[lxc-devel] [lxc/master] Improve lxc-oci.in

flx42 on Github lxc-bot at linuxcontainers.org
Thu Nov 23 02:06:53 UTC 2017 

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 484 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20171123/17ae673b/attachment.bin>
-------------- next part --------------
From 51c80577e0def5cd1be761fa03fe21dce5859754 Mon Sep 17 00:00:00 2001
From: Felix Abecassis <fabecassis at nvidia.com>
Date: Tue, 21 Nov 2017 13:49:25 -0800
Subject: [PATCH 1/7] lxc-oci: support unprivileged umoci unpacking

Signed-off-by: Felix Abecassis <fabecassis at nvidia.com>
---
 templates/lxc-oci.in | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/templates/lxc-oci.in b/templates/lxc-oci.in
index 4c4d10393..dac3eebec 100755
--- a/templates/lxc-oci.in
+++ b/templates/lxc-oci.in
@@ -190,7 +190,11 @@ skopeo copy "${OCI_URL}" "oci:${DOWNLOAD_TEMP}:latest"
 # Unpack the rootfs
 echo "Unpacking the rootfs"
 
-umoci unpack --image "${DOWNLOAD_TEMP}:latest" "${LXC_ROOTFS}.tmp"
+umoci_args=("")
+if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
+    umoci_args+=(--rootless)
+fi
+umoci unpack ${umoci_args[@]} --image "${DOWNLOAD_TEMP}:latest" "${LXC_ROOTFS}.tmp"
 rmdir "${LXC_ROOTFS}"
 mv "${LXC_ROOTFS}.tmp/rootfs" "${LXC_ROOTFS}"
 entrypoint=$(getep ${DOWNLOAD_TEMP} latest)

From bc2c91ae99b4104f49827baeab32a71b5aa21d50 Mon Sep 17 00:00:00 2001
From: Felix Abecassis <fabecassis at nvidia.com>
Date: Tue, 21 Nov 2017 13:49:30 -0800
Subject: [PATCH 2/7] lxc-oci: write /etc/hostname

Signed-off-by: Felix Abecassis <fabecassis at nvidia.com>
---
 templates/lxc-oci.in | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/templates/lxc-oci.in b/templates/lxc-oci.in
index dac3eebec..3a52acd9d 100755
--- a/templates/lxc-oci.in
+++ b/templates/lxc-oci.in
@@ -204,7 +204,11 @@ LXC_CONF_FILE="${LXC_PATH}/config"
 echo "lxc.execute.cmd = '${entrypoint}'" >> "${LXC_CONF_FILE}"
 echo "lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed" >> "${LXC_CONF_FILE}"
 
-echo "lxc.uts.name = ${LXC_NAME}" >> ${LXC_PATH}/config
+echo "lxc.uts.name = ${LXC_NAME}" >> "${LXC_CONF_FILE}"
+# set the hostname
+cat <<EOF > ${LXC_ROOTFS}/etc/hostname
+${LXC_NAME}
+EOF
 
 if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
     chown $LXC_MAPPED_UID $LXC_PATH/config $LXC_PATH/fstab >/dev/null 2>&1 || true

From b5236550572a1289d407c9703e5d42309333c0e0 Mon Sep 17 00:00:00 2001
From: Felix Abecassis <fabecassis at nvidia.com>
Date: Tue, 21 Nov 2017 13:49:33 -0800
Subject: [PATCH 3/7] lxc-oci: write /etc/hosts

Signed-off-by: Felix Abecassis <fabecassis at nvidia.com>
---
 templates/lxc-oci.in | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/templates/lxc-oci.in b/templates/lxc-oci.in
index 3a52acd9d..b26f16088 100755
--- a/templates/lxc-oci.in
+++ b/templates/lxc-oci.in
@@ -210,6 +210,12 @@ cat <<EOF > ${LXC_ROOTFS}/etc/hostname
 ${LXC_NAME}
 EOF
 
+# set minimal hosts
+cat <<EOF > ${LXC_ROOTFS}/etc/hosts
+127.0.0.1   localhost
+127.0.1.1   ${LXC_NAME}
+EOF
+
 if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
     chown $LXC_MAPPED_UID $LXC_PATH/config $LXC_PATH/fstab >/dev/null 2>&1 || true
 fi

From ce59e4ca3185105a76da400139786ac5e9289c69 Mon Sep 17 00:00:00 2001
From: Felix Abecassis <fabecassis at nvidia.com>
Date: Wed, 22 Nov 2017 16:00:53 -0800
Subject: [PATCH 4/7] lxc-oci: add utility function to retrieve the path of the
 config file

Signed-off-by: Felix Abecassis <fabecassis at nvidia.com>
---
 templates/lxc-oci.in | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/templates/lxc-oci.in b/templates/lxc-oci.in
index b26f16088..13decc740 100755
--- a/templates/lxc-oci.in
+++ b/templates/lxc-oci.in
@@ -54,17 +54,13 @@ in_userns() {
     echo yes
 }
 
