[995c968] | 1 | #!/bin/bash |
---|
| 2 | |
---|
| 3 | # template script for generating ubuntu container for LXC based on released cloud |
---|
| 4 | # images |
---|
| 5 | # |
---|
| 6 | # Copyright © 2012 Serge Hallyn <serge.hallyn@canonical.com> |
---|
| 7 | # |
---|
| 8 | # This program is free software; you can redistribute it and/or modify |
---|
| 9 | # it under the terms of the GNU General Public License version 2, as |
---|
| 10 | # published by the Free Software Foundation. |
---|
| 11 | |
---|
| 12 | # This program is distributed in the hope that it will be useful, |
---|
| 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 15 | # GNU General Public License for more details. |
---|
| 16 | |
---|
| 17 | # You should have received a copy of the GNU General Public License along |
---|
| 18 | # with this program; if not, write to the Free Software Foundation, Inc., |
---|
| 19 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
---|
| 20 | # |
---|
| 21 | |
---|
| 22 | set -e |
---|
| 23 | |
---|
| 24 | if [ -r /etc/default/lxc ]; then |
---|
| 25 | . /etc/default/lxc |
---|
| 26 | fi |
---|
| 27 | |
---|
| 28 | copy_configuration() |
---|
| 29 | { |
---|
| 30 | path=$1 |
---|
| 31 | rootfs=$2 |
---|
| 32 | name=$3 |
---|
| 33 | arch=$4 |
---|
| 34 | release=$5 |
---|
| 35 | |
---|
| 36 | if [ $arch = "i386" ]; then |
---|
| 37 | arch="i686" |
---|
| 38 | fi |
---|
| 39 | |
---|
| 40 | # if there is exactly one veth network entry, make sure it has an |
---|
| 41 | # associated hwaddr. |
---|
| 42 | nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l` |
---|
| 43 | if [ $nics -eq 1 ]; then |
---|
| 44 | grep -q "^lxc.network.hwaddr" $path/config || cat <<EOF >> $path/config |
---|
| 45 | lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//') |
---|
| 46 | EOF |
---|
| 47 | fi |
---|
| 48 | |
---|
| 49 | cat <<EOF >> $path/config |
---|
| 50 | lxc.utsname = $name |
---|
| 51 | |
---|
| 52 | lxc.tty = 4 |
---|
| 53 | lxc.pts = 1024 |
---|
| 54 | lxc.rootfs = $rootfs |
---|
| 55 | lxc.mount = $path/fstab |
---|
| 56 | lxc.arch = $arch |
---|
| 57 | lxc.cap.drop = sys_module mac_admin |
---|
| 58 | lxc.pivotdir = lxc_putold |
---|
| 59 | |
---|
| 60 | # uncomment the next line to run the container unconfined: |
---|
| 61 | #lxc.aa_profile = unconfined |
---|
| 62 | |
---|
| 63 | lxc.cgroup.devices.deny = a |
---|
| 64 | # Allow any mknod (but not using the node) |
---|
| 65 | lxc.cgroup.devices.allow = c *:* m |
---|
| 66 | lxc.cgroup.devices.allow = b *:* m |
---|
| 67 | # /dev/null and zero |
---|
| 68 | lxc.cgroup.devices.allow = c 1:3 rwm |
---|
| 69 | lxc.cgroup.devices.allow = c 1:5 rwm |
---|
| 70 | # consoles |
---|
| 71 | lxc.cgroup.devices.allow = c 5:1 rwm |
---|
| 72 | lxc.cgroup.devices.allow = c 5:0 rwm |
---|
| 73 | #lxc.cgroup.devices.allow = c 4:0 rwm |
---|
| 74 | #lxc.cgroup.devices.allow = c 4:1 rwm |
---|
| 75 | # /dev/{,u}random |
---|
