Merge pull request 'sync lxc-helpers 529f2049d039091f4a5b4d8f42c335c7c65ab115' (#101) from earl-warren/setup-forgejo:wip-lxc-helpers into main

Reviewed-on: https://code.forgejo.org/actions/setup-forgejo/pulls/101
Reviewed-by: dachary <dachary@noreply.code.forgejo.org>
This commit is contained in:
earl-warren 2023-11-11 23:46:09 +00:00
commit 75cc10f9ca

View file

@ -1,11 +1,16 @@
#!/bin/bash #!/bin/bash
# SPDX-License-Identifier: MIT # SPDX-License-Identifier: MIT
export DEBIAN_FRONTEND=noninteractive
LXC_SELF_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" LXC_SELF_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
LXC_BIN=/usr/local/bin LXC_BIN=/usr/local/bin
LXC_CONTAINER_CONFIG_ALL="unprivileged lxc libvirt docker k8s"
LXC_CONTAINER_CONFIG_DEFAULT="lxc libvirt docker"
: ${LXC_SUDO:=} : ${LXC_SUDO:=}
: ${LXC_CONTAINER_RELEASE:=bookworm} : ${LXC_CONTAINER_RELEASE:=bookworm}
: ${LXC_CONTAINER_CONFIG:=$LXC_CONTAINER_CONFIG_DEFAULT}
: ${LXC_HOME:=/home} : ${LXC_HOME:=/home}
: ${LXC_VERBOSE:=false} : ${LXC_VERBOSE:=false}
@ -103,42 +108,138 @@ function lxc_prepare_environment() {
fi fi
} }
function lxc_container_configure() { function lxc_container_config_nesting() {
local name="$1" echo 'security.nesting = true'
}
$LXC_SUDO tee -a $(lxc_config $name) > /dev/null <<'EOF' function lxc_container_config_cap() {
security.nesting = true echo 'lxc.cap.drop ='
lxc.cap.drop = }
lxc.apparmor.profile = unconfined
function lxc_container_config_net() {
cat <<EOF
# #
# /dev/net (docker won't work without /dev/net/tun) # /dev/net
# #
lxc.cgroup2.devices.allow = c 10:200 rwm lxc.cgroup2.devices.allow = c 10:200 rwm
lxc.mount.entry = /dev/net dev/net none bind,create=dir 0 0 lxc.mount.entry = /dev/net dev/net none bind,create=dir 0 0
EOF
}
function lxc_container_config_kvm() {
cat <<EOF
# #
# /dev/kvm (libvirt / kvm won't work without /dev/kvm) # /dev/kvm
# #
lxc.cgroup2.devices.allow = c 10:232 rwm lxc.cgroup2.devices.allow = c 10:232 rwm
lxc.mount.entry = /dev/kvm dev/kvm none bind,create=file 0 0 lxc.mount.entry = /dev/kvm dev/kvm none bind,create=file 0 0
EOF
}
function lxc_container_config_loop() {
cat <<EOF
# #
# /dev/loop # /dev/loop
# #
lxc.cgroup2.devices.allow = c 10:237 rwm lxc.cgroup2.devices.allow = c 10:237 rwm
lxc.cgroup2.devices.allow = b 7:* rwm lxc.cgroup2.devices.allow = b 7:* rwm
lxc.mount.entry = /dev/loop-control dev/loop-control none bind,create=file 0 0 lxc.mount.entry = /dev/loop-control dev/loop-control none bind,create=file 0 0
EOF
}
function lxc_container_config_mapper() {
cat <<EOF
# #
# /dev/mapper # /dev/mapper
# #
lxc.cgroup2.devices.allow = c 10:236 rwm lxc.cgroup2.devices.allow = c 10:236 rwm
lxc.mount.entry = /dev/mapper dev/mapper none bind,create=dir 0 0 lxc.mount.entry = /dev/mapper dev/mapper none bind,create=dir 0 0
EOF
}
function lxc_container_config_fuse() {
cat <<EOF
# #
# /dev/fuse # /dev/fuse
# #
lxc.cgroup2.devices.allow = b 10:229 rwm lxc.cgroup2.devices.allow = b 10:229 rwm
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0 lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0
EOF EOF
}
function lxc_container_config_kmsg() {
cat <<EOF
#
# kmsg
#
lxc.cgroup2.devices.allow = c 1:11 rwm
lxc.mount.entry = /dev/kmsg dev/kmsg none bind,create=file 0 0
EOF
}
function lxc_container_config_proc() {
cat <<EOF
#
# /proc
#
#
# Only because k8s tries to write /proc/sys/vm/overcommit_memory
# is there a way to only allow that? Would it be enough for k8s?
#
lxc.mount.auto = proc:rw
EOF
}
function lxc_container_config() {
for config in "$@" ; do
case $config in
unprivileged)
;;
lxc)
echo nesting
echo cap
;;
docker)
echo net
;;
libvirt)
echo cap
echo kvm
echo loop
echo mapper
echo fuse
;;
k8s)
echo cap
echo loop
echo mapper
echo fuse
echo kmsg
echo proc
;;
*)
echo "$config unknown ($LXC_CONTAINER_CONFIG_ALL)"
return 1
;;
esac
done | sort -u | while read config ; do
echo "#"
echo "# include $config config snippet"
echo "#"
lxc_container_config_$config
done
}
function lxc_container_configure() {
local name="$1"
lxc_container_config $LXC_CONTAINER_CONFIG | $LXC_SUDO tee -a $(lxc_config $name)
}
function lxc_container_install_lxc_helpers() {
local name="$1"
$LXC_SUDO cp -a $LXC_SELF_DIR/lxc-helpers*.sh $root/$LXC_BIN
# #
# Wait for the network to come up # Wait for the network to come up
# #
@ -154,6 +255,13 @@ EOF
$LXC_SUDO chmod +x $wait_networking $LXC_SUDO chmod +x $wait_networking
} }
function lxc_container_create() {
local name="$1"
lxc_prepare_environment
lxc_build_template $(lxc_template_release) "$name"
}
function lxc_container_mount() { function lxc_container_mount() {
local name="$1" local name="$1"
local dir="$2" local dir="$2"
@ -205,13 +313,13 @@ function lxc_container_destroy() {
function lxc_exists() { function lxc_exists() {
local name="$1" local name="$1"
test "$($LXC_SUDO lxc-ls --filter=^$name)" test "$($LXC_SUDO lxc-ls --filter=^$name\$)"
} }
function lxc_running() { function lxc_running() {
local name="$1" local name="$1"
test "$($LXC_SUDO lxc-ls --running --filter=^$name)" test "$($LXC_SUDO lxc-ls --running --filter=^$name\$)"
} }
function lxc_build_template_release() { function lxc_build_template_release() {
@ -222,10 +330,13 @@ function lxc_build_template_release() {
fi fi
local root=$(lxc_root $name) local root=$(lxc_root $name)
local packages="sudo,git,python3" $LXC_SUDO lxc-create --name $name --template debian -- --release=$LXC_CONTAINER_RELEASE
$LXC_SUDO lxc-create --name $name --template debian -- --release=$LXC_CONTAINER_RELEASE --packages="$packages" echo 'lxc.apparmor.profile = unconfined' | $LXC_SUDO tee -a $(lxc_config $name)
$LXC_SUDO cp -a $LXC_SELF_DIR/lxc-helpers*.sh $root/$LXC_BIN lxc_container_install_lxc_helpers $name
lxc_container_configure $name lxc_container_start $name
lxc_container_run $name apt-get update -qq
lxc_apt_install $name sudo git python3
lxc_container_stop $name
} }
function lxc_build_template() { function lxc_build_template() {
@ -240,7 +351,11 @@ function lxc_build_template() {
lxc_build_template_release lxc_build_template_release
fi fi
$LXC_SUDO lxc-copy --name=$name --newname=$newname if ! $LXC_SUDO lxc-copy --name=$name --newname=$newname ; then
echo lxc-copy --name=$name --newname=$newname failed
return 1
fi
lxc_container_configure $newname
} }
function lxc_apt_install() { function lxc_apt_install() {
@ -251,7 +366,7 @@ function lxc_apt_install() {
} }
function lxc_apt_install_inside() { function lxc_apt_install_inside() {
DEBIAN_FRONTEND=noninteractive apt-get install -y -qq "$@" apt-get install -y -qq "$@"
} }
function lxc_install_lxc() { function lxc_install_lxc() {
@ -264,18 +379,18 @@ function lxc_install_lxc() {
function lxc_install_lxc_inside() { function lxc_install_lxc_inside() {
local prefix="$1" local prefix="$1"
local packages="make git libvirt0 libpam-cgfs bridge-utils uidmap dnsmasq-base dnsmasq dnsmasq-utils qemu-user-static" local packages="make git libvirt0 libpam-cgfs bridge-utils uidmap dnsmasq-base dnsmasq dnsmasq-utils qemu-user-static lxc-templates debootstrap"
if test "$(lxc_release)" = bookworm ; then if test "$(lxc_release)" = bookworm ; then
packages="$packages lxc-templates debootstrap distro-info" packages="$packages distro-info"
fi fi
lxc_apt_install_inside $packages lxc_apt_install_inside $packages
if ! systemctl is-active --quiet lxc-net; then if ! grep --quiet LXC_ADDR=.$prefix.1. /etc/default/lxc-net ; then
systemctl disable --now dnsmasq systemctl disable --now dnsmasq
apt-get install -y -qq lxc apt-get install -y -qq lxc
systemctl stop lxc-net systemctl stop lxc-net
sed -i -e '/ConditionVirtualization/d' $root/usr/lib/systemd/system/lxc-net.service sed -i -e '/ConditionVirtualization/d' /usr/lib/systemd/system/lxc-net.service
systemctl daemon-reload systemctl daemon-reload
cat >> /etc/default/lxc-net <<EOF cat >> /etc/default/lxc-net <<EOF
LXC_ADDR="$prefix.1" LXC_ADDR="$prefix.1"