1 | #!/bin/bash |
---|
2 | |
---|
3 | # template script for generating ubuntu container for LXC based on released cloud |
---|
4 | # images |
---|
5 | # |
---|
6 | # Copyright © 2012 Serge Hallyn <serge.hallyn@canonical.com> |
---|
7 | # |
---|
8 | # This program is free software; you can redistribute it and/or modify |
---|
9 | # it under the terms of the GNU General Public License version 2, as |
---|
10 | # published by the Free Software Foundation. |
---|
11 | |
---|
12 | # This program is distributed in the hope that it will be useful, |
---|
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
15 | # GNU General Public License for more details. |
---|
16 | |
---|
17 | # You should have received a copy of the GNU General Public License along |
---|
18 | # with this program; if not, write to the Free Software Foundation, Inc., |
---|
19 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
---|
20 | # |
---|
21 | |
---|
22 | set -e |
---|
23 | |
---|
24 | if [ -r /etc/default/lxc ]; then |
---|
25 | . /etc/default/lxc |
---|
26 | fi |
---|
27 | |
---|
28 | copy_configuration() |
---|
29 | { |
---|
30 | path=$1 |
---|
31 | rootfs=$2 |
---|
32 | name=$3 |
---|
33 | arch=$4 |
---|
34 | release=$5 |
---|
35 | |
---|
36 | if [ $arch = "i386" ]; then |
---|
37 | arch="i686" |
---|
38 | fi |
---|
39 | |
---|
40 | # if there is exactly one veth network entry, make sure it has an |
---|
41 | # associated hwaddr. |
---|
42 | nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l` |
---|
43 | if [ $nics -eq 1 ]; then |
---|
44 | grep -q "^lxc.network.hwaddr" $path/config || cat <<EOF >> $path/config |
---|
45 | lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//') |
---|
46 | EOF |
---|
47 | fi |
---|
48 | |
---|
49 | grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config |
---|
50 | cat <<EOF >> $path/config |
---|
51 | lxc.utsname = $name |
---|
52 | |
---|
53 | lxc.tty = 4 |
---|
54 | lxc.pts = 1024 |
---|
55 | lxc.mount = $path/fstab |
---|
56 | lxc.arch = $arch |
---|
57 | lxc.cap.drop = sys_module mac_admin |
---|
58 | lxc.pivotdir = lxc_putold |
---|
59 | |
---|
60 | # uncomment the next line to run the container unconfined: |
---|
61 | #lxc.aa_profile = unconfined |
---|
62 | |
---|
63 | lxc.cgroup.devices.deny = a |
---|
64 | # Allow any mknod (but not using the node) |
---|
65 | lxc.cgroup.devices.allow = c *:* m |
---|
66 | lxc.cgroup.devices.allow = b *:* m |
---|
67 | # /dev/null and zero |
---|
68 | lxc.cgroup.devices.allow = c 1:3 rwm |
---|
69 | lxc.cgroup.devices.allow = c 1:5 rwm |
---|
70 | # consoles |
---|
71 | lxc.cgroup.devices.allow = c 5:1 rwm |
---|
72 | lxc.cgroup.devices.allow = c 5:0 rwm |
---|
73 | #lxc.cgroup.devices.allow = c 4:0 rwm |
---|
74 | #lxc.cgroup.devices.allow = c 4:1 rwm |
---|
75 | # /dev/{,u}random |
---|
76 | lxc.cgroup.devices.allow = c 1:9 rwm |
---|
77 | lxc.cgroup.devices.allow = c 1:8 rwm |
---|
78 | lxc.cgroup.devices.allow = c 136:* rwm |
---|
