Re: [lxc-devel] [PATCH 1/2] busybox template: support for unprivileged containers

2014-10-22 Thread Serge Hallyn
Quoting Bogdan Purcareata (bogdan.purcare...@freescale.com):
> Apply the changes found in templates/lxc-download to the busybox template as
> well. Change ownership of the config and fstab files to the unprivileged user,
> and the ownership of the rootfs to root in the new user namespace.
> 
> Eliminate the "unsupported for userns" flag.
> 
> Signed-off-by: Bogdan Purcareata 

Acked-by: Serge E. Hallyn 

> ---
>  templates/lxc-busybox.in | 36 ++--
>  1 file changed, 26 insertions(+), 10 deletions(-)
> 
> diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> index 246e743..ca2dd43 100644
> --- a/templates/lxc-busybox.in
> +++ b/templates/lxc-busybox.in
> @@ -20,15 +20,8 @@
>  # License along with this library; if not, write to the Free Software
>  # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 
> USA
>  
> -# Detect use under userns (unsupported)
> -for arg in "$@"; do
> -[ "$arg" = "--" ] && break
> -if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
> -echo "This template can't be used for unprivileged containers." 1>&2
> -echo "You may want to try the \"download\" template instead." 1>&2
> -exit 1
> -fi
> -done
> +LXC_MAPPED_UID=
> +LXC_MAPPED_GID=
>  
>  # Make sure the usual locations are in PATH
>  export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
> @@ -310,6 +303,21 @@ EOF
>  echo "lxc.mount.auto = proc:mixed sys" >>$path/config
>  }
>  
> +remap_userns()
> +{
> +path=$1
> +
> +if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
> +chown $LXC_MAPPED_UID $path/config $path/fstab >/dev/null 2>&1
> +chown -R root $path/rootfs >/dev/null 2>&1
> +fi
> +
> +if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
> +chgrp $LXC_MAPPED_GID $path/config $path/fstab >/dev/null 2>&1
> +chgrp -R root $path/rootfs >/dev/null 2>&1
> +fi
> +}
> +
>  usage()
>  {
>  cat < @@ -318,7 +326,7 @@ EOF
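Review bot: In `remap_userns` every `chown`/`chgrp` has its output and status discarded (`>/dev/null 2>&1`, no check), so the function returns only the status of the last `chgrp -R`, or 0 when no GID was mapped. The `if [ $? -ne 0 ]` test added in the final hunk therefore cannot see a failed ownership change on `config`, `fstab` or `rootfs`, and the container can be left with files owned by the wrong user without any message. If failure is meant to be fatal, as that caller check suggests, each command should return on error and keep stderr, and `$path`, `$LXC_MAPPED_UID` and `$LXC_MAPPED_GID` should be quoted so a value containing whitespace is not split into extra operands. Whether `$path/fstab` always exists at this point is not visible here and should be confirmed before the first `chown` is made fatal. The same hunk appears again in the original message further down.

```shell
if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
    chown "$LXC_MAPPED_UID" "$path/config" "$path/fstab" || return 1
    chown -R root "$path/rootfs" || return 1
fi
# … unchanged: the LXC_MAPPED_GID test …
    chgrp "$LXC_MAPPED_GID" "$path/config" "$path/fstab" || return 1
    chgrp -R root "$path/rootfs" || return 1
# … unchanged: fi and end of remap_userns …
```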
>  return 0
>  }
>  
> -options=$(getopt -o hp:n: -l help,rootfs:,path:,name: -- "$@")
> +options=$(getopt -o hp:n: -l 
> help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- "$@")
>  if [ $? -ne 0 ]; then
>  usage $(basename $0)
>  exit 1
> @@ -332,6 +340,8 @@ do
>  -p|--path)  path=$2; shift 2;;
>  --rootfs)   rootfs=$2; shift 2;;
>  -n|--name)  name=$2; shift 2;;
> +--mapped-uid)   LXC_MAPPED_UID=$2; shift 2;;
> +--mapped-gid)   LXC_MAPPED_GID=$2; shift 2;;
>  --) shift 1; break ;;
>  *)  break ;;
>  esac
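Review bot: The two new arms store `$2` in `LXC_MAPPED_UID` and `LXC_MAPPED_GID` without checking that it is an id, and `remap_userns` later expands those variables unquoted as the first operand of `chown` and `chgrp`. A check after the option loop that accepts only an empty value, `-1` or decimal digits would keep a malformed value from reaching those commands, e.g. `case "$LXC_MAPPED_UID" in ""|-1) ;; *[!0-9]*) echo "invalid --mapped-uid" 1>&2; exit 1 ;; esac`, and the same for the GID. The `while`/`case` these arms belong to starts outside the hunk.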
> @@ -374,3 +384,9 @@ if [ $? -ne 0 ]; then
>  echo "failed to write configuration file"
>  exit 1
>  fi
> +
> +remap_userns $path
> +if [ $? -ne 0 ]; then
> +echo "failed to remap files to user"
> +exit 1
> +fi
> -- 
> 1.9.rc1
> 


[lxc-devel] [PATCH 1/2] busybox template: support for unprivileged containers

2014-10-20 Thread Bogdan Purcareata
Apply the changes found in templates/lxc-download to the busybox template as
well. Change ownership of the config and fstab files to the unprivileged user,
and the ownership of the rootfs to root in the new user namespace.

Eliminate the "unsupported for userns" flag.

Signed-off-by: Bogdan Purcareata 
---
 templates/lxc-busybox.in | 36 ++--
 1 file changed, 26 insertions(+), 10 deletions(-)

diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 246e743..ca2dd43 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -20,15 +20,8 @@
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 
-# Detect use under userns (unsupported)
-for arg in "$@"; do
-[ "$arg" = "--" ] && break
-if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
-echo "This template can't be used for unprivileged containers." 1>&2
-echo "You may want to try the \"download\" template instead." 1>&2
-exit 1
-fi
-done
+LXC_MAPPED_UID=
+LXC_MAPPED_GID=
 
 # Make sure the usual locations are in PATH
 export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
@@ -310,6 +303,21 @@ EOF
 echo "lxc.mount.auto = proc:mixed sys" >>$path/config
 }
 
+remap_userns()
+{
+path=$1
+
+if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
+chown $LXC_MAPPED_UID $path/config $path/fstab >/dev/null 2>&1
+chown -R root $path/rootfs >/dev/null 2>&1
+fi
+
+if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
+chgrp $LXC_MAPPED_GID $path/config $path/fstab >/dev/null 2>&1
+chgrp -R root $path/rootfs >/dev/null 2>&1
+fi
+}
+
 usage()
 {
 cat