From: Stéphane Graber Date: Tue, 4 Feb 2014 16:16:07 +0000 (-0500) Subject: templates: Refuse to run unprivileged X-Git-Tag: lxc-1.0.0.beta4~22 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8ec981fc8b0105da5f071e40811e0c2472a6c3c9;p=thirdparty%2Flxc.git templates: Refuse to run unprivileged Only the download and ubuntu-cloud templates work with unprivileged containers, for all others, detect --mapped-uid and error out as early as possible, recommending the use of the download template. Signed-off-by: Stéphane Graber Acked-by: Serge Hallyn --- diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in index 70da08de9..232f54bd4 100644 --- a/templates/lxc-alpine.in +++ b/templates/lxc-alpine.in @@ -1,5 +1,14 @@ #!/bin/bash +# Detect use under userns (unsupported) +for arg in $*; do + if [ "$arg" == "--mapped-uid" ]; then + echo "This template can't be used for unprivileged containers." 1>&2 + echo "You may want to try the \"download\" template instead." 1>&2 + exit 1 + fi +done + key_sha256sums="9c102bcc376af1498d549b77bdbfa815ae86faa1d2d82f040e616b18ef2df2d4 alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub 2adcf7ce224f476330b5360ca5edb92fd0bf91c92d83292ed028d7c4e26333ab alpine-devel@lists.alpinelinux.org-4d07755e.rsa.pub" diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in index 1a586d8ad..385465c1b 100644 --- a/templates/lxc-altlinux.in +++ b/templates/lxc-altlinux.in @@ -24,6 +24,15 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# Detect use under userns (unsupported) +for arg in $*; do + if [ "$arg" == "--mapped-uid" ]; then + echo "This template can't be used for unprivileged containers." 1>&2 + echo "You may want to try the \"download\" template instead." 1>&2 + exit 1 + fi +done + #Configurations arch=$(uname -m) cache_base=@LOCALSTATEDIR@/cache/lxc/altlinux/$arch diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in index 82c4fcb21..d394816f1 100755 --- a/templates/lxc-archlinux.in +++ b/templates/lxc-archlinux.in @@ -25,6 +25,15 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# Detect use under userns (unsupported) +for arg in $*; do + if [ "$arg" == "--mapped-uid" ]; then + echo "This template can't be used for unprivileged containers." 1>&2 + echo "You may want to try the \"download\" template instead." 1>&2 + exit 1 + fi +done + # defaults arch=$(uname -m) lxc_network_type="veth" diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index 3568c0cfa..f4aa6c40e 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -20,6 +20,15 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# Detect use under userns (unsupported) +for arg in $*; do + if [ "$arg" == "--mapped-uid" ]; then + echo "This template can't be used for unprivileged containers." 1>&2 + echo "You may want to try the \"download\" template instead." 1>&2 + exit 1 + fi +done + am_in_userns() { [ -e /proc/self/uid_map ] || { echo no; return; } [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || { echo yes; return; } diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in index f5f6e53b2..1fce0e3b4 100644 --- a/templates/lxc-centos.in +++ b/templates/lxc-centos.in @@ -72,6 +72,15 @@ lxc_network_link=lxcbr0 # This may be in /etc/os-release or /etc/system-release-cpe. We # should be able to use EITHER. Give preference to /etc/os-release for now. +# Detect use under userns (unsupported) +for arg in $*; do + if [ "$arg" == "--mapped-uid" ]; then + echo "This template can't be used for unprivileged containers." 1>&2 + echo "You may want to try the \"download\" template instead." 1>&2 + exit 1 + fi +done + if [ -e /etc/os-release ] then # This is a shell friendly configuration file. We can just source it. diff --git a/templates/lxc-cirros.in b/templates/lxc-cirros.in index 255095674..519013f5c 100644 --- a/templates/lxc-cirros.in +++ b/templates/lxc-cirros.in @@ -20,6 +20,16 @@ # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +# Detect use under userns (unsupported) +for arg in $*; do + if [ "$arg" == "--mapped-uid" ]; then + echo "This template can't be used for unprivileged containers." 1>&2 + echo "You may want to try the \"download\" template instead." 1>&2 + exit 1 + fi +done + VERBOSITY=0 DOWNLOAD_URL="http://download.cirros-cloud.net/" CACHE_D="@LOCALSTATEDIR@/cache/lxc/cirros" diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index 5d41396d0..376e30d44 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -20,6 +20,15 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# Detect use under userns (unsupported) +for arg in $*; do + if [ "$arg" == "--mapped-uid" ]; then + echo "This template can't be used for unprivileged containers." 