[lxc-devel] [PATCH] templates: Refuse to run unprivileged
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Feb 4 18:57:26 UTC 2014
Quoting Stéphane Graber (stgraber at ubuntu.com):
> Only the download and ubuntu-cloud templates work with unprivileged
> containers, for all others, detect --mapped-uid and error out as early
> as possible, recommending the use of the download template.
>
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> ---
> templates/lxc-alpine.in | 9 +++++++++
> templates/lxc-altlinux.in | 9 +++++++++
> templates/lxc-archlinux.in | 9 +++++++++
> templates/lxc-busybox.in | 9 +++++++++
> templates/lxc-centos.in | 9 +++++++++
> templates/lxc-cirros.in | 10 ++++++++++
> templates/lxc-debian.in | 9 +++++++++
> templates/lxc-fedora.in | 9 +++++++++
> templates/lxc-gentoo.in | 9 +++++++++
> templates/lxc-openmandriva.in | 9 +++++++++
> templates/lxc-opensuse.in | 9 +++++++++
> templates/lxc-oracle.in | 9 +++++++++
> templates/lxc-plamo.in | 9 +++++++++
> templates/lxc-sshd.in | 9 +++++++++
> templates/lxc-ubuntu.in | 9 +++++++++
> 15 files changed, 136 insertions(+)
>
> diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
> index 70da08d..232f54b 100644
> --- a/templates/lxc-alpine.in
> +++ b/templates/lxc-alpine.in
> @@ -1,5 +1,14 @@
> #!/bin/bash
>
> +# Detect use under userns (unsupported)
> +for arg in $*; do
> + if [ "$arg" == "--mapped-uid" ]; then
> + echo "This template can't be used for unprivileged containers." 1>&2
> + echo "You may want to try the \"download\" template instead." 1>&2
> + exit 1
> + fi
> +done
> +
> key_sha256sums="9c102bcc376af1498d549b77bdbfa815ae86faa1d2d82f040e616b18ef2df2d4 alpine-devel at lists.alpinelinux.org-4a6a0840.rsa.pub
> 2adcf7ce224f476330b5360ca5edb92fd0bf91c92d83292ed028d7c4e26333ab alpine-devel at lists.alpinelinux.org-4d07755e.rsa.pub"
>
> diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in
> index 1a586d8..385465c 100644
> --- a/templates/lxc-altlinux.in
> +++ b/templates/lxc-altlinux.in
> @@ -24,6 +24,15 @@
> # License along with this library; if not, write to the Free Software
> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>
> +# Detect use under userns (unsupported)
> +for arg in $*; do
> + if [ "$arg" == "--mapped-uid" ]; then
> + echo "This template can't be used for unprivileged containers." 1>&2
> + echo "You may want to try the \"download\" template instead." 1>&2
> + exit 1
> + fi
> +done
> +
> #Configurations
> arch=$(uname -m)
> cache_base=@LOCALSTATEDIR@/cache/lxc/altlinux/$arch
> diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
> index 82c4fcb..d394816 100755
> --- a/templates/lxc-archlinux.in
> +++ b/templates/lxc-archlinux.in
> @@ -25,6 +25,15 @@
> # License along with this library; if not, write to the Free Software
> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>
> +# Detect use under userns (unsupported)
> +for arg in $*; do
> + if [ "$arg" == "--mapped-uid" ]; then
> + echo "This template can't be used for unprivileged containers." 1>&2
> + echo "You may want to try the \"download\" template instead." 1>&2
> + exit 1
> + fi
> +done
> +
> # defaults
> arch=$(uname -m)
> lxc_network_type="veth"
> diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> index 3568c0c..f4aa6c4 100644
> --- a/templates/lxc-busybox.in
> +++ b/templates/lxc-busybox.in
> @@ -20,6 +20,15 @@
> # License along with this library; if not, write to the Free Software
> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>
> +# Detect use under userns (unsupported)
> +for arg in $*; do
> + if [ "$arg" == "--mapped-uid" ]; then
> + echo "This template can't be used for unprivileged containers." 1>&2
> + echo "You may want to try the \"download\" template instead." 1>&2
> + exit 1
> + fi
> +done
> +
> am_in_userns() {
> [ -e /proc/self/uid_map ] || { echo no; return; }
> [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || { echo yes; return; }
> diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in
> index f5f6e53..1fce0e3 100644
> --- a/templates/lxc-centos.in
> +++ b/templates/lxc-centos.in
> @@ -72,6 +72,15 @@ lxc_network_link=lxcbr0
> # This may be in /etc/os-release or /etc/system-release-cpe. We
> # should be able to use EITHER. Give preference to /etc/os-release for now.
