Compare commits
5 commits
unprivileg
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
|
40c7fda267 | ||
|
|
2802008032 | ||
|
|
552f378613 | ||
|
|
00a4664d73 | ||
|
|
cb8b3e3df2 |
21 changed files with 268 additions and 189 deletions
14
Makefile
14
Makefile
|
|
@ -1,7 +1,7 @@
|
|||
UBUNTU_BOXES= precise quantal raring saucy trusty utopic vivid wily xenial
|
||||
DEBIAN_BOXES= squeeze wheezy jessie stretch sid
|
||||
CENTOS_BOXES= 6 7
|
||||
FEDORA_BOXES= rawhide 23 22 21 20 19
|
||||
UBUNTU_BOXES= trusty xenial
|
||||
DEBIAN_BOXES= jessie stretch sid
|
||||
CENTOS_BOXES= 7
|
||||
FEDORA_BOXES= 27
|
||||
TODAY=$(shell date -u +"%Y-%m-%d")
|
||||
|
||||
# Replace i686 with i386 and x86_64 with amd64
|
||||
|
|
@ -46,11 +46,15 @@ $(FEDORA_BOXES):
|
|||
@sudo chmod +rw $(PACKAGE)
|
||||
@sudo chown ${USER}: $(PACKAGE)
|
||||
|
||||
.PHONY: gentoo
|
||||
gentoo:
|
||||
@sudo -E ./mk-gentoo.sh
|
||||
|
||||
acceptance: CONTAINER = "vagrant-base-acceptance-$(ARCH)"
|
||||
acceptance: PACKAGE = "output/${TODAY}/vagrant-lxc-acceptance-$(ARCH).box"
|
||||
acceptance:
|
||||
@mkdir -p $$(dirname $(PACKAGE))
|
||||
@PUPPET=1 CHEF=1 sudo -E ./mk-debian.sh ubuntu precise $(ARCH) $(CONTAINER) $(PACKAGE)
|
||||
@PUPPET=1 CHEF=1 sudo -E ./mk-debian.sh ubuntu xenial $(ARCH) $(CONTAINER) $(PACKAGE)
|
||||
@sudo chmod +rw $(PACKAGE)
|
||||
@sudo chown ${USER}: $(PACKAGE)
|
||||
|
||||
|
|
|
|||
65
README.md
65
README.md
|
|
@ -1,37 +1,29 @@
|
|||
# vagrant-lxc base boxes
|
||||
|
||||
This repository contains a set of scripts for creating base boxes for usage with
|
||||
[vagrant-lxc](https://github.com/fgrehm/vagrant-lxc) 1.0+.
|
||||
[vagrant-lxc](https://github.com/fgrehm/vagrant-lxc) 1.4+.
|
||||
|
||||
## What distros / versions can I build with this?
|
||||
|
||||
* Ubuntu
|
||||
- Precise 12.04 x86_64
|
||||
- Quantal 12.10 x86_64
|
||||
- Raring 13.04 x86_64
|
||||
- Saucy 13.10 x86_64
|
||||
- Trusty 14.04 x86_64
|
||||
- Utopic 14.10 x86_64
|
||||
- Vivid 15.04 x86_64
|
||||
- Wily 15.10 x86_64
|
||||
- Xenial 16.04 x86_64
|
||||
* Debian
|
||||
- Squeeze x86_64
|
||||
- Wheezy x86_64
|
||||
- Jessie x86_64
|
||||
- Stretch x86_64
|
||||
- Sid x86_64
|
||||
* Fedora
|
||||
- 19 x86_64
|
||||
- 20 x86_64
|
||||
- 21 x86_64
|
||||
- 22 x86_64
|
||||
- 23 x86_64
|
||||
- rawhide x86_64
|
||||
* CentOS
|
||||
- 6 x86_64
|
||||
- 7 x86_64
|
||||
|
||||
## Status
|
||||
|
||||
This is a fork of `obnoxxx/vagrant-lxc-base-boxes` which itself was a fork for
|
||||
`fgrehm/vagrant-lxc-base-boxes`. The goal is to make LXC box generation work for LXC 3.0+. The
|
||||
repo is not in top shape, but it works `make stretch` (which is what I use myself).
|
||||
|
||||
It should be easy enough for you to add support for distros you use (PR welcome).
