         fi
241
242         if [ "$v4_configured" == "yes" ]; then
243             echo "DHCP and static gateway not supported, giving up." 1>&2
244             echo 1>&2
245             usage 1>&2
246             exit 1
247         fi
248     fi
249
250     v6_gateway=${other_params/,*}
251
252     if [ "$v4_static" != "" ]; then
253         echo "iface eth0 inet static"
254         echo "  address $v4_static"
255         [ "$v4_gateway" != "" ] && echo "  gateway $v4_gateway"
256         echo
257     fi
258
259     if [ "$v6_static" != "" ]; then
260         echo "iface eth0 inet6 static"
261         echo "  address $v6_static"
262         [ "$v6_gateway" != "" ] && echo "  gateway $v6_gateway"
263     fi
264
265     return 0
266 }
267
268 INTERFACE_DETAILS="$(generate_network_config)"
269
270 # rewrite the default config file
271
272 sed -i -e "/lxc./{w ${LXC_PATH}/config-auto" -e "d}" "${LXC_PATH}/config"
273 sed -i -e '4,$d' "${LXC_PATH}/config"
274
275 cat <<EOF >> "${LXC_PATH}/config"
276
277 # Useful includes
278 lxc.include = /usr/share/lxc/config/debian.common.conf
279 lxc.include = /usr/share/lxc/config/debian.userns.conf
280
281 # Set hostname
282 lxc.uts.name = $LXC_NAME
283
284 # Automatic configuration
285 EOF
286
287 # add back in the auto foo
288 cat "${LXC_PATH}/config-auto" >> "${LXC_PATH}/config"
289 rm "${LXC_PATH}/config-auto"
290
291 mkdir "${LXC_PATH}/bin"
292 cat <<EOF > "${LXC_PATH}/bin/mknod"
293 #!/bin/sh
294
295 # look for the first argument that looks like a path
296 for i do
297     case \$i in
298         /*)
299             exec touch "\$i"
300             ;;
301     esac
302 done
303
304 EOF
305
306 chmod 755 "${LXC_PATH}/bin/mknod"
307
308 export PATH="${LXC_PATH}/bin:$PATH"
309
310 DEBOOTSTRAPOPTIONS=""
311 STANDARDPACKAGES="debian-archive-keyring,ifupdown,isc-dhcp-client,locales,openssh-server"
312
313 if [ "$DEBIAN_RELEASE" == "squeeze" ] || [ "$DEBIAN_RELEASE" == "lenny" ] || [ "$DEBIAN_RELEASE" == "etch" ]; then
314     DEBOOTSTRAPOPTIONS="--no-check-gpg"
315 fi
316
317 if [ "$DEBIAN_RELEASE" == "lenny" ] || [ "$DEBIAN_RELEASE" == "etch" ]; then
318     STANDARDPACKAGES="debian-archive-keyring,ifupdown,locales,openssh-server"
319 fi
320
321 debootstrap $DEBOOTSTRAPOPTIONS --foreign --include "${STANDARDPACKAGES}" $DEBIAN_RELEASE "${LXC_ROOTFS}" $DEBIAN_MIRROR
322
323 echo "DEBOOTSTRAP STAGE 1 COMPLETE"
324
325 # now totally skip that check in the new root, because it sucks.
326 sed -i -e 's#check_sane_mount () {#check_sane_mount () {\n\treturn 0#;' "${LXC_ROOTFS}/debootstrap/functions"
327
328 # and stop it from bothering to try to setup proc
329 sed -i -e 's#setup_proc () {#setup_proc () {\n\treturn 0#;' "${LXC_ROOTFS}/debootstrap/functions"
330
331 keyring_dpkg=$(sed -ne "/^debian-archive-keyring/ { s#.* ##; p; }" "${LXC_ROOTFS}/debootstrap/debpaths")
332 # and unpack debian-archive-keyring, because we'll need that
333 (cd "${LXC_ROOTFS}" && dpkg-deb -x ".$keyring_dpkg" .)
334
335 # replace the tar containing devices with something that doesn't contain any
336 if [ -e "$LXC_ROOTFS/debootstrap/devices.tar.gz" ]; then
337     (cd "$LXC_ROOTFS/debootstrap" && rm devices.tar.gz && tar czvf devices.tar.gz --files-from=/dev/null)
338 fi
339
340 # if squeeze, which is totally out of date, then ignore release file expired
341 if [ "$DEBIAN_RELEASE" == "squeeze" ]; then
342     echo 'Acquire::Check-Valid-Until "0";' > ${LXC_ROOTFS}/etc/apt/apt.conf.d/squeeze.conf
343 fi
344
345 # and mount a shedload of things for fun and profit...