79 | lxc.cgroup.devices.allow = c 5:2 rwm |
---|
80 | # rtc |
---|
81 | lxc.cgroup.devices.allow = c 254:0 rwm |
---|
82 | #fuse |
---|
83 | lxc.cgroup.devices.allow = c 10:229 rwm |
---|
84 | #tun |
---|
85 | lxc.cgroup.devices.allow = c 10:200 rwm |
---|
86 | #full |
---|
87 | lxc.cgroup.devices.allow = c 1:7 rwm |
---|
88 | #hpet |
---|
89 | lxc.cgroup.devices.allow = c 10:228 rwm |
---|
90 | #kvm |
---|
91 | lxc.cgroup.devices.allow = c 10:232 rwm |
---|
92 | EOF |
---|
93 | |
---|
94 | cat <<EOF > $path/fstab |
---|
95 | proc proc proc nodev,noexec,nosuid 0 0 |
---|
96 | sysfs sys sysfs defaults 0 0 |
---|
97 | devtmpfs dev devtmpfs defaults 0 0 |
---|
98 | EOF |
---|
99 | |
---|
100 | # rmdir /dev/shm for containers that have /run/shm |
---|
101 | # I'm afraid of doing rm -rf $rootfs/dev/shm, in case it did |
---|
102 | # get bind mounted to the host's /run/shm. So try to rmdir |
---|
103 | # it, and in case that fails move it out of the way. |
---|
104 | if [ ! -L $rootfs/dev/shm ] && [ -d $rootfs/run/shm ] && [ -e $rootfs/dev/shm ]; then |
---|
105 | mv $rootfs/dev/shm $rootfs/dev/shm.bak |
---|
106 | ln -s /run/shm $rootfs/dev/shm |
---|
107 | fi |
---|
108 | |
---|
109 | return 0 |
---|
110 | } |
---|
111 | |
---|
112 | usage() |
---|
113 | { |
---|
114 | cat <<EOF |
---|
115 | LXC Container configuration for Ubuntu Cloud images. |
---|
116 | |
---|
117 | Generic Options |
---|
118 | [ -r | --release <release> ]: Release name of container, defaults to host |
---|
119 | [ -a | --arch ]: Arhcitecture of container, defaults to host arcitecture |
---|
120 | [ -C | --cloud ]: Configure container for use with meta-data service, defaults to no |
---|
121 | [ -T | --tarball ]: Location of tarball |
---|
122 | [ -d | --debug ]: Run with 'set -x' to debug errors |
---|
123 | [ -s | --stream]: Use specified stream rather than 'released' |
---|
124 | |
---|
125 | Options, mutually exclusive of "-C" and "--cloud": |
---|
126 | [ -i | --hostid ]: HostID for cloud-init, defaults to random string |
---|
127 | [ -u | --userdata ]: Cloud-init user-data file to configure container on start |
---|
128 | [ -S | --auth-key ]: SSH Public key file to inject into container |
---|
129 | [ -L | --nolocales ]: Do not copy host's locales into container |
---|
130 | |
---|
131 | EOF |
---|
132 | return 0 |
---|
133 | } |
---|
134 | |
---|
135 | options=$(getopt -o a:hp:r:n:Fi:CLS:T:ds: -l arch:,help,path:,release:,name:,flush-cache,hostid:,auth-key:,cloud,no_locales,tarball:,debug,stream:,userdata: -- "$@") |
---|
136 | if [ $? -ne 0 ]; then |
---|
137 | usage $(basename $0) |
---|
138 | exit 1 |
---|
139 | fi |
---|
140 | eval set -- "$options" |
---|
141 | |
---|
142 | release=lucid |
---|
143 | if [ -f /etc/lsb-release ]; then |
---|
144 | . /etc/lsb-release |
---|
145 | case "$DISTRIB_CODENAME" in |
---|
146 | lucid|natty|oneiric|precise|quantal) |
---|
147 | release=$DISTRIB_CODENAME |
---|
148 | ;; |
---|
149 | esac |
---|
150 | fi |
---|
151 | |
---|
