logo

scripts

A bunch of scripts, some to be moved to their own repository git clone https://anongit.hacktivis.me/git/scripts.git/

lxc-abyss (8916B)

    

  1. #!/bin/sh
  2. # vim: set ts=4:
  4. # Exit on error and treat unset variables as an error.
  5. set -eu
  7. #
  8. # LXC template for Abyss Linux, based on Alpine one
  9. #
  11. # Note: Do not replace tabs with spaces, it would break heredocs!
  13. # Authors:
  14. # Jakub Jirutka <jakub@jirutka.cz>
  15. # Haelwenn (lanodan) Monnier <contact+abyss@hacktivis.me>
  17. # This library is free software; you can redistribute it and/or
  18. # modify it under the terms of the GNU Lesser General Public
  19. # License as published by the Free Software Foundation; either
  20. # version 2.1 of the License, or (at your option) any later version.
  21. #
  22. # This library is distributed in the hope that it will be useful,
  23. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  24. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  25. # Lesser General Public License for more details.
  26. #
  27. # You should have received a copy of the GNU Lesser General Public
  28. # License along with this library; if not, write to the Free Software
  29. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  32. #===========================  Constants  ============================#
  34. # Make sure the usual locations are in PATH
  35. export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
  37. readonly LOCAL_STATE_DIR='/var/lib'
  38. readonly LXC_TEMPLATE_CONFIG='/usr/share/lxc/config'
  39. #readonly LXC_CACHE_DIR="${LXC_CACHE_PATH:-"$LOCAL_STATE_DIR/cache/lxc"}/abyss"
  40. readonly LXC_CACHE_DIR="/var/cache/apk"
  42. readonly DEFAULT_MIRROR_URL='https://mirror.getabyss.com/abyss'
  44. : ${APK:=$(command -v apk || true)}
  45. if [ ! -x "$APK" ]; then
  46. 	APK="$LXC_CACHE_DIR/bootstrap/usr/bin/apk"
  47. fi
  48. readonly APK
  51. #========================  Helper Functions  ========================#
  53. usage() {
  54. 	cat <<-EOF
  55. 		Template specific options can be passed to lxc-create after a '--' like this:
  57. 		   lxc-create --name=NAME [lxc-create-options] -- [template-options] [PKG...]
  59. 		PKG  Additional APK package(s) to install into the container.
  61. 		Template options:
  62. 		   -a ARCH, --arch=ARCH   The container architecture (e.g. x86, x86_64); defaults
  63. 		                          to the host arch.
  64. 		   -d, --debug            Run this script in a debug mode (set -x and wget w/o -q).
  65. 		   -m URL --mirror=URL    The Abyss mirror to use; defaults to $DEFAULT_MIRROR_URL.
  67. 		Environment variables:
  68. 		   APK             The apk-tools binary to use when building rootfs. If not set
  69. 		                   or not executable and apk is not on PATH, then the script
  70. 		                   will download the latest apk-tools.
  71. 		   LXC_CACHE_PATH  Path to the cache directory where to store bootstrap files
  72. 		                   and APK packages.
  73. 	EOF
  74. }
  76. die() {
  77. 	local retval=$1; shift
  79. 	printf 'ERROR: %s\n' "$@" 1>&2
  80. 	exit $retval
  81. }
  83. einfo() {
  84. 	printf "\n==> $1\n"
  85. }
  87. fetch() {
  88. 	if [ "$DEBUG" = 'yes' ]; then
  89. 		wget -T 10 -O - $@
  90. 	else
  91. 		wget -T 10 -O - -q $@
  92. 	fi
  93. }
  95. parse_arch() {
  96. 	case "$1" in
  97. 		x86 | i[3-6]86) echo 'x86';;
  98. 		x86_64 | amd64) echo 'x86_64';;
  99. 		aarch64 | arm64) echo 'aarch64';;
  100. 		armv7) echo 'armv7';;
  101. 		arm*) echo 'armhf';;