1>&2 + echo "You may want to try the \"download\" template instead." 1>&2 + exit 1 + fi +done + MIRROR=${MIRROR:-http://cdn.debian.net/debian} LOCALSTATEDIR="@LOCALSTATEDIR@" LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@" diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index 2230b5c67..b8a233956 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -72,6 +72,15 @@ lxc_network_link=lxcbr0 # This may be in /etc/os-release or /etc/system-release-cpe. We # should be able to use EITHER. Give preference to /etc/os-release for now. +# Detect use under userns (unsupported) +for arg in $*; do + if [ "$arg" == "--mapped-uid" ]; then + echo "This template can't be used for unprivileged containers." 1>&2 + echo "You may want to try the \"download\" template instead." 1>&2 + exit 1 + fi +done + if [ -e /etc/os-release ] then # This is a shell friendly configuration file. We can just source it. diff --git a/templates/lxc-gentoo.in b/templates/lxc-gentoo.in index 0fd392e78..dff146e10 100644 --- a/templates/lxc-gentoo.in +++ b/templates/lxc-gentoo.in @@ -13,6 +13,15 @@ # - ready to use cache # +# Detect use under userns (unsupported) +for arg in $*; do + if [ "$arg" == "--mapped-uid" ]; then + echo "This template can't be used for unprivileged containers." 1>&2 + echo "You may want to try the \"download\" template instead." 1>&2 + exit 1 + fi +done + # Ensure strict root's umask doesen't render the VM unusable umask 022 diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in index eddaad035..e5d2b1cd4 100644 --- a/templates/lxc-openmandriva.in +++ b/templates/lxc-openmandriva.in @@ -26,6 +26,15 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA # +# Detect use under userns (unsupported) +for arg in $*; do + if [ "$arg" == "--mapped-uid" ]; then + echo "This template can't be used for unprivileged containers." 1>&2 + echo "You may want to try the \"download\" template instead." 1>&2 + exit 1 + fi +done + #Configurations #distro=cooker hostarch=$(uname -m) diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in index 89ae8bd9b..fb2186412 100644 --- a/templates/lxc-opensuse.in +++ b/templates/lxc-opensuse.in @@ -25,6 +25,15 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# Detect use under userns (unsupported) +for arg in $*; do + if [ "$arg" == "--mapped-uid" ]; then + echo "This template can't be used for unprivileged containers." 1>&2 + echo "You may want to try the \"download\" template instead." 1>&2 + exit 1 + fi +done + DISTRO=12.3 configure_opensuse() diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in index 40fe5c0f9..c114ad835 100644 --- a/templates/lxc-oracle.in +++ b/templates/lxc-oracle.in @@ -27,6 +27,15 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA # +# Detect use under userns (unsupported) +for arg in $*; do + if [ "$arg" == "--mapped-uid" ]; then + echo "This template can't be used for unprivileged containers." 1>&2 + echo "You may want to try the \"download\" template instead." 1>&2 + exit 1 + fi +done + # use virbr0 that is setup by default by libvirtd lxc_network_type=veth lxc_network_link=virbr0 diff --git a/templates/lxc-plamo.in b/templates/lxc-plamo.in index dd8d29b4c..e9f681e99 100644 --- a/templates/lxc-plamo.in +++ b/templates/lxc-plamo.in @@ -28,6 +28,15 @@ # ref. https://github.com/Ponce/lxc-slackware/blob/master/lxc-slackware # lxc-ubuntu script +# Detect use under userns (unsupported) +for arg in $*; do + if [ "$arg" == "--mapped-uid" ]; then + echo "This template can't be used for unprivileged containers." 1>&2 + echo "You may want to try the \"download\" template instead." 1>&2 + exit 1 + fi +done + [ -r /etc/default/lxc ] && . /etc/default/lxc DLSCHEME=${DLSCHEME:-"http"} diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in index 74467bbdb..397a388fe 100644 --- a/templates/lxc-sshd.in +++ b/templates/lxc-sshd.in @@ -20,6 +20,15 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# Detect use under userns (unsupported) +for arg in $*; do + if [ "$arg" == "--mapped-uid" ]; then + echo "This template can't be used for unprivileged containers." 1>&2 + echo "You may want to try the \"download\" template instead." 1>&2 + exit 1 + fi +done + install_sshd() { rootfs=$1 diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 88e7c9c23..b7f9777c9 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -24,6 +24,15 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# Detect use under userns (unsupported) +for arg in $*; do + if [ "$arg" == "--mapped-uid" ]; then + echo "This template can't be used for unprivileged containers." 1>&2 + echo "You may want to try the \"download\" template instead." 1>&2 + exit 1 + fi +done + set -e LOCALSTATEDIR="@LOCALSTATEDIR@"