Add lxc-debian-userns LXC template script
This script can be used as LXC template to install a Debian into a directory using `mmdebstrap`. It's intended use is to create a container filesystem with appropriate uids/gids for use in an unprivileged container. The script assumes that it runs as root and only changes the userns to install Debian.
This commit is contained in:
parent
845e3fe30e
commit
b5243aaa2b
|
@ -0,0 +1,153 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
usage() (
|
||||||
|
cat <<-EOF
|
||||||
|
Template specific options can be passed to lxc-create after a '--' like this:
|
||||||
|
|
||||||
|
lxc-create --name=NAME [-lxc-create-options] -- [-template-options]
|
||||||
|
|
||||||
|
Usage: ${1} -h|--help --path=<path> --name=<name> --rootfs=<rootfs>
|
||||||
|
--uidmap=<uidmap> --gidmap=<gidmap>
|
||||||
|
--mirror=<mirror> [--security-mirror=<security mirror>]
|
||||||
|
[--release=<release>]
|
||||||
|
[--auth-key=<keyfile>]
|
||||||
|
|
||||||
|
Options :
|
||||||
|
|
||||||
|
-h, --help print this help text
|
||||||
|
--path=PATH directory where config of this VM will be kept
|
||||||
|
--name=NAME hostname name of the container
|
||||||
|
--rootfs=ROOTFS directory where the root filesystem can be accessed
|
||||||
|
--uidmap=UIDMAP Map of user ids for the userns. Format u:0:1000000:65535
|
||||||
|
See lxc-usernsexec (1) for format details.
|
||||||
|
--gidmap=GIDMAP Map of group ids for the userns. Format g:0:1000000:65535
|
||||||
|
See lxc-usernsexec (1) for format details.
|
||||||
|
--auth-key=KEYFILE SSH public key to inject into the container as the root user.
|
||||||
|
--release=RELEASE Debian release. Defaults to "stable"
|
||||||
|
--mirror=MIRROR Debian mirror to use during installation.
|
||||||
|
--security-mirror=SECURITY_MIRROR
|
||||||
|
Debian mirror to use for security updates.
|
||||||
|
|
||||||
|
This template uses mmdebstrap to install Debian in a userns into a directory as provided by lxc-create via the
|
||||||
|
--rootfs option. It's intended use is to create a filesystem for unprivileged containers started as root.
|
||||||
|
EOF
|
||||||
|
return 0
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
check_required_binary() (
|
||||||
|
prog="${1}"
|
||||||
|
bin="${2}"
|
||||||
|
if ! which ${bin} > /dev/null; then
|
||||||
|
printf "error: Need '%s' executable in PATH to execute this template.\n\n" ${bin}
|
||||||
|
usage "${prog}"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
return 0
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
check_required_arg() (
|
||||||
|
prog="${1}"
|
||||||
|
value="${2}"
|
||||||
|
opt="${3}"
|
||||||
|
if [ "${value}" = "" ]; then
|
||||||
|
printf "error: %s is a required option!\n\n" "${opt}"
|
||||||
|
usage "${prog}"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
return 0
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
parse_args() {
|
||||||
|
prog="${0}"
|
||||||
|
shift
|
||||||
|
|
||||||
|
options=$(getopt -o h -l help,path:,name:,rootfs:,mirror:,security-mirror:,auth-key:,release:,uidmap:,gidmap: -- "${@}")
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
usage "${prog}"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
# printf "%s\n" "${options}"
|
||||||
|
|
||||||
|
eval set -- "${options}"
|
||||||