| 76 | lxc.cgroup.devices.allow = c 1:9 rwm |
---|
| 77 | lxc.cgroup.devices.allow = c 1:8 rwm |
---|
| 78 | lxc.cgroup.devices.allow = c 136:* rwm |
---|
| 79 | lxc.cgroup.devices.allow = c 5:2 rwm |
---|
| 80 | # rtc |
---|
| 81 | lxc.cgroup.devices.allow = c 254:0 rwm |
---|
| 82 | #fuse |
---|
| 83 | lxc.cgroup.devices.allow = c 10:229 rwm |
---|
| 84 | #tun |
---|
| 85 | lxc.cgroup.devices.allow = c 10:200 rwm |
---|
| 86 | #full |
---|
| 87 | lxc.cgroup.devices.allow = c 1:7 rwm |
---|
| 88 | #hpet |
---|
| 89 | lxc.cgroup.devices.allow = c 10:228 rwm |
---|
| 90 | #kvm |
---|
| 91 | lxc.cgroup.devices.allow = c 10:232 rwm |
---|
| 92 | EOF |
---|
| 93 | |
---|
| 94 | cat <<EOF > $path/fstab |
---|
| 95 | proc proc proc nodev,noexec,nosuid 0 0 |
---|
| 96 | sysfs sys sysfs defaults 0 0 |
---|
| 97 | EOF |
---|
| 98 | |
---|
| 99 | # rmdir /dev/shm for containers that have /run/shm |
---|
| 100 | # I'm afraid of doing rm -rf $rootfs/dev/shm, in case it did |
---|
| 101 | # get bind mounted to the host's /run/shm. So try to rmdir |
---|
| 102 | # it, and in case that fails move it out of the way. |
---|
| 103 | if [ ! -L $rootfs/dev/shm ] && [ -d $rootfs/run/shm ] && [ -e $rootfs/dev/shm ]; then |
---|
| 104 | mv $rootfs/dev/shm $rootfs/dev/shm.bak |
---|
| 105 | ln -s /run/shm $rootfs/dev/shm |
---|
| 106 | fi |
---|
| 107 | |
---|
| 108 | return 0 |
---|
| 109 | } |
---|
| 110 | |
---|
| 111 | usage() |
---|
| 112 | { |
---|
| 113 | cat <<EOF |
---|
| 114 | LXC Container configuration for Ubuntu Cloud images. |
---|
| 115 | |
---|
| 116 | Generic Options |
---|
| 117 | [ -r | --release <release> ]: Release name of container, defaults to host |
---|
| 118 | [ -a | --arch ]: Arhcitecture of container, defaults to host arcitecture |
---|
| 119 | [ -C | --cloud ]: Configure container for use with meta-data service, defaults to no |
---|
| 120 | [ -T | --tarball ]: Location of tarball |
---|
| 121 | [ -d | --debug ]: Run with 'set -x' to debug errors |
---|
| 122 | [ -s | --stream]: Use specified stream rather than 'released' |
---|
| 123 | |
---|
| 124 | Options, mutually exclusive of "-C" and "--cloud": |
---|
| 125 | [ -i | --hostid ]: HostID for cloud-init, defaults to random string |
---|
| 126 | [ -u | --userdata ]: Cloud-init user-data file to configure container on start |
---|
| 127 | [ -S | --auth-key ]: SSH Public key file to inject into container |
---|
| 128 | [ -L | --nolocales ]: Do not copy host's locales into container |
---|
| 129 | |
---|
| 130 | EOF |
---|
| 131 | return 0 |
---|
| 132 | } |
---|
| 133 | |
---|
| 134 | options=$(getopt -o a:hp:r:n:Fi:CLS:T:ds: -l arch:,help,path:,release:,name:,flush-cache,hostid:,auth-key:,cloud,no_locales,tarball:,debug,stream:,userdata: -- "$@") |
---|
| 135 | if [ $? -ne 0 ]; then |
---|
| 136 | usage $(basename $0) |
---|
| 137 | exit 1 |
---|
| 138 | fi |
---|
| 139 | eval set -- "$options" |
---|
| 140 | |
---|
| 141 | release=lucid |
---|
