download: Support nested containers in unpriv
authorStéphane Graber <stgraber@ubuntu.com>
Mon, 17 Feb 2014 15:51:53 +0000 (10:51 -0500)
committerStéphane Graber <stgraber@ubuntu.com>
Mon, 17 Feb 2014 16:59:10 +0000 (11:59 -0500)
This adds detection for the case where we are root in an unprivileged
container and then run LXC from there. In this case, we want to download
to the system location, ignore the missing uid/gid ranges and run
templates that are userns-ready.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
templates/lxc-download.in

index c231161403f8fa31dbe9a1eb79221577028c877b..f4bd6eb423dde3fba4567f45b7b657d2066729b9 100644 (file)
 
 set -eu
 
-LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
-LXC_HOOK_DIR="@LXCHOOKDIR@"
 LOCALSTATEDIR="@LOCALSTATEDIR@"
+LXC_HOOK_DIR="@LXCHOOKDIR@"
+LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
 
 # Defaults
-DOWNLOAD_DIST=
-DOWNLOAD_RELEASE=
 DOWNLOAD_ARCH=
-DOWNLOAD_VARIANT="default"
-DOWNLOAD_SERVER="images.linuxcontainers.org"
-DOWNLOAD_KEYID="0xBAEFF88C22F6E216"
-DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net"
-DOWNLOAD_VALIDATE="true"
+DOWNLOAD_BUILD=
+DOWNLOAD_COMPAT_LEVEL=1
+DOWNLOAD_DIST=
 DOWNLOAD_FLUSH_CACHE="false"
 DOWNLOAD_FORCE_CACHE="false"
+DOWNLOAD_INTERACTIVE="false"
+DOWNLOAD_KEYID="0xBAEFF88C22F6E216"
+DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net"
+DOWNLOAD_LIST_IMAGES="false"
 DOWNLOAD_MODE="system"
-DOWNLOAD_USE_CACHE="false"
-DOWNLOAD_URL=
-DOWNLOAD_SHOW_HTTP_WARNING="true"
-DOWNLOAD_SHOW_GPG_WARNING="true"
 DOWNLOAD_READY_GPG="false"
-DOWNLOAD_COMPAT_LEVEL=1
-DOWNLOAD_LIST_IMAGES="false"
-DOWNLOAD_BUILD=
-DOWNLOAD_INTERACTIVE="false"
+DOWNLOAD_RELEASE=
+DOWNLOAD_SERVER="images.linuxcontainers.org"
+DOWNLOAD_SHOW_GPG_WARNING="true"
+DOWNLOAD_SHOW_HTTP_WARNING="true"
+DOWNLOAD_TARGET="system"
+DOWNLOAD_URL=
+DOWNLOAD_USE_CACHE="false"
+DOWNLOAD_VALIDATE="true"
+DOWNLOAD_VARIANT="default"
 
+LXC_MAPPED_GID=
+LXC_MAPPED_UID=
 LXC_NAME=
 LXC_PATH=
 LXC_ROOTFS=
-LXC_MAPPED_UID=
-LXC_MAPPED_GID=
 
 # Deal with GPG over http proxy
 if [ -n "${http_proxy:-}" ]; then
@@ -141,10 +142,10 @@ gpg_validate() {
 
 in_userns() {
     [ -e /proc/self/uid_map ] || { echo no; return; }
-    [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || \
-        { echo yes; return; }
     line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map)
     [ "$line" = "0 0 4294967295" ] && { echo no; return; }
+    [ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && \
+        { echo userns-root; return; }
     echo yes
 }
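Review bot: The new `userns-root` result in `in_userns()` is decided only by `/proc/self/uid_map` matching `/proc/1/uid_map`, which shows that the caller shares PID 1's user namespace but not that it is uid 0 there, although the commit message describes this case as being root. Because the caller skips the mapped-uid check for this result, consider requiring both conditions, e.g. `[ "$(id -u)" = "0" ] && [ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && \`. If `/proc/1/uid_map` cannot be read, `cat` prints an error and the function falls through to `yes`; that is the stricter path, but it deserves a one-line comment. A header comment listing the three return values (`no`, `yes`, `userns-root`) and what each means for the caller would also help.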
 
@@ -245,12 +246,20 @@ if [ -z "$LXC_NAME" ] || [ -z "$LXC_PATH" ] || [ -z "$LXC_ROOTFS" ]; then
     exit 1
 fi
 
-if [ "$(in_userns)" = "yes" ]; then
-    if [ -z "$LXC_MAPPED_UID" ] || [ "$LXC_MAPPED_UID" = "-1" ]; then
-        echo "ERROR: In a user namespace without a map." 1>&2
-        exit 1
+USERNS=$(in_userns)
+
+if [ "$USERNS" != "no" ]; then
+    if [ "$USERNS" = "yes" ]; then
+        if [ -z "$LXC_MAPPED_UID" ] || [ "$LXC_MAPPED_UID" = "-1" ]; then
+            echo "ERROR: In a user namespace without a map." 1>&2
+            exit 1
+        fi
+        DOWNLOAD_MODE="user"
+        DOWNLOAD_TARGET="user"
+    else
+        DOWNLOAD_MODE="user"
+        DOWNLOAD_TARGET="system"
     fi
-    DOWNLOAD_MODE="user"
 fi
 
 if [ -z "$DOWNLOAD_DIST" ] || [ -z "$DOWNLOAD_RELEASE" ] || \
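Review bot: The `else` branch that sets `DOWNLOAD_TARGET="system"` is taken for any `in_userns` output other than `no` or `yes`, so the `LXC_MAPPED_UID` check is skipped on any unexpected value, not only on `userns-root`. Match the value explicitly with `elif [ "$USERNS" = "userns-root" ]; then` and add a final `else` that prints an error and exits, so the relaxed path is only reached deliberately. `DOWNLOAD_MODE="user"` is assigned identically in both branches and could be set once before the inner `if`. The enclosing script continues outside this hunk, so how `LXC_MAPPED_UID` is used later in the `userns-root` case cannot be checked from here.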
@@ -337,7 +346,7 @@ if [ "$DOWNLOAD_LIST_IMAGES" = "true" ] || \
 fi
 
 # Setup the cache
-if [ "$DOWNLOAD_MODE" = "system" ]; then
+if [ "$DOWNLOAD_TARGET" = "system" ]; then
     LXC_CACHE_BASE="$LOCALSTATEDIR/cache/lxc/"
 else
     LXC_CACHE_BASE="$HOME/.cache/lxc/"