152 | arch=$(arch) |
---|
153 | |
---|
154 | # Code taken from debootstrap |
---|
155 | if [ -x /usr/bin/dpkg ] && /usr/bin/dpkg --print-architecture >/dev/null 2>&1; then |
---|
156 | arch=`/usr/bin/dpkg --print-architecture` |
---|
157 | elif type udpkg >/dev/null 2>&1 && udpkg --print-architecture >/dev/null 2>&1; then |
---|
158 | arch=`/usr/bin/udpkg --print-architecture` |
---|
159 | else |
---|
160 | arch=$(arch) |
---|
161 | if [ "$arch" = "i686" ]; then |
---|
162 | arch="i386" |
---|
163 | elif [ "$arch" = "x86_64" ]; then |
---|
164 | arch="amd64" |
---|
165 | elif [ "$arch" = "armv7l" ]; then |
---|
166 | # note: arm images don't exist before oneiric; are called armhf in |
---|
167 | # precise and later; and are not supported by the query, so we don't actually |
---|
168 | # support them yet (see check later on). When Query2 is available, |
---|
169 | # we'll use that to enable arm images. |
---|
170 | arch="armel" |
---|
171 | fi |
---|
172 | fi |
---|
173 | |
---|
174 | debug=0 |
---|
175 | hostarch=$arch |
---|
176 | cloud=0 |
---|
177 | locales=1 |
---|
178 | flushcache=0 |
---|
179 | stream="released" |
---|
180 | while true |
---|
181 | do |
---|
182 | case "$1" in |
---|
183 | -h|--help) usage $0 && exit 0;; |
---|
184 | -p|--path) path=$2; shift 2;; |
---|
185 | -n|--name) name=$2; shift 2;; |
---|
186 | -F|--flush-cache) flushcache=1; shift 1;; |
---|
187 | -r|--release) release=$2; shift 2;; |
---|
188 | -a|--arch) arch=$2; shift 2;; |
---|
189 | -i|--hostid) host_id=$2; shift 2;; |
---|
190 | -u|--userdata) userdata=$2; shift 2;; |
---|
191 | -C|--cloud) cloud=1; shift 1;; |
---|
192 | -S|--auth-key) auth_key=$2; shift 2;; |
---|
193 | -L|--no_locales) locales=0; shift 2;; |
---|
194 | -T|--tarball) tarball=$2; shift 2;; |
---|
195 | -d|--debug) debug=1; shift 1;; |
---|
196 | -s|--stream) stream=$2; shift 2;; |
---|
197 | --) shift 1; break ;; |
---|
198 | *) break ;; |
---|
199 | esac |
---|
200 | done |
---|
201 | |
---|
202 | if [ $debug -eq 1 ]; then |
---|
203 | set -x |
---|
204 | fi |
---|
205 | |
---|
206 | if [ "$arch" == "i686" ]; then |
---|
207 | arch=i386 |
---|
208 | fi |
---|
209 | |
---|
210 | if [ $hostarch = "i386" -a $arch = "amd64" ]; then |
---|
211 | echo "can't create amd64 container on i386" |
---|
212 | exit 1 |
---|
213 | fi |
---|
214 | |
---|
215 | if [ $arch != "i386" -a $arch != "amd64" ]; then |
---|
216 | echo "Only i386 and amd64 are supported by the ubuntu cloud template." |
---|
217 | exit 1 |
---|
218 | fi |
---|
219 | |
---|
220 | if [ "$stream" != "daily" -a "$stream" != "released" ]; then |
---|
221 | echo "Only 'daily' and 'released' streams are supported" |
---|
222 | exit 1 |
---|
223 | fi |
---|
224 | |
---|
225 | if [ -n "$userdata" ]; then |
---|
226 | if [ ! -f "$userdata" ]; then |
---|
227 | echo "Userdata ($userdata) does not exist" |
---|
228 | exit 1 |
---|
229 | else |
---|
230 | userdata=`readlink -f $userdata` |
---|
231 | fi |
---|
232 | fi |
