]> git.sommitrealweird.co.uk Git - lxc-debian-unprivileged.git/blob - templates/lxc-debian-unprivileged
a5128bf99c5ce15c6185395431c18144a2c1e6b3
[lxc-debian-unprivileged.git] / templates / lxc-debian-unprivileged
1 #!/bin/bash
2
3 # lxc template for debootstrapping in userns
4
5 # Authors:
6 # Brett Parker <iDunno@sommitrealweird.co.uk>
7
8 # This library is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU Lesser General Public
10 # License as published by the Free Software Foundation; either
11 # version 2.1 of the License, or (at your option) any later version.
12
13 # This library is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16 # Lesser General Public License for more details.
17
18 # You should have received a copy of the GNU Lesser General Public
19 # License along with this library; if not, write to the Free Software
20 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
21
22 MAPPED=no
23
24 # Only support usage in userns.
25 for arg in "$@"; do
26     [ "$arg" = "--" ] && break
27     if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
28         MAPPED=yes
29     fi
30 done
31
32 if [ "$MAPPED" == "no" ]; then
33     echo "This template can only be used for unprivileged containers." 1>&2
34     echo "You might want the \"debian\" template instead." 1>&2
35     exit 1
36 fi
37
38 set -e
39 set -u
40
41 # Make sure the usual locations are in PATH
42 export PATH=/usr/sbin:/usr/bin:/sbin:/bin:$PATH
43 export GREP_OPTIONS=""
44
45 usage() {
46     cat <<EOF
47 LXC debootstrap in user namespace for unprivileged containers
48
49 Special arguments:
50 [ -h | --help ]: Print this help message and exit.
51
52 Required arguments:
53 [ -r | --release <release> ]: The debian release, e.g. jessie or stretch.
54
55 Optional arguments:
56 [ -m | --mirror <mirrorurl> ]: The debian mirror to user
57 [ -n | --network <networkspec> ]: How to configure networking
58
59 Network spec:
60   <type>[,options]
61
62   type is one of:
63     dhcp4: v4 dhcp will be enabled.
64     dhcp6: v6 dhcp will be enabled.
65     dhcp: v4 and v6 dhcp will be enabled.
66     static: no dhcp will be enabled
67
68   options:
69     this is a , seperated list, and sets up static assignments for v4 or v6,
70     regardless of type.
71     The order of arguments is
72       staticv4/staticnetmask
73       staticv6/staticv6netmask
74       gateway
75       v6gateway
76
77   examples:
78
79     --network dhcp4 (default)
80     --network dhcp6 (v6 dhcp)
81     --network dhcp  (v4 and v6 dhcp)
82     --network dhcp4,,2001:db8:1234:5678::1/64 (dhcp4 and static v6 address)
83     --network static,,2001:db8:1234:5678::5/64,,fe80::1 (static v6)
84     --network static,192.0.2.15/24,,192.0.2.1 (static v4)
85
86 EOF
87     return 0
88 }
89
90 options=$(getopt -o r:m:n:h -l release:,mirror:,network:,help,mapped-uid:,mapped-gid:,name:,path:,rootfs: -- "$@")
91
92 if [ $? -ne 0 ]; then
93     usage
94     exit 1
95 fi
96
97 eval set -- "$options"
98
99 DEBIAN_MIRROR="http://mirror.mythic-beasts.com/debian/"
100 DEBIAN_RELEASE="jessie"
101 NETWORK_CONFIG=""
102
103 disable_initscripts() {
104     cat <<EOF > "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
105 #!/bin/sh
106
107 exit 101
108 EOF
109     chmod 755 "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
110 }
111
112 enable_initscripts() {
113     if [ -e "${LXC_ROOTFS}/usr/sbin/policy-rc.d" ]; then
114         rm "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
115     fi
116 }
117
118 while :; do
