From: Serge Hallyn <serge.hal...@ubuntu.com> don't try to lock if using a specified tarball
The lock/subsys/lxc-ubuntu-cloud lock is to protect the tarballs managed under /var/cache/lxc/cloud-$release. Don't lock if we've been handed a tarball. fake device creation Unprivileged users can't create devices, so bind mount null, tty, urandom and console from the host. Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com> --- templates/lxc-ubuntu-cloud.in | 39 +++++++++++++++++++++++++++++++++++---- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in index 480ef14..ca868fd 100644 --- a/templates/lxc-ubuntu-cloud.in +++ b/templates/lxc-ubuntu-cloud.in @@ -25,6 +25,18 @@ if [ -r /etc/default/lxc ]; then . /etc/default/lxc fi +am_in_userns() { + [ -e /proc/self/uid_map ] || { echo no; return; } + [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || { echo yes; return; } + line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map) + [ "$line" = "0 0 4294967295" ] && { echo no; return; } + echo yes +} + +in_userns=0 +[ $(am_in_userns) = "yes" ] && in_userns=1 +echo "am_in_userns returns $(am_in_userns)" >> /tmp/xa + copy_configuration() { path=$1 @@ -101,6 +113,17 @@ sysfs sys sysfs defaults 0 0 /sys/kernel/security sys/kernel/security none bind 0 0 EOF + # unprivileged user can't mknod these. One day we may allow + # that in the kernel, but not right now. So let's just bind + # mount the files from the host. + if [ $in_userns -eq 1 ]; then + echo "found myself in_userns" >> /tmp/xa + for dev in null tty urandom console; do + touch $rootfs/dev/$dev + echo "/dev/$dev dev/$dev none bind 0 0" >> $path/fstab + done + fi + # rmdir /dev/shm for containers that have /run/shm # I'm afraid of doing rm -rf $rootfs/dev/shm, in case it did # get bind mounted to the host's /run/shm. So try to rmdir @@ -341,9 +364,7 @@ build_root_tgz() trap SIGTERM } -mkdir -p @LOCALSTATEDIR@/lock/subsys/ -( - flock -x 200 +do_extract_rootfs() { cd $cache if [ $flushcache -eq 1 ]; then 
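Review bot: The last added line of this hunk, `echo "am_in_userns returns $(am_in_userns)" >> /tmp/xa`, appends to a fixed name in world-writable /tmp on every run of the template, and the second hunk does the same with `echo "found myself in_userns" >> /tmp/xa`. If the template runs as root, a local user who creates /tmp/xa first (for example as a symlink) decides which file receives the output, unless the kernel's symlink protection stops it. Both lines look like leftover debugging; I would drop them, or send the message to stderr with `echo "in_userns=$in_userns" >&2`. The test above it should also quote the substitution, `[ "$(am_in_userns)" = "yes" ] && in_userns=1`, so an empty result does not become a syntax error in `[`.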
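Review bot: In the added `for dev in null tty urandom console` loop, `touch $rootfs/dev/$dev` follows symlinks and its expansions are unquoted. A rootfs that already carries `dev/null` (or one of the others) as a symlink therefore gets the file created at the link target rather than inside the rootfs, and a path containing spaces splits into several arguments. The rootfs can come from a caller-supplied tarball (`$tarball` in the last hunk), so its contents should not be assumed. I would clear any existing entry and quote, `rm -f -- "$rootfs/dev/$dev"; touch -- "$rootfs/dev/$dev"`, and write the fstab line with `>> "$path/fstab"`. The enclosing function starts and ends outside the hunk, so whether `$rootfs/dev` is guaranteed to exist at this point is not visible.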
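Review bot: Replacing the `( flock -x 200 … )` subshell with `do_extract_rootfs() {` means the `cd $cache` on the next line, and any assignment or `exit` further down the body, now acts on the main script whenever the function is called without a subshell, which is what the `$tarball` branch in the last hunk does. Before this change the directory change was confined to the subshell, so `copy_configuration $path $rootfs …` ran from the caller's working directory; relative `$path` or `$rootfs` values would now resolve under `$cache`. Declaring the function with a subshell body, `do_extract_rootfs() (` closed by `)`, keeps the old isolation on both branches. `cd "$cache" || exit 1` would also stop the extraction from running in the wrong directory when the cache is missing or unreadable. The function body continues outside the hunk.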
@@ -418,7 +439,17 @@ EOF echo "If you do not have a meta-data service, this container will likely be useless." fi -) 200>@LOCALSTATEDIR@/lock/subsys/lxc-ubuntu-cloud +} + +if [ -n "$tarball" ]; then + do_extract_rootfs +else + mkdir -p @LOCALSTATEDIR@/lock/subsys/ + ( + flock -x 200 + do_extract_rootfs + ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-ubuntu-cloud +fi copy_configuration $path $rootfs $name $arch $release -- 1.8.3.2
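Review bot: The `$tarball` branch skips the lock but still runs all of `do_extract_rootfs`, which opens with `cd $cache` and the `$flushcache` check (third hunk), so the assumption that nothing under the shared cache is touched rests on code outside this hunk. If any step of the body still writes to `$cache` when a tarball is given, two concurrent runs are no longer serialised. A short comment above the branch would record the assumption, for example `# no lock: with $tarball set we only read the caller's tarball and never write to $cache`, and the function body should be checked against it.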