[lxc-devel] [PATCH] templates: Refuse to run unprivileged
Stéphane Graber
stgraber at ubuntu.com
Tue Feb 4 16:17:01 UTC 2014
Only the download and ubuntu-cloud templates work with unprivileged
containers, for all others, detect --mapped-uid and error out as early
as possible, recommending the use of the download template.
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
templates/lxc-alpine.in | 9 +++++++++
templates/lxc-altlinux.in | 9 +++++++++
templates/lxc-archlinux.in | 9 +++++++++
templates/lxc-busybox.in | 9 +++++++++
templates/lxc-centos.in | 9 +++++++++
templates/lxc-cirros.in | 10 ++++++++++
templates/lxc-debian.in | 9 +++++++++
templates/lxc-fedora.in | 9 +++++++++
templates/lxc-gentoo.in | 9 +++++++++
templates/lxc-openmandriva.in | 9 +++++++++
templates/lxc-opensuse.in | 9 +++++++++
templates/lxc-oracle.in | 9 +++++++++
templates/lxc-plamo.in | 9 +++++++++
templates/lxc-sshd.in | 9 +++++++++
templates/lxc-ubuntu.in | 9 +++++++++
15 files changed, 136 insertions(+)
diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
index 70da08d..232f54b 100644
--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
@@ -1,5 +1,14 @@
#!/bin/bash
+# Detect use under userns (unsupported)
+for arg in $*; do
+ if [ "$arg" == "--mapped-uid" ]; then
+ echo "This template can't be used for unprivileged containers." 1>&2
+ echo "You may want to try the \"download\" template instead." 1>&2
+ exit 1
+ fi
+done
+
key_sha256sums="9c102bcc376af1498d549b77bdbfa815ae86faa1d2d82f040e616b18ef2df2d4 alpine-devel at lists.alpinelinux.org-4a6a0840.rsa.pub
2adcf7ce224f476330b5360ca5edb92fd0bf91c92d83292ed028d7c4e26333ab alpine-devel at lists.alpinelinux.org-4d07755e.rsa.pub"
diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in
index 1a586d8..385465c 100644
--- a/templates/lxc-altlinux.in
+++ b/templates/lxc-altlinux.in
@@ -24,6 +24,15 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+# Detect use under userns (unsupported)
+for arg in $*; do
+ if [ "$arg" == "--mapped-uid" ]; then
+ echo "This template can't be used for unprivileged containers." 1>&2
+ echo "You may want to try the \"download\" template instead." 1>&2
+ exit 1
+ fi
+done
+
#Configurations
arch=$(uname -m)
cache_base=@LOCALSTATEDIR@/cache/lxc/altlinux/$arch
diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
index 82c4fcb..d394816 100755
--- a/templates/lxc-archlinux.in
+++ b/templates/lxc-archlinux.in
@@ -25,6 +25,15 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+# Detect use under userns (unsupported)
+for arg in $*; do
+ if [ "$arg" == "--mapped-uid" ]; then
+ echo "This template can't be used for unprivileged containers." 1>&2
+ echo "You may want to try the \"download\" template instead." 1>&2
+ exit 1
+ fi
+done
+
# defaults
arch=$(uname -m)
lxc_network_type="veth"
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 3568c0c..f4aa6c4 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -20,6 +20,15 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+# Detect use under userns (unsupported)
+for arg in $*; do
+ if [ "$arg" == "--mapped-uid" ]; then
+ echo "This template can't be used for unprivileged containers." 1>&2
+ echo "You may want to try the \"download\" template instead." 1>&2
+ exit 1
+ fi
+done
+
am_in_userns() {
[ -e /proc/self/uid_map ] || { echo no; return; }
[ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || { echo yes; return; }
diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
index f5f6e53..1fce0e3 100644
--- a/templates/lxc-centos.in
+++ b/templates/lxc-centos.in
@@ -72,6 +72,15 @@ lxc_network_link=lxcbr0
# This may be in /etc/os-release or /etc/system-release-cpe. We
# should be able to use EITHER. Give preference to /etc/os-release for now.
+# Detect use under userns (unsupported)
+for arg in $*; do
+ if [ "$arg" == "--mapped-uid" ]; then
+ echo "This template can't be used for unprivileged containers." 1>&2
+ echo "You may want to try the \"download\" template instead." 1>&2
+ exit 1
+ fi
+done
+
if [ -e /etc/os-release ]
