Bug#890419: [PATCH] Fix bootstrapping libvirt LXC containers

2018-03-22 Thread Lubomir Rintel
One more patch, to make debootstrap work in case the container has a
separate userns, but not netns.

This makes debootstrap work with virt-install with this branch [1],
making it rather convenient to install a Debian container with
virt-install:

virt-install \
--debug \
--connect lxc:/// \
--name debian \
--memory 512 \
--idmap uid_start=0,uid_target=100,uid_count=65536,gid_start=0,gid_target=100,gid_count=65536 \
--filesystem /var/lib/libvirt/filesystems/debian,/ \
--location http://ftp.us.debian.org/debian/dists/testing/

[1] https://github.com/lkundrak/virt-manager/tree/lr/lxc-install

From f2524081ad9b9b10ab6b4d1b50f3f55cdc3c9375 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel 
Date: Tue, 20 Mar 2018 22:20:34 +0100
Subject: [PATCH 4/4] Unshare the net namespace in LXC namespace

If we're running without privnet but with an idmap we are CAP_SYS_ADMIN
in the userns but not in the netns and therefore mounting a new sysfs
instance is not allowed (since [7dc5dbc879bd sysfs: Restrict mounting
sysfs] in kernel 3.11).
---
 debootstrap | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/debootstrap b/debootstrap
index fcdb20f..86d489a 100755
--- a/debootstrap
+++ b/debootstrap
@@ -468,6 +468,10 @@ else
 	CHROOT_CMD="chroot $TARGET"
 fi
 
+if grep -q container=lxc-libvirt /proc/1/environ; then
+	CHROOT_CMD="unshare --net $CHROOT_CMD"
+fi
+
 if [ -z "$SHA_SIZE" ]; then
 	SHA_SIZE=256
 fi
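Review bot: the `unshare --net` prefix is applied whenever PID 1's environment says lxc-libvirt, while the commit message scopes the problem to containers started without privnet; with a private netns the extra unshare is harmless but unnecessary, so either narrow the condition or leave a comment saying it is intentionally applied in both cases. Two smaller points: `unshare` (util-linux) becomes a hard runtime dependency here with no `command -v unshare` check or error message, and `grep -q container=lxc-libvirt /proc/1/environ` is a substring match over a NUL-separated file (it also accepts `container=lxc-libvirt-something`); the same test appears in setup_devices and check_sane_mount in the earlier series, so a single anchored `in_lxc_libvirt ()` helper in functions would keep the three copies in sync.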
-- 
2.14.3



Bug#890419: [PATCH] Fix bootstrapping libvirt LXC containers

2018-02-14 Thread Lubomir Rintel
Package: debootstrap
Severity: normal

Hi,

I'm attaching a patch set I'm using to bootstrap Debian in LXC
containers (managed by libvirtd).

Cheers,
Lubo

From 6b3b08f72331d533bfceb5e3cced6906027b665f Mon Sep 17 00:00:00 2001
From: Lubomir Rintel 
Date: Sat, 27 Jan 2018 13:21:06 +0100
Subject: [PATCH 3/3] Don't insist on preserving resolv.conf and hostname owner

If we're bootstrapping a Debian tree in a new user namespace, the files
from the host filesystem owned by users from outside our user mapping
range seem to be owned by 65534:65534.

We don't want to create such files either. Also, there doesn't seem to
be much point in preserving the ownership information -- the alternative
to copying the files (just a couple of lines above) is just cat-ing files
and we're perfectly fine with that.
---
 functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/functions b/functions
index aea6ba9..5fb73de 100644
--- a/functions
+++ b/functions
@@ -1017,7 +1017,7 @@ conditional_cp () {
 		if [ -L "$1" ] && [ -e "$1" ]; then
 			cat "$1" >"$2/$1"
 		elif [ -e "$1" ]; then
-			cp -a "$1" "$2/$1"
+			cp "$1" "$2/$1"
 		fi
 	fi
 }
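Review bot: dropping `-a` gives up more than ownership: `cp -a` also preserved the mode bits and timestamps of resolv.conf and hostname, and the commit message only mentions ownership, so either say so there or keep what can be kept. If ownership really is the only concern, using `cat "$1" >"$2/$1"` in this `elif` branch as well would make both branches behave identically and read as a single intent, instead of one branch streaming and the other copying.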
-- 
2.14.3

From 273978f25010b135a66e5c47f4a18e1a0f454caf Mon Sep 17 00:00:00 2001
From: Lubomir Rintel 
Date: Sat, 27 Jan 2018 11:36:46 +0100
Subject: [PATCH 2/3] Make devices setup work in lxc-libvirt containers

We're allowed to use some basic devices, but not to create new device
nodes. No problem, we can just bind the existing ones.

Another alternative would be to bind the whole host /dev. However,
binding just the devices we need ensures everything we need is there and
nothing more (to be consistent with other ways to set up the target
/dev).

The libvirt LXC containers are recognized by the container variable
in PID 1's environment, as defined in the "Container Interface"
specification.
---
 functions | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/functions b/functions
index 27458a9..aea6ba9 100644
--- a/functions
+++ b/functions
@@ -1131,6 +1131,11 @@ setup_devices () {
 		return 0
 	fi
 
+	if grep -q container=lxc-libvirt /proc/1/environ; then
+		setup_devices_bind
+		return 0
+	fi
+
 	case "$HOST_OS" in
 	kfreebsd*)
 		;;
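Review bot: the new check sits ahead of the `case "$HOST_OS"` and reads /proc/1/environ unconditionally, so on a host without procfs (the kfreebsd branch right below exists for that reason) grep prints "No such file or directory" to stderr on every run; guard it with `[ -r /proc/1/environ ]` or add `2>/dev/null`. The identical grep is repeated in check_sane_mount further down; a shared helper would stop the copies drifting apart.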
@@ -1188,6 +1193,26 @@ setup_devices_fakechroot () {
 	ln -s /dev "$TARGET"
 }
 
+setup_devices_bind () {
+	mount -t tmpfs nodev $TARGET/dev
+	umount_on_exit /dev
+	for device in null zero full random urandom tty pts shm ptmx; do
+		if [ -d /dev/$device ]; then
+			mkdir $TARGET/dev/$device
+		elif [ -c /dev/$device ]; then
+			touch $TARGET/dev/$device
+		else
+			continue
+		fi
+		mount -o bind /dev/$device $TARGET/dev/$device
+		umount_on_exit /dev/$device
+	done
+	ln -s /proc/self/fd   $TARGET/dev/fd
+	ln -s /proc/self/fd/0 $TARGET/dev/stdin
+	ln -s /proc/self/fd/1 $TARGET/dev/stdout
+	ln -s /proc/self/fd/2 $TARGET/dev/stderr
+}
+
 setup_dselect_method () {
 	case "$1" in
 	apt)
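Review bot: `mount -t tmpfs nodev $TARGET/dev` mounts a tmpfs with its default 1777 mode, so the target's /dev is world-writable and sticky for the whole bootstrap; pass `-o mode=755,nosuid` so it matches what a normal /dev looks like. The mount's exit status is ignored, so if it fails the loop goes on touching files and bind-mounting into the target's real /dev; add `|| return 1`. Bind-mounting the host's /dev/shm and /dev/pts directories shares the host's POSIX shared memory and pty set with the target rather than giving it fresh instances; a small tmpfs for shm, and the devpts that setup_proc already registers for unmount, would be cleaner. Finally, `$TARGET` is unquoted throughout this function while the rest of functions quotes it.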
@@ -1450,12 +1475,14 @@ check_sane_mount () {
 	*freebsd*|hurd*)
 		;;
 	*)
-		mknod "$1/test-dev-null" c 1 3 || return 1
-		if ! echo test > "$1/test-dev-null"; then
+		if ! grep -q container=lxc-libvirt /proc/1/environ; then
+			mknod "$1/test-dev-null" c 1 3 || return 1
+			if ! echo test > "$1/test-dev-null"; then
+rm -f "$1/test-dev-null"
+return 1
+			fi
 			rm -f "$1/test-dev-null"
-			return 1
 		fi
-		rm -f "$1/test-dev-null"
 		;;
 	esac
 
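Review bot: in the lxc-libvirt case the function now skips the whole probe and returns success without checking anything about "$1", so an unwritable or read-only target mount would no longer be caught; keep a write test in that case (`echo test > "$1/test-file"` followed by `rm -f`) and skip only the mknod. The two inner lines `rm -f "$1/test-dev-null"` and `return 1` also lost their tab indentation, and this is the second copy of the /proc/1/environ grep in the file.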
-- 
2.14.3

From 1892105130c3302f1fe2eea271b57f257be3e16a Mon Sep 17 00:00:00 2001
From: Lubomir Rintel 
Date: Tue, 13 Feb 2018 15:22:50 +0100
Subject: [PATCH 1/3] Umount filesystems in the reverse of the order they were
 mounted in

This will allow us to clean up the nested mounts more easily.
---
 functions | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/functions b/functions
index e30687c..27458a9 100644
--- a/functions
+++ b/functions
@@ -1069,7 +1069,7 @@ umount_exit_function () {
 
 umount_on_exit () {
 	if [ "$UMOUNT_DIRS" ]; then
-		UMOUNT_DIRS="$UMOUNT_DIRS $1"
+		UMOUNT_DIRS="$1 $UMOUNT_DIRS"
 	else
 		UMOUNT_DIRS="$1"
 		on_exit umount_exit_function
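Review bot: prepending turns UMOUNT_DIRS into a LIFO list, but that only unmounts nested mounts correctly if umount_exit_function walks the list left to right, and that function is outside this diff; a one-line comment on umount_on_exit stating that directories are unmounted in reverse registration order would document the contract for callers that depend on it (the setup_proc reordering in the next hunk and any later nested mounts).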
@@ -1103,8 +1103,8 @@ setup_proc () {
 	*)
 		umount_on_exit /dev/pts
 		umount_on_exit /dev/shm
-		umount_on_exit /proc/bus/usb
 		umount_on_exit /proc
+		umount_on_exit /proc/bus/usb
 		umount "$TARGET/proc" 2>/dev/null || true
 		in_target mount -t proc proc /proc
 		if [ -d "$TARGET/sys" ] && \
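Review bot: swapping /proc and /proc/bus/usb is right under the new LIFO rule (usb is registered last, so unmounted first), but nothing here says the order matters; a comment such as `# nested mounts must be registered after their parent` would stop a future cleanup from re-sorting these lines. /dev/pts and /dev/shm now get unmounted after /proc, which is fine since they are not nested under it.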
-- 
2.14.3
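Added example, not part of the bug report or of debootstrap itself: a NUL-safe version of the `container=lxc-libvirt` detection that the patches above implement with `grep -q` over /proc/1/environ (the mechanism patch 2/3's message attributes to the Container Interface specification). It matches the whole variable rather than a substring, tolerates a missing or unreadable /proc/1/environ (non-Linux hosts, restricted /proc), and is exercised against constructed environ files. The function names `container_type`, `in_lxc_libvirt` and `make_environ` are mine, and the sample environment contents are made up for the demonstration.

```sh
#!/bin/sh
# Added example (not debootstrap code): read the `container` variable from
# PID 1's environment. /proc/1/environ is NUL-separated, so a plain
# `grep -q container=lxc-libvirt` is a substring match that also accepts
# "container=lxc-libvirt-foo" or "xcontainer=lxc-libvirt"; here the whole
# variable is matched exactly and an absent file is handled.

# container_type [ENVIRON_FILE]
# Prints the value of `container` found in ENVIRON_FILE (default
# /proc/1/environ) and returns 0; prints nothing and returns 1 when the
# variable is unset or the file cannot be read.
container_type () {
	environ="${1:-/proc/1/environ}"
	[ -r "$environ" ] || return 1
	# NUL separators become newlines; the sed pattern is anchored at the
	# start of the line, so only the variable named exactly "container" hits.
	value=$(tr '\000' '\n' < "$environ" 2>/dev/null | sed -n 's/^container=//p' | head -n 1)
	[ -n "$value" ] || return 1
	printf '%s\n' "$value"
}

# in_lxc_libvirt [ENVIRON_FILE]
# Returns 0 only if PID 1 was started by libvirt's LXC driver.
in_lxc_libvirt () {
	[ "$(container_type "$@")" = "lxc-libvirt" ]
}

# make_environ FILE VAR=VALUE...
# Writes a NUL-separated environ-style file (constructed test data, not a
# capture from a real container).
make_environ () {
	out="$1"; shift
	: > "$out"
	for kv in "$@"; do
		printf '%s\000' "$kv" >> "$out"
	done
}

demo () {
	tmp=$(mktemp -d)
	make_environ "$tmp/libvirt"   "PATH=/usr/bin:/bin" "container=lxc-libvirt" "HOME=/"
	make_environ "$tmp/lookalike" "container=lxc-libvirt-custom" "XDG_RUNTIME_DIR=/run"
	make_environ "$tmp/bare"      "PATH=/usr/bin:/bin"
	# "missing" is deliberately never created: the unreadable-file case.
	for f in libvirt lookalike bare missing; do
		if in_lxc_libvirt "$tmp/$f"; then
			echo "$f: lxc-libvirt (bind-mount devices, unshare --net)"
		else
			echo "$f: not lxc-libvirt ($(container_type "$tmp/$f" || echo none))"
		fi
	done
	rm -rf "$tmp"
}

demo
```

On a real host call `container_type` with no argument to read /proc/1/environ; the demo only writes under a temporary directory it removes afterwards.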