Diffstat (limited to 'community/lxcfs/lxcfs.initd')
-rw-r--r-- | community/lxcfs/lxcfs.initd | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/community/lxcfs/lxcfs.initd b/community/lxcfs/lxcfs.initd
new file mode 100644
index 0000000000..058a157859
--- /dev/null
+++ b/community/lxcfs/lxcfs.initd
@@ -0,0 +1,144 @@
+#!/sbin/openrc-run
+# Init script for lxcfs
+# Copyright (C) 2016 Stuart Cardall
+# Licensed under the terms of the GPL2
+
+DAEMON=/usr/bin/lxcfs
+PIDFILE=/run/lxcfs.pid
+VARDIR=/var/lib/lxcfs
+RUNDIR=/run/lxcfs
+CHOWNMAP=/etc/lxc/chownmap
+
+description="FUSE filesystem for LXC unprivileged containers"
+description_setup="Setup unprivileged container permissions"
+description_info="Unprivileged container config file settings"
+extra_commands="setup info"
+
+depend() {
+ need cgproxy
+}
+
+start_pre() {
+ local module=
+ checkpath --directory ${VARDIR}
+ for module in fuse autofs4; do
+ if ! $(lsmod | grep -q ^$module); then
+ eerror "Enable module: $module"
+ eerror "modprobe $module"
+ eerror "echo $module >> /etc/modules"
+ eend 1
+ fi
+ done
+}
+
+find_perms() {
+ local file= path= tmp=
+
+ for file in subuid subgid; do
+ path=/etc/$file
+ if [ -f $path ]; then
+ tmp=$(root_id $path 2)
+ if [ -n "$tmp" ]; then
+ tmp=$(echo $tmp | tr -cd '[:digit:]')
+ PERMS="$PERMS $tmp"
+ else
+ create_id $file
+ fi
+ else
+ create_id $file
+ fi
+ done
+ PERMS=$(echo $PERMS | sed 's| |:|')
+}
+
+create_id() {
+ einfo "Creating $1 for root: /etc/$1"
+ touch /etc/$1
+ usermod --add-${1}s 100000-165536 root
+ PERMS="$PERMS 100000"
+}
+
+root_id() {
+ grep ^root $1 | cut -d':' -f $2
+}
+
+find_lxc_path() {
+ local lxc_path=
+ lxc_path=$(grep ^lxc.lxcpath /etc/lxc/lxc.conf 2>/dev/null)
+ lxc_path=${lxc_path#*=}
+ lxc_path=${lxc_path:-/var/lib/lxc}
+ echo $lxc_path
+}
+
+dir_perms() {
+ local subgid=$(root_id /etc/subgid 2)
+ # set permissions to allow unprivileged services to run
+ einfo "Setting Mode 755 & root:root => $1/rootfs"
+ chmod 755 $1/rootfs
+ chown root:root $1/rootfs
+ einfo "Setting Mode 750 & root:$subgid => $1"
+ chmod 750 $1
+ chown root:$subgid $1
+}
+
+info() {
+ cat > /tmp/lxc.fs <<EOF
+### unprivileged container config #############################
+lxc.include = /usr/share/lxc/config/common.conf.d/00-lxcfs.conf
+lxc.id_map = u 0 100000 65536
+lxc.id_map = g 0 100000 65536
+###############################################################
+EOF
+cat /tmp/lxc.fs
+}
+
+setup() {
+ # only needs to be run once on a container
+ # set unprivileged containers in conf.d
+ local ctr= subuid= range= path= ctr_list=
+ find_perms
+
+ subuid=$(root_id /etc/subuid 2)
+ range=$(root_id /etc/subuid 3)
+ path=$(find_lxc_path)
+
+ if [ "${UNPRIV}" = "all" ]; then
+ ctr_list="$(lxc-ls)"
+ else
+ ctr_list=${UNPRIV}
+ fi
+
+ for ctr in $ctr_list; do
+ einfo "Mapping user permissions in container: $ctr"
+ ${CHOWNMAP} 0 $subuid $range $path/$ctr/rootfs
+ dir_perms "$path/$ctr"
+ done
+}
+
+start() {
+ ebegin "Starting lxcfs"
+ find_perms
+
+ start-stop-daemon --start \
+ --pidfile ${PIDFILE} \
+ --exec ${DAEMON} \
+ --background \
+ --make-pidfile \
+ -- \
+ -f -o allow_other ${VARDIR}
+
+ # sometimes reboots are too fast
+ until [ -d ${RUNDIR} ]; do
+ usleep 50000
+ done
+
+ chown -R ${PERMS} ${RUNDIR}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping lxcfs"
+ start-stop-daemon --stop --exec ${DAEMON} --pidfile ${PIDFILE} --signal KILL
+ umount ${VARDIR}
+ eend $?
+} |
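Review bot: `info()` writes its here-doc to the fixed path `/tmp/lxc.fs` as root and then cats it back out; a pre-existing symlink at that name would make the `cat >` redirect follow it and overwrite the target, and the file serves no purpose beyond being printed. Emit it to stdout directly instead — replace `cat > /tmp/lxc.fs <<EOF` with `cat <<EOF` and drop the `cat /tmp/lxc.fs` line. In `start_pre()` the missing-module branch only calls `eend 1`, so the function's exit status depends on whichever module happens to be checked last and OpenRC may go on to start lxcfs without fuse loaded; add `return 1` after `eend 1` so a missing module aborts the start. The `until [ -d ${RUNDIR} ]` loop in `start()` has no upper bound, so if lxcfs exits right after being spawned (for example because fuse is unavailable) `start` spins forever; a counter that gives up after a fixed number of `usleep` iterations and returns non-zero would surface the failure instead.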