
Bug#890419: [PATCH] Fix bootstrapping libvirt LXC containers



Package: debootstrap
Severity: normal

Hi,

I'm attaching a patch set I'm using to bootstrap Debian in LXC
containers (managed by libvirtd).

Cheers,
Lubo
From 6b3b08f72331d533bfceb5e3cced6906027b665f Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Sat, 27 Jan 2018 13:21:06 +0100
Subject: [PATCH 3/3] Don't insist on preserving resolv.conf and hostname owner

If we're bootstrapping a Debian tree in a new user namespace, the files
from the host filesystem owned by users from outside our user mapping
range seem to be owned by 65534:65534.

We don't want to create such files either. Also, there doesn't seem to be
much point in preserving the ownership information -- the alternative to
copying the files (just a couple of lines above) is just cat-ing files
and we're perfectly fine with that.
---
 functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/functions b/functions
index aea6ba9..5fb73de 100644
--- a/functions
+++ b/functions
@@ -1017,7 +1017,7 @@ conditional_cp () {
 		if [ -L "$1" ] && [ -e "$1" ]; then
 			cat "$1" >"$2/$1"
 		elif [ -e "$1" ]; then
-			cp -a "$1" "$2/$1"
+			cp "$1" "$2/$1"
 		fi
 	fi
 }
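Review bot: dropping `-a` throws away more than ownership: `cp "$1" "$2/$1"` also stops preserving mode and timestamps, so a host file kept at 0600 lands in the target at the umask default (typically 0644) when the target does not exist yet, while the `cat` branch two lines above keeps whatever mode the target already had. Since the message argues that cat-ing is acceptable, consider making both branches identical (`cat "$1" >"$2/$1"`) so the two paths cannot diverge; the GNU-only alternative `cp -p --no-preserve=ownership` keeps the mode but the `kfreebsd*` host case in setup_devices shows this file also runs on non-GNU hosts.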
-- 
2.14.3

From 273978f25010b135a66e5c47f4a18e1a0f454caf Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Sat, 27 Jan 2018 11:36:46 +0100
Subject: [PATCH 2/3] Make devices setup work in lxc-libvirt containers

We're allowed to use some basic devices, but not to create new device
nodes. No problem, we can just bind the existing ones.

Another alternative would be to bind the whole host /dev. However,
binding just the devices we need ensures everything we need is there and
nothing more (to be consistent with other ways to set up the target
/dev).

The libvirt LXC containers are recognized by the container variable
in PID 1's environment, as defined in the "Container Interface"
specification.
---
 functions | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/functions b/functions
index 27458a9..aea6ba9 100644
--- a/functions
+++ b/functions
@@ -1131,6 +1131,11 @@ setup_devices () {
 		return 0
 	fi
 
+	if grep -q container=lxc-libvirt /proc/1/environ; then
+		setup_devices_bind
+		return 0
+	fi
+
 	case "$HOST_OS" in
 	    kfreebsd*)
 		;;
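Review bot: `grep -q container=lxc-libvirt /proc/1/environ` is a substring match over a NUL-separated block, so it also fires on a longer value (`container=lxc-libvirtd`) or on a variable whose name merely ends in `container`; since the identical test is repeated in check_sane_mount below, factor it into one helper that splits on NUL and matches the whole variable, e.g. `tr '\0' '\n' </proc/1/environ | grep -qx container=lxc-libvirt`, and call it from both sites. Separately, the condition the fallback really depends on is "mknod is refused", not "PID 1 says lxc-libvirt"; probing mknod (as check_sane_mount already does) and falling back to setup_devices_bind on failure would cover every environment with that restriction without a per-container string.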
@@ -1188,6 +1193,26 @@ setup_devices_fakechroot () {
 	ln -s /dev "$TARGET"
 }
 
+setup_devices_bind () {
+	mount -t tmpfs nodev $TARGET/dev
+	umount_on_exit /dev
+	for device in null zero full random urandom tty pts shm ptmx; do
+		if [ -d /dev/$device ]; then
+			mkdir $TARGET/dev/$device
+		elif [ -c /dev/$device ]; then
+			touch $TARGET/dev/$device
+		else
+			continue
+		fi
+		mount -o bind /dev/$device $TARGET/dev/$device
+		umount_on_exit /dev/$device
+	done
+	ln -s /proc/self/fd   $TARGET/dev/fd
+	ln -s /proc/self/fd/0 $TARGET/dev/stdin
+	ln -s /proc/self/fd/1 $TARGET/dev/stdout
+	ln -s /proc/self/fd/2 $TARGET/dev/stderr
+}
+
 setup_dselect_method () {
 	case "$1" in
 	    apt)
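Review bot: `mount -t tmpfs nodev $TARGET/dev` leaves the new /dev with tmpfs defaults, i.e. mode 1777, so any user inside the target can create files there; pass `-o mode=0755` (and `nosuid`) so it matches a conventional /dev. Also `$TARGET` is unquoted throughout setup_devices_bind while the neighbouring code writes `"$TARGET"` (see `ln -s /dev "$TARGET"` just above), and neither the tmpfs mount nor the bind mounts check their exit status, so a failed mount leaves an empty or partial /dev and the bootstrap carries on; `mount ... || return 1` on each would surface that. Worth a one-line comment too: binding /dev/pts and /dev/shm shares the host's existing pseudo-terminals and POSIX shm with the target rather than giving it fresh instances, which is fine for a build chroot but not obvious from the loop.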
@@ -1450,12 +1475,14 @@ check_sane_mount () {
 	    *freebsd*|hurd*)
 		;;
 	    *)
-		mknod "$1/test-dev-null" c 1 3 || return 1
-		if ! echo test > "$1/test-dev-null"; then
+		if ! grep -q container=lxc-libvirt /proc/1/environ; then
+			mknod "$1/test-dev-null" c 1 3 || return 1
+			if ! echo test > "$1/test-dev-null"; then
+				rm -f "$1/test-dev-null"
+				return 1
+			fi
 			rm -f "$1/test-dev-null"
-			return 1
 		fi
-		rm -f "$1/test-dev-null"
 		;;
 	esac
 
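Review bot: the libvirt test is copied verbatim from setup_devices; two copies of the same container string invite drift, so a shared helper used by both sites is preferable. With the test in place the whole mknod probe is skipped for lxc-libvirt and check_sane_mount reports success without having checked anything about `$1`; given that setup_devices_bind puts a fresh tmpfs on `$TARGET/dev` anyway that is acceptable, but a comment saying why the probe is skipped (mknod is refused in this container, devices are bind-mounted instead) would save the next reader from re-deriving it.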
-- 
2.14.3

From 1892105130c3302f1fe2eea271b57f257be3e16a Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Tue, 13 Feb 2018 15:22:50 +0100
Subject: [PATCH 1/3] Umount filesystems in the reverse order from the one
 they were mounted in

This will allow us to clean up the nested mounts more easily.
---
 functions | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/functions b/functions
index e30687c..27458a9 100644
--- a/functions
+++ b/functions
@@ -1069,7 +1069,7 @@ umount_exit_function () {
 
 umount_on_exit () {
 	if [ "$UMOUNT_DIRS" ]; then
-		UMOUNT_DIRS="$UMOUNT_DIRS $1"
+		UMOUNT_DIRS="$1 $UMOUNT_DIRS"
 	else
 		UMOUNT_DIRS="$1"
 		on_exit umount_exit_function
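Review bot: prepending turns UMOUNT_DIRS into a stack, which is the right discipline for nested mounts, but it silently changes the meaning of every existing umount_on_exit call: callers written for append order (setup_proc in the next hunk, and any other caller in this file not touched here) must be re-checked so that registration order matches mount nesting, and umount_exit_function, just above this hunk, should be confirmed to walk UMOUNT_DIRS front to back. A short comment on umount_on_exit stating that entries are unmounted in reverse registration order, i.e. register the outer mount first, would document the new contract.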
@@ -1103,8 +1103,8 @@ setup_proc () {
 	    *)
 		umount_on_exit /dev/pts
 		umount_on_exit /dev/shm
-		umount_on_exit /proc/bus/usb
 		umount_on_exit /proc
+		umount_on_exit /proc/bus/usb
 		umount "$TARGET/proc" 2>/dev/null || true
 		in_target mount -t proc proc /proc
 		if [ -d "$TARGET/sys" ] && \
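Review bot: with the new stack order the registrations read /dev/pts, /dev/shm, /proc, /proc/bus/usb, so /proc/bus/usb is unmounted before /proc, which is what the nesting requires; note that registration happens before the mounts themselves (`in_target mount -t proc proc /proc` follows), so what matters is that the registration order mirrors the nesting, not the order the mount commands run. That invariant is easy to break in a later edit; a comment here ("outer mounts first: the list is unwound in reverse") would protect it.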
-- 
2.14.3
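The container detection that patch 2/3 keys on, as an added shell example that is not part of the submitted patches or of debootstrap: it reads the `container=` variable from an environ-style block the way the "Container Interface" specification lays it out in /proc/1/environ (NUL-separated) and matches the variable name exactly rather than as a substring. The function names `container_type` and `device_setup_method`, and the sample environ block, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the submitted patches: detect the container
# flavour from the container= variable in PID 1's environment.
# /proc/1/environ is a NUL-separated block, so each variable is split out
# on NUL and matched as a whole; a plain "grep -q container=lxc-libvirt"
# would also accept "xcontainer=lxc-libvirt" or "container=lxc-libvirtd".

# container_type: read an environ-style block on stdin and print the value
# of "container"; prints nothing and returns 1 if the variable is absent.
container_type () {
	# tr puts one variable per line; sed keeps the line starting with
	# "container=" (anchored, so the name must match exactly) and drops
	# the key; head guards against a duplicated entry.
	value=$(tr '\000' '\n' | sed -n 's/^container=//p' | head -n 1)
	[ -n "$value" ] || return 1
	printf '%s\n' "$value"
}

# device_setup_method: given PID 1's environ on stdin, choose how a
# debootstrap-style setup_devices should populate the target /dev.
# "bind" mirrors the patch's fallback (bind-mount existing host nodes
# because mknod is refused); "mknod" is the ordinary path.
device_setup_method () {
	case "$(container_type)" in
	    lxc-libvirt) echo bind ;;
	    *)           echo mknod ;;
	esac
}

# Real use would feed PID 1's environment directly:
#   device_setup_method </proc/1/environ
# Below, a constructed environ block (not captured from a real host)
# stands in for it so the example runs anywhere.
printf 'PATH=/usr/sbin:/usr/bin:/sbin:/bin\000container=lxc-libvirt\000HOME=/root\000' \
	| device_setup_method
```

Feeding the real file is `device_setup_method </proc/1/environ`; reading it requires the same privileges debootstrap already needs, and inside a PID namespace /proc/1 is the container's own init, which is exactly what the specification intends.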
