Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Closes #1813 This adds preliminary (but working) support for creating application containers from OCI formats. Examples: create a container from a local OCI layout in ../oci: sudo lxc-create -t oci -n a1 -- -u oci:../oci:alpine Or, create a container pulling from the docker hub. sudo lxc-create -t oci -n u1 -- -u docker://ubuntu The url is specified in the same format as for 'skopeo copy'. Comments appreciated. Signed-off-by: Serge Hallyn <shallyn@cisco.com>
- Loading branch information
Showing
3 changed files
with
214 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,212 @@ | ||
#!/bin/bash | ||
|
||
# Create application containers from OCI images | ||
|
||
# Copyright © 2014 Stéphane Graber <stgraber@ubuntu.com> | ||
# Copyright © 2017 Serge Hallyn <serge@hallyn.com> | ||
# | ||
# This library is free software; you can redistribute it and/or | ||
# modify it under the terms of the GNU Lesser General Public | ||
# License as published by the Free Software Foundation; either | ||
# version 2.1 of the License, or (at your option) any later version. | ||
|
||
# This library is distributed in the hope that it will be useful, | ||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
# Lesser General Public License for more details. | ||
|
||
# You should have received a copy of the GNU Lesser General Public | ||
# License along with this library; if not, write to the Free Software | ||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 | ||
# USA | ||
|
||
set -eu | ||
# set -x # debug | ||
|
||
# Make sure the usual locations are in PATH | ||
export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin | ||
|
||
# Check for required binaries | ||
for bin in skopeo umoci jq; do | ||
if ! type $bin >/dev/null 2>&1; then | ||
echo "ERROR: Missing required tool: $bin" 1>&2 | ||
exit 1 | ||
fi | ||
done | ||
|
||
# Some useful functions | ||
cleanup() { | ||
if [ -d "$DOWNLOAD_TEMP" ]; then | ||
rm -Rf $DOWNLOAD_TEMP | ||
fi | ||
} | ||
|
||
in_userns() { | ||
[ -e /proc/self/uid_map ] || { echo no; return; } | ||
while read line; do | ||
fields=$(echo $line | awk '{ print $1 " " $2 " " $3 }') | ||
[ "$fields" = "0 0 4294967295" ] && { echo no; return; } || true | ||
echo $fields | grep -q " 0 1$" && { echo userns-root; return; } || true | ||
done < /proc/self/uid_map | ||
|
||
[ "$(cat /proc/self/uid_map)" = "$(cat /proc/1/uid_map)" ] && \ | ||
{ echo userns-root; return; } | ||
echo yes | ||
} | ||
|
||
# get entrypoint from oci image. Use sh if unspecified | ||
# TODO - we can get other things like resource limits here | ||
getep() { | ||
basedir="$1" | ||
q="$2" | ||
|
||
|
||
digest=`cat "${basedir}/index.json" | jq --arg q "$q" '.manifests[] | if .annotations."org.opencontainers.image.ref.name" == $q then .digest else null end' | sed -e 's/"//g'` | ||
if [ -z "${digest}" ]; then | ||
echo "$q not found in index.json" >&2 | ||
echo "/bin/sh" | ||
return | ||
fi | ||
|
||
# Ok we have the image config digest, now get the config from that, | ||
d=${digest:7} | ||
cdigest=`cat "${basedir}/blobs/sha256/${d}" | jq '.config.digest' | sed -e 's/"//g'` | ||
if [ -z "${cdigest}" ]; then | ||
echo "container config not found" >&2 | ||
echo "/bin/sh" | ||
return | ||
fi | ||
|
||
d2=${cdigest:7} | ||
ep=`cat "${basedir}/blobs/sha256/${d2}" | jq -c '.config.Entrypoint' | sed -e 's/^\[//; s/\]$//; s/","/" "/'` | ||
cmd=`cat "${basedir}/blobs/sha256/${d2}" | jq -c '.config.Cmd' | sed -e 's/^\[//; s/\]$//; s/","/" "/'` | ||
