Skip to content

L
lxc
Commit 6e42a5ea by Stéphane Graber Committed by GitHub
Options

Merge pull request #1465 from geaaru/lxc-sabayon-unpriv

[lxc-sabayon] Disable _unprivileged_shift_owner for create unprivileg…
parents bb2f4389 3d288bbe
Showing with 28 additions and 9 deletions
config/templates/sabayon.common.conf.in
...@@ -54,6 +54,8 @@ lxc.cgroup.devices.allow = c 1:9 rwm ...@@ -54,6 +54,8 @@ lxc.cgroup.devices.allow = c 1:9 rwm
#lxc.cgroup.devices.allow = c 10:228 rwm #lxc.cgroup.devices.allow = c 10:228 rwm
## kvm ## kvm
#lxc.cgroup.devices.allow = c 10:232 rwm #lxc.cgroup.devices.allow = c 10:232 rwm
## /dev/mem
#lxc.cgroup.devices.allow = c 1:1 rwm
# If something doesn't work, try to comment this out. # If something doesn't work, try to comment this out.
# Dropping sys_admin disables container root from doing a lot of things # Dropping sys_admin disables container root from doing a lot of things
......
templates/lxc-sabayon.in
...@@ -66,6 +66,7 @@ rootfs= ...@@ -66,6 +66,7 @@ rootfs=
unprivileged=false unprivileged=false
mapped_uid= mapped_uid=
mapped_gid= mapped_gid=
flush_owner=false
#======================== Helper Functions ========================# #======================== Helper Functions ========================#
...@@ -81,12 +82,15 @@ Template options: ...@@ -81,12 +82,15 @@ Template options:
-d, --debug Run this script in a debug mode (set -x and wget w/o -q). -d, --debug Run this script in a debug mode (set -x and wget w/o -q).
-m URL --mirror=URL The Sabayon mirror to use; defaults to random mirror. -m URL --mirror=URL The Sabayon mirror to use; defaults to random mirror.
-u, --unprivileged Tuning of rootfs for unprivileged containers. -u, --unprivileged Tuning of rootfs for unprivileged containers.
Are needed --mapped-gid and --mapped-uid options.
-r, --release Identify release to use. Default is DAILY. -r, --release Identify release to use. Default is DAILY.
--mapped-gid Group Id to use on unprivileged container --mapped-gid Group Id to use on unprivileged container
(based of value present on file /etc/subgid). (based of value present on file /etc/subgid).
--mapped-uid User Id to use on unprivileged container --mapped-uid User Id to use on unprivileged container
(based of value present on file /etc/subuid) (based of value present on file /etc/subuid)
--flush-owner Only for directly creation of unprivileged containers
through lxc-create command. Execute fuidshift command.
Require --mapped-gid,--mapped-uid and --unprivileged
options.
Environment variables: Environment variables:
RELEASE Release version of Sabayon. Default is ${RELEASE}. RELEASE Release version of Sabayon. Default is ${RELEASE}.
...@@ -281,13 +285,18 @@ configure_container() { ...@@ -281,13 +285,18 @@ configure_container() {
local unprivileged_options="" local unprivileged_options=""
if [[ $unprivileged && $unprivileged == true ]] ; then if [[ $unprivileged && $unprivileged == true ]] ; then
unprivileged_options=" if [[ $flush_owner == true ]] ; then
unprivileged_options="
lxc.id_map = u 0 ${mapped_uid} 65536 lxc.id_map = u 0 ${mapped_uid} 65536
lxc.id_map = g 0 ${mapped_gid} 65536 lxc.id_map = g 0 ${mapped_gid} 65536
"
fi
unprivileged_options="
$unprivileged_options
# Include common configuration. # Include common configuration.
lxc.include = $LXC_TEMPLATE_CONFIG/sabayon.userns.conf lxc.include = $LXC_TEMPLATE_CONFIG/sabayon.userns.conf
" "
else else
...@@ -332,7 +341,7 @@ parse_cmdline() { ...@@ -332,7 +341,7 @@ parse_cmdline() {
# Parse command options. # Parse command options.
local short_options="a:dm:n:p:r:hu" local short_options="a:dm:n:p:r:hu"
local long_options="arch:,debug,mirror:,name:,path:,release:,rootfs:,mapped-uid:,mapped-gid:,help" local long_options="arch:,debug,mirror:,name:,path:,release:,rootfs:,mapped-uid:,mapped-gid:,flush-owner,help"
options=$(getopt -u -q -a -o "$short_options" -l "$long_options" -- "$@") options=$(getopt -u -q -a -o "$short_options" -l "$long_options" -- "$@")
...@@ -383,6 +392,9 @@ parse_cmdline() { ...@@ -383,6 +392,9 @@ parse_cmdline() {
mapped_gid=$2 mapped_gid=$2
shift shift
;; ;;
--flush-owner)
flush_owner=true
;;
--) --)
break break
;; ;;
...@@ -415,12 +427,15 @@ parse_cmdline() { ...@@ -415,12 +427,15 @@ parse_cmdline() {
arch=$(parse_arch "$arch") \ arch=$(parse_arch "$arch") \
|| die 1 "Unsupported architecture: $arch" || die 1 "Unsupported architecture: $arch"
[[ $unprivileged && $unprivileged == true && -z "$mapped_uid" ]] && \ [[ $unprivileged == true && $flush_owner == true &&-z "$mapped_uid" ]] && \
die 1 'Missing required option --mapped-uid with --unprivileged option' die 1 'Missing required option --mapped-uid with --unprivileged option'
[[ $unprivileged && $unprivileged == true && -z "$mapped_gid" ]] && \ [[ $unprivileged == true && $flush_owner == true && -z "$mapped_gid" ]] && \
die 1 'Missing required option --mapped-gid with --unprivileged option' die 1 'Missing required option --mapped-gid with --unprivileged option'
[[ $flush_owner == true && $unprivileged == false ]] && \
die 1 'flush-owner require --unprivileged option'
return 0 return 0
} }
...@@ -441,7 +456,7 @@ main () { ...@@ -441,7 +456,7 @@ main () {
DEBUG="$debug" DEBUG="$debug"
MIRROR_URL="${mirror_url:-$(random_mirror_url)}" MIRROR_URL="${mirror_url:-$(random_mirror_url)}"
einfo "Use arch = $arch, mirror_url = $MIRROR_URL, path = $path, name = $name, release = $release, unprivileged = $unprivileged, rootfs = $rootfs, mapped_uid = $mapped_uid, mapped_gid = $mapped_gid" einfo "Use arch = $arch, mirror_url = $MIRROR_URL, path = $path, name = $name, release = $release, unprivileged = $unprivileged, rootfs = $rootfs, mapped_uid = $mapped_uid, mapped_gid = $mapped_gid, flush_owner = $flush_owner"
[ "$debug" = 'yes' ] && set -x [ "$debug" = 'yes' ] && set -x
...@@ -463,9 +478,11 @@ main () { ...@@ -463,9 +478,11 @@ main () {
systemd_container_tuning systemd_container_tuning
# Fix container for unprivileged mode. # Fix container for unprivileged mode.
if [[ $unprivileged && $unprivileged == true ]] ; then if [[ $unprivileged == true ]] ; then
unprivileged_rootfs unprivileged_rootfs
unprivileged_shift_owner if [[ $flush_owner == true ]] ; then
unprivileged_shift_owner
fi
fi fi
return 0 return 0
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment