[meta-virtualization] [PATCH] lxc: add unprivileged Busybox containers support
Bogdan Purcareata
bogdan.purcareata at freescale.com
Thu Oct 23 09:31:54 PDT 2014
Integrate 2 upstream patches that enable creating unprivileged Busybox
containers.
Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
---
...sybox_template_mount_fstab_when_available.patch | 32 +++++++
...plate_support_for_unprivileged_containers.patch | 92 ++++++++++++++++++++
recipes-containers/lxc/lxc_1.0.6.bb | 3 +
3 files changed, 127 insertions(+)
create mode 100644 recipes-containers/lxc/files/busybox_template_mount_fstab_when_available.patch
create mode 100644 recipes-containers/lxc/files/busybox_template_support_for_unprivileged_containers.patch
diff --git a/recipes-containers/lxc/files/busybox_template_mount_fstab_when_available.patch b/recipes-containers/lxc/files/busybox_template_mount_fstab_when_available.patch
new file mode 100644
index 0000000..74b4fdf
--- /dev/null
+++ b/recipes-containers/lxc/files/busybox_template_mount_fstab_when_available.patch
@@ -0,0 +1,32 @@
+From 12c3b43fbeacd9cc471adf565ecea3263e37e353 Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata at freescale.com>
+Date: Mon, 20 Oct 2014 15:56:54 -0400
+Subject: [PATCH] busybox template: mount fstab when available
+
+When running unprivileged, lxc-create will touch a fstab file, with bind-mounts
+for the ttys and other devices. Add this entry in the container config.
+
+Upstream-Status: Accepted
+[https://github.com/lxc/lxc/commit/12c3b43fbeacd9cc471adf565ecea3263e37e353]
+
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
+Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
+---
+ templates/lxc-busybox.in | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
+index ca2dd43..ee54a7a 100644
+--- a/templates/lxc-busybox.in
++++ b/templates/lxc-busybox.in
+@@ -301,6 +301,10 @@ EOF
+ done
+ echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >>$path/config
+ echo "lxc.mount.auto = proc:mixed sys" >>$path/config
++
++ if [ -f "$path/fstab" ]; then
++ echo "lxc.mount = $path/fstab" >>$path/config
++ fi
+ }
+
+ remap_userns()
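Review bot: The new redirection in the inner hunk, `echo "lxc.mount = $path/fstab" >>$path/config`, leaves `$path` unquoted in the redirection target while the test on the line above quotes it; a path containing whitespace would be word-split and the entry written to the wrong file. The existing echo lines in this function do the same, so it is a consistency point rather than a regression, but new lines are the place to stop carrying it forward: `echo "lxc.mount = $path/fstab" >>"$path/config"`. The same unquoted `$path` appears in the chown/chgrp arguments of the remap_userns function added by the second patch file in this commit. The enclosing function of the inner hunk starts outside the hunk.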
diff --git a/recipes-containers/lxc/files/busybox_template_support_for_unprivileged_containers.patch b/recipes-containers/lxc/files/busybox_template_support_for_unprivileged_containers.patch
new file mode 100644
index 0000000..4e9ab74
--- /dev/null
+++ b/recipes-containers/lxc/files/busybox_template_support_for_unprivileged_containers.patch
@@ -0,0 +1,92 @@
+From a542dd3c1aca8b6674f631d625d888eb13ae3a4d Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata at freescale.com>
+Date: Mon, 20 Oct 2014 15:56:53 -0400
+Subject: [PATCH] busybox template: support for unprivileged containers
+
+Apply the changes found in templates/lxc-download to the busybox template as
+well. Change ownership of the config and fstab files to the unprivileged user,
+and the ownership of the rootfs to root in the new user namespace.
+
+Eliminate the "unsupported for userns" flag.
+
+Upstream-Status: Accepted
+[https://github.com/lxc/lxc/commit/a542dd3c1aca8b6674f631d625d888eb13ae3a4d]
+
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
+Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
+---
+ templates/lxc-busybox.in | 36 ++++++++++++++++++++++++++----------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
+index 246e743..ca2dd43 100644
+--- a/templates/lxc-busybox.in
++++ b/templates/lxc-busybox.in
+@@ -20,15 +20,8 @@
+ # License along with this library; if not, write to the Free Software
+ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+-# Detect use under userns (unsupported)
+-for arg in "$@"; do
+- [ "$arg" = "--" ] && break
+- if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
+- echo "This template can't be used for unprivileged containers." 1>&2
+- echo "You may want to try the \"download\" template instead." 1>&2
+- exit 1
+- fi
+-done
++LXC_MAPPED_UID=
++LXC_MAPPED_GID=
+
+ # Make sure the usual locations are in PATH
+ export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
+@@ -310,6 +303,21 @@ EOF
+ echo "lxc.mount.auto = proc:mixed sys" >>$path/config
+ }
+
++remap_userns()
++{
++ path=$1
++
++ if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
++ chown $LXC_MAPPED_UID $path/config $path/fstab >/dev/null 2>&1
++ chown -R root $path/rootfs >/dev/null 2>&1
++ fi
++
++ if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
++ chgrp $LXC_MAPPED_GID $path/config $path/fstab >/dev/null 2>&1
++ chgrp -R root $path/rootfs >/dev/null 2>&1
++ fi
++}
++
+ usage()
+ {
+ cat <<EOF
+@@ -318,7 +326,7 @@ EOF
+ return 0
+ }
+
+-options=$(getopt -o hp:n: -l help,rootfs:,path:,name: -- "$@")
++options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- "$@")
+ if [ $? -ne 0 ]; then
+ usage $(basename $0)
+ exit 1
+@@ -332,6 +340,8 @@ do
+ -p|--path) path=$2; shift 2;;
+ --rootfs) rootfs=$2; shift 2;;
+ -n|--name) name=$2; shift 2;;
++ --mapped-uid) LXC_MAPPED_UID=$2; shift 2;;
++ --mapped-gid) LXC_MAPPED_GID=$2; shift 2;;
+ --) shift 1; break ;;
+ *) break ;;
+ esac
+@@ -374,3 +384,9 @@ if [ $? -ne 0 ]; then
+ echo "failed to write configuration file"
+ exit 1
+ fi
++
++remap_userns $path
++if [ $? -ne 0 ]; then
++ echo "failed to remap files to user"
++ exit 1
++fi
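Review bot: The status check after `remap_userns $path` at the end of this hunk cannot detect a failed chown/chgrp, because the function returns the status of the last command it executed: when the GID branch is skipped that is a false `if` test (status 0), and when it runs, a chown failure in the UID branch is masked by a succeeding chgrp. With output also discarded to /dev/null, a partially remapped container directory is reported as success and the "failed to remap files to user" exit path is effectively unreachable. Appending `|| return 1` to each of the four chown/chgrp lines, e.g. `chown "$LXC_MAPPED_UID" "$path/config" "$path/fstab" >/dev/null 2>&1 || return 1`, gives the caller's check something to act on. The `--mapped-uid`/`--mapped-gid` values from getopt are also passed to chown and chgrp unquoted and without a numeric check, so a malformed value is split into extra arguments rather than rejected; a `case` test for digits before the chown call would close that.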
diff --git a/recipes-containers/lxc/lxc_1.0.6.bb b/recipes-containers/lxc/lxc_1.0.6.bb
index 2d384dd..0805573 100644
--- a/recipes-containers/lxc/lxc_1.0.6.bb
+++ b/recipes-containers/lxc/lxc_1.0.6.bb
@@ -26,7 +26,10 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
file://runtest.patch \
file://run-ptest \
file://automake-ensure-VPATH-builds-correctly.patch \
+ file://busybox_template_mount_fstab_when_available.patch \
+ file://busybox_template_support_for_unprivileged_containers.patch \
"
+
SRC_URI[md5sum] = "4aad3aee84b42faa194e44091d723a3b"
SRC_URI[sha256sum] = "fc6bffa750f00daaa92aa33d719c1cc235146aa779ebd2a64a0c24423977cf14"
--
1.7.10.4