zaclys/searxng
1
0
Fork 1
mirror of https://github.com/searxng/searxng synced 2024-01-01 19:24:07 +01:00
Code Issues Projects Releases Packages Wiki Activity

LXC: fixed raw.idmap & removed obsolete uid/gid subordinate

Browse source 
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
This commit is contained in:
Markus Heiser 2020-03-08 18:30:25 +01:00
parent e7f69b63f1
commit d48c7bf678
1 changed files with 7 additions and 60 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

67
utils/lxc.sh
View file

@ -78,11 +78,10 @@ usage::
$_cmd build [containers] $_cmd build [containers]
$_cmd copy [images] $_cmd copy [images]
$_cmd remove [containers|<name>|images|subordinate] $_cmd remove [containers|<name>|images]
$_cmd add [subordinate]
$_cmd [start|stop] [containers|<name>] $_cmd [start|stop] [containers|<name>]
$_cmd show [info|config|suite|images] $_cmd show [info|config|suite|images]
$_cmd cmd [--|<name>] ... $_cmd cmd [--|<name>] '...'
$_cmd install [suite] $_cmd install [suite]
build build
@ -92,8 +91,6 @@ copy:
remove remove
:containers: delete all 'containers' or only <container-name> :containers: delete all 'containers' or only <container-name>
:images: delete local images of the suite :images: delete local images of the suite
add / remove
:subordinate: LXD permission to map ${HOST_USER}'s user/group id through
start/stop start/stop
:containers: start/stop all 'containers' from the suite :containers: start/stop all 'containers' from the suite
:<name>: start/stop conatiner <name> from suite :<name>: start/stop conatiner <name> from suite
@ -103,8 +100,9 @@ show
:suite: show services of all the containers from the LXC suite :suite: show services of all the containers from the LXC suite
:images: show information of local images :images: show information of local images
cmd cmd
-- run command ... in all containers of the LXC suite use single qoutes to evaluate in container's bash, e.g. 'echo $(hostname)'
:<name>: run command ... in container <name> -- run command '...' in all containers of the LXC suite
:<name>: run command '...' in container <name>
install install
:suite: install LXC suite, includes morty & filtron :suite: install LXC suite, includes morty & filtron
@ -176,7 +174,6 @@ main() {
case $2 in case $2 in
''|containers) remove_instances ;; ''|containers) remove_instances ;;
images) lxc_delete_images_localy ;; images) lxc_delete_images_localy ;;
subordinate) echo; del_subordinate_ids ;;
${LXC_HOST_PREFIX}-*) ${LXC_HOST_PREFIX}-*)
! lxc_exists "$2" && usage_containers "unknown container: $2" && exit 42 ! lxc_exists "$2" && usage_containers "unknown container: $2" && exit 42
if ask_yn "Do you really want to delete conatiner $2"; then if ask_yn "Do you really want to delete conatiner $2"; then
@ -186,13 +183,6 @@ main() {
*) usage "uknown or missing container <name> $2"; exit 42;; *) usage "uknown or missing container <name> $2"; exit 42;;
esac esac
;; ;;
add)
sudo_or_exit
case $2 in
subordinate) echo; add_subordinate_ids ;;
*) usage "$_usage"; exit 42;;
esac
;;
start|stop) start|stop)
sudo_or_exit sudo_or_exit
case $2 in case $2 in
@ -274,7 +264,6 @@ main() {
build_instances() { build_instances() {
rst_title "Build LXC instances" rst_title "Build LXC instances"
echo echo
add_subordinate_ids
lxc_copy_images_localy lxc_copy_images_localy
echo echo
rst_title "build containers" section rst_title "build containers" section
@ -400,7 +389,7 @@ lxc_exec_cmd() {
shift shift
exit_val= exit_val=
info_msg "[${_BBlue}${name}${_creset}] ${_BGreen}${*}${_creset}" info_msg "[${_BBlue}${name}${_creset}] ${_BGreen}${*}${_creset}"
lxc exec --cwd "${LXC_REPO_ROOT}" "${name}" -- "$@" lxc exec --cwd "${LXC_REPO_ROOT}" "${name}" -- bash -c "$*"
exit_val=$? exit_val=$?
if [[ $exit_val -ne 0 ]]; then if [[ $exit_val -ne 0 ]]; then
warn_msg "[${_BBlue}${name}${_creset}] exit code (${_BRed}${exit_val}${_creset}) from ${_BGreen}${*}${_creset}" warn_msg "[${_BBlue}${name}${_creset}] exit code (${_BRed}${exit_val}${_creset}) from ${_BGreen}${*}${_creset}"
@ -435,7 +424,7 @@ lxc_config_containers() {
info_msg "[${_BBlue}${i}${_creset}] map uid/gid from host to container" info_msg "[${_BBlue}${i}${_creset}] map uid/gid from host to container"
# https://lxd.readthedocs.io/en/latest/userns-idmap/#custom-idmaps # https://lxd.readthedocs.io/en/latest/userns-idmap/#custom-idmaps
echo -e -n "uid $HOST_USER_ID 1000\\ngid $HOST_GROUP_ID 1000"\ echo -e -n "uid $HOST_USER_ID 0\\ngid $HOST_GROUP_ID 0"\
| lxc config set "$i" raw.idmap - | lxc config set "$i" raw.idmap -
info_msg "[${_BBlue}${i}${_creset}] share ${REPO_ROOT} (repo_share) from HOST into container" info_msg "[${_BBlue}${i}${_creset}] share ${REPO_ROOT} (repo_share) from HOST into container"
@ -475,48 +464,6 @@ lxc_boilerplate_containers() {
done done
} }
# subordinates
# ------------
#
# see man: subgid(5), subuid(5), https://lxd.readthedocs.io/en/latest/userns-idmap
#
# E.g. in the HOST you have uid=1001(user) and/or gid=1001(user) ::
#
# root:1001:1
#
# in the CONTAINER::
#
# config:
# raw.idmap: |
# uid 1001 1000
# gid 1001 1000
add_subordinate_ids() {
if grep "root:${HOST_USER_ID}:1" /etc/subuid -qs; then
info_msg "lxd already has permission to map ${HOST_USER_ID}'s user/group id through"
else
info_msg "add lxd permission to map ${HOST_USER_ID}'s user/group id through"
usermod --add-subuids "${HOST_USER_ID}-${HOST_USER_ID}" \
--add-subgids "${HOST_GROUP_ID}-${HOST_GROUP_ID}" root
fi
}
del_subordinate_ids() {
local out
local exit_val
if grep "root:${HOST_USER_ID}:1" /etc/subuid -qs; then
# TODO: root user is always in use by process 1, how can we remove subordinates?
info_msg "remove lxd permission to map ${HOST_USER_ID}'s user/group id through"
out=$(usermod --del-subuids "${HOST_USER_ID}-${HOST_USER_ID}" --del-subgids "${HOST_GROUP_ID}-${HOST_GROUP_ID}" root 2>&1)
exit_val=$?
if [ $exit_val -ne 0 ]; then
err_msg "$out"
fi
else
info_msg "lxd does not have permission to map ${HOST_USER_ID}'s user/group id through"
fi
}
# ---------------------------------------------------------------------------- # ----------------------------------------------------------------------------
main "$@" main "$@"