| 142 | if [ -f /etc/lsb-release ]; then |
---|
| 143 | . /etc/lsb-release |
---|
| 144 | case "$DISTRIB_CODENAME" in |
---|
| 145 | lucid|maverick|natty|oneiric|precise) |
---|
| 146 | release=$DISTRIB_CODENAME |
---|
| 147 | ;; |
---|
| 148 | esac |
---|
| 149 | fi |
---|
| 150 | |
---|
| 151 | arch=$(arch) |
---|
| 152 | |
---|
| 153 | # Code taken from debootstrap |
---|
| 154 | if [ -x /usr/bin/dpkg ] && /usr/bin/dpkg --print-architecture >/dev/null 2>&1; then |
---|
| 155 | arch=`/usr/bin/dpkg --print-architecture` |
---|
| 156 | elif type udpkg >/dev/null 2>&1 && udpkg --print-architecture >/dev/null 2>&1; then |
---|
| 157 | arch=`/usr/bin/udpkg --print-architecture` |
---|
| 158 | else |
---|
| 159 | arch=$(arch) |
---|
| 160 | if [ "$arch" = "i686" ]; then |
---|
| 161 | arch="i386" |
---|
| 162 | elif [ "$arch" = "x86_64" ]; then |
---|
| 163 | arch="amd64" |
---|
| 164 | elif [ "$arch" = "armv7l" ]; then |
---|
| 165 | # note: arm images don't exist before oneiric; are called armhf in |
---|
| 166 | # precise; and are not supported by the query, so we don't actually |
---|
| 167 | # support them yet (see check later on). When Query2 is available, |
---|
| 168 | # we'll use that to enable arm images. |
---|
| 169 | arch="armel" |
---|
| 170 | fi |
---|
| 171 | fi |
---|
| 172 | |
---|
| 173 | debug=0 |
---|
| 174 | hostarch=$arch |
---|
| 175 | cloud=0 |
---|
| 176 | locales=1 |
---|
| 177 | flushcache=0 |
---|
| 178 | stream="released" |
---|
| 179 | while true |
---|
| 180 | do |
---|
| 181 | case "$1" in |
---|
| 182 | -h|--help) usage $0 && exit 0;; |
---|
| 183 | -p|--path) path=$2; shift 2;; |
---|
| 184 | -n|--name) name=$2; shift 2;; |
---|
| 185 | -F|--flush-cache) flushcache=1; shift 1;; |
---|
| 186 | -r|--release) release=$2; shift 2;; |
---|
| 187 | -a|--arch) arch=$2; shift 2;; |
---|
| 188 | -i|--hostid) host_id=$2; shift 2;; |
---|
| 189 | -u|--userdata) userdata=$2; shift 2;; |
---|
| 190 | -C|--cloud) cloud=1; shift 1;; |
---|
| 191 | -S|--auth-key) auth_key=$2; shift 2;; |
---|
| 192 | -L|--no_locales) locales=0; shift 2;; |
---|
| 193 | -T|--tarball) tarball=$2; shift 2;; |
---|
| 194 | -d|--debug) debug=1; shift 1;; |
---|
| 195 | -s|--stream) stream=$2; shift 2;; |
---|
| 196 | --) shift 1; break ;; |
---|
| 197 | *) break ;; |
---|
| 198 | esac |
---|
| 199 | done |
---|
| 200 | |
---|
| 201 | if [ $debug -eq 1 ]; then |
---|
| 202 | set -x |
---|
| 203 | fi |
---|
| 204 | |
---|
| 205 | if [ "$arch" == "i686" ]; then |
---|
| 206 | arch=i386 |
---|
| 207 | fi |
---|
| 208 | |
---|
| 209 | if [ $hostarch = "i386" -a $arch = "amd64" ]; then |
---|
| 210 | echo "can't create amd64 container on i386" |
---|
| 211 | exit 1 |
---|
| 212 | fi |
---|
| 213 | |
---|
| 214 | if [ $arch != "i386" -a $arch != "amd64" ]; then |
---|
| 215 | echo "Only i386 and amd64 are supported by the ubuntu cloud template." |
---|
| 216 | exit 1 |
---|
| 217 | fi |
---|
| 218 | |
---|
