download: Support nested containers in unpriv

This adds detection for the case where we are root in an unprivileged container and then run LXC from there. In this case, we want to download to the system location, ignore the missing uid/gid ranges and run templates that are userns-ready. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

download: Support nested containers in unpriv
f74e080c · Stéphane Graber · a7242d9a · f74e080c
Commit f74e080c authored Feb 17, 2014 by Stéphane Graber
Hide whitespace changes
Inline Side-by-side

Showing with 36 additions and 27 deletions

lxc-download.in templates/lxc-download.in +36 -27

No files found.
--- a/templates/lxc-download.in
+++ b/templates/lxc-download.in
@@ -21,37 +21,38 @@
 set -eu
-LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
-LXC_HOOK_DIR="@LXCHOOKDIR@"
 LOCALSTATEDIR="@LOCALSTATEDIR@"
+LXC_HOOK_DIR="@LXCHOOKDIR@"
+LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
 # Defaults
-DOWNLOAD_DIST=
-DOWNLOAD_RELEASE=
 DOWNLOAD_ARCH=
-DOWNLOAD_VARIANT="default"
+DOWNLOAD_BUILD=
-DOWNLOAD_SERVER="images.linuxcontainers.org"
+DOWNLOAD_COMPAT_LEVEL=1
-DOWNLOAD_KEYID="0xBAEFF88C22F6E216"
+DOWNLOAD_DIST=
-DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net"
-DOWNLOAD_VALIDATE="true"
 DOWNLOAD_FLUSH_CACHE="false"
 DOWNLOAD_FORCE_CACHE="false"
+DOWNLOAD_INTERACTIVE="false"
+DOWNLOAD_KEYID="0xBAEFF88C22F6E216"
+DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net"
+DOWNLOAD_LIST_IMAGES="false"
 DOWNLOAD_MODE="system"
-DOWNLOAD_USE_CACHE="false"
-DOWNLOAD_URL=
-DOWNLOAD_SHOW_HTTP_WARNING="true"
-DOWNLOAD_SHOW_GPG_WARNING="true"
 DOWNLOAD_READY_GPG="false"
-DOWNLOAD_COMPAT_LEVEL=1
+DOWNLOAD_RELEASE=
-DOWNLOAD_LIST_IMAGES="false"
+DOWNLOAD_SERVER="images.linuxcontainers.org"
-DOWNLOAD_BUILD=
+DOWNLOAD_SHOW_GPG_WARNING="true"
-DOWNLOAD_INTERACTIVE="false"
+DOWNLOAD_SHOW_HTTP_WARNING="true"
+DOWNLOAD_TARGET="system"
+DOWNLOAD_URL=
+DOWNLOAD_USE_CACHE="false"
+DOWNLOAD_VALIDATE="true"
+DOWNLOAD_VARIANT="default"
+LXC_MAPPED_GID=
+LXC_MAPPED_UID=
 LXC_NAME=
 LXC_PATH=
 LXC_ROOTFS=
-LXC_MAPPED_UID=
-LXC_MAPPED_GID=
 # Deal with GPG over http proxy
 if [ -n "${http_proxy:-}" ]; then
@@ -141,10 +142,10 @@ gpg_validate() {
 in_userns() {
    [ -e /proc/self/uid_map ] || { echo no; return; }
-    [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || \
-        { echo yes; return; }
    line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map)
    [ "$line" = "0 0 4294967295" ] && { echo no; return; }
+    [ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && \
+        { echo userns-root; return; }
    echo yes
 }
@@ -245,12 +246,20 @@ if [ -z "$LXC_NAME" ] || [ -z "$LXC_PATH" ] || [ -z "$LXC_ROOTFS" ]; then
    exit 1
 fi
-if [ "$(in_userns)" = "yes" ]; then
+USERNS=$(in_userns)
-    if [ -z "$LXC_MAPPED_UID" ] || [ "$LXC_MAPPED_UID" = "-1" ]; then
-        echo "ERROR: In a user namespace without a map." 1>&2
+if [ "$USERNS" != "no" ]; then
-        exit 1
+    if [ "$USERNS" = "yes" ]; then
+        if [ -z "$LXC_MAPPED_UID" ] || [ "$LXC_MAPPED_UID" = "-1" ]; then
+            echo "ERROR: In a user namespace without a map." 1>&2
+            exit 1
+        fi
+        DOWNLOAD_MODE="user"
+        DOWNLOAD_TARGET="user"
+    else
+        DOWNLOAD_MODE="user"
+        DOWNLOAD_TARGET="system"
    fi
-    DOWNLOAD_MODE="user"
 fi
 if [ -z "$DOWNLOAD_DIST" ] || [ -z "$DOWNLOAD_RELEASE" ] || \
@@ -337,7 +346,7 @@ if [ "$DOWNLOAD_LIST_IMAGES" = "true" ] || \
 fi
 # Setup the cache
-if [ "$DOWNLOAD_MODE" = "system" ]; then
+if [ "$DOWNLOAD_TARGET" = "system" ]; then
    LXC_CACHE_BASE="$LOCALSTATEDIR/cache/lxc/"
 else
    LXC_CACHE_BASE="$HOME/.cache/lxc/"