[lxc-devel] [PATCH] download: Support nested containers in unpriv

Serge Hallyn serge.hallyn at ubuntu.com
Mon Feb 17 16:53:14 UTC 2014


Quoting Stéphane Graber (stgraber at ubuntu.com):
> This adds detection for the case where we are root in an unprivileged
> container and then run LXC from there. In this case, we want to download
> to the system location, ignore the missing uid/gid ranges and run
> templates that are userns-ready.
> 
> Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

> ---
>  templates/lxc-download.in | 61 ++++++++++++++++++++++++++++-------------------
>  1 file changed, 36 insertions(+), 25 deletions(-)
> 
> diff --git a/templates/lxc-download.in b/templates/lxc-download.in
> index c231161..6e3237d 100644
> --- a/templates/lxc-download.in
> +++ b/templates/lxc-download.in
> @@ -21,37 +21,38 @@
>  
>  set -eu
>  
> -LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
> -LXC_HOOK_DIR="@LXCHOOKDIR@"
>  LOCALSTATEDIR="@LOCALSTATEDIR@"
> +LXC_HOOK_DIR="@LXCHOOKDIR@"
> +LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
>  
>  # Defaults
> -DOWNLOAD_DIST=
> -DOWNLOAD_RELEASE=
>  DOWNLOAD_ARCH=
> -DOWNLOAD_VARIANT="default"
> -DOWNLOAD_SERVER="images.linuxcontainers.org"
> -DOWNLOAD_KEYID="0xBAEFF88C22F6E216"
> -DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net"
> -DOWNLOAD_VALIDATE="true"
> +DOWNLOAD_BUILD=
> +DOWNLOAD_COMPAT_LEVEL=1
> +DOWNLOAD_DIST=
>  DOWNLOAD_FLUSH_CACHE="false"
>  DOWNLOAD_FORCE_CACHE="false"
> +DOWNLOAD_INTERACTIVE="false"
> +DOWNLOAD_KEYID="0xBAEFF88C22F6E216"
> +DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net"
> +DOWNLOAD_LIST_IMAGES="false"
>  DOWNLOAD_MODE="system"
> -DOWNLOAD_USE_CACHE="false"
> -DOWNLOAD_URL=
> -DOWNLOAD_SHOW_HTTP_WARNING="true"
> -DOWNLOAD_SHOW_GPG_WARNING="true"
>  DOWNLOAD_READY_GPG="false"
> -DOWNLOAD_COMPAT_LEVEL=1
> -DOWNLOAD_LIST_IMAGES="false"
> -DOWNLOAD_BUILD=
> -DOWNLOAD_INTERACTIVE="false"
> +DOWNLOAD_RELEASE=
> +DOWNLOAD_SERVER="images.linuxcontainers.org"
> +DOWNLOAD_SHOW_GPG_WARNING="true"
> +DOWNLOAD_SHOW_HTTP_WARNING="true"
> +DOWNLOAD_TARGET="system"
> +DOWNLOAD_URL=
> +DOWNLOAD_USE_CACHE="false"
> +DOWNLOAD_VALIDATE="true"
> +DOWNLOAD_VARIANT="default"
>  
> +LXC_MAPPED_GID=
> +LXC_MAPPED_UID=
>  LXC_NAME=
>  LXC_PATH=
>  LXC_ROOTFS=
> -LXC_MAPPED_UID=
> -LXC_MAPPED_GID=
>  
>  # Deal with GPG over http proxy
>  if [ -n "${http_proxy:-}" ]; then
> @@ -141,6 +142,8 @@ gpg_validate() {
>  
>  in_userns() {
>      [ -e /proc/self/uid_map ] || { echo no; return; }
> +    [ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && \
> +        { echo host; return; }
>      [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || \
>          { echo yes; return; }
>      line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map)
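Review bot: The added comparison against `/proc/1/uid_map` runs before the existing single-line and identity-map checks in in_userns, so a real host root, whose own map and pid 1's map are presumably both `0 0 4294967295`, now hits the new line first and is reported as "host" rather than whatever the later comparison returned before; if the intent is only to catch root inside an unprivileged container, move the two new lines below the identity-map test so bare-host root keeps its old classification. The check also looks at uid_map only, so a nested root whose gid_map differs from pid 1's would still be classed as host; comparing `/proc/self/gid_map` with `/proc/1/gid_map` in the same test is cheap. A short comment would make the meaning of the new value explicit, e.g. `# Same user namespace as our pid 1: the real host, or root inside an unprivileged container (nested case).`. in_userns continues past the end of the hunk.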
> @@ -245,12 +248,20 @@ if [ -z "$LXC_NAME" ] || [ -z "$LXC_PATH" ] || [ -z "$LXC_ROOTFS" ]; then
>      exit 1
>  fi
>  
> -if [ "$(in_userns)" = "yes" ]; then
> -    if [ -z "$LXC_MAPPED_UID" ] || [ "$LXC_MAPPED_UID" = "-1" ]; then
> -        echo "ERROR: In a user namespace without a map." 1>&2
> -        exit 1
> +USERNS=$(in_userns)
> +
> +if [ "$USERNS" != "no" ]; then
> +    if [ "$USERNS" = "yes" ]; then
> +        if [ -z "$LXC_MAPPED_UID" ] || [ "$LXC_MAPPED_UID" = "-1" ]; then
> +            echo "ERROR: In a user namespace without a map." 1>&2
> +            exit 1
> +        fi
> +        DOWNLOAD_MODE="user"
> +        DOWNLOAD_TARGET="user"
> +    else
> +        DOWNLOAD_MODE="user"
> +        DOWNLOAD_TARGET="system"
>      fi
> -    DOWNLOAD_MODE="user"
>  fi
>  
>  if [ -z "$DOWNLOAD_DIST" ] || [ -z "$DOWNLOAD_RELEASE" ] || \
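Review bot: The `else` branch of the new block is reached by every in_userns output other than "no" and "yes", so an unexpected value (an empty string if a read inside in_userns fails under `set -eu`, or a future fourth state) is silently treated as root-in-nested-container and the download goes to the system cache under $LOCALSTATEDIR. Matching the value explicitly keeps such a case visible: `elif [ "$USERNS" = "host" ]; then` for the system-target branch, with a final `else` that prints `ERROR: unknown user namespace state: $USERNS` to stderr and exits 1. A one-line comment on that branch would also help a reader who has not seen the commit message, e.g. `# Root in an unprivileged container: no uid/gid map to apply here, but the image must still be userns-ready, so use user mode against the system cache.`.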
> @@ -337,7 +348,7 @@ if [ "$DOWNLOAD_LIST_IMAGES" = "true" ] || \
>  fi
>  
>  # Setup the cache
> -if [ "$DOWNLOAD_MODE" = "system" ]; then
> +if [ "$DOWNLOAD_TARGET" = "system" ]; then
>      LXC_CACHE_BASE="$LOCALSTATEDIR/cache/lxc/"
>  else
>      LXC_CACHE_BASE="$HOME/.cache/lxc/"
> -- 
> 1.9.rc1
> 