[lxc-devel] [PATCH] Add example hooks from Ubuntu package

Serge Hallyn serge.hallyn at ubuntu.com
Tue Feb 19 21:31:29 UTC 2013


Quoting Stéphane Graber (stgraber at ubuntu.com):
> We've been shipping those two hooks for a while in Ubuntu.
> Yesterday I reworked them to use the new environment variables and
> avoid hardcoding any path that we have available as a variable.
> 
> I tested both to work on Ubuntu 13.04 but they should work just as well
> on any distro shipping with the cgroup hierarchy in /sys/fs/cgroup and
> with ecryptfs available.
> 
> Those are intended as example and distros are free to drop them, they
> should however be working without any change required, at least on Ubuntu.
> 
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>

Acked-by: Serge Hallyn <serge.hallyn at ubuntu.com>

> ---
>  Makefile.am             |  4 ++--
>  configure.ac            |  3 +++
>  hooks/Makefile.am       |  5 +++++
>  hooks/mountcgroups      | 42 +++++++++++++++++++++++++++++++++++++++++
>  hooks/mountecryptfsroot | 50 +++++++++++++++++++++++++++++++++++++++++++++++++
>  5 files changed, 102 insertions(+), 2 deletions(-)
>  create mode 100644 hooks/Makefile.am
>  create mode 100755 hooks/mountcgroups
>  create mode 100755 hooks/mountecryptfsroot
> 
> diff --git a/Makefile.am b/Makefile.am
> index 53473ee..7ebef9d 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -2,8 +2,8 @@
>  
>  ACLOCAL_AMFLAGS = -I config
>  
> -SUBDIRS = config src templates doc
> -DIST_SUBDIRS = config src templates doc
> +SUBDIRS = config src templates doc hooks
> +DIST_SUBDIRS = config src templates doc hooks
>  EXTRA_DIST = autogen.sh lxc.spec CONTRIBUTING MAINTAINERS ChangeLog
>  RPMARGS =
>  
> diff --git a/configure.ac b/configure.ac
> index 6e406bd..a133d16 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -219,6 +219,7 @@ AS_AC_EXPAND(LXCPATH, "$with_config_path")
>  AS_AC_EXPAND(LXC_GLOBAL_CONF, "$with_global_conf")
>  AS_AC_EXPAND(LXCROOTFSMOUNT, "$with_rootfs_path")
>  AS_AC_EXPAND(LXCTEMPLATEDIR, "$datadir/lxc/templates")
> +AS_AC_EXPAND(LXCHOOKDIR, "$datadir/lxc/hooks")
>  AS_AC_EXPAND(LXCINITDIR, "$libexecdir")
>  AS_AC_EXPAND(LOGPATH, "$with_log_path")
>  
> @@ -350,6 +351,8 @@ AC_CONFIG_FILES([
>  	doc/examples/lxc-veth.conf
>  	doc/examples/lxc-complex.conf
>  
> +	hooks/Makefile
> +
>  	templates/Makefile
>  	templates/lxc-lenny
>  	templates/lxc-debian
> diff --git a/hooks/Makefile.am b/hooks/Makefile.am
> new file mode 100644
> index 0000000..4fc20ac
> --- /dev/null
> +++ b/hooks/Makefile.am
> @@ -0,0 +1,5 @@
> +hooksdir=@LXCHOOKDIR@
> +
> +hooks_SCRIPTS = \
> +	mountcgroups \
> +	mountecryptfsroot
> diff --git a/hooks/mountcgroups b/hooks/mountcgroups
> new file mode 100755
> index 0000000..8250ae9
> --- /dev/null
> +++ b/hooks/mountcgroups
> @@ -0,0 +1,42 @@
> +#!/bin/bash
> +
> +# (C) Copyright Canonical 2011,2012
> +
> +# This library is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU Lesser General Public
> +# License as published by the Free Software Foundation; either
> +# version 2.1 of the License, or (at your option) any later version.
> +
> +# This library is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +# Lesser General Public License for more details.
> +
> +# You should have received a copy of the GNU Lesser General Public
> +# License along with this library; if not, write to the Free Software
> +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> +
> +#
> +# This is an example hook to mount all mounted cgroups in the
> +# container.  Only the container's own cgroup (not parents) will be
> +# accessible to the container.  You can enable this by adding
> +# lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
> +# to your container's configuration file.
> +
> +set -e
> +
> +c=$1
> +d=/sys/fs/cgroup
> +d2=$LXC_ROOTFS_MOUNT/${d}
> +if [ ! -d "$d" ]; then
> +    exit 0
> +fi
> +
> +mount -n -t tmpfs tmpfs ${d2}
> +
> +for dir in `/bin/ls $d`; do
> +    mkdir -p "${d}/${dir}/lxc/${c}/${c}.real"
> +    echo 1 > "${d}/${dir}/lxc/${c}/${c}.real/tasks"
> +    mkdir -p ${d2}/${dir}
> +    mount -n --bind "${d}/${dir}/lxc/${c}/${c}.real" "${d2}/${dir}"
> +done
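Review bot: `d2=$LXC_ROOTFS_MOUNT/${d}` is used without checking that LXC_ROOTFS_MOUNT is set, so with an empty value `d2` becomes `//sys/fs/cgroup` and the tmpfs mount covers the live cgroup tree instead of the copy under the container rootfs; adding `: "${LXC_ROOTFS_MOUNT:?not set}"` after `set -e` makes the hook fail closed. `${d2}` is also unquoted in `mount -n -t tmpfs tmpfs ${d2}` and `mkdir -p ${d2}/${dir}`, and the loop word-splits the output of `/bin/ls $d`, which `for p in "$d"/*; do dir=${p##*/}` would avoid. The container name from `$1` goes into paths under /sys/fs/cgroup unchecked; if a name can contain `/` or `..` (not visible here), the `mkdir -p` and the write to `tasks` would land outside `lxc/<name>`, so a guard such as `case "$c" in ''|*/*|.|..) exit 1;; esac` is worth adding.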
> diff --git a/hooks/mountecryptfsroot b/hooks/mountecryptfsroot
> new file mode 100755
> index 0000000..f3cb0fb
> --- /dev/null
> +++ b/hooks/mountecryptfsroot
> @@ -0,0 +1,50 @@
> +#!/bin/sh
> +
> +# (C) Copyright Canonical 2011-2013
> +
> +# This library is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU Lesser General Public
> +# License as published by the Free Software Foundation; either
> +# version 2.1 of the License, or (at your option) any later version.
> +
> +# This library is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> +# Lesser General Public License for more details.
> +
> +# You should have received a copy of the GNU Lesser General Public
> +# License along with this library; if not, write to the Free Software
> +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> +
> +# This hook can be used to mount an ecryptfs filesystem as a container's
> +# rootfs.
> +# To use this hook, assuming your container is called q1,
> +#  1. add 'lxc.hook.pre-mount = /usr/share/lxc/hooks/mountecryptfsroot' to
> +#     the container's configuration file
> +#  2. Create /var/lib/lxc/q1/ecryptfs-root
> +#     a. mkdir /var/lib/lxc/q1/ecryptfs-root
> +#  3. convert your container's root filesystem to be ecryptfs-backed.  Assuming
> +#     your container is called 'q1', do
> +#     a. c=q1
> +#     b. mv /var/lib/lxc/$c/rootfs /var/lib/lxc/$c/rootfs.plain
> +#     c. mkdir /var/lib/lxc/$c/rootfs{,.crypt}
> +#     d. sig=`echo none | ecryptfs-add-passphrase | grep -v Passphrase | cut -d[ -f 2 | cut -d] -f 1`
> +#     e. echo $sig > /var/lib/lxc/$c/sig
> +#     f. mount -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 /var/lib/lxc/$c/rootfs.crypt /var/lib/lxc/$c/rootfs
> +#     g. rsync -va /var/lib/lxc/$c/rootfs.plain/ /var/lib/lxc/$c/rootfs/
> +#     h. umount /var/lib/lxc/$c/rootfs
> +#     i. rm -rf /var/lib/lxc/$c/rootfs.plain
> +#  4. Now you can start your container by adding the passphrase to your
> +#     in-kernel keyring using 'ecryptfs-add-passphrase', then starting your
> +#     container as normal.
> +#     a. echo none | ecryptfs-add-passphrase
> +#     b. lxc-start -n q1
> +#  Note that you may well want to use a wrapped passhrase (see the ecryptfs-wrap-passphrase(1) manual page).
> +
> +set -e
> +ecryptfs_crypt=$(echo $LXC_ROOTFS_PATH | sed 's/rootfs$/rootfs.crypt/')
> +sigfile=$(echo $LXC_CONFIG_FILE | sed 's/config$/sig/')
> +
> +sig=`cat $sigfile`
> +mount -n -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 $ecryptfs_crypt $LXC_ROOTFS_PATH
> +exit 0
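Review bot: The content of the sig file is spliced into the `-o` option string of `mount` without any check, so a file holding a comma or whitespace would add or change mount options or arguments; an ecryptfs key signature is a hex string, so the hook should reject anything else before mounting. The expansions of `$LXC_ROOTFS_PATH`, `$LXC_CONFIG_FILE`, `$sigfile` and `$ecryptfs_crypt` are unquoted as well and break on paths containing spaces or glob characters. If the rootfs path does not end in `rootfs`, the `sed` leaves it unchanged and the mount would get the same directory as source and target, which may deserve an explicit check. The usage comment's `echo none | ecryptfs-add-passphrase` would also benefit from a remark that `none` is a sample passphrase to be replaced.

```sh
# … unchanged: licence header and usage comment …
set -e
ecryptfs_crypt=$(printf '%s\n' "$LXC_ROOTFS_PATH" | sed 's/rootfs$/rootfs.crypt/')
sigfile=$(printf '%s\n' "$LXC_CONFIG_FILE" | sed 's/config$/sig/')

sig=$(cat "$sigfile")
# The signature ends up inside the -o option list, so accept hex digits only.
case "$sig" in
    ''|*[!0-9a-fA-F]*)
        echo "mountecryptfsroot: unexpected content in $sigfile" >&2
        exit 1
        ;;
esac
mount -n -t ecryptfs -o "ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0" "$ecryptfs_crypt" "$LXC_ROOTFS_PATH"
```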
> -- 
> 1.8.1.2
> 
> 