>
> +# Detect use under userns (unsupported)
> +for arg in $*; do
> + if [ "$arg" == "--mapped-uid" ]; then
> + echo "This template can't be used for unprivileged containers." 1>&2
> + echo "You may want to try the \"download\" template instead." 1>&2
> + exit 1
> + fi
> +done
> +
> if [ -e /etc/os-release ]
> then
> # This is a shell friendly configuration file. We can just source it.
> diff --git a/templates/lxc-cirros.in b/templates/lxc-cirros.in
> index 2550956..519013f 100644
> --- a/templates/lxc-cirros.in
> +++ b/templates/lxc-cirros.in
> @@ -20,6 +20,16 @@
> # You should have received a copy of the GNU General Public License along
> # with this program; if not, write to the Free Software Foundation, Inc.,
> # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> +
> +# Detect use under userns (unsupported)
> +for arg in $*; do
> + if [ "$arg" == "--mapped-uid" ]; then
> + echo "This template can't be used for unprivileged containers." 1>&2
> + echo "You may want to try the \"download\" template instead." 1>&2
> + exit 1
> + fi
> +done
> +
> VERBOSITY=0
> DOWNLOAD_URL="http://download.cirros-cloud.net/"
> CACHE_D="@LOCALSTATEDIR@/cache/lxc/cirros"
> diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
> index 5d41396..376e30d 100644
> --- a/templates/lxc-debian.in
> +++ b/templates/lxc-debian.in
> @@ -20,6 +20,15 @@
> # License along with this library; if not, write to the Free Software
> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>
> +# Detect use under userns (unsupported)
> +for arg in $*; do
> + if [ "$arg" == "--mapped-uid" ]; then
> + echo "This template can't be used for unprivileged containers." 1>&2
> + echo "You may want to try the \"download\" template instead." 1>&2
> + exit 1
> + fi
> +done
> +
> MIRROR=${MIRROR:-http://cdn.debian.net/debian}
> LOCALSTATEDIR="@LOCALSTATEDIR@"
> LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
> diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> index 2230b5c..b8a2339 100644
> --- a/templates/lxc-fedora.in
> +++ b/templates/lxc-fedora.in
> @@ -72,6 +72,15 @@ lxc_network_link=lxcbr0
> # This may be in /etc/os-release or /etc/system-release-cpe. We
> # should be able to use EITHER. Give preference to /etc/os-release for now.
>
> +# Detect use under userns (unsupported)
> +for arg in $*; do
> + if [ "$arg" == "--mapped-uid" ]; then
> + echo "This template can't be used for unprivileged containers." 1>&2
> + echo "You may want to try the \"download\" template instead." 1>&2
> + exit 1
> + fi
> +done
> +
> if [ -e /etc/os-release ]
> then
> # This is a shell friendly configuration file. We can just source it.
