#!/bin/bash

# template script for generating ubuntu container for LXC based on released cloud
# images
#
# Copyright © 2012 Serge Hallyn <serge.hallyn@canonical.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2, as
# published by the Free Software Foundation.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#

# Abort on the first failing command; individual steps below do not check
# their own status.
set -e

# Site defaults (e.g. MIRROR) are pulled in by sourcing the file, i.e. it is
# executed as shell code, so it has to be trusted (root-writable only).
if test -r /etc/default/lxc; then
  . /etc/default/lxc
fi

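#######################################
# Append the container's LXC settings to "$path/config", write "$path/fstab",
# and point the rootfs' /dev/shm at /run/shm where the image has the latter.
# Arguments:
#   $1 - container directory (holds config and fstab)
#   $2 - container rootfs directory
#   $3 - container name (written as lxc.utsname)
#   $4 - architecture in Debian naming (i386 is rewritten to i686 for lxc.arch)
#   $5 - release codename; accepted for interface compatibility, not used here
# Outputs:
#   appends to "$1/config", overwrites "$1/fstab"
# Returns:
#   0; a failing command aborts the whole script under 'set -e'
#######################################
copy_configuration()
{
  local path=$1
  local rootfs=$2
  local name=$3
  local arch=$4
  # shellcheck disable=SC2034  -- kept so the 5-argument call form stays valid
  local release=$5
  local nics

  # lxc.arch takes the uname-style name (i686), not the Debian one (i386).
  if [ "$arch" = "i386" ]; then
    arch="i686"
  fi

  # if there is exactly one veth network entry, make sure it has an
  # associated hwaddr.
  # grep -c exits 1 when the count is 0, which must not trip 'set -e'.
  nics=$(grep -c -e '^lxc\.network\.type[ \t]*=[ \t]*veth' "$path/config" || true)
  if [ "${nics:-0}" -eq 1 ]; then
    grep -q "^lxc.network.hwaddr" "$path/config" || cat <<EOF >> "$path/config"
lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')
EOF
  fi

  cat <<EOF >> "$path/config"
lxc.utsname = $name

lxc.tty = 4
lxc.pts = 1024
lxc.rootfs = $rootfs
lxc.mount = $path/fstab
lxc.arch = $arch
lxc.cap.drop = sys_module mac_admin
lxc.pivotdir = lxc_putold

# uncomment the next line to run the container unconfined:
#lxc.aa_profile = unconfined

lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
#lxc.cgroup.devices.allow = c 4:0 rwm
#lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
#fuse
lxc.cgroup.devices.allow = c 10:229 rwm
#tun
lxc.cgroup.devices.allow = c 10:200 rwm
#full
lxc.cgroup.devices.allow = c 1:7 rwm
#hpet
lxc.cgroup.devices.allow = c 10:228 rwm
#kvm
lxc.cgroup.devices.allow = c 10:232 rwm
EOF

  cat <<EOF > "$path/fstab"
proc proc proc nodev,noexec,nosuid 0 0
sysfs sys sysfs defaults 0 0
EOF

  # Containers whose image has /run/shm get /dev/shm pointed at it. An
  # 'rm -rf $rootfs/dev/shm' is avoided in case it is bind mounted to the
  # host's /run/shm, so the directory is moved aside and replaced by a symlink.
  if [ ! -L "$rootfs/dev/shm" ] && [ -d "$rootfs/run/shm" ] && [ -e "$rootfs/dev/shm" ]; then
    mv -- "$rootfs/dev/shm" "$rootfs/dev/shm.bak"
    ln -s /run/shm "$rootfs/dev/shm"
  fi

  return 0
}
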
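#######################################
# Print the command-line help to stdout.
# Arguments:
#   none (any arguments are ignored; callers historically passed $0)
# Returns:
#   0
#######################################
usage()
{
  cat <<EOF
LXC Container configuration for Ubuntu Cloud images.

Generic Options
[ -p | --path <path> ]: Container directory (required)
[ -n | --name <name> ]: Container name
[ -r | --release <release> ]: Release name of container, defaults to host
[ -a | --arch ]: Architecture of container, defaults to host architecture
[ -C | --cloud ]: Configure container for use with meta-data service, defaults to no
[ -T | --tarball ]: Location of tarball
[ -F | --flush-cache ]: Discard the cached image and fetch it again
[ -d | --debug ]: Run with 'set -x' to debug errors
[ -s | --stream ]: Use specified stream rather than 'released'

Options, mutually exclusive with "-C" and "--cloud":
[ -i | --hostid ]: HostID for cloud-init, defaults to random string
[ -u | --userdata ]: Cloud-init user-data file to configure container on start
[ -S | --auth-key ]: SSH Public key file to inject into container
[ -L | --no_locales ]: Do not copy host's locales into container

EOF
  return 0
}
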
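# Parse the command line. Under 'set -e' a getopt failure inside $(...) would
# abort before any later '$?' check could run, so the fallback is chained with '||'.
options=$(getopt -o a:hp:r:n:Fi:CLS:T:ds: -l arch:,help,path:,release:,name:,flush-cache,hostid:,auth-key:,cloud,no_locales,tarball:,debug,stream:,userdata: -- "$@") || {
  usage
  exit 1
}
eval set -- "$options"

# Default release: the host's codename when it is one of the known ones, else lucid.
release=lucid
if [ -f /etc/lsb-release ]; then
  . /etc/lsb-release
  case "$DISTRIB_CODENAME" in
    lucid|maverick|natty|oneiric|precise)
      release=$DISTRIB_CODENAME
      ;;
  esac
fi

# Host architecture in Debian naming (i386, amd64, ...).
# Code taken from debootstrap
if [ -x /usr/bin/dpkg ] && /usr/bin/dpkg --print-architecture >/dev/null 2>&1; then
  arch=$(/usr/bin/dpkg --print-architecture)
elif type udpkg >/dev/null 2>&1 && udpkg --print-architecture >/dev/null 2>&1; then
  # 'type' located udpkg on PATH, so call it the same way rather than by a fixed path.
  arch=$(udpkg --print-architecture)
else
  arch=$(arch)
  if [ "$arch" = "i686" ]; then
    arch="i386"
  elif [ "$arch" = "x86_64" ]; then
    arch="amd64"
  elif [ "$arch" = "armv7l" ]; then
    # note: arm images don't exist before oneiric; are called armhf in
    # precise; and are not supported by the query, so we don't actually
    # support them yet (see check later on). When Query2 is available,
    # we'll use that to enable arm images.
    arch="armel"
  fi
fi

debug=0
hostarch=$arch
cloud=0
locales=1
flushcache=0
stream="released"
# Start the option-backed variables empty so stray variables in the caller's
# environment cannot act as options (the checks below test them with -z/-n).
path=
name=
host_id=
userdata=
auth_key=
tarball=
url1=
while true; do
  case "$1" in
    -h|--help) usage && exit 0;;
    -p|--path) path=$2; shift 2;;
    -n|--name) name=$2; shift 2;;
    -F|--flush-cache) flushcache=1; shift 1;;
    -r|--release) release=$2; shift 2;;
    -a|--arch) arch=$2; shift 2;;
    -i|--hostid) host_id=$2; shift 2;;
    -u|--userdata) userdata=$2; shift 2;;
    -C|--cloud) cloud=1; shift 1;;
    -S|--auth-key) auth_key=$2; shift 2;;
    # -L takes no argument (no ':' after L in the getopt spec), so only one
    # word is consumed; 'shift 2' here used to swallow the following option.
    -L|--no_locales) locales=0; shift 1;;
    -T|--tarball) tarball=$2; shift 2;;
    -d|--debug) debug=1; shift 1;;
    -s|--stream) stream=$2; shift 2;;
    --) shift 1; break ;;
    *) break ;;
  esac
done

if [ "$debug" -eq 1 ]; then
  set -x
fi

# Accept the uname spelling for the 32-bit x86 target as well.
if [ "$arch" = "i686" ]; then
  arch=i386
fi

if [ "$hostarch" = "i386" ] && [ "$arch" = "amd64" ]; then
  echo "can't create amd64 container on i386" >&2
  exit 1
fi

if [ "$arch" != "i386" ] && [ "$arch" != "amd64" ]; then
  echo "Only i386 and amd64 are supported by the ubuntu cloud template." >&2
  exit 1
fi

if [ "$stream" != "daily" ] && [ "$stream" != "released" ]; then
  echo "Only 'daily' and 'released' streams are supported" >&2
  exit 1
fi

if [ -n "$userdata" ] && [ ! -f "$userdata" ]; then
  echo "Userdata does not exist" >&2
  exit 1
fi

if [ -z "$path" ]; then
  echo "'path' parameter is required" >&2
  exit 1
fi

# An empty name would end up as an empty lxc.utsname in the config.
if [ -z "$name" ]; then
  echo "'name' parameter is required" >&2
  exit 1
fi

if [ "$(id -u)" != "0" ]; then
  echo "This script should be run as 'root'" >&2
  exit 1
fi

rootfs=$path/rootfs

# Hard requirements: 'type' prints where each tool was found and exits
# non-zero when one is missing, which aborts the script under 'set -e'.
type ubuntu-cloudimg-query
type wget

# determine the url, tarball, and directory names
# download if needed
cache="/var/cache/lxc/cloud-$release"

mkdir -p "$cache"

if [ -n "$tarball" ]; then
  url2="$tarball"
else
  url1=$(ubuntu-cloudimg-query "$release" "$stream" "$arch" --format "%{url}\n")
  # the rootfs tarball sits next to the cloudimg one: foo.tar.gz -> foo-root.tar.gz
  url2=$(printf '%s\n' "$url1" | sed -e 's/\.tar\.gz/-root&/')
fi

filename=$(basename "$url2")
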
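#######################################
# EXIT handler installed by build_root_tgz: unmount the loop-mounted image
# and remove the cache directory (its contents may be half-built).
# Globals:
#   rootfs (read), cache (read), xdir (read; set by build_root_tgz)
# Returns:
#   status of the last command; runs from the trap
#######################################
buildcleanup()
{
  # Leave $cache before removing it; fall back to / because the container
  # rootfs may not exist yet at the point a build fails.
  cd "$rootfs" 2>/dev/null || cd /
  umount -l "$cache/$xdir" || true
  # ${cache:?} aborts instead of running 'rm -rf' on an empty path.
  rm -rf -- "${cache:?}"
}
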
# if the release doesn't have a *-rootfs.tar.gz, then create one from the
# cloudimg.tar.gz by extracting the .img, mounting it loopback, and creating
# a tarball from the mounted image.
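#######################################
# Build a rootfs tarball for releases that do not publish one: download the
# cloudimg tarball into the cache (the current directory), extract the .img,
# loop-mount it and tar up the mounted tree as $2.
# Globals:
#   release, arch, flushcache, cache (read); xdir (written, read by buildcleanup)
# Arguments:
#   $1 - URL of the cloudimg tarball
#   $2 - file name of the rootfs tarball to create in the current directory
# Outputs:
#   progress messages on stdout; creates $2
# Returns:
#   0 on success; exits 1 (after buildcleanup runs) when the download fails
#######################################
build_root_tgz()
{
  local url=$1
  local filename=$2
  local tarname imgname

  # mktemp's result is relative to the cache dir; buildcleanup joins it with $cache.
  xdir=$(mktemp -d -p .)
  tarname=$(basename "$url")
  imgname="$release-*-cloudimg-$arch.img"
  trap buildcleanup EXIT
  if [ "$flushcache" -eq 1 ] || [ ! -f "$cache/$tarname" ]; then
    rm -f -- "$tarname"
    echo "Downloading cloud image from $url"
    # NOTE(review): the download is not verified (no checksum or signature
    # check) before the image inside it is loop-mounted by root.
    wget "$url" || { echo "Couldn't find cloud image $url."; exit 1; }
  fi
  echo "Creating new cached cloud image rootfs"
  # $imgname is a tar wildcard here, so it stays quoted (tar expands it) ...
  tar --wildcards -zxf "$tarname" "$imgname"
  # ... and an intentional shell glob below, matching the file tar just extracted.
  # shellcheck disable=SC2086
  mount -o loop $imgname "$xdir"
  # '&&' so a failed cd cannot silently tar up the cache directory instead.
  (cd "$xdir" && tar zcf "../$filename" .)
  umount "$xdir"
  # shellcheck disable=SC2086
  rm -f -- "$tarname" $imgname
  rmdir "$xdir"
  echo "New cloud image cache created"
  # Success: drop the handler so the freshly built cache is kept.
  trap EXIT
}
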
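# Populate the cache and unpack the rootfs under a lock held for the whole
# subshell. An 'exit' inside only leaves the subshell; its non-zero status
# then aborts the script through 'set -e'.
mkdir -p /var/lock/subsys/
(
  flock -x 200

  cd "$cache"
  if [ "$flushcache" -eq 1 ]; then
    echo "Clearing the cached images"
    rm -f -- "$filename"
  fi

  if [ ! -f "$filename" ]; then
    # NOTE(review): the tarball is fetched and unpacked as root with no
    # checksum or signature verification, and binaries from it are later run
    # via chroot.
    wget "$url2" || build_root_tgz "$url1" "$filename"
  fi

  echo "Extracting container rootfs"
  mkdir -p "$rootfs"
  cd "$rootfs"
  tar -zxf "$cache/$filename"

  if [ "$cloud" -eq 0 ]; then
    echo "Configuring for running outside of a cloud environment"
    echo "If you want to configure for a cloud evironment, please use '-- -C' to create the container"

    seed_d=$rootfs/var/lib/cloud/seed/nocloud-net
    # -i/--hostid sets host_id; a random id is generated only when it was not given
    # (the old code read the never-set 'hostid', so -i was silently ignored).
    host_id=${host_id:-$(uuidgen | cut -c -8)}
    mkdir -p "$seed_d"

    cat > "$seed_d/meta-data" <<EOF
instance_id: lxc-$host_id
EOF

    # Drop the image's baked-in hostname, presumably so lxc.utsname from the
    # config takes effect; -f keeps a missing file from aborting the build.
    rm -f -- "$rootfs/etc/hostname"

    # Skip the copy when the host has no locale archive instead of aborting.
    if [ "$locales" -eq 1 ] && [ -f /usr/lib/locale/locale-archive ]; then
      cp /usr/lib/locale/locale-archive "$rootfs/usr/lib/locale/locale-archive"
    fi

    if [ -n "$auth_key" ] && [ -f "$auth_key" ]; then
      u_path="/home/ubuntu/.ssh"
      root_u_path="$rootfs/$u_path"
      mkdir -p "$root_u_path"
      cp -- "$auth_key" "$root_u_path/authorized_keys"
      # chown is run inside the image, presumably so 'ubuntu' resolves against
      # the image's passwd rather than the host's.
      chroot "$rootfs" chown -R ubuntu: "$u_path"

      echo "Inserted SSH public key from $auth_key into /home/ubuntu/.ssh/authorized_keys"
    fi

    if [ -f "$userdata" ]; then
      echo "Using custom user-data"
      cp -- "$userdata" "$seed_d/user-data"
    else
      # MIRROR may be provided by the environment (e.g. /etc/default/lxc,
      # sourced at the top); fall back to the main archive.
      if [ -z "$MIRROR" ]; then
        MIRROR="http://archive.ubuntu.com/ubuntu"
      fi

      cat > "$seed_d/user-data" <<EOF
#cloud-config
output: {all: '| tee -a /var/log/cloud-init-output.log'}
apt-mirror: $MIRROR
manage_etc_hosts: localhost
locale: $(/usr/bin/locale | awk -F= '/LANG=/ {print$NF}')
EOF
    fi

    # Unlock the image's 'ubuntu' account and set a well-known password.
    # NOTE(review): this is a default credential; a container reachable over
    # the network should have it changed, or use -S key injection instead.
    chroot "$rootfs" /usr/sbin/usermod -U ubuntu
    echo "ubuntu:ubuntu" | chroot "$rootfs" chpasswd
    echo "Please login as user ubuntu with password ubuntu."

  else

    echo "Configured for running in a cloud environment."
    echo "If you do not have a meta-data service, this container will likely be useless."

  fi

) 200>/var/lock/subsys/lxc-ubucloud

copy_configuration "$path" "$rootfs" "$name" "$arch" "$release"

echo "Container $name created."
exit 0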