lxc: Move remap-uid-and-gid-for-lv to fuidshift
Instead of my custom-baked implementation, that doesn't support file system ACLs and is quite slow, we switch to `fuidshift` from the `lxd-tools` Debian package.
This commit is contained in:
parent
ec3618d5f7
commit
ae52d4962a
|
|
@ -1,9 +1,8 @@
|
|||
#!/bin/sh
|
||||
# Remap all files uid/gid to a new range
|
||||
# Remap all files uid/gid to a new range using fuidshift
|
||||
#
|
||||
# This is a wrapper around `fuidshift` from `lxd-tools` Debian package for my use-case of LVM based root disks.
|
||||
#
|
||||
# This is an inferior version of `fuidshift` from the `lxd-tools` Debian package, as it only handles uid/gid and
|
||||
# doesn't handle ACLs and thus journalctl's files and by that hinders updating systemd inside the container. It's also
|
||||
# quite slow.
|
||||
|
||||
usage () {
|
||||
echo "remap-uid-and-gid <container-name> [<target-lv>]"
|
||||
|
|
@ -11,8 +10,13 @@ usage () {
|
|||
exit 1
|
||||
}
|
||||
|
||||
if [ "$(which fuidshift)" = "" ]; then
|
||||
echo "fuidshift binary not found. Please install lxd-tools package."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
CONTAINER_NAME="${1}"
|
||||
if [ "${CONTAINER_NAME}" = "" ]; then
|
||||
if [ "${CONTAINER_NAME}" = "" ] || [ "${CONTAINER_NAME}" = "--help" ] || [ "${CONTAINER_NAME}" = "-h" ]; then
|
||||
usage
|
||||
fi
|
||||
|
||||
|
|
@ -33,51 +37,13 @@ if mount | grep -qF " on /mnt"; then
|
|||
fi
|
||||
|
||||
mount "${TARGET_LV}" /mnt
|
||||
cd /mnt
|
||||
|
||||
ROOT_USER_ID=$(get-lxc-idmap-config u $CONTAINER_NAME | cut -d ' ' -f 5)
|
||||
ROOT_GROUP_ID=$(get-lxc-idmap-config g $CONTAINER_NAME | cut -d ' ' -f 5)
|
||||
# we get e.g. lxc.idmap = u 0 1000000 65535 and want u:0:1000000:65535
|
||||
USER_NAMESPACE=$(get-lxc-idmap-config u $CONTAINER_NAME | sed -r -e 's/.*= (.*)/\1/' -e 's/ /:/g')
|
||||
GROUP_NAMESPACE=$(get-lxc-idmap-config g $CONTAINER_NAME | sed -r -e 's/.*= (.*)/\1/' -e 's/ /:/g')
|
||||
|
||||
printf "uid: %s gid: %s\n" $ROOT_USER_ID $ROOT_GROUP_ID
|
||||
|
||||
# We ignore links here, because they might not point to a valid location and would make our program fail. They are also
|
||||
# owned by whoever mounted the filesystem it seems, so don't need a chown.
|
||||
# Funny enough, the above statement is not true. I see symlinks in the container that are not owned by a valid user
|
||||
# inside the container ...
|
||||
# chown
|
||||
# -h, --no-dereference
|
||||
# affect symbolic links instead of any referenced file (useful only on systems
|
||||
# that can change the ownership of a symlink)
|
||||
#
|
||||
# --from=CURRENT_OWNER:CURRENT_GROUP
|
||||
# change the owner and/or group of each file only if its current owner and/or
|
||||
# group match those specified here. Either may be omitted, in which case a
|
||||
# match is not required for the omitted attribute
|
||||
#
|
||||
find . -xdev -printf "%U %G %p\n" | \
|
||||
while read F; do
|
||||
U=$(echo $F | cut -d ' ' -f 1)
|
||||
if [ ${U} -lt ${ROOT_USER_ID} ] || [ ${U} -gt $(( ${ROOT_USER_ID} + 65535 )) ]; then
|
||||
NEW_U=$(( ${U} + ${ROOT_USER_ID} ))
|
||||
else
|
||||
NEW_U=${U}
|
||||
fi
|
||||
|
||||
G=$(echo $F | cut -d ' ' -f 2)
|
||||
if [ ${G} -lt ${ROOT_GROUP_ID} ] || [ ${G} -gt $(( ${ROOT_GROUP_ID} + 65535 )) ]; then
|
||||
NEW_G=$(( ${G} + ${ROOT_GROUP_ID} ))
|
||||
else
|
||||
NEW_G=${G}
|
||||
fi
|
||||
|
||||
if [ "${U}" = "${NEW_U}" ] && [ "${G}" = "${NEW_G}" ]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
P=$(echo $F | cut -d ' ' -f 3-)
|
||||
printf "chown --no-dereference %s:%s %s\n" ${NEW_U} ${NEW_G} "${P}"
|
||||
# chown --no-dereference ${NEW_U}:${NEW_G} "${P}"
|
||||
done
|
||||
printf "fuidshift %s %s %s\n" /mnt $USER_NAMESPACE $GROUP_NAMESPACE
|
||||
# fuidshift /mnt $USER_NAMESPACE $GROUP_NAMESPACE
|
||||
|
||||
cd /
|
||||
umount /mnt
|
||||
|
|
|
|||
Loading…
Reference in New Issue