This commit addresses an issue in the OCI template where lxc-create
fails if OCI-cache directory for blob caching is not on the same mount
as the destination OCI directory. lxc-create bails when skopeo tries to
create a hard-link across the two and fails.
For example, if /var/lib/lxc is a bind mountpoint of a random directory
and skopeo fails to hard-link across /var/cache/lxc and /var/lib/lxc
This commit introduces a check where if both directories are on not the
same mount points, it disables blob caching in skopeo and continues.
Signed-off-by: Tanmay Naik <tnaik96@gmail.com>
Update tar invocation to preserve all xattrs when unpacking the rootfs,
notably retaining security.capability xattrs (e.g. for ping, newuidmap)
Note: bsdtar already preserves xattrs with -p
Signed-off-by: Jacob McNamee <jacob@jacobmcnamee.com>
This patch fixes unpacking images when the system provided tar is libarchive (bsd-tar). bsd-tar doesn't support 'exclude' flags (--anchored) like gnu-tar does. Instead each exclude path is prepended with ^ to simulate behavior of --anchored when bsd tar is detected.
Signed-off-by: Levent Komurcu <levent.komurcu@nl.bosch.com>
This adds support to the oci template for squashfs images.
It uses 'atomfs' from [1] to accomplish this.
Squashfs images (media type
application/vnd.stacker.image.layer.squashfs+zstd+verity) have several
benefits compared to tar+gz:
* immediately mountable
* read-only filesystem
* verity data present in oci manifest.
I presented this at Fosdem 2023 at [2].
The 'atomfs' program can be replaced by passing '--mount-helper'
argument to the oci template.
mount-helper mount oci:<oci_dir>:<oci_name> <mountpoint>
mount-helper umount <mountpoint>
[1] https://github.com/project-machine/atomfs
[2] https://fosdem.org/2023/schedule/event/container_secure_storage/
Signed-off-by: Scott Moser <smoser@brickies.net>
GPG has been a major source of issues over the years with various
attacks on the key network as well as client side issues making it hard
to retrieve our keys.
Back when we introduced the image server, SSL certificates were still
expensive and annoying to setup, so not something we'd have expected
potential mirrors to setup for us. They were also issued for multiple
years, making a compromise of such a certificate quite problematic.
But things have changed since, we now have completely free, very easily
deployable SSL certificates everywhere with the majority of those being
shortlived and with good reporting of issued certificates.
With that, we can now deprecate the GPG validation, disable the fallback
to non-HTTPS download and rely on our indices being accurate because
they've been downloaded from a server with a valid certificate.
This puts LXC more in line with what LXD has done since the beginning
and should offer a more reliable user experience.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
See https://github.com/koalaman/shellcheck/wiki/SC2006 for details.
Not only uses this the recommended construct, it also makes the code
more uniform as in many other places the $() construct was already used.
Signed-off-by: Diederik de Haas <didi.debian@cknow.org>
The 'which' command is deprecated on Debian Sid as it is not POSIX
compliant and it's behavior is therefor not consistent, so replace it
with 'command -v' which is POSIX compliant.
See https://stackoverflow.com/a/677212 for details.
Also replaced a use of backticks (`) as that is deprecated as well.
See https://github.com/koalaman/shellcheck/wiki/SC2006 for details.
Signed-off-by: Diederik de Haas <didi.debian@cknow.org>
if $PATH already contains a path with a space the append of the
default directories in all template scripts fails with an error
like the following:
/usr/share/lxc/templates/lxc-download: 69: export: (x86)/NVIDIA: bad
variable name
Signed-off-by: Christian Ratzenhofer <christian.ratzenhofer@cdnm.at>
This reverts commit 409040e702.
Testing of both options show identical behavior but receive-keys does
not exist on older releases, so let's revert this.
Closes#3510
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Move the content of rootfs inside OCI package to rootfs instead of
replacing it, as the directory is used as the mountpoint.
Tested with directory and loop backingstore.
Signed-off-by: Toni Ylenius <toni.ylenius@iki.fi>
shm file system was not mounted because of the "/" in :
lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
The udhcpc directory is created with "mkdir -p" at the place dynamically specified by "busybox udhcpc --help".
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
In busybox 1.30, the help of udhcpc for "-s" option changed:
--> busybox v1.27.2: -s,--script PROG Run PROG at DHCP events (default /usr/share/udhcpc/default.script)
--> busybox v1.30.1: -s PROG Run PROG at DHCP events (default /etc/udhcpc/default.script)
So, I changed the command line which extracts the script name to make it work for both versions
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
``/proc`` might be mounted with ``hidepid=2``.
This makes ``/proc/1/…`` appear absent for non-root users.
When using the templates or the nvidia hook as a non-root user
(e.g., when creating unprivileged containers) the error
"/proc/1/uid_map: No such file or directory" is printed.
Since the script works correctly despite the error, this error
message might be confusing for users.
Signed-off-by: Lukas Pirl <git@lukas-pirl.de>
. Add the "--bbpath" option to pass an alternate busybox pathname instead of the one found from ${PATH}.
. Take this opportunity to add some formatting in the usage display
. As a try is done to pick rootfs from the config file and set it to ${path}/rootfs, it is unnecessary to make it mandatory
Signed-off-by: Rachid Koucha <rachid.koucha@gmail.com>