|
|
||||||
|
while true; do
|
||||||
|
case "${1}" in
|
||||||
|
-h|--help) usage "${prog}" && exit 1;;
|
||||||
|
--) shift 1; break;;
|
||||||
|
--path) path=${2}; shift 2;;
|
||||||
|
--name) name=${2}; shift 2;;
|
||||||
|
--rootfs) rootfs=${2}; shift 2;;
|
||||||
|
--release) release=${2}; shift 2;;
|
||||||
|
--mirror) mirror=${2}; shift 2;;
|
||||||
|
--security-mirror) security_mirror=${2}; shift 2;;
|
||||||
|
--auth-key) auth_key=${2}; shift 2;;
|
||||||
|
--uidmap) uidmap=${2}; shift 2;;
|
||||||
|
--gidmap) gidmap=${2}; shift 2;;
|
||||||
|
*) echo "programming error: found unknown opt ${1}"; exit 1; break;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
# check required args
|
||||||
|
check_required_arg "${prog}" "${path}" "--path" || exit 1
|
||||||
|
check_required_arg "${prog}" "${name}" "--name" || exit 1
|
||||||
|
check_required_arg "${prog}" "${rootfs}" "--rootfs" || exit 1
|
||||||
|
check_required_arg "${prog}" "${mirror}" "--mirror" || exit 1
|
||||||
|
check_required_arg "${prog}" "${uidmap}" "--uidmap" || exit 1
|
||||||
|
check_required_arg "${prog}" "${gidmap}" "--gidmap" || exit 1
|
||||||
|
|
||||||
|
# set defaults where necessary
|
||||||
|
release=${release:-stable}
|
||||||
|
|
||||||
|
if ! [ -d "${rootfs}" ]; then
|
||||||
|
printf "error: --rootfs must point to a valid directory. Got '%s'\n\n" "${rootfs}"
|
||||||
|
usage "${prog}"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "${auth_key}" != "" ] && ! [ -f "${auth_key}" ]; then
|
||||||
|
printf "error: --auth-key must point to a valid file. Got '%s'\n\n" "${auth_key}"
|
||||||
|
usage "${prog}"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
chown_mountpoint() (
|
||||||
|
# uses $rootfs, $uidmap, $gidmap
|
||||||
|
root_user_in_ns=$(echo $uidmap | cut -d : -f 3)
|
||||||
|
root_group_in_ns=$(echo $gidmap | cut -d : -f 3)
|
||||||
|
echo "Found root user ${root_user_in_ns} and group ${root_group_in_ns}"
|
||||||
|
chown ${root_user_in_ns}:${root_group_in_ns} "${rootfs}"
|
||||||
|
return 0
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
install_debian() (
|
||||||
|
# uses $rootfs, $name, $release, $uidmap, $gidmap, $mirror, $security_mirror, $auth_key
|
||||||
|
set -x
|
||||||
|
|
||||||
|
lxc-usernsexec -m ${uidmap} -m ${gidmap} -- \
|
||||||
|
lxc-unshare -s 'MOUNT|PID|UTSNAME|IPC' -- \
|
||||||
|
mmdebstrap \
|
||||||
|
--variant minbase \
|
||||||
|
--mode unshare \
|
||||||
|
--include 'init ifupdown locales dialog isc-dhcp-client netbase net-tools iproute2 openssh-server python3 vim' \
|
||||||
|
--customize-hook 'echo '${name}' > $1/etc/hostname' \
|
||||||
|
--customize-hook 'cp /etc/timezone $1/etc/timezone' \
|
||||||
|
${auth_key:+--customize-hook 'mkdir -p $1/root/.ssh' --customize-hook 'cat '${auth_key}' > $1/root/.ssh/authorized_keys'} \
|
||||||
|
$release "${rootfs}" \
|
||||||
|
"${mirror}" ${security_mirror:+"deb ${security_mirror} ${release}-security main contrib non-free"}
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
parse_args "${0}" "${@}"
|
||||||
|
|
||||||
|
check_required_binary "${0}" mmdebstrap || exit 1
|
||||||
|
check_required_binary "${0}" lxc-usernsexec || exit 1
|
||||||
|
|
||||||
|
chown_mountpoint || exit 1
|
||||||
|
|
||||||
|
install_debian
|
Loading…
Reference in New Issue