|
||||
|
||||
## Building the boxes
|
||||
|
||||
_In order to build the boxes you need to have the `lxc-download`
|
||||
|
|
@ -40,58 +32,43 @@ create one based on [this](https://github.com/lxc/lxc/blob/master/templates/lxc-
|
|||
and drop it on your lxc templates path (usually `/usr/share/lxc/templates`)._
|
||||
|
||||
```sh
|
||||
git clone https://github.com/obnoxxx/vagrant-lxc-base-boxes.git
|
||||
git clone https://github.com/hsoft/vagrant-lxc-base-boxes.git
|
||||
cd vagrant-lxc-base-boxes
|
||||
make precise
|
||||
make stretch
|
||||
```
|
||||
|
||||
By default no provisioning tools will be included but you can pick the ones
|
||||
you want by providing some environmental variables. For example:
|
||||
|
||||
```sh
|
||||
ANSIBLE=1 PUPPET=1 CHEF=1 SALT=1 BABUSHKA=1 \
|
||||
make precise
|
||||
ANSIBLE=1 PUPPET=1 CHEF=1 \
|
||||
make stretch
|
||||
```
|
||||
|
||||
Will build a Ubuntu Precise x86_64 box with latest Ansible, Puppet, Chef, Salt and
|
||||
Babushka pre-installed.
|
||||
Will build a Debian Stretch x86_64 box with latest Ansible, Puppet and Chef pre-installed.
|
||||
|
||||
When using ANSIBLE=1, an optional ANSIBLE_VERSION parameter may be passed that will specify which version of ansible to install. By default it will install the latest Ansible.
|
||||
When using ANSIBLE=1, an optional ANSIBLE_VERSION parameter may be passed that
|
||||
will specify which version of ansible to install. By default it will install
|
||||
the latest Ansible.
|
||||
|
||||
Additional packages to be installed can be specified with the ADDPACKAGES variable:
|
||||
|
||||
```sh
|
||||
ADDPACKAGES="aptitude htop" \
|
||||
make trusty
|
||||
make xenial
|
||||
```
|
||||
|
||||
Will build a Ubuntu Trusty x86_64 box with aptitude and htop as additional
|
||||
Will build a Ubuntu Xenial x86_64 box with aptitude and htop as additional
|
||||
packages pre-installed. You can also specify the packages in a file
|
||||
trusty_packages.
|
||||
xenial_packages.
|
||||
|
||||
Note: ADDPACKAGES is currently only implemented for flavors of debian.
|
||||
|
||||
## Pre built base boxes
|
||||
|
||||
_**NOTE:** None of the base boxes below have a provisioner pre-installed_
|
||||
|
||||
| Distribution | VagrantCloud box |
|
||||
| ------------ | ---------------- |
|
||||
| Ubuntu Precise 12.04 x86_64 | [fgrehm/precise64-lxc](https://vagrantcloud.com/fgrehm/precise64-lxc) |
|
||||
| Ubuntu Trusty 14.04 x86_64 | [fgrehm/trusty64-lxc](https://vagrantcloud.com/fgrehm/trusty64-lxc) |
|
||||
| Debian Wheezy 7 x86_64 | [fgrehm/wheezy64-lxc](https://vagrantcloud.com/fgrehm/wheezy64-lxc) |
|
||||
| Debian Jessie 8 x86_64 | [glenux/jessie64-lxc](https://atlas.hashicorp.com/glenux/boxes/jessie64-lxc) |
|
||||
| CentOS 6 x86_64 | [fgrehm/centos-6-64-lxc](https://vagrantcloud.com/fgrehm/centos-6-64-lxc) |
|
||||
|
||||
There are no pre-built base boxes for this repo. You have to build them yourself.
|
||||
|
||||
## What makes up for a vagrant-lxc base box?
|
||||
|
||||
See [vagrant-lxc/BOXES.md](https://github.com/fgrehm/vagrant-lxc/blob/master/BOXES.md)
|
||||
|
||||
|
||||
## Known issues
|
||||
|
||||
* We can't get the NFS client to be installed on the containers used for building
|
||||
Ubuntu 13.04 / 13.10 / 14.04 base boxes.
|
||||
* Puppet can't be installed on Debian Sid
|
||||
* Salt can't be installed on Ubuntu 13.04
|
||||
|
|
|
|||
|
|
@ -26,34 +26,15 @@ fi
|
|||
|
||||
# If we got to this point, we need to create the container
|
||||
log "Creating container..."