---|
233 | |
---|
234 | if [ -n "$auth_key" ]; then |
---|
235 | if [ ! -f "$auth_key" ]; then |
---|
236 | echo "--auth-key=${auth_key} must reference a file" |
---|
237 | exit 1 |
---|
238 | fi |
---|
239 | auth_key=$(readlink -f "${auth_key}") || |
---|
240 | { echo "failed to get full path for auth_key"; exit 1; } |
---|
241 | fi |
---|
242 | |
---|
243 | if [ -z "$path" ]; then |
---|
244 | echo "'path' parameter is required" |
---|
245 | exit 1 |
---|
246 | fi |
---|
247 | |
---|
248 | if [ "$(id -u)" != "0" ]; then |
---|
249 | echo "This script should be run as 'root'" |
---|
250 | exit 1 |
---|
251 | fi |
---|
252 | |
---|
253 | # detect rootfs |
---|
254 | config="$path/config" |
---|
255 | if grep -q '^lxc.rootfs' $config 2>/dev/null ; then |
---|
256 | rootfs=`grep 'lxc.rootfs =' $config | awk -F= '{ print $2 }'` |
---|
257 | else |
---|
258 | rootfs=$path/rootfs |
---|
259 | fi |
---|
260 | |
---|
261 | type ubuntu-cloudimg-query |
---|
262 | type wget |
---|
263 | |
---|
264 | # determine the url, tarball, and directory names |
---|
265 | # download if needed |
---|
266 | cache="/var/cache/lxc/cloud-$release" |
---|
267 | |
---|
268 | mkdir -p $cache |
---|
269 | |
---|
270 | if [ -n "$tarball" ]; then |
---|
271 | url2="$tarball" |
---|
272 | else |
---|
273 | url1=`ubuntu-cloudimg-query $release $stream $arch --format "%{url}\n"` |
---|
274 | url2=`echo $url1 | sed -e 's/.tar.gz/-root\0/'` |
---|
275 | fi |
---|
276 | |
---|
277 | filename=`basename $url2` |
---|
278 | |
---|
279 | wgetcleanup() |
---|
280 | { |
---|
281 | rm -f $filename |
---|
282 | } |
---|
283 | |
---|
284 | buildcleanup() |
---|
285 | { |
---|
286 | cd $rootfs |
---|
287 | umount -l $cache/$xdir || true |
---|
288 | rm -rf $cache |
---|
289 | } |
---|
290 | |
---|
291 | # if the release doesn't have a *-rootfs.tar.gz, then create one from the |
---|
292 | # cloudimg.tar.gz by extracting the .img, mounting it loopback, and creating |
---|
293 | # a tarball from the mounted image. |
---|
294 | build_root_tgz() |
---|
295 | { |
---|
296 | url=$1 |
---|
297 | filename=$2 |
---|
298 | |
---|
299 | xdir=`mktemp -d -p .` |
---|
300 | tarname=`basename $url` |
---|
301 | imgname="$release-*-cloudimg-$arch.img" |
---|
302 | trap buildcleanup EXIT SIGHUP SIGINT SIGTERM |
---|
303 | if [ $flushcache -eq 1 -o ! -f $cache/$tarname ]; then |
---|
304 | rm -f $tarname |
---|
305 | echo "Downloading cloud image from $url" |
---|
306 | wget $url || { echo "Couldn't find cloud image $url."; exit 1; } |
---|
307 | fi |
---|
308 | echo "Creating new cached cloud image rootfs" |
---|
309 | tar --wildcards -zxf $tarname $imgname |
---|
310 | mount -o loop $imgname $xdir |
---|
311 | (cd $xdir; tar zcf ../$filename .) |
---|
312 | umount $xdir |
---|
313 | rm -f $tarname $imgname |
---|
314 | rmdir $xdir |
---|
315 | echo "New cloud image cache created" |
---|
316 | trap EXIT |
---|
317 | trap SIGHUP |
---|
318 | trap SIGINT |
---|
319 | trap SIGTERM |