then
# This is a shell friendly configuration file. We can just source it.
diff --git a/templates/lxc-cirros.in b/templates/lxc-cirros.in
index 2550956..519013f 100644
--- a/templates/lxc-cirros.in
+++ b/templates/lxc-cirros.in
@@ -20,6 +20,16 @@
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+# Detect use under userns (unsupported)
+for arg in $*; do
+ if [ "$arg" == "--mapped-uid" ]; then
+ echo "This template can't be used for unprivileged containers." 1>&2
+ echo "You may want to try the \"download\" template instead." 1>&2
+ exit 1
+ fi
+done
+
VERBOSITY=0
DOWNLOAD_URL="http://download.cirros-cloud.net/"
CACHE_D="@LOCALSTATEDIR@/cache/lxc/cirros"
diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index 5d41396..376e30d 100644
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -20,6 +20,15 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+# Detect use under userns (unsupported)
+for arg in $*; do
+ if [ "$arg" == "--mapped-uid" ]; then
+ echo "This template can't be used for unprivileged containers." 1>&2
+ echo "You may want to try the \"download\" template instead." 1>&2
+ exit 1
+ fi
+done
+
MIRROR=${MIRROR:-http://cdn.debian.net/debian}
LOCALSTATEDIR="@LOCALSTATEDIR@"
LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index 2230b5c..b8a2339 100644
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -72,6 +72,15 @@ lxc_network_link=lxcbr0
# This may be in /etc/os-release or /etc/system-release-cpe. We
# should be able to use EITHER. Give preference to /etc/os-release for now.
+# Detect use under userns (unsupported)
+for arg in $*; do
+ if [ "$arg" == "--mapped-uid" ]; then
+ echo "This template can't be used for unprivileged containers." 1>&2
+ echo "You may want to try the \"download\" template instead." 1>&2
+ exit 1
+ fi
+done
+
if [ -e /etc/os-release ]
then
# This is a shell friendly configuration file. We can just source it.
diff --git a/templates/lxc-gentoo.in b/templates/lxc-gentoo.in
index 0fd392e..dff146e 100644
--- a/templates/lxc-gentoo.in
+++ b/templates/lxc-gentoo.in
@@ -13,6 +13,15 @@
# - ready to use cache
#
+# Detect use under userns (unsupported)
+for arg in $*; do
+ if [ "$arg" == "--mapped-uid" ]; then
+ echo "This template can't be used for unprivileged containers." 1>&2
+ echo "You may want to try the \"download\" template instead." 1>&2
+ exit 1
+ fi
+done
+
# Ensure strict root's umask doesen't render the VM unusable
umask 022
diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in
index eddaad0..e5d2b1c 100644
--- a/templates/lxc-openmandriva.in
+++ b/templates/lxc-openmandriva.in
@@ -26,6 +26,15 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
+# Detect use under userns (unsupported)
+for arg in $*; do
+ if [ "$arg" == "--mapped-uid" ]; then
+ echo "This template can't be used for unprivileged containers." 1>&2
+ echo "You may want to try the \"download\" template instead." 1>&2
+ exit 1
+ fi
+done
+
#Configurations
#distro=cooker
hostarch=$(uname -m)
diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index 89ae8bd..fb21864 100644
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -25,6 +25,15 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+# Detect use under userns (unsupported)
+for arg in $*; do
+ if [ "$arg" == "--mapped-uid" ]; then
+ echo "This template can't be used for unprivileged containers." 1>&2
+ echo "You may want to try the \"download\" template instead." 1>&2
+ exit 1
+ fi
+done
+
DISTRO=12.3
configure_opensuse()
diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
index 40fe5c0..c114ad8 100644
--- a/templates/lxc-oracle.in
+++ b/templates/lxc-oracle.in
@@ -27,6 +27,15 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
+# Detect use under userns (unsupported)
+for arg in $*; do
+ if [ "$arg" == "--mapped-uid" ]; then
+ echo "This template can't be used for unprivileged containers." 1>&2
+ echo "You may want to try the \"download\" template instead." 1>&2
+ exit 1
+ fi
+done
+
# use virbr0 that is setup by default by libvirtd
lxc_network_type=veth
lxc_network_link=virbr0
diff --git a/templates/lxc-plamo.in b/templates/lxc-plamo.in
index dd8d29b..e9f681e 100644
--- a/templates/lxc-plamo.in
+++ b/templates/lxc-plamo.in
@@ -28,6 +28,15 @@
# ref. https://github.com/Ponce/lxc-slackware/blob/master/lxc-slackware
# lxc-ubuntu script
+# Detect use under userns (unsupported)
+for arg in $*; do
+ if [ "$arg" == "--mapped-uid" ]; then
+ echo "This template can't be used for unprivileged containers." 1>&2
+ echo "You may want to try the \"download\" template instead." 1>&2
+ exit 1
+ fi
+done
+
[ -r /etc/default/lxc ] && . /etc/default/lxc
DLSCHEME=${DLSCHEME:-"http"}
diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index 74467bb..397a388 100644
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -20,6 +20,15 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+# Detect use under userns (unsupported)
+for arg in $*; do
+ if [ "$arg" == "--mapped-uid" ]; then
+ echo "This template can't be used for unprivileged containers." 1>&2
+ echo "You may want to try the \"download\" template instead." 1>&2
+ exit 1
+ fi
+done
+
install_sshd()
{
rootfs=$1
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 88e7c9c..b7f9777 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -24,6 +24,15 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+# Detect use under userns (unsupported)
+for arg in $*; do
+ if [ "$arg" == "--mapped-uid" ]; then
+ echo "This template can't be used for unprivileged containers." 1>&2
+ echo "You may want to try the \"download\" template instead." 1>&2
+ exit 1
+ fi
+done
+
set -e
LOCALSTATEDIR="@LOCALSTATEDIR@"
--
1.9.rc1
More information about the lxc-devel
mailing list