[lxc-devel] [Lxc-users] Working LXC templates?

[Natanael Copa]

On Wed, 04 Sep 2013 09:40:49 -0400
"Michael H. Warfield" <mhw at WittsEnd.com> wrote:
 
> I do think it is an issue with the whole "distribution agnostic
> template" problem that may require some help from the distros or some
> innovative ideas of how we can bootstrap distros using distro agnostic
> tools (like stone knives and bear skins style install of the rootfs
> using nothing more than tar, gzip, gpg, and curl or wget).

This would be very nice. I have not had success with any templates
except the debian on Alpine Linux. Debian works because we build a
debootstrap package. Ubuntu template did not work because it uses
'arch' command which we don't have. (ok, should be trivial to implement
if we want it bad enough - and I haven't tested current git templates)

However, the alpine template in current git should work on any distro.

Here is what we do:
* download static apk-tools (package manager) and the package with the
  public keys used for package signature checking.

* unpack the the package manager and public keys package with tar.  The
  package format is basically .tar.gz with some files in the beginning
  with metadata, so the .apk files can be extracted with tar -zx.

* verify that the public keys are unmodified against a sha256 sum that
  is embedded in the template script.

* verify that the static binary is unmodified using the public key and
  openssl. The apk-tools-static package includes a signature for the
  static binary.

* use the verified static package manager to install a rootfs. The
  package manager will use the previously downloaded pub keys.

This should work on any x86/x86_64 distro with tar, gzip, openssl and
wget.


-nc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20130904/6936312f/attachment.pgp>