From ae52d4962a8f3015e88c06028ab981be33153e29 Mon Sep 17 00:00:00 2001
From: MasterofJOKers
Date: Wed, 28 Jun 2023 23:42:40 +0200
Subject: [PATCH] lxc: Move remap-uid-and-gid-for-lv to fuidshift

Instead of my custom-baked implementation, that doesn't support file system ACLs and is quite slow, we switch to `fuidshift` from the `lxd-tools` Debian package.
---
 lxc/remap-uid-and-gid-for-lv | 62 ++++++++----------------------------
 1 file changed, 14 insertions(+), 48 deletions(-)

diff --git a/lxc/remap-uid-and-gid-for-lv b/lxc/remap-uid-and-gid-for-lv
index bf24784..fbabe50 100755
--- a/lxc/remap-uid-and-gid-for-lv
+++ b/lxc/remap-uid-and-gid-for-lv
@@ -1,9 +1,8 @@
 #!/bin/sh
-# Remap all files uid/gid to a new range
+# Remap all files uid/gid to a new range using fuidshift
+#
+# This is a wrapper around `fuidshift` from `lxd-tools` Debian package for my use-case of LVM based root disks.
 #
-# This is an inferior version of `fuidshift` from the `lxd-tools` Debian package, as it only handles uid/gid and
-# doesn't handle ACLs and thus journalctl's files and by that hinders updating systemd inside the container. It's also
-# quite slow.
 
 usage () {
   echo "remap-uid-and-gid []"
@@ -11,8 +10,13 @@ usage () {
   exit 1
 }
 
+if [ "$(which fuidshift)" = "" ]; then
+  echo "fuidshift binary not found. Please install lxd-tools package."
+  exit 1
+fi
+
 CONTAINER_NAME="${1}"
-if [ "${CONTAINER_NAME}" = "" ]; then
+if [ "${CONTAINER_NAME}" = "" ] || [ "${CONTAINER_NAME}" = "--help" ] || [ "${CONTAINER_NAME}" = "-h" ]; then
   usage
 fi
 
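Review bot: The new `fuidshift` guard relies on `which`, which is not a POSIX utility and whose output and exit status differ between implementations, so under `#!/bin/sh` the shell builtin is the reliable probe: `command -v fuidshift >/dev/null 2>&1 || { echo "fuidshift binary not found. Please install lxd-tools package." >&2; exit 1; }`. That form also sends the diagnostic to stderr instead of stdout, where the current `echo` puts it. Because the guard sits above the `CONTAINER_NAME` check, the `-h`/`--help` handling added in the same hunk can never print usage on a host without lxd-tools; placing the guard after the usage handling would keep `--help` working everywhere.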
@@ -33,51 +37,13 @@ if mount | grep -qF " on /mnt"; then fi mount "${TARGET_LV}" /mnt -cd /mnt - -ROOT_USER_ID=$(get-lxc-idmap-config u $CONTAINER_NAME | cut -d ' ' -f 5) -ROOT_GROUP_ID=$(get-lxc-idmap-config g $CONTAINER_NAME | cut -d ' ' -f 5) - -printf "uid: %s gid: %s\n" $ROOT_USER_ID $ROOT_GROUP_ID - -# We ignore links here, because they might not point to a valid location and would make our program fail. They are also -# owned by whoever mounted the filesystem it seems, so don't need a chown. -# Funny enough, the above statement is not true. I see symlinks in the container that are not owned by a valid user -# inside the container ... -# chown -# -h, --no-dereference -# affect symbolic links instead of any referenced file (useful only on systems -# that can change the ownership of a symlink) -# -# --from=CURRENT_OWNER:CURRENT_GROUP -# change the owner and/or group of each file only if its current owner and/or -# group match those specified here. Either may be omitted, in which case a -# match is not required for the omitted attribute -# -find . -xdev -printf "%U %G %p\n" | \ - while read F; do - U=$(echo $F | cut -d ' ' -f 1) - if [ ${U} -lt ${ROOT_USER_ID} ] || [ ${U} -gt $(( ${ROOT_USER_ID} + 65535 )) ]; then - NEW_U=$(( ${U} + ${ROOT_USER_ID} )) - else - NEW_U=${U} - fi - - G=$(echo $F | cut -d ' ' -f 2) - if [ ${G} -lt ${ROOT_GROUP_ID} ] || [ ${G} -gt $(( ${ROOT_GROUP_ID} + 65535 )) ]; then - NEW_G=$(( ${G} + ${ROOT_GROUP_ID} )) - else - NEW_G=${G} - fi - if [ "${U}" = "${NEW_U}" ] && [ "${G}" = "${NEW_G}" ]; then - continue - fi +# we get e.g. 
lxc.idmap = u 0 1000000 65535 and want u:0:1000000:65535 +USER_NAMESPACE=$(get-lxc-idmap-config u $CONTAINER_NAME | sed -r -e 's/.*= (.*)/\1/' -e 's/ /:/g') +GROUP_NAMESPACE=$(get-lxc-idmap-config g $CONTAINER_NAME | sed -r -e 's/.*= (.*)/\1/' -e 's/ /:/g') - P=$(echo $F | cut -d ' ' -f 3-) - printf "chown --no-dereference %s:%s %s\n" ${NEW_U} ${NEW_G} "${P}" - # chown --no-dereference ${NEW_U}:${NEW_G} "${P}" - done +printf "fuidshift %s %s %s\n" /mnt $USER_NAMESPACE $GROUP_NAMESPACE +# fuidshift /mnt $USER_NAMESPACE $GROUP_NAMESPACE cd / umount /mnt
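Review bot: The ranges computed on the `USER_NAMESPACE` and `GROUP_NAMESPACE` lines are never validated before use: if `get-lxc-idmap-config` fails or the `sed` expression does not match, the variable is empty and the script carries on with `${TARGET_LV}` still mounted on /mnt (no `set -e` is visible in the shown parts of the script, and today only the dry-run `printf` is active because the real `fuidshift` call stays commented out). Add a guard directly after the two assignments, e.g. `[ -n "${USER_NAMESPACE}" ] && [ -n "${GROUP_NAMESPACE}" ] || { echo "cannot derive idmap for ${CONTAINER_NAME}" >&2; umount /mnt; exit 1; }`. `$CONTAINER_NAME` is also expanded unquoted in both command substitutions, as are `$USER_NAMESPACE`/`$GROUP_NAMESPACE` on the printf line (SC2086); should the helper ever print more than one `lxc.idmap` entry, the unquoted expansion silently turns into extra arguments, so quote them as `"${CONTAINER_NAME}"`, `"${USER_NAMESPACE}"` and `"${GROUP_NAMESPACE}"`.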