Skip to content

L
lxc
Unverified Commit 4328e9e3 by Christian Brauner
Options

lxc-oci: make shellcheck clean

Signed-off-by: 's avatarChristian Brauner <christian.brauner@ubuntu.com>
parent a488502d
Showing with 60 additions and 37 deletions
templates/lxc-oci.in
...@@ -21,14 +21,13 @@ ...@@ -21,14 +21,13 @@
# USA # USA
set -eu set -eu
# set -x # debug
# Make sure the usual locations are in PATH # Make sure the usual locations are in PATH
export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
# Check for required binaries # Check for required binaries
for bin in skopeo umoci jq; do for bin in skopeo umoci jq; do
if ! type $bin >/dev/null 2>&1; then if ! which $bin >/dev/null 2>&1; then
echo "ERROR: Missing required tool: $bin" 1>&2 echo "ERROR: Missing required tool: $bin" 1>&2
exit 1 exit 1
fi fi
...@@ -43,6 +42,7 @@ cleanup() { ...@@ -43,6 +42,7 @@ cleanup() {
if [ -d "${DOWNLOAD_TEMP}" ]; then if [ -d "${DOWNLOAD_TEMP}" ]; then
rm -Rf "${DOWNLOAD_TEMP}" rm -Rf "${DOWNLOAD_TEMP}"
fi fi
if [ -d "${LXC_ROOTFS}.tmp" ]; then if [ -d "${LXC_ROOTFS}.tmp" ]; then
rm -Rf "${LXC_ROOTFS}.tmp" rm -Rf "${LXC_ROOTFS}.tmp"
fi fi
...@@ -50,14 +50,19 @@ cleanup() { ...@@ -50,14 +50,19 @@ cleanup() {
in_userns() { in_userns() {
[ -e /proc/self/uid_map ] || { echo no; return; } [ -e /proc/self/uid_map ] || { echo no; return; }
while read line; do while read -r line; do
fields=$(echo $line | awk '{ print $1 " " $2 " " $3 }') fields="$(echo "$line" | awk '{ print $1 " " $2 " " $3 }')"
[ "$fields" = "0 0 4294967295" ] && { echo no; return; } || true if [ "${fields}" = "0 0 4294967295" ]; then
echo $fields | grep -q " 0 1$" && { echo userns-root; return; } || true echo no;
return;
fi
if echo "${fields}" | grep -q " 0 1$"; then
echo userns-root;
return;
fi
done < /proc/self/uid_map done < /proc/self/uid_map
[ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && \ [ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && { echo userns-root; return; }
{ echo userns-root; return; }
echo yes echo yes
} }
...@@ -65,26 +70,28 @@ getconfigpath() { ...@@ -65,26 +70,28 @@ getconfigpath() {
basedir="$1" basedir="$1"
q="$2" q="$2"
digest=`cat "${basedir}/index.json" | jq -c -r --arg q "$q" '.manifests[] | if .annotations."org.opencontainers.image.ref.name" == $q then .digest else empty end'` digest=$(jq -c -r --arg q "$q" '.manifests[] | if .annotations."org.opencontainers.image.ref.name" == $q then .digest else empty end' < "${basedir}/index.json")
if [ -z "${digest}" ]; then if [ -z "${digest}" ]; then
echo "$q not found in index.json" >&2 echo "$q not found in index.json" >&2
return return
fi fi
# Ok we have the image config digest, now get the config from that, # Ok we have the image config digest, now get the config from that
# shellcheck disable=SC2039
d=${digest:7} d=${digest:7}
cdigest=`cat "${basedir}/blobs/sha256/${d}" | jq -c -r '.config.digest'` cdigest=$(jq -c -r '.config.digest' < "${basedir}/blobs/sha256/${d}")