> diff --git a/templates/lxc-gentoo.in b/templates/lxc-gentoo.in
> index 0fd392e..dff146e 100644
> --- a/templates/lxc-gentoo.in
> +++ b/templates/lxc-gentoo.in
> @@ -13,6 +13,15 @@
> # - ready to use cache
> #
>
> +# Detect use under userns (unsupported)
> +for arg in $*; do
> + if [ "$arg" == "--mapped-uid" ]; then
> + echo "This template can't be used for unprivileged containers." 1>&2
> + echo "You may want to try the \"download\" template instead." 1>&2
> + exit 1
> + fi
> +done
> +
> # Ensure strict root's umask doesen't render the VM unusable
> umask 022
>
> diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in
> index eddaad0..e5d2b1c 100644
> --- a/templates/lxc-openmandriva.in
> +++ b/templates/lxc-openmandriva.in
> @@ -26,6 +26,15 @@
> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> #
>
> +# Detect use under userns (unsupported)
> +for arg in $*; do
> + if [ "$arg" == "--mapped-uid" ]; then
> + echo "This template can't be used for unprivileged containers." 1>&2
> + echo "You may want to try the \"download\" template instead." 1>&2
> + exit 1
> + fi
> +done
> +
> #Configurations
> #distro=cooker
> hostarch=$(uname -m)
> diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
> index 89ae8bd..fb21864 100644
> --- a/templates/lxc-opensuse.in
> +++ b/templates/lxc-opensuse.in
> @@ -25,6 +25,15 @@
> # License along with this library; if not, write to the Free Software
> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>
> +# Detect use under userns (unsupported)
> +for arg in $*; do
> + if [ "$arg" == "--mapped-uid" ]; then
> + echo "This template can't be used for unprivileged containers." 1>&2
> + echo "You may want to try the \"download\" template instead." 1>&2
> + exit 1
> + fi
> +done
> +
> DISTRO=12.3
>
> configure_opensuse()
> diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
> index 40fe5c0..c114ad8 100644
> --- a/templates/lxc-oracle.in
> +++ b/templates/lxc-oracle.in
> @@ -27,6 +27,15 @@
> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> #
>
> +# Detect use under userns (unsupported)
> +for arg in $*; do
> + if [ "$arg" == "--mapped-uid" ]; then
> + echo "This template can't be used for unprivileged containers." 1>&2
> + echo "You may want to try the \"download\" template instead." 1>&2
> + exit 1
> + fi
> +done
> +
> # use virbr0 that is setup by default by libvirtd
> lxc_network_type=veth
> lxc_network_link=virbr0
> diff --git a/templates/lxc-plamo.in b/templates/lxc-plamo.in
> index dd8d29b..e9f681e 100644
> --- a/templates/lxc-plamo.in
> +++ b/templates/lxc-plamo.in
> @@ -28,6 +28,15 @@
> # ref. https://github.com/Ponce/lxc-slackware/blob/master/lxc-slackware
> # lxc-ubuntu script
>
> +# Detect use under userns (unsupported)
> +for arg in $*; do
> + if [ "$arg" == "--mapped-uid" ]; then
> + echo "This template can't be used for unprivileged containers." 1>&2
> + echo "You may want to try the \"download\" template instead." 1>&2
> + exit 1
> + fi
> +done
> +
> [ -r /etc/default/lxc ] && . /etc/default/lxc
>
> DLSCHEME=${DLSCHEME:-"http"}
> diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
> index 74467bb..397a388 100644
> --- a/templates/lxc-sshd.in
> +++ b/templates/lxc-sshd.in
> @@ -20,6 +20,15 @@
> # License along with this library; if not, write to the Free Software
> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>
> +# Detect use under userns (unsupported)
> +for arg in $*; do
> + if [ "$arg" == "--mapped-uid" ]; then
> + echo "This template can't be used for unprivileged containers." 1>&2
> + echo "You may want to try the \"download\" template instead." 1>&2
> + exit 1
> + fi
> +done
> +
> install_sshd()
> {
> rootfs=$1
> diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> index 88e7c9c..b7f9777 100644
> --- a/templates/lxc-ubuntu.in
> +++ b/templates/lxc-ubuntu.in
> @@ -24,6 +24,15 @@
> # License along with this library; if not, write to the Free Software
> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>
> +# Detect use under userns (unsupported)
> +for arg in $*; do
> + if [ "$arg" == "--mapped-uid" ]; then
> + echo "This template can't be used for unprivileged containers." 1>&2
> + echo "You may want to try the \"download\" template instead." 1>&2
> + exit 1
> + fi
> +done
> +
> set -e
>
> LOCALSTATEDIR="@LOCALSTATEDIR@"
> --
> 1.9.rc1
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
More information about the lxc-devel
mailing list