[lxc-devel] [PATCH] download: Support nested containers in unpriv
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Feb 17 16:53:14 UTC 2014
Quoting Stéphane Graber (stgraber at ubuntu.com):
> This adds detection for the case where we are root in an unprivileged
> container and then run LXC from there. In this case, we want to download
> to the system location, ignore the missing uid/gid ranges and run
> templates that are userns-ready.
>
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> ---
> templates/lxc-download.in | 61 ++++++++++++++++++++++++++++-------------------
> 1 file changed, 36 insertions(+), 25 deletions(-)
>
> diff --git a/templates/lxc-download.in b/templates/lxc-download.in
> index c231161..6e3237d 100644
> --- a/templates/lxc-download.in
> +++ b/templates/lxc-download.in
> @@ -21,37 +21,38 @@
>
> set -eu
>
> -LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
> -LXC_HOOK_DIR="@LXCHOOKDIR@"
> LOCALSTATEDIR="@LOCALSTATEDIR@"
> +LXC_HOOK_DIR="@LXCHOOKDIR@"
> +LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
>
> # Defaults
> -DOWNLOAD_DIST=
> -DOWNLOAD_RELEASE=
> DOWNLOAD_ARCH=
> -DOWNLOAD_VARIANT="default"
> -DOWNLOAD_SERVER="images.linuxcontainers.org"
> -DOWNLOAD_KEYID="0xBAEFF88C22F6E216"
> -DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net"
> -DOWNLOAD_VALIDATE="true"
> +DOWNLOAD_BUILD=
> +DOWNLOAD_COMPAT_LEVEL=1
> +DOWNLOAD_DIST=
> DOWNLOAD_FLUSH_CACHE="false"
> DOWNLOAD_FORCE_CACHE="false"
> +DOWNLOAD_INTERACTIVE="false"
> +DOWNLOAD_KEYID="0xBAEFF88C22F6E216"
> +DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net"
> +DOWNLOAD_LIST_IMAGES="false"
> DOWNLOAD_MODE="system"
> -DOWNLOAD_USE_CACHE="false"
> -DOWNLOAD_URL=
> -DOWNLOAD_SHOW_HTTP_WARNING="true"
> -DOWNLOAD_SHOW_GPG_WARNING="true"
> DOWNLOAD_READY_GPG="false"
> -DOWNLOAD_COMPAT_LEVEL=1
> -DOWNLOAD_LIST_IMAGES="false"
> -DOWNLOAD_BUILD=
> -DOWNLOAD_INTERACTIVE="false"
> +DOWNLOAD_RELEASE=
> +DOWNLOAD_SERVER="images.linuxcontainers.org"
> +DOWNLOAD_SHOW_GPG_WARNING="true"
> +DOWNLOAD_SHOW_HTTP_WARNING="true"
> +DOWNLOAD_TARGET="system"
> +DOWNLOAD_URL=
> +DOWNLOAD_USE_CACHE="false"
> +DOWNLOAD_VALIDATE="true"
> +DOWNLOAD_VARIANT="default"
>
> +LXC_MAPPED_GID=
> +LXC_MAPPED_UID=
> LXC_NAME=
> LXC_PATH=
> LXC_ROOTFS=
> -LXC_MAPPED_UID=
> -LXC_MAPPED_GID=
>
> # Deal with GPG over http proxy
> if [ -n "${http_proxy:-}" ]; then
> @@ -141,6 +142,8 @@ gpg_validate() {
>
> in_userns() {
> [ -e /proc/self/uid_map ] || { echo no; return; }
> + [ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && \
> + { echo host; return; }
> [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || \
> { echo yes; return; }
> line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map)
> @@ -245,12 +248,20 @@ if [ -z "$LXC_NAME" ] || [ -z "$LXC_PATH" ] || [ -z "$LXC_ROOTFS" ]; then
> exit 1
> fi
>
> -if [ "$(in_userns)" = "yes" ]; then
> - if [ -z "$LXC_MAPPED_UID" ] || [ "$LXC_MAPPED_UID" = "-1" ]; then
> - echo "ERROR: In a user namespace without a map." 1>&2
> - exit 1
> +USERNS=$(in_userns)
> +
> +if [ "$USERNS" != "no" ]; then
> + if [ "$USERNS" = "yes" ]; then
> + if [ -z "$LXC_MAPPED_UID" ] || [ "$LXC_MAPPED_UID" = "-1" ]; then
> + echo "ERROR: In a user namespace without a map." 1>&2
> + exit 1
> + fi
> + DOWNLOAD_MODE="user"
> + DOWNLOAD_TARGET="user"
> + else
> + DOWNLOAD_MODE="user"
> + DOWNLOAD_TARGET="system"
> fi
> - DOWNLOAD_MODE="user"
> fi
>
> if [ -z "$DOWNLOAD_DIST" ] || [ -z "$DOWNLOAD_RELEASE" ] || \
> @@ -337,7 +348,7 @@ if [ "$DOWNLOAD_LIST_IMAGES" = "true" ] || \
> fi
>
> # Setup the cache
> -if [ "$DOWNLOAD_MODE" = "system" ]; then
> +if [ "$DOWNLOAD_TARGET" = "system" ]; then
> LXC_CACHE_BASE="$LOCALSTATEDIR/cache/lxc/"
> else
> LXC_CACHE_BASE="$HOME/.cache/lxc/"
> --
> 1.9.rc1
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
More information about the lxc-devel
mailing list