| 219 | if [ "$stream" != "daily" -a "$stream" != "released" ]; then |
---|
| 220 | echo "Only 'daily' and 'released' streams are supported" |
---|
| 221 | exit 1 |
---|
| 222 | fi |
---|
| 223 | |
---|
| 224 | if [ -n "$userdata" -a ! -f "$userdata" ]; then |
---|
| 225 | echo "Userdata does not exist" |
---|
| 226 | exit 1 |
---|
| 227 | fi |
---|
| 228 | |
---|
| 229 | if [ -z "$path" ]; then |
---|
| 230 | echo "'path' parameter is required" |
---|
| 231 | exit 1 |
---|
| 232 | fi |
---|
| 233 | |
---|
| 234 | if [ "$(id -u)" != "0" ]; then |
---|
| 235 | echo "This script should be run as 'root'" |
---|
| 236 | exit 1 |
---|
| 237 | fi |
---|
| 238 | |
---|
| 239 | rootfs=$path/rootfs |
---|
| 240 | |
---|
| 241 | type ubuntu-cloudimg-query |
---|
| 242 | type wget |
---|
| 243 | |
---|
| 244 | # determine the url, tarball, and directory names |
---|
| 245 | # download if needed |
---|
| 246 | cache="/var/cache/lxc/cloud-$release" |
---|
| 247 | |
---|
| 248 | mkdir -p $cache |
---|
| 249 | |
---|
| 250 | if [ -n "$tarball" ]; then |
---|
| 251 | url2="$tarball" |
---|
| 252 | else |
---|
| 253 | url1=`ubuntu-cloudimg-query $release $stream $arch --format "%{url}\n"` |
---|
| 254 | url2=`echo $url1 | sed -e 's/.tar.gz/-root\0/'` |
---|
| 255 | fi |
---|
| 256 | |
---|
| 257 | filename=`basename $url2` |
---|
| 258 | |
---|
| 259 | buildcleanup() |
---|
| 260 | { |
---|
| 261 | cd $rootfs |
---|
| 262 | umount -l $cache/$xdir || true |
---|
| 263 | rm -rf $cache |
---|
| 264 | } |
---|
| 265 | |
---|
| 266 | # if the release doesn't have a *-rootfs.tar.gz, then create one from the |
---|
| 267 | # cloudimg.tar.gz by extracting the .img, mounting it loopback, and creating |
---|
| 268 | # a tarball from the mounted image. |
---|
| 269 | build_root_tgz() |
---|
| 270 | { |
---|
| 271 | url=$1 |
---|
| 272 | filename=$2 |
---|
| 273 | |
---|
| 274 | xdir=`mktemp -d -p .` |
---|
| 275 | tarname=`basename $url` |
---|
| 276 | imgname="$release-*-cloudimg-$arch.img" |
---|
| 277 | trap buildcleanup EXIT |
---|
| 278 | if [ $flushcache -eq 1 -o ! -f $cache/$tarname ]; then |
---|
| 279 | rm -f $tarname |
---|
| 280 | echo "Downloading cloud image from $url" |
---|
| 281 | wget $url || { echo "Couldn't find cloud image $url."; exit 1; } |
---|
| 282 | fi |
---|
| 283 | echo "Creating new cached cloud image rootfs" |
---|
| 284 | tar --wildcards -zxf $tarname $imgname |
---|
| 285 | mount -o loop $imgname $xdir |
---|
| 286 | (cd $xdir; tar zcf ../$filename .) |
---|
| 287 | umount $xdir |
---|
| 288 | rm -f $tarname $imgname |
---|
| 289 | rmdir $xdir |
---|
| 290 | echo "New cloud image cache created" |
---|
| 291 | trap EXIT |
---|
| 292 | } |
---|
| 293 | |
---|
| 294 | mkdir -p /var/lock/subsys/ |
---|
| 295 | ( |
---|
| 296 | flock -x 200 |
---|
| 297 | |
---|
| 298 | cd $cache |
---|
| 299 | if [ $flushcache -eq 1 ]; then |
---|
| 300 | echo "Clearing the cached images" |
---|
