templates: Refuse to run unprivileged

Only the download and ubuntu-cloud templates work with unprivileged containers, for all others, detect --mapped-uid and error out as early as possible, recommending the use of the download template. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>

templates: Refuse to run unprivileged
8ec981fc · Stéphane Graber · 3a6ef65a · 8ec981fc · 8ec981fc · 8ec981fc
Commit 8ec981fc authored Feb 04, 2014 by Stéphane Graber
15 changed files
--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
 #!/bin/bash
+# Detect use under userns (unsupported)
+for arg in $*; do
+    if [ "$arg" == "--mapped-uid" ]; then
+        echo "This template can't be used for unprivileged containers." 1>&2
+        echo "You may want to try the \"download\" template instead." 1>&2
+        exit 1
+    fi
+done
 key_sha256sums="9c102bcc376af1498d549b77bdbfa815ae86faa1d2d82f040e616b18ef2df2d4  alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub
 2adcf7ce224f476330b5360ca5edb92fd0bf91c92d83292ed028d7c4e26333ab  alpine-devel@lists.alpinelinux.org-4d07755e.rsa.pub"

--- a/templates/lxc-altlinux.in
+++ b/templates/lxc-altlinux.in
@@ -24,6 +24,15 @@
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+# Detect use under userns (unsupported)
+for arg in $*; do
+    if [ "$arg" == "--mapped-uid" ]; then
+        echo "This template can't be used for unprivileged containers." 1>&2
+        echo "You may want to try the \"download\" template instead." 1>&2
+        exit 1
+    fi
+done
 #Configurations
 arch=$(uname -m)
 cache_base=@LOCALSTATEDIR@/cache/lxc/altlinux/$arch

--- a/templates/lxc-archlinux.in
+++ b/templates/lxc-archlinux.in
@@ -25,6 +25,15 @@
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+# Detect use under userns (unsupported)
+for arg in $*; do
+    if [ "$arg" == "--mapped-uid" ]; then
+        echo "This template can't be used for unprivileged containers." 1>&2
+        echo "You may want to try the \"download\" template instead." 1>&2
+        exit 1
+    fi
+done
 # defaults
 arch=$(uname -m)
 lxc_network_type="veth"

--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -20,6 +20,15 @@
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+# Detect use under userns (unsupported)
+for arg in $*; do
+    if [ "$arg" == "--mapped-uid" ]; then
+        echo "This template can't be used for unprivileged containers." 1>&2
+        echo "You may want to try the \"download\" template instead." 1>&2
+        exit 1
+    fi
+done
 am_in_userns() {
    [ -e /proc/self/uid_map ] || { echo no; return; }
    [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || { echo yes; return; }

--- a/templates/lxc-centos.in
+++ b/templates/lxc-centos.in
@@ -72,6 +72,15 @@ lxc_network_link=lxcbr0
 # This may be in /etc/os-release or /etc/system-release-cpe.  We
 # should be able to use EITHER.  Give preference to /etc/os-release for now.
+# Detect use under userns (unsupported)
+for arg in $*; do
+    if [ "$arg" == "--mapped-uid" ]; then
+        echo "This template can't be used for unprivileged containers." 1>&2
+        echo "You may want to try the \"download\" template instead." 1>&2
+        exit 1
+    fi
+done
 if [ -e /etc/os-release ]
 then
 # This is a shell friendly configuration file.  We can just source it.

--- a/templates/lxc-cirros.in
+++ b/templates/lxc-cirros.in
@@ -20,6 +20,16 @@
 # You should have received a copy of the GNU General Public License along
 # with this program; if not, write to the Free Software Foundation, Inc.,
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# Detect use under userns (unsupported)
+for arg in $*; do
+    if [ "$arg" == "--mapped-uid" ]; then
+        echo "This template can't be used for unprivileged containers." 1>&2
+        echo "You may want to try the \"download\" template instead." 1>&2
+        exit 1
+    fi
+done
 VERBOSITY=0
 DOWNLOAD_URL="http://download.cirros-cloud.net/"
 CACHE_D="@LOCALSTATEDIR@/cache/lxc/cirros"

--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -20,6 +20,15 @@
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+# Detect use under userns (unsupported)
+for arg in $*; do
+    if [ "$arg" == "--mapped-uid" ]; then
+        echo "This template can't be used for unprivileged containers." 1>&2
+        echo "You may want to try the \"download\" template instead." 1>&2
+        exit 1
+    fi
+done
 MIRROR=${MIRROR:-http://cdn.debian.net/debian}
 LOCALSTATEDIR="@LOCALSTATEDIR@"
 LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"