346 for file in /var/lib/lxcfs/proc/*; do
347     fname="$(basename $file)"
348     touch "${LXC_ROOTFS}/proc/$fname"
349     mount -n -o bind "$file" "${LXC_ROOTFS}/proc/$fname"
350 done
351
352 for dev in null random urandom; do
353     touch "${LXC_ROOTFS}/dev/$dev"
354     mount -n -o bind /dev/$dev "${LXC_ROOTFS}/dev/$dev"
355 done
356
357 # set /proc/cmdline to something
358 echo "debootstrapping" > "${LXC_ROOTFS}/proc/cmdline"
359
360 # and disable initscripts
361 disable_initscripts
362
363 # and run the second stage
364 chroot "${LXC_ROOTFS}" /debootstrap/debootstrap --second-stage
365
366 # make sure that initscripts are still disabled
367 disable_initscripts
368
369 # configure locales
370 lang=en_GB.UTF-8
371 enc=UTF-8
372 if [ ! -z "$LANG" ]; then
373     lang=${LANG}
374     enc=${LANG#*.}
375 fi
376
377 cat >> "${LXC_ROOTFS}/etc/locale.gen" <<EOF
378 $lang $enc
379 EOF
380
381 chroot "${LXC_ROOTFS}" /usr/sbin/locale-gen $lang $enc
382 chroot "${LXC_ROOTFS}" /usr/sbin/update-locale LANG=$LANG
383
384 # configure timezone
385 if [ -f /etc/timezone ]; then
386     cat /etc/timezone > "${LXC_ROOTFS}/etc/timezone"
387 elif [ -f /etc/sysconfig/clock ]; then
388     . /etc/sysconfig/clock
389     echo $ZONE > "${LXC_ROOTFS}/etc/timezone"
390 fi
391 chroot "${LXC_ROOTFS}" dpkg-reconfigure -f noninteractive tzdata
392
393 # "setup" networking
394 NETWORK_FILE=/etc/network/interfaces
395 if [ -e "${LXC_ROOTFS}/etc/network/interfaces.d" ]; then
396     NETWORK_FILE=/etc/network/interfaces.d/eth0
397 fi
398
399 # remove some interesting breakages in pam for unpriv foo
400 sed -i -e 's#^\(session.*required.*pam_loginuid.so\)#\#\1#;' "${LXC_ROOTFS}"/etc/pam.d/*
401
402 # set the hostname
403 echo $LXC_NAME > "${LXC_ROOTFS}/etc/hostname"
404
405 SECURITY=""
406 if [ "$DEBIAN_RELEASE" != "sid" ] && [ "$DEBIAN_RELEASE" != "unstable" ]; then
407     SECURITY="deb http://security.debian.org/ $DEBIAN_RELEASE/updates main"
408 fi
409
410 if [ "$DEBIAN_RELEASE" == "squeeze" ]; then
411     SECURITY="deb http://archive.debian.org/debian/ squeeze-lts main"
412 fi
413
414 if [ "$DEBIAN_RELEASE" == "lenny" ] || [ "$DEBIAN_RELEASE" == "etch" ]; then
415     SECURITY=""
416 fi
417
418 # setup sources.list
419 cat <<EOF > "${LXC_ROOTFS}/etc/apt/sources.list"
420 deb $DEBIAN_MIRROR $DEBIAN_RELEASE main
421 $SECURITY
422 EOF
423
424 # disable bits of systemd / initrd that break things
425 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f checkroot.sh disable > /dev/null 2>&1 || true
426 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f umountfs disable > /dev/null 2>&1 || true
427 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclock.sh disable > /dev/null 2>&1 || true
428 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclockfirst.sh disable > /dev/null 2>&1 || true
429
430 if [ -e "${LXC_ROOTFS}/etc/systemd/system/" ]; then
431     touch "${LXC_ROOTFS}/etc/systemd/system/systemd-setup-dgram-qlen.service"
432     touch "${LXC_ROOTFS}/etc/systemd/system/dev-hugepages.mount"
433     touch "${LXC_ROOTFS}/etc/systemd/system/udev.service"
434     touch "${LXC_ROOTFS}/etc/systemd/system/systemd-udevd.service"
435     chroot "${LXC_ROOTFS}" systemctl set-default multi-user.target || true
436     chroot "${LXC_ROOTFS}" ln -s /lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
437 fi
438
439 if [ -e "${LXC_ROOTFS}/lib/systemd/system/systemd-journald-audit.socket" ]; then
440     touch "${LXC_ROOTFS}/etc/systemd/system/systemd-journald-audit.socket"
441 fi
442
443 echo "$INTERFACE_DETAILS" >> "${LXC_ROOTFS}${NETWORK_FILE}"
444
445 # and update to the latest security
446 chroot "${LXC_ROOTFS}" apt-get update
447 chroot "${LXC_ROOTFS}" apt-get -y upgrade
448
449 # if we're all good here, unmount things and clean up
450 [ -e "${LXC_ROOTFS}/usr/sbin/policy-rc.d" ] && rm "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
451 rm "${LXC_ROOTFS}/proc/cmdline"
452
453 for dev in null random urandom; do
454     umount "${LXC_ROOTFS}/dev/$dev"
455     rm "${LXC_ROOTFS}/dev/$dev"
456 done
457
458 for file in /var/lib/lxcfs/proc/*; do
459     fname="$(basename $file)"
460     umount "${LXC_ROOTFS}/proc/$fname"
461     rm "${LXC_ROOTFS}/proc/$fname"
462 done
463
464 enable_initscripts
465
466 rm -r "${LXC_PATH}/bin"
467
468 cat <<EOF
469
470 You have successfully created a new debian container, ${LXC_NAME} running ${DEBIAN_RELEASE}.
471
472 You should start the new container, and use:
473
474   lxc-attach -n ${LXC_NAME} -- su -
475
476 To create a user account / set the root password.
477
478 Note, by default, it's likely only to be the console that can login as root, so that'd be:
479
480   lxc-console -n ${LXC_NAME} -t 0
481
482 EOF
483
484 exit 0