119     case "$1" in
120         -h|--help)      usage && exit 1;;
121         -r|--release)   DEBIAN_RELEASE="$2"; shift 2;;
122         -m|--mirror)    DEBIAN_MIRROR="$2"; shift 2;;
123         -n|--network)   NETWORK_CONFIG="$2"; shift 2;;
124         --mapped-uid)   MAPPED_UID="$2"; shift 2;;
125         --mapped-gid)   MAPPED_GID="$2"; shift 2;;
126         --name)         LXC_NAME="$2"; shift 2;;
127         --path)         LXC_PATH="$2"; shift 2;;
128         --rootfs)       LXC_ROOTFS="$2"; shift 2;;
129         *)              break;;
130     esac
131 done
132
133 INTERFACE_DEFAULTS="auto eth0
134 iface eth0 inet dhcp"
135
136 generate_network_config() {
137     if [ "$NETWORK_CONFIG" == "" ]; then
138         echo "$INTERFACE_DEFAULTS"
139         return 0
140     fi
141
142     echo "auto eth0"
143     # see if there's a type
144     network_type=${NETWORK_CONFIG/,*}
145     other_params=${NETWORK_CONFIG#*,}
146
147     v4_configured=no
148     v6_configured=no
149
150     if [ "$network_type" == "dhcp" ]; then
151         echo "iface eth0 inet dhcp"
152         echo "iface eth0 inet6 dhcp"
153         v4_configured=yes
154         v6_configured=yes
155     elif [ "$network_type" == "dhcp4" ]; then
156         echo "iface eth0 inet dhcp"
157         v4_configured=yes
158     elif [ "$network_type" == "dhcp6" ]; then
159         echo "iface eth0 inet6 dhcp"
160         v6_configured=yes
161     elif [ "$network_type" != "static" ]; then
162         echo "Unknown network type: $network_type" 1>&2
163         echo 1>&2
164         usage 1>&2
165         exit 1
166     fi
167
168     [ "$network_type" == "$other_params" ] && return 0
169
170     v4_static=${other_params/,*}
171     other_params=${other_params#*,}
172
173     if [ "$v4_static" != "" ]; then
174         if [ "$v4_configured" == "yes" ]; then
175             echo "Both v4 DHCP and Static - giving up." 1>&2
176             echo 1>&2
177             usage 1>&2
178             exit 1
179         fi
180     fi
181
182     if [ "$v4_static" == "$other_params" ]; then
183         if [ "$v4_static" != "" ]; then
184             echo "iface eth0 inet static"
185             echo "  address $v4_static"
186         fi
187     fi
188
189     v6_static=${other_params/,*}
190     other_params=${other_params#*,}
191
192     if [ "$v6_static" != "" ]; then
193         if [ "$v6_configured" == "yes" ]; then
194             echo "Both v6 DHCP and Static - giving up." 1>&2
195             echo 1>&2
196             usage 1>&2
197             exit 1
198         fi
199     fi
200
201     if [ "$v6_static" == "$other_params" ]; then
202         if [ "$v4_static" ]; then
203             echo "iface eth0 inet static"
204             echo "  address $v4_static"
205             echo
206         fi
207
208         echo "iface eth0 inet6 static"
209         echo "  address $v6_static"
210
211         return 0
212     fi
213
214     v4_gateway=${other_params/,*}
215     other_params=${other_params#*,}
216
217     if [ "$v4_gateway" == "$other_params" ]; then
218         if [ "$v4_static" != "" ]; then
219             echo "iface eth0 inet static"
220             echo "  address $v4_static"
221             [ "$v4_gateway" != "" ] && echo "  gateway $v4_gateway"
222
223             if [ "$v6_static" != "" ]; then
224                 echo "iface eth0 inet6 static"
225                 echo "  address $v6_static"
226             fi
227
228             return 0
229         fi
230
