From 1aad9e44d65e7c20dabc4c99f57bcf532db66c68 Mon Sep 17 00:00:00 2001
From: Serge Hallyn
Date: Mon, 15 Jul 2013 20:24:14 -0500
Subject: [PATCH] ubuntu-cloud: changes to support unprivileged use
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
don't try to lock if using a specified tarball The lock/subsys/lxc-ubuntu-cloud lock is to protect the tarballs managed under /var/cache/lxc/cloud-$release. Don't lock if we've been handed a tarball. fake device creation Unprivileged users can't create devices, so bind mount null, tty, urandom and console from the host. Changelog: Jul 22: as Stéphane points out, remove a left-over debug line
Signed-off-by: Serge Hallyn
Acked-by: Stéphane Graber
---
 templates/lxc-ubuntu-cloud.in | 38 +++++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-)
diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
index 480ef14d7..e05caed68 100644
--- a/templates/lxc-ubuntu-cloud.in
+++ b/templates/lxc-ubuntu-cloud.in
@@ -25,6 +25,18 @@ if [ -r /etc/default/lxc ]; then . /etc/default/lxc fi
+am_in_userns() {
+ [ -e /proc/self/uid_map ] || { echo no; return; }
+ [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || { echo yes; return; }
+ line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map)
+ [ "$line" = "0 0 4294967295" ] && { echo no; return; }
+ echo yes
+}
+
+in_userns=0
+[ $(am_in_userns) = "yes" ] && in_userns=1
+echo "am_in_userns returns $(am_in_userns)" >> /tmp/xa
+
 copy_configuration() { path=$1
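Review bot: The added line `echo "am_in_userns returns $(am_in_userns)" >> /tmp/xa` looks like the left-over debug line the changelog says was removed, yet it still runs on every invocation of the template. It appends to a fixed name in a world-writable directory, so when the template runs as root the write lands on whatever another local user has already placed at `/tmp/xa`; the line should be dropped, or replaced by `echo "in_userns=$in_userns" >&2` if the trace is still wanted. The test just above it is also unquoted; `[ "$(am_in_userns)" = "yes" ] && in_userns=1` avoids a `[` syntax error should the function ever print nothing.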
@@ -101,6 +113,16 @@ sysfs sys sysfs defaults 0 0 /sys/kernel/security sys/kernel/security none bind 0 0 EOF
+ # unprivileged user can't mknod these. One day we may allow
+ # that in the kernel, but not right now. So let's just bind
+ # mount the files from the host.
+ if [ $in_userns -eq 1 ]; then
+ for dev in null tty urandom console; do
+ touch $rootfs/dev/$dev
+ echo "/dev/$dev dev/$dev none bind 0 0" >> $path/fstab
+ done
+ fi
+
+ # rmdir /dev/shm for containers that have /run/shm # I'm afraid of doing rm -rf $rootfs/dev/shm, in case it did # get bind mounted to the host's /run/shm. So try to rmdir
@@ -341,9 +363,7 @@ build_root_tgz() trap SIGTERM }
-mkdir -p @LOCALSTATEDIR@/lock/subsys/
-(
- flock -x 200
+do_extract_rootfs() {
 cd $cache if [ $flushcache -eq 1 ]; then
@@ -418,7 +438,17 @@ EOF echo "If you do not have a meta-data service, this container will likely be useless." fi
-) 200>@LOCALSTATEDIR@/lock/subsys/lxc-ubuntu-cloud
+}
+
+if [ -n "$tarball" ]; then
+ do_extract_rootfs
+else
+ mkdir -p @LOCALSTATEDIR@/lock/subsys/
+ (
+ flock -x 200
+ do_extract_rootfs
+ ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-ubuntu-cloud
+fi
 copy_configuration $path $rootfs $name $arch $release
--
2.47.2
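Review bot: In the added loop of the `-101,6 +113,16` hunk, `touch $rootfs/dev/$dev` and `>> $path/fstab` expand unquoted and their exit status is ignored, so a container path with whitespace or a rootfs without `dev/` still gets the fstab entries written and the failure only surfaces when the container is started. Suggest `touch "$rootfs/dev/$dev" || return 1` and `>> "$path/fstab"`, with `[ "$in_userns" -eq 1 ]` in the test. The comment could also say that these four nodes are then the host's own devices shared into the container rather than private copies, since that is the security-relevant consequence of the bind mounts. The enclosing function starts and ends outside the hunk, so whether `return 1` matches its error convention has to be checked there.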
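Review bot: In the `-418,7 +438,17` hunk the tarball branch calls `do_extract_rootfs` directly in the main shell, while the locked branch (like the old code) runs the same body inside `( ... )`, so the `cd $cache` at the top of the function and any assignment or `exit` in its body now affect the rest of the script only when a tarball is given. Writing the unlocked call as `( do_extract_rootfs )` keeps the two paths behaving alike. The function still begins with `cd $cache` and the `$flushcache` test (visible in the `-341,9 +363,7` hunk), so if that branch modifies the shared cache it would run without the lock when a tarball is also passed; the body lies outside these hunks, so this needs checking against the full file. A comment above the `if`, for example `# the lock only protects the cached tarballs; skip it when the caller supplies one`, would record the assumption.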