This adds detection for the case where we are root in an unprivileged container and then run LXC from there. In this case, we want to download to the system location, ignore the missing uid/gid ranges and run templates that are userns-ready.
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 templates/lxc-download.in | 61 ++++++++++++++++++++++++++++-------------------
 1 file changed, 36 insertions(+), 25 deletions(-)
diff --git a/templates/lxc-download.in b/templates/lxc-download.in
index c231161..6e3237d 100644
--- a/templates/lxc-download.in
+++ b/templates/lxc-download.in
@@ -21,37 +21,38 @@
 set -eu
-LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
-LXC_HOOK_DIR="@LXCHOOKDIR@"
 LOCALSTATEDIR="@LOCALSTATEDIR@"
+LXC_HOOK_DIR="@LXCHOOKDIR@"
+LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
 # Defaults
-DOWNLOAD_DIST=
-DOWNLOAD_RELEASE=
 DOWNLOAD_ARCH=
-DOWNLOAD_VARIANT="default"
-DOWNLOAD_SERVER="images.linuxcontainers.org"
-DOWNLOAD_KEYID="0xBAEFF88C22F6E216"
-DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net"
-DOWNLOAD_VALIDATE="true"
+DOWNLOAD_BUILD=
+DOWNLOAD_COMPAT_LEVEL=1
+DOWNLOAD_DIST=
 DOWNLOAD_FLUSH_CACHE="false"
 DOWNLOAD_FORCE_CACHE="false"
+DOWNLOAD_INTERACTIVE="false"
+DOWNLOAD_KEYID="0xBAEFF88C22F6E216"
+DOWNLOAD_KEYSERVER="hkp://pool.sks-keyservers.net"
+DOWNLOAD_LIST_IMAGES="false"
 DOWNLOAD_MODE="system"
-DOWNLOAD_USE_CACHE="false"
-DOWNLOAD_URL=
-DOWNLOAD_SHOW_HTTP_WARNING="true"
-DOWNLOAD_SHOW_GPG_WARNING="true"
 DOWNLOAD_READY_GPG="false"
-DOWNLOAD_COMPAT_LEVEL=1
-DOWNLOAD_LIST_IMAGES="false"
-DOWNLOAD_BUILD=
-DOWNLOAD_INTERACTIVE="false"
+DOWNLOAD_RELEASE=
+DOWNLOAD_SERVER="images.linuxcontainers.org"
+DOWNLOAD_SHOW_GPG_WARNING="true"
+DOWNLOAD_SHOW_HTTP_WARNING="true"
+DOWNLOAD_TARGET="system"
+DOWNLOAD_URL=
+DOWNLOAD_USE_CACHE="false"
+DOWNLOAD_VALIDATE="true"
+DOWNLOAD_VARIANT="default"
+LXC_MAPPED_GID=
+LXC_MAPPED_UID=
 LXC_NAME=
 LXC_PATH=
 LXC_ROOTFS=
-LXC_MAPPED_UID=
-LXC_MAPPED_GID=
 # Deal with GPG over http proxy
 if [ -n "${http_proxy:-}" ]; then
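Review bot: `DOWNLOAD_TARGET="system"` is added beside `DOWNLOAD_MODE="system"` with no comment telling the two apart, and the names alone do not. Going by the later hunks, DOWNLOAD_TARGET picks the cache location while DOWNLOAD_MODE appears to keep selecting the userns-ready behaviour. A line such as `# DOWNLOAD_MODE: system|user template behaviour; DOWNLOAD_TARGET: system|user cache location` above the defaults would record that. The rest of this hunk only sorts the existing defaults.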
@@ -141,6 +142,8 @@ gpg_validate() {
 in_userns() {
 [ -e /proc/self/uid_map ] || { echo no; return; }
+ [ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && \
+ { echo host; return; }
 [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || \
 { echo yes; return; }
 line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map)
@@ -245,12 +248,20 @@ if [ -z "$LXC_NAME" ] || [ -z "$LXC_PATH" ] || [ -z "$LXC_ROOTFS" ]; then
 exit 1
 fi
-if [ "$(in_userns)" = "yes" ]; then
- if [ -z "$LXC_MAPPED_UID" ] || [ "$LXC_MAPPED_UID" = "-1" ]; then
- echo "ERROR: In a user namespace without a map." 1>&2
- exit 1
+USERNS=$(in_userns)
+
+if [ "$USERNS" != "no" ]; then
+ if [ "$USERNS" = "yes" ]; then
+ if [ -z "$LXC_MAPPED_UID" ] || [ "$LXC_MAPPED_UID" = "-1" ]; then
+ echo "ERROR: In a user namespace without a map." 1>&2
+ exit 1
+ fi
+ DOWNLOAD_MODE="user"
+ DOWNLOAD_TARGET="user"
+ else
+ DOWNLOAD_MODE="user"
+ DOWNLOAD_TARGET="system"
 fi
- DOWNLOAD_MODE="user"
 fi
 if [ -z "$DOWNLOAD_DIST" ] || [ -z "$DOWNLOAD_RELEASE" ] || \
@@ -337,7 +348,7 @@ if [ "$DOWNLOAD_LIST_IMAGES" = "true" ] || \
 fi
 # Setup the cache
-if [ "$DOWNLOAD_MODE" = "system" ]; then
+if [ "$DOWNLOAD_TARGET" = "system" ]; then
 LXC_CACHE_BASE="$LOCALSTATEDIR/cache/lxc/"
 else
 LXC_CACHE_BASE="$HOME/.cache/lxc/"
--
1.9.rc1
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
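Review bot: In in_userns, the added comparison of `/proc/self/uid_map` with `/proc/1/uid_map` runs before any test for the identity map, so on a machine that is not in a user namespace at all both files hold the same mapping and the function would print `host` rather than `no`. With the branch added later in this patch, that sets `DOWNLOAD_MODE="user"` for ordinary root on a real host, which does not match the case the description names. The function body continues past the hunk, so this is inferred from the visible lines. If an identity-map test does follow, moving the two added lines after it lets `no` win first and keeps the old result on the host.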
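Review bot: The `else` arm under `if [ "$USERNS" != "no" ]` treats every in_userns result other than `yes` and `no` as the nested-container case, so an unexpected value would skip the LXC_MAPPED_UID check and still download to the system location. Matching the three known results explicitly and stopping on anything else keeps that path fail-closed should in_userns ever gain another result. It also makes the `host` case visible by name instead of by elimination. A `case` on `$USERNS` does this, as sketched below.

```shell
USERNS=$(in_userns)

case "$USERNS" in
    no)
        ;;
    yes)
        # … unchanged: LXC_MAPPED_UID check and error exit …
        DOWNLOAD_MODE="user"
        DOWNLOAD_TARGET="user"
        ;;
    host)
        DOWNLOAD_MODE="user"
        DOWNLOAD_TARGET="system"
        ;;
    *)
        echo "ERROR: Unexpected in_userns result: $USERNS" 1>&2
        exit 1
        ;;
esac
```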