Diffstat (limited to 'community')
-rw-r--r--community/lxcfs/APKBUILD68
-rw-r--r--community/lxcfs/README.alpine31
-rw-r--r--community/lxcfs/chownmap46
-rw-r--r--community/lxcfs/lxcfs-subdir.patch19
-rw-r--r--community/lxcfs/lxcfs.confd4
-rw-r--r--community/lxcfs/lxcfs.initd144
6 files changed, 312 insertions, 0 deletions
diff --git a/community/lxcfs/APKBUILD b/community/lxcfs/APKBUILD
new file mode 100644
index 0000000000..5e1a2c5c30
--- /dev/null
+++ b/community/lxcfs/APKBUILD
@@ -0,0 +1,68 @@
+# Contributor: Carlo Landmeter <clandmeter@gmail.com>
+# Maintainer: Stuart Cardall <developer@it-offshore.co.uk>
+pkgname=lxcfs
+pkgver=2.0.3
+pkgrel=2
+pkgdesc="FUSE filesystem for LXC"
+url="https://linuxcontainers.org/lxcfs"
+arch="all"
+license="Apache 2.0"
+depends="cgmanager shadow"
+makedepends="fuse-dev linux-pam-dev linux-headers help2man"
+subpackages="$pkgname-pam $pkgname-doc"
+source="https://linuxcontainers.org/downloads/lxcfs/lxcfs-$pkgver.tar.gz
+ lxcfs.confd
+ lxcfs.initd
+ chownmap
+ README.alpine
+ lxcfs-subdir.patch
+ "
+builddir="$srcdir/lxcfs-$pkgver"
+
+build() {
+ cd "$builddir"
+ ./configure --prefix=/usr \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --mandir=/usr/share/man \
+ --infodir=/usr/share/info || return 1
+ make || return 1
+}
+
+package() {
+ cd "$builddir"
+ make DESTDIR="$pkgdir" install || return 1
+ install -m755 -D "$srcdir"/$pkgname.initd \
+ "$pkgdir"/etc/init.d/$pkgname || return 1
+ install -m644 -D "$srcdir"/$pkgname.confd \
+ "$pkgdir"/etc/conf.d/$pkgname || return 1
+ install -m700 -D "$srcdir"/chownmap \
+ "$pkgdir"/etc/lxc/chownmap || return 1
+ install -m644 -D "$srcdir"/README.alpine \
+ "$pkgdir"/usr/share/doc/lxcfs/README.alpine || return 1
+}
+
+pam() {
+ pkgdesc="$pkgdesc (pam plugin)"
+ mkdir -p "$subpkgdir"/lib
+ mv "$pkgdir"/lib/security "$subpkgdir"/lib/ || return 1
+}
+
+md5sums="8d79c575d0dc5d127776370eceb0f58b lxcfs-2.0.3.tar.gz
+6d7943272d6b71ab7b93e93c55e42ee9 lxcfs.confd
+2c4a59861c846dd9ddef0cab6664eed8 lxcfs.initd
+e1d7c118ae134fcdd171f8aac146f9a0 chownmap
+722e7a773283170910f5c9b40fb83610 README.alpine
+14531d992c3c3e731ee596ff86e91829 lxcfs-subdir.patch"
+sha256sums="dd94e19bff202cb9fe2aa7d244b2cccf53cf5d7f6dd76c815e1161e3ba4ce0df lxcfs-2.0.3.tar.gz
+d8915d4635b675897895c379c892250f6c2bb55515a3b59cad09b92c35264359 lxcfs.confd
+30e9005010508eaa382fbb44f784d26a641bf7c12e94d9ba2603ab3ad782e86b lxcfs.initd
+2e6b84d98fc3cd03fa3f384876191dba05e6d781629a748add75ab380d921823 chownmap
+a458f5561d8f1404ac7547bd73f7bf7d56898322d04268f31a7ee3ffdd5e36aa README.alpine
+ef3d2848e534b3db9267efbb5bc515e0ecd6a768cdf8de928bccac21c26add9e lxcfs-subdir.patch"
+sha512sums="1bca2dc88a4551c90e9760ad8d3c7548126d7803040ddab3ac24fda2d602ec0d34ebf78bbd2b4cd5941edba3ccfe135e86d257f0dc2b89617c7ca876b3dda4bb lxcfs-2.0.3.tar.gz
+71df316b1aaf1a0fadc230473a66c0be4d201d706481f1042c353b79fc629e9e681ec4fe0dfb113370e00d3f40175b0d7759fdcdcce57cf1d2db585068aa6e8d lxcfs.confd
+e08ee2e33cc8d82dbfbdc86b7aa87ef6b0033473951e9759bd8fd2b12b1d7beda1c7cb7befb7ce4fd1d7aea274778313957350af617d56b8702dbfcdc59b49b4 lxcfs.initd
+5d18df216a004d5039d86634e62dc078f134991696da9c6f1c292f0f8aa3de1f202aa531000c9f75e2bc5d5121f856660e4f1d71c8e92a0e87517a23836a743d chownmap
+16c65a10b2b95a85ea21d2cb44a45c9c7faf1e22c8c438c7325be96025588834a528544598a91facc13fa93cc46f6c4534fa2ca6bb58b152a26f1ced94b18f16 README.alpine
+f7589ef65b3e01de0bb9e55c8ae06ae8124196b29b444006f3beaba308a8bebccad38e11c9c74f705dcad826aa6de0a10830053e0b025c640b7337804c48c056 lxcfs-subdir.patch"
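Review bot: `lxcfs-subdir.patch` is listed in `source=` but the APKBUILD defines no `prepare()`, so whether it is applied depends on this abuild version applying `*.patch` sources by default; if it does not, the `/usr/lib/lxcfs` and `/lib/security` paths the patch sets are never used and the `pam()` move of `"$pkgdir"/lib/security` fails. If that is the case an explicit `prepare() { cd "$builddir"; patch -p1 -i "$srcdir"/lxcfs-subdir.patch || return 1; }` (or `default_prepare`) makes the intent visible either way. The `-m700` on `/etc/lxc/chownmap` is fine for a root-only helper, but a short comment saying it is only ever invoked by the init script would save the next maintainer guessing why an executable lives under /etc.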
diff --git a/community/lxcfs/README.alpine b/community/lxcfs/README.alpine
new file mode 100644
index 0000000000..a358bab6e4
--- /dev/null
+++ b/community/lxcfs/README.alpine
@@ -0,0 +1,31 @@
+Alpine Linux unprivileged LXC containers
+========================================
+
+At the moment unprivileged containers are only working with linux-vanilla.
+
+They may work with grsecurity in the future with the following disabled:
+
+ echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
+ echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_pivot
+ echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
+
+see also: https://en.wikibooks.org/wiki/Grsecurity/Runtime_Configuration
+-------------------------------------------------------------------------------
+
+Instructions:
+-------------
+
+(a) add the name(s) of the containers to run unprivileged to /etc/conf.d/lxcfs
+(b) rc-service lxcfs setup => converts privileged => unprivileged containers
+ => creates /etc/subuid & /etc/subgid
+(c) rc-service lxcfs start
+(d) rc-update add lxcfs
+(e) rc-service lxcfs info => print & add config file settings to the containers
+
+-------------------------------------------------------------------------------
+
+Start the container & verify processes are running unprivileged:
+
+ps aux | grep 100000
+
+
diff --git a/community/lxcfs/chownmap b/community/lxcfs/chownmap
new file mode 100644
index 0000000000..07e5aea20b
--- /dev/null
+++ b/community/lxcfs/chownmap
@@ -0,0 +1,46 @@
+#!/bin/sh
+# author: Mirek Kratochvil
+# https://github.com/exaexa/chownmap
+
+help_exit () {
+ echo "usage: $0 <from> <to> <length> [ files ] ..."
+ exit $1
+}
+
+FROM="$1"
+[ -n "$FROM" ] || help_exit 0
+[ "$FROM" -ge 0 ] || help_exit 1
+
+TO="$2"
+[ -n "$TO" ] || help_exit 0
+[ "$TO" -ge 0 ] || help_exit 1
+
+LEN="$3"
+[ -n "$LEN" ] || help_exit 0
+[ "$LEN" -gt 0 ] || help_exit 1
+
+[ -n "$4" ] || help_exit 0
+
+shift 3
+
+LAST=$(( FROM + LEN ))
+CHANGE=$(( TO - FROM ))
+CHOWN_EXTRA_OPTS=${CHOWN_EXTRA_OPTS:-}
+
+do_dir () {
+ find "$1" |while read fn ; do
+ stat "$fn" -c"%u %g" | {
+ read uid gid
+ chuid=$uid
+ chgid=$gid
+ [[ $chuid -ge $FROM && $chuid -lt $LAST ]] && chuid=$(( chuid + CHANGE ))
+ [[ $chgid -ge $FROM && $chgid -lt $LAST ]] && chgid=$(( chgid + CHANGE ))
+ [[ $uid -ne $chuid || $gid -ne $chgid ]] && chown $CHOWN_EXTRA_OPTS -h $chuid:$chgid "$fn"
+ }
+ done
+}
+
+while [ -n "$1" ] ; do
+ do_dir "$1"
+ shift
+done
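Review bot: `find "$1" | while read fn` in do_dir splits its input on newlines and interprets backslashes, so a filename inside the container rootfs that contains a newline is read as two separate paths and the following `stat`/`chown` can be applied to a path outside the tree that the init script hands to this helper as root; use NUL delimiting instead, `find "$1" -print0 | while IFS= read -r -d '' fn ; do` and `read -r uid gid`. Note that `read -d ''` is a bash/busybox-ash feature rather than POSIX, which matches the rest of the script: the `[[ … ]]` tests inside the loop are not valid under the `#!/bin/sh` shebang and only work where /bin/sh is an ash built with bash compatibility, so either the shebang should name that shell or the tests be written as `[ "$chuid" -ge "$FROM" ] && [ "$chuid" -lt "$LAST" ]`. Also `stat "$fn" -c"%u %g"` puts the option after the operand, which GNU stat accepts but other implementations may not; `stat -c '%u %g' "$fn"` is the portable order.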
diff --git a/community/lxcfs/lxcfs-subdir.patch b/community/lxcfs/lxcfs-subdir.patch
new file mode 100644
index 0000000000..de53ac0f52
--- /dev/null
+++ b/community/lxcfs/lxcfs-subdir.patch
@@ -0,0 +1,19 @@
+--- lxcfs-2.0.3/Makefile.in
++++ lxcfs-2.0.3/Makefile.in.new
+@@ -409,14 +409,14 @@
+ includedir = @includedir@
+ infodir = @infodir@
+ install_sh = @install_sh@
+-libdir = @libdir@
++libdir = /usr/lib/lxcfs
+ libexecdir = @libexecdir@
+ localedir = @localedir@
+ localstatedir = @localstatedir@
+ mandir = @mandir@
+ mkdir_p = @mkdir_p@
+ oldincludedir = @oldincludedir@
+-pamdir = @pamdir@
++pamdir = /lib/security
+ pdfdir = @pdfdir@
+ prefix = @prefix@
+ program_transform_name = @program_transform_name@
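Review bot: the patch replaces the `@libdir@` and `@pamdir@` substitutions in the generated Makefile.in with fixed paths, which will need re-basing on every upstream release and silently stops applying if the surrounding lines move. `libdir` is a standard configure variable and could be passed from the APKBUILD as `--libdir=/usr/lib/lxcfs`; whether the same holds for `pamdir` depends on the upstream configure script, which the page does not show, but a `--with-pamdir`-style option or a `make pamdir=/lib/security` override is worth checking before keeping a patch for it.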
diff --git a/community/lxcfs/lxcfs.confd b/community/lxcfs/lxcfs.confd
new file mode 100644
index 0000000000..f718d936b7
--- /dev/null
+++ b/community/lxcfs/lxcfs.confd
@@ -0,0 +1,4 @@
+# container names to run unprivileged
+# can also be set to "all"
+UNPRIV=""
+
diff --git a/community/lxcfs/lxcfs.initd b/community/lxcfs/lxcfs.initd
new file mode 100644
index 0000000000..058a157859
--- /dev/null
+++ b/community/lxcfs/lxcfs.initd
@@ -0,0 +1,144 @@
+#!/sbin/openrc-run
+# Init script for lxcfs
+# Copyright (C) 2016 Stuart Cardall
+# Licensed under the terms of the GPL2
+
+DAEMON=/usr/bin/lxcfs
+PIDFILE=/run/lxcfs.pid
+VARDIR=/var/lib/lxcfs
+RUNDIR=/run/lxcfs
+CHOWNMAP=/etc/lxc/chownmap
+
+description="FUSE filesystem for LXC unprivileged containers"
+description_setup="Setup unprivileged container permissions"
+description_info="Unprivileged container config file settings"
+extra_commands="setup info"
+
+depend() {
+ need cgproxy
+}
+
+start_pre() {
+ local module=
+ checkpath --directory ${VARDIR}
+ for module in fuse autofs4; do
+ if ! $(lsmod | grep -q ^$module); then
+ eerror "Enable module: $module"
+ eerror "modprobe $module"
+ eerror "echo $module >> /etc/modules"
+ eend 1
+ fi
+ done
+}
+
+find_perms() {
+ local file= path= tmp=
+
+ for file in subuid subgid; do
+ path=/etc/$file
+ if [ -f $path ]; then
+ tmp=$(root_id $path 2)
+ if [ -n "$tmp" ]; then
+ tmp=$(echo $tmp | tr -cd '[:digit:]')
+ PERMS="$PERMS $tmp"
+ else
+ create_id $file
+ fi
+ else
+ create_id $file
+ fi
+ done
+ PERMS=$(echo $PERMS | sed 's| |:|')
+}
+
+create_id() {
+ einfo "Creating $1 for root: /etc/$1"
+ touch /etc/$1
+ usermod --add-${1}s 100000-165536 root
+ PERMS="$PERMS 100000"
+}
+
+root_id() {
+ grep ^root $1 | cut -d':' -f $2
+}
+
+find_lxc_path() {
+ local lxc_path=
+ lxc_path=$(grep ^lxc.lxcpath /etc/lxc/lxc.conf 2>/dev/null)
+ lxc_path=${lxc_path#*=}
+ lxc_path=${lxc_path:-/var/lib/lxc}
+ echo $lxc_path
+}
+
+dir_perms() {
+ local subgid=$(root_id /etc/subgid 2)
+ # set permissions to allow unprivileged services to run
+ einfo "Setting Mode 755 & root:root => $1/rootfs"
+ chmod 755 $1/rootfs
+ chown root:root $1/rootfs
+ einfo "Setting Mode 750 & root:$subgid => $1"
+ chmod 750 $1
+ chown root:$subgid $1
+}
+
+info() {
+ cat > /tmp/lxc.fs <<EOF
+### unprivileged container config #############################
+lxc.include = /usr/share/lxc/config/common.conf.d/00-lxcfs.conf
+lxc.id_map = u 0 100000 65536
+lxc.id_map = g 0 100000 65536
+###############################################################
+EOF
+cat /tmp/lxc.fs
+}
+
+setup() {
+ # only needs to be run once on a container
+ # set unprivileged containers in conf.d
+ local ctr= subuid= range= path= ctr_list=
+ find_perms
+
+ subuid=$(root_id /etc/subuid 2)
+ range=$(root_id /etc/subuid 3)
+ path=$(find_lxc_path)
+
+ if [ "${UNPRIV}" = "all" ]; then
+ ctr_list="$(lxc-ls)"
+ else
+ ctr_list=${UNPRIV}
+ fi
+
+ for ctr in $ctr_list; do
+ einfo "Mapping user permissions in container: $ctr"
+ ${CHOWNMAP} 0 $subuid $range $path/$ctr/rootfs
+ dir_perms "$path/$ctr"
+ done
+}
+
+start() {
+ ebegin "Starting lxcfs"
+ find_perms
+
+ start-stop-daemon --start \
+ --pidfile ${PIDFILE} \
+ --exec ${DAEMON} \
+ --background \
+ --make-pidfile \
+ -- \
+ -f -o allow_other ${VARDIR}
+
+ # sometimes reboots are too fast
+ until [ -d ${RUNDIR} ]; do
+ usleep 50000
+ done
+
+ chown -R ${PERMS} ${RUNDIR}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping lxcfs"
+ start-stop-daemon --stop --exec ${DAEMON} --pidfile ${PIDFILE} --signal KILL
+ umount ${VARDIR}
+ eend $?
+}
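Review bot: info() writes the heredoc to the fixed path `/tmp/lxc.fs` while running as root, a predictable name in a world-writable directory, and the temporary file is not needed because the text is only printed back: replace `cat > /tmp/lxc.fs <<EOF` with `cat <<EOF` and drop the trailing `cat /tmp/lxc.fs`. In create_id, `usermod --add-${1}s 100000-165536 root` registers 65537 ids (the range is inclusive) while info() advertises `lxc.id_map = u 0 100000 65536`; the end should be 165535 so the two agree. In start(), `until [ -d ${RUNDIR} ]` never terminates if lxcfs fails to start, and `eend $?` reports the status of the preceding `chown`, not of start-stop-daemon — bound the wait (a retry counter with an `eend 1` on timeout) and capture the daemon's status explicitly. In start_pre, `if ! $(lsmod | grep -q ^$module)` works only because an empty command substitution carries grep's exit status; write `if ! lsmod | grep -q "^$module"` and follow `eend 1` with `return 1`, otherwise a missing module is reported but does not block the start.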