3 # lxc template for debootstrapping in userns
6 # Brett Parker <iDunno@sommitrealweird.co.uk>
8 # This library is free software; you can redistribute it and/or
9 # modify it under the terms of the GNU Lesser General Public
10 # License as published by the Free Software Foundation; either
11 # version 2.1 of the License, or (at your option) any later version.
13 # This library is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 # Lesser General Public License for more details.
18 # You should have received a copy of the GNU Lesser General Public
19 # License along with this library; if not, write to the Free Software
20 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
24 # Only support usage in userns.
26 [ "$arg" = "--" ] && break
27 if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
32 if [ "$MAPPED" == "no" ]; then
33 echo "This template can only be used for unprivileged containers." 1>&2
34 echo "You might want the \"debian\" template instead." 1|&2
37 # Make sure the usual locations are in PATH
38 export PATH=/usr/sbin:/usr/bin:/sbin:/bin:$PATH
39 export GREP_OPTIONS=""
43 LXC debootstrap in user namespace for unprivileged containers
46 [ -h | --help ]: Print this help message and exit.
49 [ -r | --release <release> ]: The debian release, e.g. jessie or stretch.
52 [ -m | --mirror <mirrorurl> ]: The debian mirror to user
57 options=$(getopt -o r:m:h -l release:,mirror:,help,mapped-uid:,mapped-gid:,name:,path:,rootfs: -- "$@")
64 eval set -- "$options"
66 DEBIAN_MIRROR="http://mirror.mythic-beasts.com/debian/"
67 DEBIAN_RELEASE="jessie"
69 disable_initscripts() {
70 cat <<EOF > "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
75 chmod 755 "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
78 enable_initscripts() {
79 if [ -e "${LXC_ROOTFS}/usr/sbin/policy-rc.d" ]; then
80 rm "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
86 -h|--help) usage && exit 1;;
87 -r|--release) DEBIAN_RELEASE="$2"; shift 2;;
88 -m|--mirror) DEBIAN_MIRROR="$2"; shift 2;;
89 --mapped-uid) MAPPED_UID="$2"; shift 2;;
90 --mapped-gid) MAPPED_GID="$2"; shift 2;;
91 --name) LXC_NAME="$2"; shift 2;;
92 --path) LXC_PATH="$2"; shift 2;;
93 --rootfs) LXC_ROOTFS="$2"; shift 2;;
98 # rewrite the default config file
100 sed -i -e "/lxc./{w ${LXC_PATH}/config-auto" -e "d}" "${LXC_PATH}/config"
101 sed -i -e '4,$d' "${LXC_PATH}/config"
103 cat <<EOF >> "${LXC_PATH}/config"
106 lxc.include = /usr/share/lxc/config/debian.common.conf
107 lxc.include = /usr/share/lxc/config/debian.userns.conf
110 lxc.utsname = $LXC_NAME
112 # Automatic configuration
115 # add back in the auto foo
116 cat "${LXC_PATH}/config-auto" >> "${LXC_PATH}/config"
117 rm "${LXC_PATH}/config-auto"
119 mkdir "${LXC_PATH}/bin"
120 cat <<EOF > "${LXC_PATH}/bin/mknod"
126 chmod 755 "${LXC_PATH}/bin/mknod"
128 export PATH="${LXC_PATH}/bin:$PATH"
130 debootstrap --foreign --include debian-archive-keyring,ifupdown,isc-dhcp-client,locales,openssh-server $DEBIAN_RELEASE "${LXC_ROOTFS}" $DEBIAN_MIRROR
132 # now totally skip that check in the new root, because it sucks.
133 sed -i -e 's#check_sane_mount () {#check_sane_mount () {\n\treturn 0#;' "${LXC_ROOTFS}/debootstrap/functions"
135 # and stop it from bothering to try to setup proc
136 sed -i -e 's#setup_proc () {#setup_proc () {\n\treturn 0#;' "${LXC_ROOTFS}/debootstrap/functions"
138 keyring_dpkg=$(sed -ne "/^debian-archive-keyring/ { s#.* ##; p; }" "${LXC_ROOTFS}/debootstrap/debpaths")
139 # and unpack debian-archive-keyring, because we'll need that
140 (cd "${LXC_ROOTFS}" && dpkg-deb -x ".$keyring_dpkg" .)
142 # replace the tar containing devices with something that doesn't contain any
143 (cd "$LXC_ROOTFS/debootstrap" && rm devices.tar.gz && tar czvf devices.tar.gz --files-from=/dev/null)
145 # and mount a shitload of things for fun and profit...
146 for file in /var/lib/lxcfs/proc/*; do
147 fname="$(basename $file)"
148 touch "${LXC_ROOTFS}/proc/$fname"
149 mount -n -o bind "$file" "${LXC_ROOTFS}/proc/$fname"
152 for dev in null random urandom; do
153 touch "${LXC_ROOTFS}/dev/$dev"
154 mount -n -o bind /dev/$dev "${LXC_ROOTFS}/dev/$dev"
157 # set /proc/cmdline to something
158 echo "debootstrapping" > "${LXC_ROOTFS}/proc/cmdline"
160 # and disable initscripts
163 # and run the second stage
164 chroot "${LXC_ROOTFS}" /debootstrap/debootstrap --second-stage
166 # make sure that initscripts are still disabled
172 if [ ! -z "$LANG" ]; then
177 cat >> "${LXC_ROOTFS}/etc/locale.gen" <<EOF
181 chroot "${LXC_ROOTFS}" /usr/sbin/locale-gen $lang $enc
182 chroot "${LXC_ROOTFS}" /usr/sbin/update-locale LANG=$LANG
185 if [ -f /etc/timezone ]; then
186 cat /etc/timezone > "${LXC_ROOTFS}/etc/timezone"
187 elif [ -f /etc/sysconfig/clock ]; then
188 . /etc/sysconfig/clock
189 echo $ZONE > "${LXC_ROOTFS}/etc/timezone"
191 chroot "${LXC_ROOTFS}" dpkg-reconfigure -f noninteractive tzdata
194 NETWORK_FILE=/etc/network/interfaces
195 if [ -e "${LXC_ROOTFS}/etc/network/interfaces.d" ]; then
196 NETWORK_FILE=/etc/network/interfaces.d/eth0
199 # remove some interesting breakages in pam for unpriv foo
200 sed -i -e 's#^\(session.*required.*pam_loginuid.so\)#\#\1#;' "${LXC_ROOTFS}"/etc/pam.d/*
203 echo $LXC_NAME > "${LXC_ROOTFS}/etc/hostname"
206 cat <<EOF > "${LXC_ROOTFS}/etc/apt/sources.list"
207 deb $DEBIAN_MIRROR $DEBIAN_RELEASE main
208 deb http://security.debian.org/ $DEBIAN_RELEASE/updates main
211 # disable bits of systemd that we hates
212 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f checkroot.sh disable > /dev/null 2>&1
213 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f umountfs disable > /dev/null 2>&1
214 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclock.sh disable > /dev/null 2>&1
215 chroot "${LXC_ROOTFS}" /usr/sbin/update-rc.d -f hwclockfirst.sh disable > /dev/null 2>&1
217 if [ -e "${LXC_ROOTFS}/etc/systemd/system/" ]; then
218 touch "${LXC_ROOTFS}/etc/systemd/system/systemd-setup-dgram-qlen.service"
219 touch "${LXC_ROOTFS}/etc/systemd/system/dev-hugepages.mount"
220 touch "${LXC_ROOTFS}/etc/systemd/system/udev.service"
221 touch "${LXC_ROOTFS}/etc/systemd/system/systemd-udevd.service"
222 chroot "${LXC_ROOTFS}" systemctl set-default multi-user.target
223 chroot "${LXC_ROOTFS}" ln -s /lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target
226 if [ -e "${LXC_ROOTFS}/lib/systemd/system/systemd-journald-audit.socket" ]; then
227 touch "${LXC_ROOTFS}/etc/systemd/system/systemd-journald-audit.socket"
230 cat <<EOF >> "${LXC_ROOTFS}${NETWORK_FILE}"
235 # and update to the latest security
236 chroot "${LXC_ROOTFS}" apt-get update
237 chroot "${LXC_ROOTFS}" apt-get -y upgrade
239 # if we're all good here, unmount things and clean up
240 [ -e "${LXC_ROOTFS}/usr/sbin/policy-rc.d" ] && rm "${LXC_ROOTFS}/usr/sbin/policy-rc.d"
241 rm "${LXC_ROOTFS}/proc/cmdline"
243 for dev in null random urandom; do
244 umount "${LXC_ROOTFS}/dev/$dev"
245 rm "${LXC_ROOTFS}/dev/$dev"
248 for file in /var/lib/lxcfs/proc/*; do
249 fname="$(basename $file)"
250 umount "${LXC_ROOTFS}/proc/$fname"
251 rm "${LXC_ROOTFS}/proc/$fname"
256 rm -r "${LXC_PATH}/bin"