Add example hooks from Ubuntu package

We've been shipping those two hooks for a while in Ubuntu.
Yesterday I reworked them to use the new environment variables and
avoid hardcoding any path that we have available as a variable.

I tested both to work on Ubuntu 13.04 but they should work just as well
on any distro shipping with the cgroup hierarchy in /sys/fs/cgroup and
with ecryptfs available.

Those are intended as example and distros are free to drop them, they
should however be working without any change required, at least on Ubuntu.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>

diff --git a/Makefile.am b/Makefile.am
index 53473eecbbc524031ea6bd69940c1c1a3011ab3e..7ebef9dcbb2ac8ddf8fad921e3d0eba219e252bd 100644 (file)
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,8 +2,8 @@
 
 ACLOCAL_AMFLAGS = -I config
 
-SUBDIRS = config src templates doc
-DIST_SUBDIRS = config src templates doc
+SUBDIRS = config src templates doc hooks
+DIST_SUBDIRS = config src templates doc hooks
 EXTRA_DIST = autogen.sh lxc.spec CONTRIBUTING MAINTAINERS ChangeLog
 RPMARGS =
 

diff --git a/configure.ac b/configure.ac
index 6e406bd5f7c0f5cbb5ba18732e139f1d5bf01843..a133d16b49f918ba72e2d040e5617db44ed64911 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -219,6 +219,7 @@ AS_AC_EXPAND(LXCPATH, "$with_config_path")
 AS_AC_EXPAND(LXC_GLOBAL_CONF, "$with_global_conf")
 AS_AC_EXPAND(LXCROOTFSMOUNT, "$with_rootfs_path")
 AS_AC_EXPAND(LXCTEMPLATEDIR, "$datadir/lxc/templates")
+AS_AC_EXPAND(LXCHOOKDIR, "$datadir/lxc/hooks")
 AS_AC_EXPAND(LXCINITDIR, "$libexecdir")
 AS_AC_EXPAND(LOGPATH, "$with_log_path")
 
@@ -350,6 +351,8 @@ AC_CONFIG_FILES([
        doc/examples/lxc-veth.conf
        doc/examples/lxc-complex.conf
 
+       hooks/Makefile
+
        templates/Makefile
        templates/lxc-lenny
        templates/lxc-debian

diff --git a/hooks/Makefile.am b/hooks/Makefile.am
new file mode 100644 (file)
index 0000000..4fc20ac
--- /dev/null
+++ b/hooks/Makefile.am
@@ -0,0 +1,5 @@
+hooksdir=@LXCHOOKDIR@
+
+hooks_SCRIPTS = \
+       mountcgroups \
+       mountecryptfsroot

diff --git a/hooks/mountcgroups b/hooks/mountcgroups
new file mode 100755 (executable)
index 0000000..8250ae9
--- /dev/null
+++ b/hooks/mountcgroups
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# (C) Copyright Canonical 2011,2012
+
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+#
+# This is an example hook to mount all mounted cgroups in the
+# container.  Only the container's own cgroup (not parents) will be
+# accessible to the container.  You can enable this by adding
+# lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
+# to your container's configuration file.
+
+set -e
+
+c=$1
+d=/sys/fs/cgroup
+d2=$LXC_ROOTFS_MOUNT/${d}
+if [ ! -d "$d" ]; then
+    exit 0
+fi
+
+mount -n -t tmpfs tmpfs ${d2}
+
+for dir in `/bin/ls $d`; do
+    mkdir -p "${d}/${dir}/lxc/${c}/${c}.real"
+    echo 1 > "${d}/${dir}/lxc/${c}/${c}.real/tasks"
+    mkdir -p ${d2}/${dir}
+    mount -n --bind "${d}/${dir}/lxc/${c}/${c}.real" "${d2}/${dir}"
+done

diff --git a/hooks/mountecryptfsroot b/hooks/mountecryptfsroot
new file mode 100755 (executable)
index 0000000..f3cb0fb
--- /dev/null
+++ b/hooks/mountecryptfsroot
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# (C) Copyright Canonical 2011-2013
+
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# This hook can be used to mount an ecryptfs filesystem as a container's
+# rootfs.
+# To use this hook, assuming your container is called q1,
+#  1. add 'lxc.hook.pre-mount = /usr/share/lxc/hooks/mountecryptfsroot' to
+#     the container's configuration file
+#  2. Create /var/lib/lxc/q1/ecryptfs-root
+#     a. mkdir /var/lib/lxc/q1/ecryptfs-root
+#  3. convert your container's root filesystem to be ecryptfs-backed.  Assuming
+#     your container is called 'q1', do
+#     a. c=q1
+#     b. mv /var/lib/lxc/$c/rootfs /var/lib/lxc/$c/rootfs.plain
+#     c. mkdir /var/lib/lxc/$c/rootfs{,.crypt}
+#     d. sig=`echo none | ecryptfs-add-passphrase | grep -v Passphrase | cut -d[ -f 2 | cut -d] -f 1`
+#     e. echo $sig > /var/lib/lxc/$c/sig
+#     f. mount -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 /var/lib/lxc/$c/rootfs.crypt /var/lib/lxc/$c/rootfs
+#     g. rsync -va /var/lib/lxc/$c/rootfs.plain/ /var/lib/lxc/$c/rootfs/
+#     h. umount /var/lib/lxc/$c/rootfs
+#     i. rm -rf /var/lib/lxc/$c/rootfs.plain
+#  4. Now you can start your container by adding the passphrase to your
+#     in-kernel keyring using 'ecryptfs-add-passphrase', then starting your
+#     container as normal.
+#     a. echo none | ecryptfs-add-passphrase
+#     b. lxc-start -n q1
+#  Note that you may well want to use a wrapped passhrase (see the ecryptfs-wrap-passphrase(1) manual page).
+
+set -e
+ecryptfs_crypt=$(echo $LXC_ROOTFS_PATH | sed 's/rootfs$/rootfs.crypt/')
+sigfile=$(echo $LXC_CONFIG_FILE | sed 's/config$/sig/')
+
+sig=`cat $sigfile`
+mount -n -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,ecryptfs_sig=${sig},sig=${sig},verbosity=0 $ecryptfs_crypt $LXC_ROOTFS_PATH
+exit 0