  102. 		ppc64le) echo 'ppc64le';;
  103. 		*) return 1;;
  104. 	esac
  105. }
  107. run_exclusively() {
  108. 	local lock_name="$1"
  109. 	local timeout=$2
  110. 	shift 2
  112. 	mkdir -p "$LOCAL_STATE_DIR/lock/subsys"
  114. 	local retval
  115. 	{
  116. 		echo -n "Obtaining an exclusive lock..."
  117. 		if ! flock -x 9; then
  118. 			echo ' failed.'
  119. 			return 1
  120. 		fi
  121. 		echo ' done'
  123. 		"$@"; retval=$?
  124. 	} 9> "$LOCAL_STATE_DIR/lock/subsys/lxc-alpine-$lock_name"
  126. 	return $retval
  127. }
  130. #============================  Bootstrap  ===========================#
  132. bootstrap() {
  133. 	if [ ! -x "$APK" ]; then
  134. 		einfo 'Fetching apk-tools static binary'
  136. 		local host_arch=$(parse_arch $(uname -m))
  137. 		fetch_apk_static "$LXC_CACHE_DIR/bootstrap" "$host_arch"
  138. 	fi
  139. }
  141. fetch_apk_static() {
  142. 	local dest="$1"
  143. 	local arch="$2"
  144. 	local pkg_name='apk-tools'
  146. 	mkdir -p "$dest"
  148. 	local pkg_ver=$(fetch "$MIRROR_URL/core/$arch/APKINDEX.tar.gz" \
  149. 		| tar -xzO APKINDEX \
  150. 		| sed -n "/P:${pkg_name}/,/^$/ s/V:\(.*\)$/\1/p")
  152. 	[ -n "$pkg_ver" ] || die 2 "Cannot find a version of $pkg_name in APKINDEX"
  154. 	fetch "$MIRROR_URL/core/$arch/${pkg_name}-${pkg_ver}.apk" \
  155. 		| tar -xz -C "$dest" usr/bin/  # --extract --gzip --directory
  157. 	[ -s "$dest/usr/bin/apk" ] || die 2 'apk not found'
  159. 	# Note: apk doesn't return 0 for --version
  160. 	local out="$("$dest"/usr/bin/apk --version)"
  161. 	echo "$out"
  163. 	[ "${out%% *}" = 'apk-tools' ] || die 3 'apk --version failed'
  164. }
  167. #============================  Install  ============================#
  169. install() {
  170. 	local dest="$1"
  171. 	local arch="$2"
  172. 	local extra_packages="$3"
  174. 	einfo "Installing Abyss Linux in $dest"
  175. 	cd "$dest"
  177. 	mkdir -p usr/bin usr/lib
  178. 	ln -s bin usr/sbin
  179. 	ln -s usr/bin bin
  180. 	ln -s usr/bin sbin
  181. 	ln -s usr/lib lib
  183. 	mkdir -p etc/apk
  184. 	ln -s /var/cache/apk etc/apk/cache
  186. 	install_packages "$arch" "$dest" "filesystem"
  187. 	install_packages "$arch" "$dest" "abyss-keyring ca-certificates apk-tools busybox openrc"
  188. 	install_packages "$arch" "$dest" "$extra_packages"
  189. 	busybox --install -s ./usr/bin
  191. 	$APK -X "$MIRROR_URL/core" --update-cache --allow-untrusted --arch="$arch" --root="$dest" fix || true
  193. 	echo "$MIRROR_URL/core" >> etc/apk/repositories
  195. 	# Busybox has getty but /etc/init.d/agetty is configured for agetty
  196. 	# which is provided by util-linux
  197. 	install_packages "$arch" "$dest" "util-linux"
  198. 	ln -sf openrc-init ./usr/bin/init
  199. 	for i in 1 2 3 4 5 6
  200. 	do
  201. 		ln -s agetty ./etc/init.d/agetty.tty"$i"
  202. 		ln -s /etc/init.d/agetty.tty"$i" ./etc/runlevels/boot/
  203. 	done
  205. 	chroot . /bin/true \
  206. 		|| die 3 'Failed to execute /bin/true in chroot, the builded rootfs is broken!'
  208. 	rm etc/apk/cache
  210. 	cd - >/dev/null
  211. }
  213. install_packages() {
  214. 	local arch="$1"
  215. 	local dest="$2"
  216. 	local packages="$3"
  218. 	$APK -v -X "$MIRROR_URL/core" --update-cache --allow-untrusted --arch="$arch" --root="$dest" \
  219. 		--initdb add $packages || true
  220. }
  222. #===========================  Configure  ===========================#
  224. configure_container() {
  225. 	local config="$1"
  226. 	local hostname="$2"
  227. 	local arch="$3"
  229. 	cat <<-EOF >> "$config"
  231. 		# Specify container architecture.
