Commit f78de625 authored by Stuart Cardall's avatar Stuart Cardall Committed by Carlo Landmeter

testing/lxcfs: fix build & move to community

this enables unprivileged lxc containers on the vanilla kernel

full instructions in README.alpine
parent b078598f
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Stuart Cardall <developer@it-offshore.co.uk>
pkgname=lxcfs
pkgver=2.0.3
pkgrel=1
pkgrel=2
pkgdesc="FUSE filesystem for LXC"
url="https://linuxcontainers.org/lxcfs"
arch="all"
license="Apache 2.0"
depends=""
makedepends="fuse-dev linux-pam-dev linux-headers"
install=""
subpackages="$pkgname-dev $pkgname-pam"
depends="cgmanager shadow"
makedepends="fuse-dev linux-pam-dev linux-headers help2man"
subpackages="$pkgname-pam $pkgname-doc"
source="https://linuxcontainers.org/downloads/lxcfs/lxcfs-$pkgver.tar.gz
lxcfs.initd"
lxcfs.confd
lxcfs.initd
chownmap
README.alpine
lxcfs-subdir.patch
"
builddir="$srcdir/lxcfs-$pkgver"
build() {
cd "$builddir"
./configure --prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--mandir=/usr/share/man \
--infodir=/usr/share/info || return 1
make || return 1
......@@ -27,8 +32,14 @@ build() {
package() {
cd "$builddir"
make DESTDIR="$pkgdir" install || return 1
install -Dm755 "$srcdir"/lxcfs.initd \
"$pkgdir"/etc/init.d/lxcfs || return 1
install -m755 -D "$srcdir"/$pkgname.initd \
"$pkgdir"/etc/init.d/$pkgname || return 1
install -m644 -D "$srcdir"/$pkgname.confd \
"$pkgdir"/etc/conf.d/$pkgname || return 1
install -m700 -D "$srcdir"/chownmap \
"$pkgdir"/etc/lxc/chownmap || return 1
install -m644 -D "$srcdir"/README.alpine \
"$pkgdir"/usr/share/doc/lxcfs/README.alpine || return 1
}
pam() {
......@@ -38,8 +49,20 @@ pam() {
}
md5sums="8d79c575d0dc5d127776370eceb0f58b lxcfs-2.0.3.tar.gz
05765f1f677c500ea16a2a8ea8168532 lxcfs.initd"
6d7943272d6b71ab7b93e93c55e42ee9 lxcfs.confd
2c4a59861c846dd9ddef0cab6664eed8 lxcfs.initd
e1d7c118ae134fcdd171f8aac146f9a0 chownmap
722e7a773283170910f5c9b40fb83610 README.alpine
14531d992c3c3e731ee596ff86e91829 lxcfs-subdir.patch"
sha256sums="dd94e19bff202cb9fe2aa7d244b2cccf53cf5d7f6dd76c815e1161e3ba4ce0df lxcfs-2.0.3.tar.gz
de41e57b8e540eb771fed82348eadca08dcde92c7ca29abdcc09023a98a2475a lxcfs.initd"
d8915d4635b675897895c379c892250f6c2bb55515a3b59cad09b92c35264359 lxcfs.confd
30e9005010508eaa382fbb44f784d26a641bf7c12e94d9ba2603ab3ad782e86b lxcfs.initd
2e6b84d98fc3cd03fa3f384876191dba05e6d781629a748add75ab380d921823 chownmap
a458f5561d8f1404ac7547bd73f7bf7d56898322d04268f31a7ee3ffdd5e36aa README.alpine
ef3d2848e534b3db9267efbb5bc515e0ecd6a768cdf8de928bccac21c26add9e lxcfs-subdir.patch"
sha512sums="1bca2dc88a4551c90e9760ad8d3c7548126d7803040ddab3ac24fda2d602ec0d34ebf78bbd2b4cd5941edba3ccfe135e86d257f0dc2b89617c7ca876b3dda4bb lxcfs-2.0.3.tar.gz
3f213f7fe57cb5862091ee8ff50209648ce903a0e6adf31023598e767fd866fe6a921f709c140959a399c37a2cebcdad2f8d936b7441c936b53ccdf587ec9383 lxcfs.initd"
71df316b1aaf1a0fadc230473a66c0be4d201d706481f1042c353b79fc629e9e681ec4fe0dfb113370e00d3f40175b0d7759fdcdcce57cf1d2db585068aa6e8d lxcfs.confd
e08ee2e33cc8d82dbfbdc86b7aa87ef6b0033473951e9759bd8fd2b12b1d7beda1c7cb7befb7ce4fd1d7aea274778313957350af617d56b8702dbfcdc59b49b4 lxcfs.initd
5d18df216a004d5039d86634e62dc078f134991696da9c6f1c292f0f8aa3de1f202aa531000c9f75e2bc5d5121f856660e4f1d71c8e92a0e87517a23836a743d chownmap
16c65a10b2b95a85ea21d2cb44a45c9c7faf1e22c8c438c7325be96025588834a528544598a91facc13fa93cc46f6c4534fa2ca6bb58b152a26f1ced94b18f16 README.alpine
f7589ef65b3e01de0bb9e55c8ae06ae8124196b29b444006f3beaba308a8bebccad38e11c9c74f705dcad826aa6de0a10830053e0b025c640b7337804c48c056 lxcfs-subdir.patch"
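Review bot: lxcfs-subdir.patch is added to `source=` and checksummed, but nothing in the visible build() or package() hunks applies it and no prepare() is in view; unless this tree's abuild applies `*.patch` entries on its own, the libdir/pamdir substitutions in Makefile.in never take effect, which matters because the commit message credits that patch with fixing the build — please confirm. In package(), chownmap is installed as a mode-700 executable under `/etc/lxc/`; a helper that the init script runs as root reads more naturally from a program directory such as `/usr/lib/lxcfs/`, keeping `/etc` for configuration (the initd's `CHOWNMAP=` path would move with it). build() continues outside the first hunk.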
Alpine Linux unprivileged LXC containers
========================================
At the moment unprivileged containers are only working with linux-vanilla.
They may work with grsecurity in the future with the following disabled:
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_pivot
echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
see also: https://en.wikibooks.org/wiki/Grsecurity/Runtime_Configuration
-------------------------------------------------------------------------------
Instructions:
-------------
(a) add the name(s) of the containers to run unprivileged to /etc/conf.d/lxcfs
(b) rc-service lxcfs setup => converts privileged => unprivileged containers
=> creates /etc/subuid & /etc/subgid
(c) rc-service lxcfs start
(d) rc-update add lxcfs
(e) rc-service lxcfs info => print & add config file settings to the containers
-------------------------------------------------------------------------------
Start the container & verify processes are running unprivileged:
ps aux | grep 100000
#!/bin/sh
# author: Mirek Kratochvil
# https://github.com/exaexa/chownmap
help_exit () {
echo "usage: $0 <from> <to> <length> [ files ] ..."
exit $1
}
FROM="$1"
[ -n "$FROM" ] || help_exit 0
[ "$FROM" -ge 0 ] || help_exit 1
TO="$2"
[ -n "$TO" ] || help_exit 0
[ "$TO" -ge 0 ] || help_exit 1
LEN="$3"
[ -n "$LEN" ] || help_exit 0
[ "$LEN" -gt 0 ] || help_exit 1
[ -n "$4" ] || help_exit 0
shift 3
LAST=$(( FROM + LEN ))
CHANGE=$(( TO - FROM ))
CHOWN_EXTRA_OPTS=${CHOWN_EXTRA_OPTS:-}
do_dir () {
find "$1" |while read fn ; do
stat "$fn" -c"%u %g" | {
read uid gid
chuid=$uid
chgid=$gid
[[ $chuid -ge $FROM && $chuid -lt $LAST ]] && chuid=$(( chuid + CHANGE ))
[[ $chgid -ge $FROM && $chgid -lt $LAST ]] && chgid=$(( chgid + CHANGE ))
[[ $uid -ne $chuid || $gid -ne $chgid ]] && chown $CHOWN_EXTRA_OPTS -h $chuid:$chgid "$fn"
}
done
}
while [ -n "$1" ] ; do
do_dir "$1"
shift
done
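Review bot: do_dir() uses `[[ … && … ]]` and `[[ … || … ]]` under a `#!/bin/sh` shebang; those are bash constructs, and whether `/bin/sh` accepts them depends on the interpreter (busybox ash only does when built with its bash-compatibility option), so on a system where it does not, each test fails with "not found", the `&&` chain short-circuits, and no ownership is remapped. The POSIX form is `[ "$chuid" -ge "$FROM" ] && [ "$chuid" -lt "$LAST" ] && chuid=$(( chuid + CHANGE ))`, the same for chgid, and `{ [ "$uid" -ne "$chuid" ] || [ "$gid" -ne "$chgid" ]; } && chown $CHOWN_EXTRA_OPTS -h "$chuid:$chgid" "$fn"`. The loop should also read names with `while IFS= read -r fn; do` so backslashes and leading or trailing blanks in paths are preserved. Since the header says the script is copied from an upstream repository, these fixes may be better kept as a local patch than as edits to the copied file.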
--- lxcfs-2.0.3/Makefile.in
+++ lxcfs-2.0.3/Makefile.in.new
@@ -409,14 +409,14 @@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
-libdir = @libdir@
+libdir = /usr/lib/lxcfs
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
-pamdir = @pamdir@
+pamdir = /lib/security
pdfdir = @pdfdir@
prefix = @prefix@
program_transform_name = @program_transform_name@
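Review bot: The patch carries no description explaining why `@libdir@` and `@pamdir@` are replaced with fixed paths in Makefile.in instead of being passed through configure; a short comment above the `---` line (patch ignores leading text) such as `# Install the PAM module to Alpine's /lib/security and private libs to /usr/lib/lxcfs instead of the autoconf defaults` lets the next maintainer judge whether the patch is still needed at the next upstream bump. The `+++` side also names `Makefile.in.new`; naming the same path on both sides avoids depending on how the patch tool chooses between differing file names.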
# container names to run unprivileged
# can also be set to "all"
UNPRIV=""
#!/sbin/openrc-run
# Init script for lxcfs
# Copyright (C) 2016 Stuart Cardall
# Licensed under the terms of the GPL2
DAEMON=/usr/bin/lxcfs
PIDFILE=/run/lxcfs.pid
VARDIR=/var/lib/lxcfs
RUNDIR=/run/lxcfs
CHOWNMAP=/etc/lxc/chownmap
description="FUSE filesystem for LXC unprivileged containers"
description_setup="Setup unprivileged container permissions"
description_info="Unprivileged container config file settings"
extra_commands="setup info"
depend() {
need cgproxy
}
start_pre() {
local module=
checkpath --directory ${VARDIR}
for module in fuse autofs4; do
if ! $(lsmod | grep -q ^$module); then
eerror "Enable module: $module"
eerror "modprobe $module"
eerror "echo $module >> /etc/modules"
eend 1
fi
done
}
find_perms() {
local file= path= tmp=
for file in subuid subgid; do
path=/etc/$file
if [ -f $path ]; then
tmp=$(root_id $path 2)
if [ -n "$tmp" ]; then
tmp=$(echo $tmp | tr -cd '[:digit:]')
PERMS="$PERMS $tmp"
else
create_id $file
fi
else
create_id $file
fi
done
PERMS=$(echo $PERMS | sed 's| |:|')
}
create_id() {
einfo "Creating $1 for root: /etc/$1"
touch /etc/$1
usermod --add-${1}s 100000-165536 root
PERMS="$PERMS 100000"
}
root_id() {
grep ^root $1 | cut -d':' -f $2
}
find_lxc_path() {
local lxc_path=
lxc_path=$(grep ^lxc.lxcpath /etc/lxc/lxc.conf 2>/dev/null)
lxc_path=${lxc_path#*=}
lxc_path=${lxc_path:-/var/lib/lxc}
echo $lxc_path
}
dir_perms() {
local subgid=$(root_id /etc/subgid 2)
# set permissions to allow unprivileged services to run
einfo "Setting Mode 755 & root:root => $1/rootfs"
chmod 755 $1/rootfs
chown root:root $1/rootfs
einfo "Setting Mode 750 & root:$subgid => $1"
chmod 750 $1
chown root:$subgid $1
}
info() {
cat > /tmp/lxc.fs <<EOF
### unprivileged container config #############################
lxc.include = /usr/share/lxc/config/common.conf.d/00-lxcfs.conf
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
###############################################################
EOF
cat /tmp/lxc.fs
}
setup() {
# only needs to be run once on a container
# set unprivileged containers in conf.d
local ctr= subuid= range= path= ctr_list=
find_perms
subuid=$(root_id /etc/subuid 2)
range=$(root_id /etc/subuid 3)
path=$(find_lxc_path)
if [ "${UNPRIV}" = "all" ]; then
ctr_list="$(lxc-ls)"
else
ctr_list=${UNPRIV}
fi
for ctr in $ctr_list; do
einfo "Mapping user permissions in container: $ctr"
${CHOWNMAP} 0 $subuid $range $path/$ctr/rootfs
dir_perms "$path/$ctr"
done
}
start() {
ebegin "Starting lxcfs"
find_perms
start-stop-daemon --start \
--pidfile ${PIDFILE} \
--exec ${DAEMON} \
--background \
--make-pidfile \
-- \
-f -o allow_other ${VARDIR}
# sometimes reboots are too fast
until [ -d ${RUNDIR} ]; do
usleep 50000
done
chown -R ${PERMS} ${RUNDIR}
eend $?
}
stop() {
ebegin "Stopping lxcfs"
start-stop-daemon --stop --exec ${DAEMON} --pidfile ${PIDFILE} --signal KILL
umount ${VARDIR}
eend $?
}
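Review bot: info() writes the config snippet as root to the fixed path `/tmp/lxc.fs` and then cats it back; a predictable name in a world-writable directory means a local user can pre-create that path, possibly as a symlink, so the redirect clobbers a file of their choosing, and the file is never cleaned up either. The temporary file buys nothing: `cat <<EOF` with no redirect prints the same text, so drop the `> /tmp/lxc.fs` and the trailing `cat /tmp/lxc.fs` line. In start_pre, `eend 1` after a missing module only logs — the loop carries on and, as far as I can see, the function still returns 0 unless the last module checked is the missing one — so follow it with `return 1`, and write the test as `if ! lsmod | grep -q "^$module"; then` rather than wrapping the pipeline in `$(...)`. The `until [ -d ${RUNDIR} ]` loop in start() has no bound and spins indefinitely if the daemon never creates that directory, for example after a failed start.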
#!/sbin/openrc-run
command=/usr/bin/lxcfs
command_args="-f -o allow_other /var/lib/lxcfs"
pidfile="/run/lxcfs.pid"
command_background="yes"
retry="TERM/45"