if [ "${ep}" = "null" ]; then | ||
ep="${cmd}" | ||
if [ "${ep}" = "null" ]; then | ||
ep="/bin/sh" | ||
fi | ||
elif [ "${cmd}" != "null" ]; then | ||
ep="${ep} ${cmd}" | ||
fi | ||
|
||
if [ -z "${ep}" ]; then | ||
echo "/bin/sh" | ||
return | ||
fi | ||
echo "${ep}" | ||
return | ||
} | ||
|
||
usage() { | ||
cat <<EOF | ||
LXC container template for OCI images | ||
Special arguments: | ||
[ -h | --help ]: Print this help message and exit. | ||
Required arguments: | ||
[ -u | --url <url> ]: The OCI image URL | ||
LXC internal arguments (do not pass manually!): | ||
[ --name <name> ]: The container name | ||
[ --path <path> ]: The path to the container | ||
[ --rootfs <rootfs> ]: The path to the container's rootfs | ||
[ --mapped-uid <map> ]: A uid map (user namespaces) | ||
[ --mapped-gid <map> ]: A gid map (user namespaces) | ||
EOF | ||
return 0 | ||
} | ||
|
||
options=$(getopt -o u:h -l help,name:,path:,\ | ||
rootfs:,mapped-uid:,mapped-gid: -- "$@") | ||
|
||
if [ $? -ne 0 ]; then | ||
usage | ||
exit 1 | ||
fi | ||
eval set -- "$options" | ||
|
||
OCI_URL="" | ||
LXC_MAPPED_GID= | ||
LXC_MAPPED_UID= | ||
LXC_NAME= | ||
LXC_PATH= | ||
LXC_ROOTFS= | ||
|
||
while :; do | ||
case "$1" in | ||
-h|--help) usage && exit 1;; | ||
-u|--url) OCI_URL=$2; shift 2;; | ||
--name) LXC_NAME=$2; shift 2;; | ||
--path) LXC_PATH=$2; shift 2;; | ||
--rootfs) LXC_ROOTFS=$2; shift 2;; | ||
--mapped-uid) LXC_MAPPED_UID=$2; shift 2;; | ||
--mapped-gid) LXC_MAPPED_GID=$2; shift 2;; | ||
*) break;; | ||
esac | ||
done | ||
|
||
# Check that we have all variables we need | ||
if [ -z "$LXC_NAME" ] || [ -z "$LXC_PATH" ] || [ -z "$LXC_ROOTFS" ]; then | ||
echo "ERROR: Not running through LXC." 1>&2 | ||
exit 1 | ||
fi | ||
|
||
if [ -z "$OCI_URL" ]; then | ||
echo "ERROR: no OCI URL given" | ||
exit 1 | ||
fi | ||
|
||
USERNS=$(in_userns) | ||
|
||
if [ "$USERNS" != "no" ]; then | ||
if [ "$USERNS" = "yes" ]; then | ||
if [ -z "$LXC_MAPPED_UID" ] || [ "$LXC_MAPPED_UID" = "-1" ]; then | ||
echo "ERROR: In a user namespace without a map." 1>&2 | ||
exit 1 | ||
fi | ||
DOWNLOAD_MODE="user" | ||
DOWNLOAD_TARGET="user" | ||
else | ||
DOWNLOAD_MODE="user" | ||
DOWNLOAD_TARGET="system" | ||
fi | ||
fi | ||
|
||
# Trap all exit signals | ||
trap cleanup EXIT HUP INT TERM | ||
|
||
if ! type mktemp >/dev/null 2>&1; then | ||
DOWNLOAD_TEMP=/tmp/lxc-oci.$$ | ||
mkdir -p $DOWNLOAD_TEMP | ||
else | ||
DOWNLOAD_TEMP=$(mktemp -d) | ||
fi | ||
|
||
# Download the image - TODO - cache | ||
skopeo copy "${OCI_URL}" "oci:${DOWNLOAD_TEMP}:latest" | ||
|
||
# Unpack the rootfs | ||
echo "Unpacking the rootfs" | ||
|
||
umoci unpack --image "${DOWNLOAD_TEMP}:latest" "${LXC_ROOTFS}.tmp" | ||
rmdir "${LXC_ROOTFS}" | ||
mv "${LXC_ROOTFS}.tmp/rootfs" "${LXC_ROOTFS}" | ||
entrypoint=$(getep ${DOWNLOAD_TEMP} latest) | ||
rm -rf "${LXC_ROOTFS}.tmp" | ||
|
||
LXC_CONF_FILE="${LXC_PATH}/config" | ||
echo "lxc.execute.cmd = ${entrypoint}" >> "${LXC_CONF_FILE}" | ||
echo "lxc.mount.auto = proc:mixed sys:mixed cgroup:mixed" >> "${LXC_CONF_FILE}" | ||
|
||
echo "lxc.uts.name = ${LXC_NAME}" >> ${LXC_PATH}/config | ||
|
||
if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then | ||
chown $LXC_MAPPED_UID $LXC_PATH/config $LXC_PATH/fstab >/dev/null 2>&1 || true | ||
fi | ||
if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then | ||
chgrp $LXC_MAPPED_GID $LXC_PATH/config $LXC_PATH/fstab >/dev/null 2>&1 || true | ||
fi | ||
|
||
exit 0 |