  232. 		lxc.arch = $arch
  234. 		# Set hostname.
  235. 		lxc.uts.name = $hostname
  237. 		# If something doesn't work, try to comment this out.
  238. 		# Dropping sys_admin disables container root from doing a lot of things
  239. 		# that could be bad like re-mounting lxc fstab entries rw for example,
  240. 		# but also disables some useful things like being able to nfs mount, and
  241. 		# things that are already namespaced with ns_capable() kernel checks, like
  242. 		# hostname(1).
  243. 		lxc.cap.drop = sys_admin
  245. 		# Comment this out if you have to debug processes by tracing.
  246. 		lxc.cap.drop = sys_ptrace
  248. 		# Comment this out if required by your applications.
  249. 		lxc.cap.drop = setpcap
  251. 		# Include common configuration.
  252. 		lxc.include = $LXC_TEMPLATE_CONFIG/alpine.common.conf
  253. 	EOF
  254. }
  257. #=============================  Main  ==============================#
  259. if [ "$(id -u)" != "0" ]; then
  260. 	die 1 "This script must be run as 'root'"
  261. fi
  263. # Parse command options.
  264. options=$(getopt -o a:dFm:n:p:r:h -l arch:,debug,mirror:,name:,\
  265. path:,release:,rootfs:,help,mapped-uid:,mapped-gid: -- "$@")
  266. eval set -- "$options"
  268. # Clean variables and set defaults.
  269. arch="$(uname -m)"
  270. debug='no'
  271. mirror_url=
  272. name=
  273. path=
  274. rootfs=
  276. # Process command options.
  277. while [ $# -gt 0 ]; do
  278. 	case $1 in
  279. 		-a | --arch)
  280. 			arch=$2; shift 2
  281. 		;;
  282. 		-d | --debug)
  283. 			debug='yes'; shift 1
  284. 		;;
  285. 		-m | --mirror)
  286. 			mirror_url=$2; shift 2
  287. 		;;
  288. 		-n | --name)
  289. 			name=$2; shift 2
  290. 		;;
  291. 		-p | --path)
  292. 			path=$2; shift 2
  293. 		;;
  294. 		--rootfs)
  295. 			rootfs=$2; shift 2
  296. 		;;
  297. 		-h | --help)
  298. 			usage; exit 0
  299. 		;;
  300. 		--)
  301. 			shift; break
  302. 		;;
  303. 		--mapped-[ug]id)
  304. 			die 1 "This template can't be used for unprivileged containers." \
  305. 				'You may want to try the "download" template instead.'
  306. 		;;
  307. 		*)
  308. 			echo "Unknown option: $1" 1>&2
  309. 			usage; exit 1
  310. 		;;
  311. 	esac
  312. done
  314. extra_packages="$@"
  316. [ "$debug" = 'yes' ] && set -x
  318. # Set global variables.
  319. readonly DEBUG="$debug"
  320. readonly MIRROR_URL="${mirror_url:-$DEFAULT_MIRROR_URL}"
  322. # Validate options.
  323. [ -n "$name" ] || die 1 'Missing required option --name'
  324. [ -n "$path" ] || die 1 'Missing required option --path'
  326. if [ -z "$rootfs" ] && [ -f "$path/config" ]; then
  327. 	rootfs="$(sed -nE 's/^lxc.rootfs.path\s*=\s*(.*)$/\1/p' "$path/config")"
  328. fi
  329. if [ -z "$rootfs" ]; then
  330. 	rootfs="$path/rootfs"
  331. fi
  333. arch=$(parse_arch "$arch") \
  334. 	|| die 1 "Unsupported architecture: $arch"
  336. # Here we go!
  337. run_exclusively 'bootstrap' 10 bootstrap
  338. run_exclusively "$arch" 30 install "$rootfs" "$arch" "$extra_packages"
  339. configure_container "$path/config" "$name" "$arch"
  341. einfo "Container's rootfs and config have been created"
  342. cat <<-EOF
  343. 	Edit the config file $path/config to check/enable networking setup.
  344. 	The installed system isn't configured for any networking setup, but lxc.network.type="none" (no additionnal network, reuse the host one) works out of the box.
  346. 	To start the container, run "lxc-start -n $name".
  347. 	As root isn't locked with a password, you can already enter via "lxc-console -n $name".
  348. EOF