--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -72,6 +72,15 @@ lxc_network_link=lxcbr0
 # This may be in /etc/os-release or /etc/system-release-cpe.  We
 # should be able to use EITHER.  Give preference to /etc/os-release for now.
+# Detect use under userns (unsupported)
+for arg in $*; do
+    if [ "$arg" == "--mapped-uid" ]; then
+        echo "This template can't be used for unprivileged containers." 1>&2
+        echo "You may want to try the \"download\" template instead." 1>&2
+        exit 1
+    fi
+done
 if [ -e /etc/os-release ]
 then
 # This is a shell friendly configuration file.  We can just source it.

--- a/templates/lxc-gentoo.in
+++ b/templates/lxc-gentoo.in
@@ -13,6 +13,15 @@
 # - ready to use cache
 #
+# Detect use under userns (unsupported)
+for arg in $*; do
+    if [ "$arg" == "--mapped-uid" ]; then
+        echo "This template can't be used for unprivileged containers." 1>&2
+        echo "You may want to try the \"download\" template instead." 1>&2
+        exit 1
+    fi
+done
 # Ensure strict root's umask doesen't render the VM unusable
 umask 022

--- a/templates/lxc-openmandriva.in
+++ b/templates/lxc-openmandriva.in
@@ -26,6 +26,15 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 #
+# Detect use under userns (unsupported)
+for arg in $*; do
+    if [ "$arg" == "--mapped-uid" ]; then
+        echo "This template can't be used for unprivileged containers." 1>&2
+        echo "You may want to try the \"download\" template instead." 1>&2
+        exit 1
+    fi
+done
 #Configurations
 #distro=cooker
 hostarch=$(uname -m)

--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -25,6 +25,15 @@
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+# Detect use under userns (unsupported)
+for arg in $*; do
+    if [ "$arg" == "--mapped-uid" ]; then
+        echo "This template can't be used for unprivileged containers." 1>&2
+        echo "You may want to try the \"download\" template instead." 1>&2
+        exit 1
+    fi
+done
 DISTRO=12.3
 configure_opensuse()

--- a/templates/lxc-oracle.in
+++ b/templates/lxc-oracle.in
@@ -27,6 +27,15 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 #
+# Detect use under userns (unsupported)
+for arg in $*; do
+    if [ "$arg" == "--mapped-uid" ]; then
+        echo "This template can't be used for unprivileged containers." 1>&2
+        echo "You may want to try the \"download\" template instead." 1>&2
+        exit 1
+    fi
+done
 # use virbr0 that is setup by default by libvirtd
 lxc_network_type=veth
 lxc_network_link=virbr0

--- a/templates/lxc-plamo.in
+++ b/templates/lxc-plamo.in
@@ -28,6 +28,15 @@
 # ref. https://github.com/Ponce/lxc-slackware/blob/master/lxc-slackware
 #      lxc-ubuntu script
+# Detect use under userns (unsupported)
+for arg in $*; do
+    if [ "$arg" == "--mapped-uid" ]; then
+        echo "This template can't be used for unprivileged containers." 1>&2
+        echo "You may want to try the \"download\" template instead." 1>&2
+        exit 1
+    fi
+done
 [ -r /etc/default/lxc ] && . /etc/default/lxc
 DLSCHEME=${DLSCHEME:-"http"}

--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -20,6 +20,15 @@
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+# Detect use under userns (unsupported)
+for arg in $*; do
+    if [ "$arg" == "--mapped-uid" ]; then
+        echo "This template can't be used for unprivileged containers." 1>&2
+        echo "You may want to try the \"download\" template instead." 1>&2
+        exit 1
+    fi
+done
 install_sshd()
 {
    rootfs=$1

--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -24,6 +24,15 @@
 #  License along with this library; if not, write to the Free Software
 #  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+# Detect use under userns (unsupported)
+for arg in $*; do
+    if [ "$arg" == "--mapped-uid" ]; then
+        echo "This template can't be used for unprivileged containers." 1>&2
+        echo "You may want to try the \"download\" template instead." 1>&2
+        exit 1
+    fi
+done
 set -e
 LOCALSTATEDIR="@LOCALSTATEDIR@"