if [ -z "${cdigest}" ]; then if [ -z "${cdigest}" ]; then
echo "container config not found" >&2 echo "container config not found" >&2
return return
fi fi
# shellcheck disable=SC2039
d2=${cdigest:7} d2=${cdigest:7}
echo "${basedir}/blobs/sha256/${d2}" echo "${basedir}/blobs/sha256/${d2}"
return return
} }
# get entrypoint from oci image. Use sh if unspecified # Get entrypoint from oci image. Use sh if unspecified
getep() { getep() {
if [ "$#" -eq 0 ]; then if [ "$#" -eq 0 ]; then
echo "/bin/sh" echo "/bin/sh"
...@@ -93,8 +100,8 @@ getep() { ...@@ -93,8 +100,8 @@ getep() {
configpath="$1" configpath="$1"
ep=`cat "${configpath}" | jq -c -r '.config.Entrypoint[]?'` ep=$(jq -c -r '.config.Entrypoint[]?'< "${configpath}")
cmd=`cat "${configpath}" | jq -c -r '.config.Cmd[]?'` cmd=$(jq -c -r '.config.Cmd[]?' < "${configpath}")
if [ -z "${ep}" ]; then if [ -z "${ep}" ]; then
ep="${cmd}" ep="${cmd}"
if [ -z "${ep}" ]; then if [ -z "${ep}" ]; then
...@@ -104,7 +111,7 @@ getep() { ...@@ -104,7 +111,7 @@ getep() {
ep="${ep} ${cmd}" ep="${ep} ${cmd}"
fi fi
echo ${ep} echo "${ep}"
return return
} }
...@@ -116,7 +123,7 @@ getenv() { ...@@ -116,7 +123,7 @@ getenv() {
configpath="$1" configpath="$1"
env=`cat "${configpath}" | jq -c -r '.config.Env[]'` env=$(jq -c -r '.config.Env[]'< "${configpath}")
echo "${env}" echo "${env}"
return return
...@@ -134,10 +141,11 @@ getuidgid() { ...@@ -134,10 +141,11 @@ getuidgid() {
configpath="$1" configpath="$1"
uidgid=`cat "${configpath}" | jq -c -r '.config.User // "0:0"'` uidgid=$(jq -c -r '.config.User // "0:0"' < "${configpath}")
# shellcheck disable=SC2039
uidgid=(${uidgid//:/ }) uidgid=(${uidgid//:/ })
printf '%d %d' ${uidgid[0]:-0} ${uidgid[1]:-0} 2>/dev/null || true printf '%d %d' "${uidgid[0]:-0}" "${uidgid[1]:-0}" 2>/dev/null || true
return return
} }
...@@ -150,7 +158,7 @@ getcwd() { ...@@ -150,7 +158,7 @@ getcwd() {
configpath="$1" configpath="$1"
cwd=`cat "${configpath}" | jq -c -r '.config.WorkingDir // "/"'` cwd=$(jq -c -r '.config.WorkingDir // "/"' < "${configpath}")
echo "${cwd}" echo "${cwd}"
return return
...@@ -176,15 +184,11 @@ LXC internal arguments (do not pass manually!): ...@@ -176,15 +184,11 @@ LXC internal arguments (do not pass manually!):
[ --rootfs <rootfs> ]: The path to the container's rootfs [ --rootfs <rootfs> ]: The path to the container's rootfs
[ --mapped-uid <map> ]: A uid map (user namespaces) [ --mapped-uid <map> ]: A uid map (user namespaces)
[ --mapped-gid <map> ]: A gid map (user namespaces) [ --mapped-gid <map> ]: A gid map (user namespaces)
EOF EOF
return 0 return 0
} }
options=$(getopt -o u:h -l help,url:,username:,password:,no-cache,dhcp,\ if ! options=$(getopt -o u:h -l help,url:,username:,password:,no-cache,dhcp,name:,path:,rootfs:,mapped-uid:,mapped-gid: -- "$@"); then
name:,path:,rootfs:,mapped-uid:,mapped-gid: -- "$@")
if [ $? -ne 0 ]; then
usage usage
exit 1 exit 1
fi fi
...@@ -221,7 +225,7 @@ done ...@@ -221,7 +225,7 @@ done