---|
320 | } |
---|
321 | |
---|
322 | mkdir -p /var/lock/subsys/ |
---|
323 | ( |
---|
324 | flock -x 200 |
---|
325 | |
---|
326 | cd $cache |
---|
327 | if [ $flushcache -eq 1 ]; then |
---|
328 | echo "Clearing the cached images" |
---|
329 | rm -f $filename |
---|
330 | fi |
---|
331 | |
---|
332 | trap wgetcleanup EXIT SIGHUP SIGINT SIGTERM |
---|
333 | if [ ! -f $filename ]; then |
---|
334 | wget $url2 || build_root_tgz $url1 $filename |
---|
335 | fi |
---|
336 | trap EXIT |
---|
337 | trap SIGHUP |
---|
338 | trap SIGINT |
---|
339 | trap SIGTERM |
---|
340 | |
---|
341 | echo "Extracting container rootfs" |
---|
342 | mkdir -p $rootfs |
---|
343 | cd $rootfs |
---|
344 | tar -zxf $cache/$filename |
---|
345 | |
---|
346 | |
---|
347 | if [ $cloud -eq 0 ]; then |
---|
348 | echo "Configuring for running outside of a cloud environment" |
---|
349 | echo "If you want to configure for a cloud evironment, please use '-- -C' to create the container" |
---|
350 | |
---|
351 | seed_d=$rootfs/var/lib/cloud/seed/nocloud-net |
---|
352 | rhostid=$(uuidgen | cut -c -8) |
---|
353 | host_id=${hostid:-$rhostid} |
---|
354 | mkdir -p $seed_d |
---|
355 | |
---|
356 | cat > "$seed_d/meta-data" <<EOF |
---|
357 | instance-id: lxc-$host_id |
---|
358 | EOF |
---|
359 | if [ -n "$auth_key" ]; then |
---|
360 | { |
---|
361 | echo "public-keys:" && |
---|
362 | sed -e '/^$/d' -e 's,^,- ,' "$auth_key" "$auth_key" |
---|
363 | } >> "$seed_d/meta-data" |
---|
364 | [ $? -eq 0 ] || |
---|
365 | { echo "failed to write public keys to metadata"; exit 1; } |
---|
366 | fi |
---|
367 | |
---|
368 | rm $rootfs/etc/hostname |
---|
369 | |
---|
370 | if [ $locales -eq 1 ]; then |
---|
371 | cp /usr/lib/locale/locale-archive $rootfs/usr/lib/locale/locale-archive |
---|
372 | fi |
---|
373 | |
---|
374 | if [ -f "$userdata" ]; then |
---|
375 | echo "Using custom user-data" |
---|
376 | cp $userdata $seed_d/user-data |
---|
377 | else |
---|
378 | |
---|
379 | if [ -z "$MIRROR" ]; then |
---|
380 | MIRROR="http://archive.ubuntu.com/ubuntu" |
---|
381 | fi |
---|
382 | |
---|
383 | cat > "$seed_d/user-data" <<EOF |
---|
384 | #cloud-config |
---|
385 | output: {all: '| tee -a /var/log/cloud-init-output.log'} |
---|
386 | apt_mirror: $MIRROR |
---|
387 | manage_etc_hosts: localhost |
---|
388 | locale: $(/usr/bin/locale | awk -F= '/LANG=/ {print$NF}') |
---|
389 | password: ubuntu |
---|
390 | chpasswd: { expire: False } |
---|
391 | EOF |
---|
392 | fi |
---|
393 | |
---|
394 | else |
---|
395 | |
---|
396 | echo "Configured for running in a cloud environment." |
---|
397 | echo "If you do not have a meta-data service, this container will likely be useless." |
---|
398 | |
---|
399 | fi |
---|
400 | ) 200>/var/lock/subsys/lxc-ubucloud |
---|
401 | |
---|
402 | copy_configuration $path $rootfs $name $arch $release |
---|
403 | |
---|
404 | echo "Container $name created." |
---|
405 | exit 0 |
---|
406 | |
---|
407 | # vi: ts=4 expandtab |
---|