231         if [ "$v4_configured" == "yes" ]; then
232             echo "DHCP and static gateway not supported, giving up." 1>&2
233             echo 1>&2
234             usage 1>&2
235             exit 1
236         fi
237     fi
238
239     v6_gateway=${other_params/,*}
240
241     if [ "$v4_static" != "" ]; then
242         echo "iface eth0 inet static"
243         echo "  address $v4_static"
244         [ "$v4_gateway" != "" ] && echo "  gateway $v4_gateway"
245         echo
246     fi
247
248     if [ "$v6_static" != "" ]; then
249         echo "iface eth0 inet6 static"
250         echo "  address $v6_static"
251         [ "$v6_gateway" != "" ] && echo "  gateway $v6_gateway"
252     fi
253
254     return 0
255 }
256
257 INTERFACE_DETAILS="$(generate_network_config)"
258
259 # rewrite the default config file
260
261 sed -i -e "/lxc./{w ${LXC_PATH}/config-auto" -e "d}" "${LXC_PATH}/config"
262 sed -i -e '4,$d' "${LXC_PATH}/config"
263
264 cat <<EOF >> "${LXC_PATH}/config"
265
266 # Useful includes
267 lxc.include = /usr/share/lxc/config/debian.common.conf
268 lxc.include = /usr/share/lxc/config/debian.userns.conf
269
270 # Set our hostname
271 lxc.utsname = $LXC_NAME
272
273 # Automatic configuration
274 EOF
275
276 # add back in the auto foo
277 cat "${LXC_PATH}/config-auto" >> "${LXC_PATH}/config"
278 rm "${LXC_PATH}/config-auto"
279
280 mkdir "${LXC_PATH}/bin"
281 cat <<EOF > "${LXC_PATH}/bin/mknod"
282 #!/bin/sh
283
284 exec touch "\$1"
285 EOF
286
287 chmod 755 "${LXC_PATH}/bin/mknod"
288
289 export PATH="${LXC_PATH}/bin:$PATH"
290
291 debootstrap --foreign --include debian-archive-keyring,ifupdown,isc-dhcp-client,locales,openssh-server $DEBIAN_RELEASE "${LXC_ROOTFS}" $DEBIAN_MIRROR
292
293 # now totally skip that check in the new root, because it sucks.
294 sed -i -e 's#check_sane_mount () {#check_sane_mount () {\n\treturn 0#;' "${LXC_ROOTFS}/debootstrap/functions"
295
296 # and stop it from bothering to try to setup proc
297 sed -i -e 's#setup_proc () {#setup_proc () {\n\treturn 0#;' "${LXC_ROOTFS}/debootstrap/functions"
298
299 keyring_dpkg=$(sed -ne "/^debian-archive-keyring/ { s#.* ##; p; }" "${LXC_ROOTFS}/debootstrap/debpaths")
300 # and unpack debian-archive-keyring, because we'll need that
301 (cd "${LXC_ROOTFS}" && dpkg-deb -x ".$keyring_dpkg" .)
302
303 # replace the tar containing devices with something that doesn't contain any
304 (cd "$LXC_ROOTFS/debootstrap" && rm devices.tar.gz && tar czvf devices.tar.gz --files-from=/dev/null)
305
306 # and mount a shitload of things for fun and profit...
307 for file in /var/lib/lxcfs/proc/*; do
308     fname="$(basename $file)"
309     touch "${LXC_ROOTFS}/proc/$fname"
310     mount -n -o bind "$file" "${LXC_ROOTFS}/proc/$fname"
311 done
312
313 for dev in null random urandom; do
314     touch "${LXC_ROOTFS}/dev/$dev"
315     mount -n -o bind /dev/$dev "${LXC_ROOTFS}/dev/$dev"
316 done
317
318 # set /proc/cmdline to something
319 echo "debootstrapping" > "${LXC_ROOTFS}/proc/cmdline"
320
321 # and disable initscripts
322 disable_initscripts
323
324 # and run the second stage
325 chroot "${LXC_ROOTFS}" /debootstrap/debootstrap --second-stage
326
327 # make sure that initscripts are still disabled
328 disable_initscripts
329
330 # configure locales
331 lang=en_GB.UTF-8
332 enc=UTF-8
333 if [ ! -z "$LANG" ]; then
334     lang=${LANG}
335     enc=${LANG#*.}
336 fi
337
338 cat >> "${LXC_ROOTFS}/etc/locale.gen" <<EOF
339 $lang $enc
340 EOF
341
342 chroot "${LXC_ROOTFS}" /usr/sbin/locale-gen $lang $enc
343 chroot "${LXC_ROOTFS}" /usr/sbin/update-locale LANG=$LANG
344
345 # configure timezone
346 if [ -f /etc/timezone ]; then
347     cat /etc/timezone > "${LXC_ROOTFS}/etc/timezone"
348 elif [ -f /etc/sysconfig/clock ]; then
349     . /etc/sysconfig/clock
350     echo $ZONE > "${LXC_ROOTFS}/etc/timezone"
351 fi
352 chroot "${LXC_ROOTFS}" dpkg-reconfigure -f noninteractive tzdata
353
354 # "setup" networking
355 NETWORK_FILE=/etc/network/interfaces
356 if [ -e "${LXC_ROOTFS}/etc/network/interfaces.d" ]; then
357     NETWORK_FILE=/etc/network/interfaces.d/eth0
358 fi
359
360 # remove some interesting breakages in pam for unpriv foo
361 sed -i -e 's#^\(session.*required.*pam_loginuid.so\)#\#\1#;' "${LXC_ROOTFS}"/etc/pam.d/*
362
363 # set the hostname
364 echo $LXC_NAME > "${LXC_ROOTFS}/etc/hostname"
365
366 SECURITY=""
367 if [ "$DEBIAN_RELEASE" != "sid" ] && [ "$DEBIAN_RELEASE" != "unstable" ]; then
368     SECURITY="deb http://security.debian.org/ $DEBIAN_RELEASE/updates main"
369 fi
370
371 # setup sources.list
372 cat <<EOF > "${LXC_ROOTFS}/etc/apt/sources.list"
373 deb $DEBIAN_MIRROR $DEBIAN_RELEASE main
374 $SECURITY
375 EOF
376
377 # disable bits of systemd / initrd that break things
378 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f checkroot.sh disable > /dev/null 2>&1 || true
379 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f umountfs disable > /dev/null 2>&1 || true
380 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclock.sh disable > /dev/null 2>&1 || true
381 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclockfirst.sh disable > /dev/null 2>&1 || true
382
383 if [ -e "${LXC_ROOTFS}/etc/systemd/system/" ]; then
384     touch "${LXC_ROOTFS}/etc/systemd/system/systemd-setup-dgram-qlen.service"
385     touch "${LXC_ROOTFS}/etc/systemd/system/dev-hugepages.mount"
386     touch "${LXC_ROOTFS}/etc/systemd/system/udev.service"
387     touch "${LXC_ROOTFS}/etc/systemd/system/systemd-udevd.service"
388     chroot "${LXC_ROOTFS}" systemctl set-default multi-user.target
389     chroot "${LXC_ROOTFS}" ln -s /lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
390 fi
391
392 if [ -e "${LXC_ROOTFS}/lib/systemd/system/systemd-journald-audit.socket" ]; then
393     touch "${LXC_ROOTFS}/etc/systemd/system/systemd-journald-audit.socket"
394 fi
395
396 echo "$INTERFACE_DETAILS" >> "${LXC_ROOTFS}${NETWORK_FILE}"
397
398 # and update to the latest security
399 chroot "${LXC_ROOTFS}" apt-get update
400 chroot "${LXC_ROOTFS}" apt-get -y upgrade
401
402 # if we're all good here, unmount things and clean up
403 [ -e "${LXC_ROOTFS}/usr/sbin/policy-rc.d" ] && rm "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
404 rm "${LXC_ROOTFS}/proc/cmdline"
405
406 for dev in null random urandom; do
407     umount "${LXC_ROOTFS}/dev/$dev"
408     rm "${LXC_ROOTFS}/dev/$dev"
409 done
410
411 for file in /var/lib/lxcfs/proc/*; do
412     fname="$(basename $file)"
413     umount "${LXC_ROOTFS}/proc/$fname"
414     rm "${LXC_ROOTFS}/proc/$fname"
415 done
416
417 enable_initscripts
418
419 rm -r "${LXC_PATH}/bin"
420
421 cat <<EOF
422
423 You have successfully created a new debian container, ${LXC_NAME} running ${DEBIAN_RELEASE}.
424
425 You should start the new container, and use:
426
427   lxc-attach -n ${LXC_NAME} -- su -
428
429 To create a user account / set the root password.
430
431 Note, by default, it's likely only to be the console that can login as root, so that'd be:
432
433   lxc-console -n ${LXC_NAME} -t 0
434
435 EOF
436
437 exit 0