-# get entrypoint from oci image.  Use sh if unspecified
-# TODO - we can get other things like resource limits here
-getep() {
+getconfigpath() {
 	basedir="$1"
 	q="$2"
 
-
 	digest=`cat "${basedir}/index.json" | jq --arg q "$q" '.manifests[] | if .annotations."org.opencontainers.image.ref.name" == $q then .digest else null end' | sed -e 's/"//g'`
 	if [ -z "${digest}" ]; then
 		echo "$q not found in index.json" >&2
-		echo "/bin/sh"
 		return
 	fi
 
@@ -73,13 +69,25 @@ getep() {
 	cdigest=`cat "${basedir}/blobs/sha256/${d}" | jq '.config.digest' | sed -e 's/"//g'`
 	if [ -z "${cdigest}" ]; then
 		echo "container config not found" >&2
-		echo "/bin/sh"
 		return
 	fi
 
 	d2=${cdigest:7}
-	ep=`cat "${basedir}/blobs/sha256/${d2}" | jq -c '.config.Entrypoint' | sed -e 's/^\[//; s/\]$//; s/","/" "/'`
-	cmd=`cat "${basedir}/blobs/sha256/${d2}" | jq -c '.config.Cmd' | sed -e 's/^\[//; s/\]$//; s/","/" "/'`
+	echo "${basedir}/blobs/sha256/${d2}"
+	return
+}
+
+# get entrypoint from oci image.  Use sh if unspecified
+getep() {
+	if [ "$#" -eq 0 ]; then
+		echo "/bin/sh"
+		return
+	fi
+
+	configpath="$1"
+
+	ep=`cat "${configpath}" | jq -c '.config.Entrypoint' | sed -e 's/^\[//; s/\]$//; s/","/" "/'`
+	cmd=`cat "${configpath}" | jq -c '.config.Cmd' | sed -e 's/^\[//; s/\]$//; s/","/" "/'`
 	if [ "${ep}" = "null" ]; then
 		ep="${cmd}"
 		if [ "${ep}" = "null" ]; then
@@ -197,10 +205,11 @@ fi
 umoci unpack ${umoci_args[@]} --image "${DOWNLOAD_TEMP}:latest" "${LXC_ROOTFS}.tmp"
 rmdir "${LXC_ROOTFS}"
 mv "${LXC_ROOTFS}.tmp/rootfs" "${LXC_ROOTFS}"
-entrypoint=$(getep ${DOWNLOAD_TEMP} latest)
 rm -rf "${LXC_ROOTFS}.tmp"
 
+OCI_CONF_FILE=$(getconfigpath ${DOWNLOAD_TEMP} latest)
 LXC_CONF_FILE="${LXC_PATH}/config"
+entrypoint=$(getep ${OCI_CONF_FILE})
 echo "lxc.execute.cmd = '${entrypoint}'" >> "${LXC_CONF_FILE}"
 echo "lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed" >> "${LXC_CONF_FILE}"
 

From 996202e74ad7e421d7e16b9fb7ba2083c139a69b Mon Sep 17 00:00:00 2001
From: Felix Abecassis <fabecassis at nvidia.com>
Date: Tue, 21 Nov 2017 13:49:36 -0800
Subject: [PATCH 5/7] lxc-oci: import the environment variables

Signed-off-by: Felix Abecassis <fabecassis at nvidia.com>
---
 templates/lxc-oci.in | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/templates/lxc-oci.in b/templates/lxc-oci.in
index 13decc740..c06c62a67 100755
--- a/templates/lxc-oci.in
+++ b/templates/lxc-oci.in
@@ -105,6 +105,21 @@ getep() {
 	return
 }
 
+# get environment from oci image.
+getenv() {
+	if [ "$#" -eq 0 ]; then
+		return
+	fi
+
+	configpath="$1"
+
+	cat "${configpath}" > /tmp/config
+	env=`cat "${configpath}" | jq -c '.config.Env[]'`
+
+	echo "${env}"
+	return
+}
+
 usage() {
     cat <<EOF
 LXC container template for OCI images
@@ -213,6 +228,11 @@ entrypoint=$(getep ${OCI_CONF_FILE})
 echo "lxc.execute.cmd = '${entrypoint}'" >> "${LXC_CONF_FILE}"
 echo "lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed" >> "${LXC_CONF_FILE}"
 
+environment=$(getenv ${OCI_CONF_FILE})
+while read -r line; do
+    echo "lxc.environment = ${line}" >> "${LXC_CONF_FILE}"
+done <<< "${environment}"
+
 echo "lxc.uts.name = ${LXC_NAME}" >> "${LXC_CONF_FILE}"
 # set the hostname
 cat <<EOF > ${LXC_ROOTFS}/etc/hostname

From d7c685c6bee37da85069367db358c511276f6e5d Mon Sep 17 00:00:00 2001
From: Felix Abecassis <fabecassis at nvidia.com>
Date: Tue, 21 Nov 2017 13:49:40 -0800
Subject: [PATCH 6/7] lxc-oci: import common.conf and userns.conf

Signed-off-by: Felix Abecassis <fabecassis at nvidia.com>
---
 templates/lxc-oci.in | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/templates/lxc-oci.in b/templates/lxc-oci.in
index c06c62a67..1818567c4 100755
--- a/templates/lxc-oci.in
+++ b/templates/lxc-oci.in
@@ -34,6 +34,8 @@ for bin in skopeo umoci jq; do
     fi
 done
 
+LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
+
 # Some useful functions
 cleanup() {
     if [ -d "$DOWNLOAD_TEMP" ]; then
@@ -233,6 +235,14 @@ while read -r line; do
     echo "lxc.environment = ${line}" >> "${LXC_CONF_FILE}"
 done <<< "${environment}"
 
+if [ -e "${LXC_TEMPLATE_CONFIG}/common.conf" ]; then
+    echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/common.conf" >> "${LXC_CONF_FILE}"
+fi
+
+if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ] && [ -e "${LXC_TEMPLATE_CONFIG}/userns.conf" ]; then
+    echo "lxc.include = ${LXC_TEMPLATE_CONFIG}/userns.conf" >> "${LXC_CONF_FILE}"
+fi
+
 echo "lxc.uts.name = ${LXC_NAME}" >> "${LXC_CONF_FILE}"
 # set the hostname
 cat <<EOF > ${LXC_ROOTFS}/etc/hostname

From 797f99c6c9f524fb06d3e752aad7c5f4ec112377 Mon Sep 17 00:00:00 2001
From: Felix Abecassis <fabecassis at nvidia.com>
Date: Tue, 21 Nov 2017 13:49:46 -0800
Subject: [PATCH 7/7] lxc-oci: add support for registry authentication

Signed-off-by: Felix Abecassis <fabecassis at nvidia.com>
---
 templates/lxc-oci.in | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/templates/lxc-oci.in b/templates/lxc-oci.in
index 1818567c4..f98c38bcd 100755
--- a/templates/lxc-oci.in
+++ b/templates/lxc-oci.in
@@ -132,6 +132,10 @@ Special arguments:
 Required arguments:
 [ -u | --url <url> ]: The OCI image URL
 
+Optional arguments:
+[ --username <username> ]: The username for the registry
+[ --password <password> ]: The password for the registry
+
 LXC internal arguments (do not pass manually!):
 [ --name <name> ]: The container name
 [ --path <path> ]: The path to the container
@@ -143,8 +147,8 @@ EOF
     return 0
 }
 
-options=$(getopt -o u:h -l help,url:,name:,path:,\
-rootfs:,mapped-uid:,mapped-gid: -- "$@")
+options=$(getopt -o u:h -l help,url:,username:,password:,\
+name:,path:,rootfs:,mapped-uid:,mapped-gid: -- "$@")
 
 if [ $? -ne 0 ]; then
     usage
@@ -153,6 +157,9 @@ fi
 eval set -- "$options"
 
 OCI_URL=""
+OCI_USERNAME=
+OCI_PASSWORD=
+
 LXC_MAPPED_GID=
 LXC_MAPPED_UID=
 LXC_NAME=
@@ -163,6 +170,8 @@ while :; do
     case "$1" in
         -h|--help)          usage && exit 1;;
         -u|--url)           OCI_URL=$2; shift 2;;
+        --username)         OCI_USERNAME=$2; shift 2;;
+        --password)         OCI_PASSWORD=$2; shift 2;;
         --name)             LXC_NAME=$2; shift 2;;
         --path)             LXC_PATH=$2; shift 2;;
         --rootfs)           LXC_ROOTFS=$2; shift 2;;
@@ -183,6 +192,11 @@ if [ -z "$OCI_URL" ]; then
     exit 1
 fi
 
+if [ -n "$OCI_PASSWORD" ] && [ -z "$OCI_USERNAME" ]; then
+    echo "ERROR: password given but no username specified"
+    exit 1
+fi
+
 USERNS=$(in_userns)
 
 if [ "$USERNS" != "no" ]; then
@@ -210,7 +224,15 @@ else
 fi
 
 # Download the image - TODO - cache
-skopeo copy "${OCI_URL}" "oci:${DOWNLOAD_TEMP}:latest"
+skopeo_args=("")
+if [ -n "$OCI_USERNAME" ]; then
+    CREDENTIALS="${OCI_USERNAME}"
+    if [ -n "$OCI_PASSWORD" ]; then
+        CREDENTIALS="${CREDENTIALS}:${OCI_PASSWORD}"
+    fi
+    skopeo_args+=(--src-creds "${CREDENTIALS}")
+fi
+skopeo copy ${skopeo_args[@]} "${OCI_URL}" "oci:${DOWNLOAD_TEMP}:latest"
 
 # Unpack the rootfs
 echo "Unpacking the rootfs"

More information about the lxc-devel mailing list