diff --git a/roles/ariane/files/lxc-voidlinux b/roles/ariane/files/lxc-voidlinux
new file mode 100644
index 0000000..0259d0b
--- /dev/null
+++ b/roles/ariane/files/lxc-voidlinux
@@ -0,0 +1,199 @@
+#!/bin/bash
+
+# https://github.com/lxc/lxc/raw/stable-2.1/templates/lxc-voidlinux.in
+# template script for generating Void Linux container for LXC
+#
+
+#
+# lxc: linux Container library
+
+# Authors:
+# Gregor Reitzenstein
+
+# Based on lxc-archlinux template by:
+# Alexander Vladimirov
+# John Lane
+
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+# Utility functions
+
+# Check if array $2 contains item $1
+containsElement() {
+ local e
+ for e in "${@:2}"; do [[ "$1" == "$e" ]] && return 0; done
+ return 1
+}
+
+# split comma-separated string into an array
+# ${1} - string to split
+# ${2} - separator (default is ",")
+# ${result} - result value on success
+split_string() {
+ local ifs=${IFS}
+ IFS="${2:-,}"
+ read -ra result < <(echo "${1}")
+ IFS=${ifs}
+ return 0
+}
+
+# Make sure the usual locations are in PATH
+export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
+
+# defaults
+default_path="/var/lib/lxc"
+default_path="@LXCPATH@"
+shared_config="/usr/share/lxc/config/voidlinux.common.conf"
+userns_config="/usr/share/lxc/config/voidlinux.userns.conf"
+
+pkg_blacklist=("linux>=0" "e2fsprogs>=0" "btrfs-progs>=0" "xfsprogs>=0" "f2fs-tools>=0" "dosfstools>=0")
+base_packages=()
+for pkg in $(xbps-query -Mv --repository="http://repo2.voidlinux.eu/current/" -x base-system); do
+ containsElement "$pkg" "${pkg_blacklist[@]}" || base_packages+=($pkg)
+done
+declare -a additional_packages
+
+copy_configuration() {
+ mkdir -p "${config_path}"
+ local config="${config_path}/config"
+ echo "lxc.utsname = ${name}" >> "${config}"
+ grep -q "^lxc.rootfs.path" "${config}" 2>/dev/null \
+ || echo "lxc.rootfs.path = ${rootfs_path}" >> "${config}"
+
+ # Detect if were in a UserNS and include the right config
+ if [ -z "${LXC_MAPPED_GID+x}" ] || [ -z "${LXC_MAPPED_UID+x}" ]; then
+ echo "lxc.include = ${userns_config}" >> "${config}"
+ else
+ echo "lxc.include = ${shared_config}" >> "${config}"
+ fi
+
+ if [ $? -ne 0 ]; then
+ echo "Failed to configure container"
+ return 1
+ fi
+ return 0
+}
+
+install_void() {
+ if ! yes | xbps-install -Sy -R http://repo2.voidlinux.eu/current -r "${rootfs_path}" "${base_packages[@]}"
+ then
+ echo "Failed to install container packages"
+ return 1
+ fi
+}
+
+usage() {
+ cat < [-p|--path=] [-a|--arch=]
+ [-r|--root_password=] [-P|--packages=] [-h|--help]
+
+Mandatory args:
+ -n,--name container name, used to as an identifier for that container from now on
+Optional args:
+ -p,--path path to where the container rootfs will be created (${default_path})
+ --rootfs path for actual container rootfs, (${default_path}/rootfs)
+ -P,--packages preinstall additional packages, comma-separated list
+ -c,--config use specified pacman config when installing container packages
+ -a,--arch use specified architecture instead of host's architecture
+ -r,--root_password set container root password
+ -h,--help print this help
+EOF
+ return 0
+}
+
+options=$(getopt -o hp:P:n:c:r: -l help,rootfs:,path:,packages:,name:,config:,root_password:,mapped-uid:,mapped-gid: -- "${@}")
+if [ ${?} -ne 0 ]; then
+ usage "$(basename "${0}")"
+ exit 1
+fi
+eval set -- "${options}"
+
+while true
+do
+ case "${1}" in
+ -h|--help) usage "${0}" && exit 0;;
+ -p|--path) path=${2}; shift 2;;
+ -n|--name) name=${2}; shift 2;;
+ -c|--config) config_path=${2}; shift 2;;
+ --rootfs) rootfs_path=${2}; shift 2;;
+ -P|--packages) additional_packages=${2}; shift 2;;
+ -r|--root_password) root_passwd=${2}; shift 2;;
+ --mapped-uid) LXC_MAPPED_UID=$2; shift 2;;
+ --mapped-gid) LXC_MAPPED_GID=$2; shift 2;;
+ --) shift 1; break ;;
+ *) break ;;
+ esac
+done
+
+if [ -z "${name}" ]; then
+ echo "missing required 'name' parameter"
+ exit 1
+fi
+
+type xbps-install >/dev/null 2>&1
+if [ ${?} -ne 0 ]; then
+ echo "'xbps-install' command is missing."
+fi
+type xbps-query >/dev/null 2>&1
+if [ ${?} -ne 0 ]; then
+ echo "'xbps-query' command is missing."
+fi
+
+if [ -z "${rootfs_path}" ]; then
+ rootfs_path="${path}/rootfs"
+fi
+config_path="${path}"
+
+revert() {
+ echo "Interrupted, cleaning up"
+ lxc-destroy -n "${name}"
+ rm -rf "${path:?}/${name}"
+ rm -rf "${default_path:?}/${name}"
+ exit 1
+}
+trap revert SIGHUP SIGINT SIGTERM
+
+copy_configuration
+if [ $? -ne 0 ]; then
+ echo "Failed to write configuration file"
+ rm -rf "${config_path}"
+ exit 1
+fi
+
+if [ ${#additional_packages[@]} -gt 0 ]; then
+ split_string "${additional_packages}"
+ base_packages+=(${result[@]})
+fi
+
+mkdir -p "${rootfs_path}"
+install_void
+if [ ${?} -ne 0 ]; then
+ echo "Failed to install Void Linux"
+ rm -rf "${config_path}" "${path}"
+ exit 1
+fi
+
+
+
+if [ -n "${root_passwd}" ]; then
+ echo "root:${root_passwd}" | chroot "${rootfs_path}" chpasswd
+fi
+
+cat << EOF
+Void Linux Container ${name} has been successfully created. The configuration is
+stored in ${config_path}/config. Please refer to https://wiki.voidlinux.eu for
+information regarding Void Linux.
+EOF
diff --git a/roles/ariane/files/voidlinux.common.conf b/roles/ariane/files/voidlinux.common.conf
new file mode 100644
index 0000000..5638df8
--- /dev/null
+++ b/roles/ariane/files/voidlinux.common.conf
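Review bot: The second `default_path="@LXCPATH@"` line in the defaults section is the unsubstituted build-time placeholder from the upstream `.in` template; it overrides the `/var/lib/lxc` set one line earlier, so the default printed by `usage` is wrong and `revert()` ends up running `rm -rf "${default_path:?}/${name}"` against a literal `@LXCPATH@/<name>` relative to the current directory. Delete that line (or substitute the real path) so the installed copy matches what the autotools substitution would have produced. In `install_void`, `yes | xbps-install -Sy -R http://repo2.voidlinux.eu/current -r "${rootfs_path}" ...` runs against a freshly created rootfs, so the piped `yes` presumably also answers the repository public-key import prompt unattended over a plain-http mirror, which reduces package signature verification to trusting whichever key that mirror presents; pre-seeding the expected key in the rootfs or pointing at an https mirror keeps the check meaningful. The `type xbps-install` / `type xbps-query` checks only print a message and carry on, so a missing tool surfaces later as an install failure after the config has been written; add `exit 1` after each message.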
@@ -0,0 +1,36 @@
+# https://github.com/lxc/lxc/raw/stable-2.1/config/templates/voidlinux.common.conf.in
+# This derives from the global common config
+lxc.include = /usr/share/lxc/config/common.conf
+
+# Allow for 6 tty devices by default
+lxc.tty.max = 6
+
+# Set $VIRTUALIZATION so runit doesn't try to mount filesystems or start udevd
+lxc.environment=VIRTUALIZATION=lxc
+
+# Set the halt/stop signals
+lxc.haltsignal=SIGCONT
+
+
+# Uncomment to disable creating tty devices subdirectory in /dev
+# lxc.tty.dir =
+
+# Capabilities
+# Uncomment these if you don't run anything that needs the capability, and
+# would like the container to run with less privilege.
+#
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+# lxc.cap.drop = sys_admin
+# lxc.cap.drop = net_raw # breaks dhcp/ping
+# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
+# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
+# lxc.cap.drop = setuid # breaks sshd,nfs statd
+# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
+# lxc.cap.drop = audit_write
+# lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
+#
+lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
diff --git a/roles/ariane/files/voidlinux.userns.conf b/roles/ariane/files/voidlinux.userns.conf
new file mode 100644
index 0000000..0744229
--- /dev/null
+++ b/roles/ariane/files/voidlinux.userns.conf
@@ -0,0 +1,9 @@
+# https://github.com/lxc/lxc/raw/stable-2.1/config/templates/voidlinux.userns.conf.in
+# This derives from the global userns config
+lxc.include = /usr/share/lxc/config/userns.conf
+
+# Set $VIRTUALIZATION so runit doesn't try to mount filesystems or start udevd
+lxc.environment=VIRTUALIZATION=lxc
+
+# Set the halt/stop signals
+lxc.haltsignal=SIGCONT
diff --git a/roles/ariane/tasks/lxc.yml b/roles/ariane/tasks/lxc.yml
index 039e1a8..88ddb1c 100644
--- a/roles/ariane/tasks/lxc.yml
+++ b/roles/ariane/tasks/lxc.yml
@@ -21,13 +21,7 @@ backup: yes - name: lxc - /etc/lxc/default.conf - copy: - dest: /etc/lxc/default.conf - src: lxc_default.conf - owner: root - group: root - mode: 0644 - backup: yes + copy: dest=/etc/lxc/default.conf src=lxc_default.conf owner=root group=root mode=0644 backup=yes - name: lxc - create container lxc_container:
diff --git a/roles/ariane/tasks/lxc_void.yml b/roles/ariane/tasks/lxc_void.yml
new file mode 100644
index 0000000..a3e9829
--- /dev/null
+++ b/roles/ariane/tasks/lxc_void.yml
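Review bot: The replacement `copy: dest=/etc/lxc/default.conf src=lxc_default.conf owner=root group=root mode=0644 backup=yes` in lxc.yml switches this one task to the key=value shorthand while the surrounding tasks in the same file keep the YAML dictionary form (the `backup: yes` context above and the `lxc_container:` task below), so the file now mixes both styles. ansible-lint reports the shorthand form, and the dictionary form is what the rest of the role uses; if the intent is to shorten the task, the flow-mapping form `copy: {dest: /etc/lxc/default.conf, src: lxc_default.conf, owner: root, group: root, mode: 0644, backup: yes}` stays on one line without changing style conventions. The same shorthand is used by the three `copy:` tasks in the new lxc_void.yml.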
@@ -0,0 +1,28 @@
+---
+- name: lxc - install xbps build depencies
+ package: name="{{ item }}"
+ with_items:
+ - zlib1g-dev
+ - pkg-config
+ - libarchive-dev
+ - libssl1.0-dev
+
+- name: lxc - xbps git
+ git:
+ repo: https://github.com/voidlinux/xbps.git
+ dest: /opt/xbps
+ force: yes
+ register: git_clone
+
+- name: lxc - xbps build and install
+ shell: cd /opt/xbps && /opt/xbps/configure --enable-debug && make && make install clean && ldconfig
+ when: git_clone.changed
+
+- name: lxc - /usr/share/lxc/templates/lxc-voidlinux
+ copy: dest=/usr/share/lxc/templates/lxc-voidlinux src=lxc-voidlinux owner=root group=root mode=0755 backup=yes
+
+- name: lxc - /usr/share/lxc/config/voidlinux.common.conf
+ copy: dest=/usr/share/lxc/config/voidlinux.common.conf src=voidlinux.common.conf owner=root group=root mode=0644 backup=yes
+
+- name: lxc - /usr/share/lxc/config/voidlinux.userns.conf
+ copy: dest=/usr/share/lxc/config/voidlinux.userns.conf src=voidlinux.userns.conf owner=root group=root mode=0644 backup=yes
diff --git a/roles/ariane/tasks/main.yml b/roles/ariane/tasks/main.yml
index 487eb6c..01ba6fe 100644
--- a/roles/ariane/tasks/main.yml
+++ b/roles/ariane/tasks/main.yml
@@ -23,6 +23,10 @@ when: ariane_lxc tags: ['ariane_lxc', 'lxc'] +- include_tasks: lxc_void.yml + when: ariane_lxc_void + tags: ['ariane_lxc_void', 'lxc', 'lxc_void'] + - include_tasks: snapper.yml when: ariane_snapper tags: ['ariane_snapper', 'snapper']
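Review bot: The `git:` task in lxc_void.yml clones `https://github.com/voidlinux/xbps.git` with no `version:`, so whatever upstream HEAD happens to be at run time is built and installed system-wide as root by the following `shell:` task, and every upstream commit re-triggers that rebuild through `when: git_clone.changed`; pin the checkout, e.g. `version: <xbps tag or commit>` (placeholder), so the installed tool only changes on a deliberate bump. `force: yes` additionally discards any local edits in `/opt/xbps` without notice, which is fine for a throwaway checkout but deserves a one-line comment. The build step is a raw `shell: cd /opt/xbps && ...`; moving the directory change to `args: {chdir: /opt/xbps}` and adding a `creates:` guard on the installed binary would make the task idempotent on its own rather than relying on the clone's change flag. The task name `lxc - install xbps build depencies` has a typo for `dependencies`.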