# Check that we have all variables we need # Check that we have all variables we need
if [ -z "$LXC_NAME" ] || [ -z "$LXC_PATH" ] || [ -z "$LXC_ROOTFS" ]; then if [ -z "$LXC_NAME" ] || [ -z "$LXC_PATH" ] || [ -z "$LXC_ROOTFS" ]; then
echo "ERROR: Not running through LXC." 1>&2 echo "ERROR: Not running through LXC" 1>&2
exit 1 exit 1
fi fi
...@@ -246,7 +250,7 @@ USERNS=$(in_userns) ...@@ -246,7 +250,7 @@ USERNS=$(in_userns)
if [ "$USERNS" = "yes" ]; then if [ "$USERNS" = "yes" ]; then
if [ -z "$LXC_MAPPED_UID" ] || [ "$LXC_MAPPED_UID" = "-1" ]; then if [ -z "$LXC_MAPPED_UID" ] || [ "$LXC_MAPPED_UID" = "-1" ]; then
echo "ERROR: In a user namespace without a map." 1>&2 echo "ERROR: In a user namespace without a map" 1>&2
exit 1 exit 1
fi fi
fi fi
...@@ -264,46 +268,62 @@ fi ...@@ -264,46 +268,62 @@ fi
# Trap all exit signals # Trap all exit signals
trap cleanup EXIT HUP INT TERM trap cleanup EXIT HUP INT TERM
if ! type mktemp >/dev/null 2>&1; then if ! which mktemp >/dev/null 2>&1; then
DOWNLOAD_TEMP="${DOWNLOAD_BASE}/lxc-oci.$$" DOWNLOAD_TEMP="${DOWNLOAD_BASE}/lxc-oci.$$"
mkdir -p $DOWNLOAD_TEMP mkdir -p "${DOWNLOAD_TEMP}"
else else
DOWNLOAD_TEMP=$(mktemp -d -p "${DOWNLOAD_BASE}") DOWNLOAD_TEMP=$(mktemp -d -p "${DOWNLOAD_BASE}")
fi fi
# Download the image # Download the image
# shellcheck disable=SC2039
skopeo_args=("") skopeo_args=("")
if [ -n "$OCI_USERNAME" ]; then if [ -n "$OCI_USERNAME" ]; then
CREDENTIALS="${OCI_USERNAME}" CREDENTIALS="${OCI_USERNAME}"
if [ -n "$OCI_PASSWORD" ]; then if [ -n "$OCI_PASSWORD" ]; then
CREDENTIALS="${CREDENTIALS}:${OCI_PASSWORD}" CREDENTIALS="${CREDENTIALS}:${OCI_PASSWORD}"
fi fi
# shellcheck disable=SC2039
skopeo_args+=(--src-creds "${CREDENTIALS}") skopeo_args+=(--src-creds "${CREDENTIALS}")
fi fi
if [ "${OCI_USE_CACHE}" = "true" ]; then if [ "${OCI_USE_CACHE}" = "true" ]; then
# shellcheck disable=SC2039
# shellcheck disable=SC2068
skopeo_args+=(--dest-shared-blob-dir "${DOWNLOAD_BASE}") skopeo_args+=(--dest-shared-blob-dir "${DOWNLOAD_BASE}")
# shellcheck disable=SC2039
# shellcheck disable=SC2068
skopeo copy ${skopeo_args[@]} "${OCI_URL}" "oci:${DOWNLOAD_TEMP}:latest" skopeo copy ${skopeo_args[@]} "${OCI_URL}" "oci:${DOWNLOAD_TEMP}:latest"
ln -s "${DOWNLOAD_BASE}/sha256" "${DOWNLOAD_TEMP}/blobs/sha256" ln -s "${DOWNLOAD_BASE}/sha256" "${DOWNLOAD_TEMP}/blobs/sha256"
else else
# shellcheck disable=SC2039
# shellcheck disable=SC2068
skopeo copy ${skopeo_args[@]} "${OCI_URL}" "oci:${DOWNLOAD_TEMP}:latest" skopeo copy ${skopeo_args[@]} "${OCI_URL}" "oci:${DOWNLOAD_TEMP}:latest"
fi fi
echo "Unpacking the rootfs" echo "Unpacking the rootfs"
# shellcheck disable=SC2039
umoci_args=("") umoci_args=("")
if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
# shellcheck disable=SC2039
umoci_args+=(--rootless) umoci_args+=(--rootless)
fi fi
# shellcheck disable=SC2039
# shellcheck disable=SC2068
umoci unpack ${umoci_args[@]} --image "${DOWNLOAD_TEMP}:latest" "${LXC_ROOTFS}.tmp" umoci unpack ${umoci_args[@]} --image "${DOWNLOAD_TEMP}:latest" "${LXC_ROOTFS}.tmp"
