[lxc-devel] [PATCH] Add example hooks from Ubuntu package

Stéphane Graber stgraber at ubuntu.com
Tue Feb 19 20:44:19 UTC 2013


We've been shipping those two hooks for a while in Ubuntu.
Yesterday I reworked them to use the new environment variables and
avoid hardcoding any path that we have available as a variable.

I tested both to work on Ubuntu 13.04 but they should work just as well
on any distro shipping with the cgroup hierarchy in /sys/fs/cgroup and
with ecryptfs available.

Those are intended as examples and distros are free to drop them; they
should, however, work without any change, at least on Ubuntu.

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 Makefile.am             |  4 ++--
 configure.ac            |  3 +++
 hooks/Makefile.am       |  5 +++++
 hooks/mountcgroups      | 42 +++++++++++++++++++++++++++++++++++++++++
 hooks/mountecryptfsroot | 50 +++++++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 102 insertions(+), 2 deletions(-)
 create mode 100644 hooks/Makefile.am
 create mode 100755 hooks/mountcgroups
 create mode 100755 hooks/mountecryptfsroot

diff --git a/Makefile.am b/Makefile.am
index 53473ee..7ebef9d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,8 +2,8 @@
 
 ACLOCAL_AMFLAGS = -I config
 
-SUBDIRS = config src templates doc
-DIST_SUBDIRS = config src templates doc
+SUBDIRS = config src templates doc hooks
+DIST_SUBDIRS = config src templates doc hooks
 EXTRA_DIST = autogen.sh lxc.spec CONTRIBUTING MAINTAINERS ChangeLog
 RPMARGS =
 
diff --git a/configure.ac b/configure.ac
index 6e406bd..a133d16 100644
--- a/configure.ac
+++ b/configure.ac
@@ -219,6 +219,7 @@ AS_AC_EXPAND(LXCPATH, "$with_config_path")
 AS_AC_EXPAND(LXC_GLOBAL_CONF, "$with_global_conf")
 AS_AC_EXPAND(LXCROOTFSMOUNT, "$with_rootfs_path")
 AS_AC_EXPAND(LXCTEMPLATEDIR, "$datadir/lxc/templates")
+AS_AC_EXPAND(LXCHOOKDIR, "$datadir/lxc/hooks")
 AS_AC_EXPAND(LXCINITDIR, "$libexecdir")
 AS_AC_EXPAND(LOGPATH, "$with_log_path")
 
@@ -350,6 +351,8 @@ AC_CONFIG_FILES([
 	doc/examples/lxc-veth.conf
 	doc/examples/lxc-complex.conf
 
+	hooks/Makefile
+
 	templates/Makefile
 	templates/lxc-lenny
 	templates/lxc-debian
diff --git a/hooks/Makefile.am b/hooks/Makefile.am
new file mode 100644
index 0000000..4fc20ac
--- /dev/null
+++ b/hooks/Makefile.am
@@ -0,0 +1,5 @@
+hooksdir=@LXCHOOKDIR@
+
+hooks_SCRIPTS = \
+	mountcgroups \
+	mountecryptfsroot
diff --git a/hooks/mountcgroups b/hooks/mountcgroups
new file mode 100755
index 0000000..8250ae9
--- /dev/null
+++ b/hooks/mountcgroups
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# (C) Copyright Canonical 2011,2012
+
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+#
+# This is an example hook to mount all mounted cgroups in the
+# container.  Only the container's own cgroup (not parents) will be
+# accessible to the container.  You can enable this by adding
+# lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+# to your container's configuration file.
+
+set -e
+
+c=$1
+d=/sys/fs/cgroup
+d2=$LXC_ROOTFS_MOUNT/${d}
+if [ ! -d "$d" ]; then
+    exit 0
+fi
+
+mount -n -t tmpfs tmpfs ${d2}
+
+for dir in `/bin/ls $d`; do
+    mkdir -p "${d}/${dir}/lxc/${c}/${c}.real"
+    echo 1 > "${d}/${dir}/lxc/${c}/${c}.real/tasks"
+    mkdir -p ${d2}/${dir}
+    mount -n --bind "${d}/${dir}/lxc/${c}/${c}.real" "${d2}/${dir}"
+done
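Review bot: `d2` is built from `$LXC_ROOTFS_MOUNT` without checking that the variable is set, and it is then used unquoted in `mount -n -t tmpfs tmpfs ${d2}` and `mkdir -p ${d2}/${dir}`. If the hook runs with that variable empty, `d2` collapses to `//sys/fs/cgroup`, so the tmpfs is mounted over the cgroup directory the script reads from rather than inside the container rootfs. I would add `: "${LXC_ROOTFS_MOUNT:?not set}"` before the assignment and quote both uses, e.g. `mount -n -t tmpfs tmpfs "${d2}"`. The same applies to `c=$1`: an empty name makes the `mkdir -p` and `echo 1 > .../tasks` lines operate on `lxc//.real`, so a `[ -n "$c" ] || exit 1` guard is worth having. The loop over the output of `/bin/ls $d` also word-splits directory names; `for path in "$d"/*; do dir=${path##*/}` avoids parsing ls.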
diff --git a/hooks/mountecryptfsroot b/hooks/mountecryptfsroot
new file mode 100755
index 0000000..f3cb0fb
--- /dev/null
+++ b/hooks/mountecryptfsroot
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# (C) Copyright Canonical 2011-2013
+
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# This hook can be used to mount an ecryptfs filesystem as a container's
+# rootfs.
+# To use this hook, assuming your container is called q1,
+#  1. add 'lxc.hook.pre-mount = /usr/share/lxc/hooks/mountecryptfsroot' to
+#     the container's configuration file
+#  2. Create /var/lib/lxc/q1/ecryptfs-root
+#     a. mkdir /var/lib/lxc/q1/ecryptfs-root
+#  3. convert your container's root filesystem to be ecryptfs-backed.  Assuming
+#     your container is called 'q1', do
+#     a. c=q1
+#     b. mv /var/lib/lxc/$c/rootfs /var/lib/lxc/$c/rootfs.plain
+#     c. mkdir /var/lib/lxc/$c/rootfs{,.crypt}
+#     d. sig=`echo none | ecryptfs-add-passphrase | grep -v Passphrase | cut -d[ -f 2 | cut -d] -f 1`
+#     e. echo $sig > /var/lib/lxc/$c/sig
+#     f. mount -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 /var/lib/lxc/$c/rootfs.crypt /var/lib/lxc/$c/rootfs
+#     g. rsync -va /var/lib/lxc/$c/rootfs.plain/ /var/lib/lxc/$c/rootfs/
+#     h. umount /var/lib/lxc/$c/rootfs
+#     i. rm -rf /var/lib/lxc/$c/rootfs.plain
+#  4. Now you can start your container by adding the passphrase to your
+#     in-kernel keyring using 'ecryptfs-add-passphrase', then starting your
+#     container as normal.
+#     a. echo none | ecryptfs-add-passphrase
+#     b. lxc-start -n q1
+#  Note that you may well want to use a wrapped passhrase (see the ecryptfs-wrap-passphrase(1) manual page).
+
+set -e
+ecryptfs_crypt=$(echo $LXC_ROOTFS_PATH | sed 's/rootfs$/rootfs.crypt/')
+sigfile=$(echo $LXC_CONFIG_FILE | sed 's/config$/sig/')
+
+sig=`cat $sigfile`
+mount -n -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 $ecryptfs_crypt $LXC_ROOTFS_PATH
+exit 0
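Review bot: The value read from `$sigfile` is pasted into the `-o` option string of the `mount -n -t ecryptfs` call without validation, so a comma in that file adds or overrides mount options, including the cipher and `ecryptfs_passthrough` settings the hook is meant to fix. Rejecting anything that is not plain hex before the mount closes that, e.g. `case "$sig" in ''|*[!0-9a-fA-F]*) echo "bad sig in $sigfile" >&2; exit 1;; esac`, and the sig file should be writable only by root. `$LXC_ROOTFS_PATH`, `$LXC_CONFIG_FILE`, `$sigfile` and `$ecryptfs_crypt` are all expanded unquoted, so a container path containing whitespace splits the mount arguments; they should be double-quoted. When `LXC_ROOTFS_PATH` does not end in `rootfs`, the sed leaves it unchanged and the lower and upper directories become the same path, which is not the layout the header comment describes; an explicit check that the two differ would catch that.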
-- 
1.8.1.2




