proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-06-06 18:11:29 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ubuntu-cloud: changes to support unprivileged use

Browse Source 
don't try to lock if using a specified tarball

The lock/subsys/lxc-ubuntu-cloud lock is to protect the tarballs
managed under /var/cache/lxc/cloud-$release.  Don't lock if we've
been handed a tarball.

fake device creation

Unprivileged users can't create devices, so bind mount null, tty, urandom
and console from the host.

Changelog:
	Jul 22: as Stéphane points out, remove a left-over debug line

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
This commit is contained in:
Serge Hallyn 2013-07-15 20:24:14 -05:00
parent 460bcbd85c
commit 1aad9e44d6
1 changed files with 34 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
templates/lxc-ubuntu-cloud.in
View File

@ -25,6 +25,18 @@ if [ -r /etc/default/lxc ]; then
. /etc/default/lxc . /etc/default/lxc
fi fi
am_in_userns() {
[ -e /proc/self/uid_map ] || { echo no; return; }
[ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || { echo yes; return; }
line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map)
[ "$line" = "0 0 4294967295" ] && { echo no; return; }
echo yes
}
in_userns=0
[ $(am_in_userns) = "yes" ] && in_userns=1
echo "am_in_userns returns $(am_in_userns)" >> /tmp/xa
copy_configuration() copy_configuration()
{ {
path=$1 path=$1
@ -101,6 +113,16 @@ sysfs sys sysfs defaults 0 0
/sys/kernel/security sys/kernel/security none bind 0 0 /sys/kernel/security sys/kernel/security none bind 0 0
EOF EOF
# unprivileged user can't mknod these. One day we may allow
# that in the kernel, but not right now. So let's just bind
# mount the files from the host.
if [ $in_userns -eq 1 ]; then
for dev in null tty urandom console; do
touch $rootfs/dev/$dev
echo "/dev/$dev dev/$dev none bind 0 0" >> $path/fstab
done
fi
# rmdir /dev/shm for containers that have /run/shm # rmdir /dev/shm for containers that have /run/shm
# I'm afraid of doing rm -rf $rootfs/dev/shm, in case it did # I'm afraid of doing rm -rf $rootfs/dev/shm, in case it did
# get bind mounted to the host's /run/shm. So try to rmdir # get bind mounted to the host's /run/shm. So try to rmdir
@ -341,9 +363,7 @@ build_root_tgz()
trap SIGTERM trap SIGTERM
} }
mkdir -p @LOCALSTATEDIR@/lock/subsys/ do_extract_rootfs() {
(
flock -x 200
cd $cache cd $cache
if [ $flushcache -eq 1 ]; then if [ $flushcache -eq 1 ]; then
@ -418,7 +438,17 @@ EOF
echo "If you do not have a meta-data service, this container will likely be useless." echo "If you do not have a meta-data service, this container will likely be useless."
fi fi
) 200>@LOCALSTATEDIR@/lock/subsys/lxc-ubuntu-cloud }
if [ -n "$tarball" ]; then
do_extract_rootfs
else
mkdir -p @LOCALSTATEDIR@/lock/subsys/
(
flock -x 200
do_extract_rootfs
) 200>@LOCALSTATEDIR@/lock/subsys/lxc-ubuntu-cloud
fi
copy_configuration $path $rootfs $name $arch $release copy_configuration $path $rootfs $name $arch $release