rmdir "${LXC_ROOTFS}" rmdir "${LXC_ROOTFS}"
mv "${LXC_ROOTFS}.tmp/rootfs" "${LXC_ROOTFS}" mv "${LXC_ROOTFS}.tmp/rootfs" "${LXC_ROOTFS}"
OCI_CONF_FILE=$(getconfigpath ${DOWNLOAD_TEMP} latest) OCI_CONF_FILE=$(getconfigpath "${DOWNLOAD_TEMP}" latest)
LXC_CONF_FILE="${LXC_PATH}/config" LXC_CONF_FILE="${LXC_PATH}/config"
entrypoint=$(getep ${OCI_CONF_FILE}) entrypoint=$(getep "${OCI_CONF_FILE}")
echo "lxc.execute.cmd = '${entrypoint}'" >> "${LXC_CONF_FILE}" echo "lxc.execute.cmd = '${entrypoint}'" >> "${LXC_CONF_FILE}"
echo "lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed" >> "${LXC_CONF_FILE}" echo "lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed" >> "${LXC_CONF_FILE}"
environment=$(getenv ${OCI_CONF_FILE}) environment=$(getenv "${OCI_CONF_FILE}")
# shellcheck disable=SC2039
while read -r line; do while read -r line; do
echo "lxc.environment = ${line}" >> "${LXC_CONF_FILE}" echo "lxc.environment = ${line}" >> "${LXC_CONF_FILE}"
done <<< "${environment}" done <<< "${environment}"
...@@ -327,12 +347,12 @@ fi ...@@ -327,12 +347,12 @@ fi
echo "lxc.uts.name = ${LXC_NAME}" >> "${LXC_CONF_FILE}" echo "lxc.uts.name = ${LXC_NAME}" >> "${LXC_CONF_FILE}"
# set the hostname # set the hostname
cat <<EOF > ${LXC_ROOTFS}/etc/hostname cat <<EOF > "${LXC_ROOTFS}/etc/hostname"
${LXC_NAME} ${LXC_NAME}
EOF EOF
# set minimal hosts # set minimal hosts
cat <<EOF > ${LXC_ROOTFS}/etc/hosts cat <<EOF > "${LXC_ROOTFS}/etc/hosts"
127.0.0.1 localhost 127.0.0.1 localhost
127.0.1.1 ${LXC_NAME} 127.0.1.1 ${LXC_NAME}
::1 localhost ip6-localhost ip6-loopback ::1 localhost ip6-localhost ip6-loopback
...@@ -342,18 +362,21 @@ ff02::1 ip6-allnodes ...@@ -342,18 +362,21 @@ ff02::1 ip6-allnodes
ff02::2 ip6-allrouters ff02::2 ip6-allrouters
EOF EOF
uidgid=($(getuidgid ${OCI_CONF_FILE})) # shellcheck disable=SC2039
uidgid=($(getuidgid "${OCI_CONF_FILE}"))
# shellcheck disable=SC2039
echo "lxc.init.uid = ${uidgid[0]}" >> "${LXC_CONF_FILE}" echo "lxc.init.uid = ${uidgid[0]}" >> "${LXC_CONF_FILE}"
# shellcheck disable=SC2039
echo "lxc.init.gid = ${uidgid[1]}" >> "${LXC_CONF_FILE}" echo "lxc.init.gid = ${uidgid[1]}" >> "${LXC_CONF_FILE}"
cwd=$(getcwd ${OCI_CONF_FILE}) cwd=$(getcwd "${OCI_CONF_FILE}")
echo "lxc.init.cwd = ${cwd}" >> "${LXC_CONF_FILE}" echo "lxc.init.cwd = ${cwd}" >> "${LXC_CONF_FILE}"
if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
chown $LXC_MAPPED_UID $LXC_PATH/config $LXC_PATH/fstab >/dev/null 2>&1 || true chown "$LXC_MAPPED_UID" "$LXC_PATH/config" "$LXC_PATH/fstab" > /dev/null 2>&1 || true
fi fi
if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
chgrp $LXC_MAPPED_GID $LXC_PATH/config $LXC_PATH/fstab >/dev/null 2>&1 || true chgrp "$LXC_MAPPED_GID" "$LXC_PATH/config" "$LXC_PATH/fstab" > /dev/null 2>&1 || true
fi fi
exit 0 exit 0
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment