Integrate 2 upstream patches that enable creating unprivileged Busybox containers.
Signed-off-by: Bogdan Purcareata <[email protected]>
---
 ...sybox_template_mount_fstab_when_available.patch | 32 +++++++
 ...plate_support_for_unprivileged_containers.patch | 92 ++++++++++++++++++++
 recipes-containers/lxc/lxc_1.0.6.bb | 3 +
 3 files changed, 127 insertions(+)
 create mode 100644 recipes-containers/lxc/files/busybox_template_mount_fstab_when_available.patch
 create mode 100644 recipes-containers/lxc/files/busybox_template_support_for_unprivileged_containers.patch
diff --git a/recipes-containers/lxc/files/busybox_template_mount_fstab_when_available.patch b/recipes-containers/lxc/files/busybox_template_mount_fstab_when_available.patch
new file mode 100644
index 0000000..74b4fdf
--- /dev/null
+++ b/recipes-containers/lxc/files/busybox_template_mount_fstab_when_available.patch
@@ -0,0 +1,32 @@
+From 12c3b43fbeacd9cc471adf565ecea3263e37e353 Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <[email protected]>
+Date: Mon, 20 Oct 2014 15:56:54 -0400
+Subject: [PATCH] busybox template: mount fstab when available
+
+When running unprivileged, lxc-create will touch a fstab file, with bind-mounts
+for the ttys and other devices. Add this entry in the container config.
+
+Upstream-Status: Accepted
+[https://github.com/lxc/lxc/commit/12c3b43fbeacd9cc471adf565ecea3263e37e353]
+
+Signed-off-by: Bogdan Purcareata <[email protected]>
+Acked-by: Serge E. Hallyn <[email protected]>
+---
+ templates/lxc-busybox.in | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
+index ca2dd43..ee54a7a 100644
+--- a/templates/lxc-busybox.in
++++ b/templates/lxc-busybox.in
+@@ -301,6 +301,10 @@ EOF
+ done
+ echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >>$path/config
+ echo "lxc.mount.auto = proc:mixed sys" >>$path/config
++
++ if [ -f "$path/fstab" ]; then
++ echo "lxc.mount = $path/fstab" >>$path/config
++ fi
+ }
+
+ remap_userns()
diff --git a/recipes-containers/lxc/files/busybox_template_support_for_unprivileged_containers.patch b/recipes-containers/lxc/files/busybox_template_support_for_unprivileged_containers.patch
new file mode 100644
index 0000000..4e9ab74
--- /dev/null
+++ b/recipes-containers/lxc/files/busybox_template_support_for_unprivileged_containers.patch
@@ -0,0 +1,92 @@
+From a542dd3c1aca8b6674f631d625d888eb13ae3a4d Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <[email protected]>
+Date: Mon, 20 Oct 2014 15:56:53 -0400
+Subject: [PATCH] busybox template: support for unprivileged containers
+
+Apply the changes found in templates/lxc-download to the busybox template as
+well. Change ownership of the config and fstab files to the unprivileged user,
+and the ownership of the rootfs to root in the new user namespace.
+
+Eliminate the "unsupported for userns" flag.
+
+Upstream-Status: Accepted
+[https://github.com/lxc/lxc/commit/a542dd3c1aca8b6674f631d625d888eb13ae3a4d]
+
+Signed-off-by: Bogdan Purcareata <[email protected]>
+Acked-by: Serge E. Hallyn <[email protected]>
+---
+ templates/lxc-busybox.in | 36 ++++++++++++++++++++++++++----------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
+index 246e743..ca2dd43 100644
+--- a/templates/lxc-busybox.in
++++ b/templates/lxc-busybox.in
+@@ -20,15 +20,8 @@
+ # License along with this library; if not, write to the Free Software
+ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+-# Detect use under userns (unsupported)
+-for arg in "$@"; do
+- [ "$arg" = "--" ] && break
+- if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
+- echo "This template can't be used for unprivileged containers." 1>&2
+- echo "You may want to try the \"download\" template instead." 1>&2
+- exit 1
+- fi
+-done
++LXC_MAPPED_UID=
++LXC_MAPPED_GID=
+
+ # Make sure the usual locations are in PATH
+ export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
+@@ -310,6 +303,21 @@ EOF
+ echo "lxc.mount.auto = proc:mixed sys" >>$path/config
+ }
+
++remap_userns()
++{
++ path=$1
++
++ if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
++ chown $LXC_MAPPED_UID $path/config $path/fstab >/dev/null 2>&1
++ chown -R root $path/rootfs >/dev/null 2>&1
++ fi
++
++ if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
++ chgrp $LXC_MAPPED_GID $path/config $path/fstab >/dev/null 2>&1
++ chgrp -R root $path/rootfs >/dev/null 2>&1
++ fi
++}
++
+ usage()
+ {
+ cat <<EOF
+@@ -318,7 +326,7 @@ EOF
+ return 0
+ }
+
+-options=$(getopt -o hp:n: -l help,rootfs:,path:,name: -- "$@")
++options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- "$@")
+ if [ $? -ne 0 ]; then
+ usage $(basename $0)
+ exit 1
+@@ -332,6 +340,8 @@ do
+ -p|--path) path=$2; shift 2;;
+ --rootfs) rootfs=$2; shift 2;;
+ -n|--name) name=$2; shift 2;;
++ --mapped-uid) LXC_MAPPED_UID=$2; shift 2;;
++ --mapped-gid) LXC_MAPPED_GID=$2; shift 2;;
+ --) shift 1; break ;;
+ *) break ;;
+ esac
+@@ -374,3 +384,9 @@ if [ $? -ne 0 ]; then
+ echo "failed to write configuration file"
+ exit 1
+ fi
++
++remap_userns $path
++if [ $? -ne 0 ]; then
++ echo "failed to remap files to user"
++ exit 1
++fi
diff --git a/recipes-containers/lxc/lxc_1.0.6.bb b/recipes-containers/lxc/lxc_1.0.6.bb
index 2d384dd..0805573 100644
--- a/recipes-containers/lxc/lxc_1.0.6.bb
+++ b/recipes-containers/lxc/lxc_1.0.6.bb
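Review bot: remap_userns (inner hunk `@@ -310,6 +303,21 @@`) sends every chown/chgrp to `>/dev/null 2>&1` and returns only the status of whatever ran last, so the `remap_userns $path` / `failed to remap files to user` check added at the end of the file rarely fires: a failed `chown -R root $path/rootfs` is masked by a later successful chgrp, and the first block returns 0 whenever `LXC_MAPPED_GID` is unset. For an unprivileged container this means a rootfs left owned by the wrong uid is reported as a successful create and only surfaces later as permission errors inside the container. The redirect is presumably there because `$path/fstab` may not exist (the sibling patch only adds it to the config when present); testing for the file explicitly and failing fast on each command keeps the caller's check meaningful. `$path` should also be quoted here and at the `remap_userns "$path"` call, since the template accepts an arbitrary `--path`.
```shell
remap_userns()
{
    path=$1

    if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
        chown "$LXC_MAPPED_UID" "$path/config" || return 1
        [ ! -f "$path/fstab" ] || chown "$LXC_MAPPED_UID" "$path/fstab" || return 1
        chown -R root "$path/rootfs" || return 1
    fi

    if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
        chgrp "$LXC_MAPPED_GID" "$path/config" || return 1
        [ ! -f "$path/fstab" ] || chgrp "$LXC_MAPPED_GID" "$path/fstab" || return 1
        chgrp -R root "$path/rootfs" || return 1
    fi
}
```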
@@ -26,7 +26,10 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
 file://runtest.patch \
 file://run-ptest \
 file://automake-ensure-VPATH-builds-correctly.patch \
+ file://busybox_template_mount_fstab_when_available.patch \
+ file://busybox_template_support_for_unprivileged_containers.patch \
 "
+
 
 SRC_URI[md5sum] = "4aad3aee84b42faa194e44091d723a3b"
 SRC_URI[sha256sum] = "fc6bffa750f00daaa92aa33d719c1cc235146aa779ebd2a64a0c24423977cf14"
-- 
1.7.10.4
-- 
_______________________________________________
meta-virtualization mailing list
[email protected]
https://lists.yoctoproject.org/listinfo/meta-virtualization