| 301 | rm -f $filename |
---|
| 302 | fi |
---|
| 303 | |
---|
| 304 | if [ ! -f $filename ]; then |
---|
| 305 | wget $url2 || build_root_tgz $url1 $filename |
---|
| 306 | fi |
---|
| 307 | |
---|
| 308 | echo "Extracting container rootfs" |
---|
| 309 | mkdir -p $rootfs |
---|
| 310 | cd $rootfs |
---|
| 311 | tar -zxf $cache/$filename |
---|
| 312 | |
---|
| 313 | |
---|
| 314 | if [ $cloud -eq 0 ]; then |
---|
| 315 | echo "Configuring for running outside of a cloud environment" |
---|
| 316 | echo "If you want to configure for a cloud evironment, please use '-- -C' to create the container" |
---|
| 317 | |
---|
| 318 | seed_d=$rootfs/var/lib/cloud/seed/nocloud-net |
---|
| 319 | rhostid=$(uuidgen | cut -c -8) |
---|
| 320 | host_id=${hostid:-$rhostid} |
---|
| 321 | mkdir -p $seed_d |
---|
| 322 | |
---|
| 323 | cat > "$seed_d/meta-data" <<EOF |
---|
| 324 | instance_id: lxc-$host_id |
---|
| 325 | EOF |
---|
| 326 | |
---|
| 327 | rm $rootfs/etc/hostname |
---|
| 328 | |
---|
| 329 | if [ $locales -eq 1 ]; then |
---|
| 330 | cp /usr/lib/locale/locale-archive $rootfs/usr/lib/locale/locale-archive |
---|
| 331 | fi |
---|
| 332 | |
---|
| 333 | |
---|
| 334 | if [ -n "$auth_key" -a -f "$auth_key" ]; then |
---|
| 335 | u_path="/home/ubuntu/.ssh" |
---|
| 336 | root_u_path="$rootfs/$u_path" |
---|
| 337 | mkdir -p $root_u_path |
---|
| 338 | cp $auth_key "$root_u_path/authorized_keys" |
---|
| 339 | chroot $rootfs chown -R ubuntu: "$u_path" |
---|
| 340 | |
---|
| 341 | echo "Inserted SSH public key from $auth_key into /home/ubuntu/.ssh/authorized_keys" |
---|
| 342 | fi |
---|
| 343 | |
---|
| 344 | if [ -f "$userdata" ]; then |
---|
| 345 | echo "Using custom user-data" |
---|
| 346 | cp $userdata $seed_d/user-data |
---|
| 347 | else |
---|
| 348 | |
---|
| 349 | if [ -z "$MIRROR" ]; then |
---|
| 350 | MIRROR="http://archive.ubuntu.com/ubuntu" |
---|
| 351 | fi |
---|
| 352 | |
---|
| 353 | cat > "$seed_d/user-data" <<EOF |
---|
| 354 | #cloud-config |
---|
| 355 | output: {all: '| tee -a /var/log/cloud-init-output.log'} |
---|
| 356 | apt-mirror: $MIRROR |
---|
| 357 | manage_etc_hosts: localhost |
---|
| 358 | locale: $(/usr/bin/locale | awk -F= '/LANG=/ {print$NF}') |
---|
| 359 | EOF |
---|
| 360 | fi |
---|
| 361 | |
---|
| 362 | chroot $rootfs /usr/sbin/usermod -U ubuntu |
---|
| 363 | echo "ubuntu:ubuntu" | chroot $rootfs chpasswd |
---|
| 364 | echo "Please login as user ubuntu with password ubuntu." |
---|
| 365 | |
---|
| 366 | else |
---|
| 367 | |
---|
| 368 | echo "Configured for running in a cloud environment." |
---|
| 369 | echo "If you do not have a meta-data service, this container will likely be useless." |
---|
| 370 | |
---|
| 371 | fi |
---|
| 372 | |
---|
| 373 | ) 200>/var/lock/subsys/lxc-ubucloud |
---|
| 374 | |
---|
| 375 | copy_configuration $path $rootfs $name $arch $release |
---|
| 376 | |
---|
| 377 | echo "Container $name created." |
---|
| 378 | exit 0 |
---|