|
||||
if [ $RELEASE = 'raring' ] || [ $RELEASE = 'wily' ] || [ $RELEASE = 'xenial' ]; then
|
||||
utils.lxc.create -t ubuntu -- \
|
||||
--release ${RELEASE} \
|
||||
--arch ${ARCH}
|
||||
elif [ $RELEASE = 'squeeze' ] || [ $RELEASE = 'wheezy' ]; then
|
||||
utils.lxc.create -t debian -- \
|
||||
--release ${RELEASE} \
|
||||
--arch ${ARCH}
|
||||
elif [ ${DISTRIBUTION} = 'fedora' ] && [ "${RELEASE}" = 'rawhide' ]; then
|
||||
ARCH=$(echo ${ARCH} | sed -e "s/38/68/" | sed -e "s/amd64/x86_64/")
|
||||
utils.lxc.create -t fedora --\
|
||||
--release ${RELEASE} \
|
||||
--arch ${ARCH}
|
||||
elif [ ${DISTRIBUTION} = 'fedora' ] && [ ${RELEASE} -ge 21 ]; then
|
||||
ARCH=$(echo ${ARCH} | sed -e "s/38/68/" | sed -e "s/amd64/x86_64/")
|
||||
utils.lxc.create -t fedora --\
|
||||
--release ${RELEASE} \
|
||||
--arch ${ARCH}
|
||||
else
|
||||
|
||||
utils.lxc.create -t download -- \
|
||||
--dist ${DISTRIBUTION} \
|
||||
--release ${RELEASE} \
|
||||
--arch ${ARCH}
|
||||
fi
|
||||
|
||||
if [ ${DISTRIBUTION} = 'fedora' ] ||\
|
||||
[ ${DISTRIBUTION} = 'ubuntu' -a ${RELEASE} = 'wily' ] ||\
|
||||
[ ${DISTRIBUTION} = 'debian' -a ${RELEASE} = 'jessie' ] ||\
|
||||
[ ${DISTRIBUTION} = 'debian' -a ${RELEASE} = 'stretch' ]
|
||||
[ ${DISTRIBUTION} = 'ubuntu' ] ||\
|
||||
[ ${DISTRIBUTION} = 'debian' ]
|
||||
then
|
||||
# Improve systemd support:
|
||||
# - The fedora template does it but the fedora images from the download
|
||||
|
|
@ -63,7 +44,6 @@ then
|
|||
utils.lxc.stop
|
||||
echo >> /var/lib/lxc/${CONTAINER}/config
|
||||
echo "# settings for systemd with PID 1:" >> /var/lib/lxc/${CONTAINER}/config
|
||||
echo "lxc.kmsg = 0" >> /var/lib/lxc/${CONTAINER}/config
|
||||
echo "lxc.autodev = 1" >> /var/lib/lxc/${CONTAINER}/config
|
||||
utils.lxc.start
|
||||
utils.lxc.attach rm -f /dev/kmsg
|
||||
|
|
|
|||
|
|
@ -3,6 +3,13 @@ set -e
|
|||
|
||||
source common/ui.sh
|
||||
|
||||
ROOTFS="/var/lib/lxc/${CONTAINER}/rootfs"
|
||||
WORKING_DIR="/tmp/${CONTAINER}"
|
||||
|
||||
debug "Creating ${WORKING_DIR}"
|
||||
mkdir -p ${WORKING_DIR}
|
||||
mkdir -p $(dirname ${PACKAGE})
|
||||
|
||||
# TODO: Create file with build date / time on container
|
||||
|
||||
info "Packaging '${CONTAINER}' to '${PACKAGE}'..."
|
||||
|
|
@ -16,10 +23,10 @@ if [ -f ${WORKING_DIR}/rootfs.tar.gz ]; then
|
|||
fi
|
||||
|
||||
log "Compressing container's rootfs"
|
||||
pushd $(dirname ${ROOTFS}) &>>${LOG}
|
||||
pushd $(dirname ${ROOTFS})
|
||||
tar --numeric-owner --anchored --exclude=./rootfs/dev/log -czf \
|
||||
${WORKING_DIR}/rootfs.tar.gz ./rootfs/*
|
||||
popd &>>${LOG}
|
||||
popd
|
||||
|
||||
# Prepare package contents
|
||||
log 'Preparing box package contents'
|
||||
|
|
@ -35,3 +42,6 @@ sed -i "s/<TODAY>/${NOW}/" ${WORKING_DIR}/metadata.json
|
|||
log 'Packaging box'
|
||||
TARBALL=$(readlink -f ${PACKAGE})
|
||||
(cd ${WORKING_DIR} && tar -czf $TARBALL ./*)
|
||||
|
||||
chmod +rw ${PACKAGE}
|
||||
chown ${USER}: ${PACKAGE}
|
||||
|
|
|
|||
|
|
@ -3,7 +3,8 @@ set -e
|
|||
|
||||
source common/ui.sh
|
||||
|
||||
export VAGRANT_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"
|
||||
ROOTFS="/var/lib/lxc/${CONTAINER}/rootfs"
|
||||
VAGRANT_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key"
|
||||
|
||||
info "Preparing vagrant user..."
|
||||
|
||||
|
|
@ -13,13 +14,13 @@ if $(grep -q 'vagrant' ${ROOTFS}/etc/shadow); then
|
|||
elif $(grep -q 'ubuntu' ${ROOTFS}/etc/shadow); then
|
||||
debug 'vagrant user does not exist, renaming ubuntu user...'
|
||||
mv ${ROOTFS}/home/{ubuntu,vagrant}
|
||||
chroot ${ROOTFS} usermod -l vagrant -d /home/vagrant ubuntu &>> ${LOG}
|
||||
chroot ${ROOTFS} groupmod -n vagrant ubuntu &>> ${LOG}
|
||||
chroot ${ROOTFS} usermod -l vagrant -d /home/vagrant ubuntu
|
||||
chroot ${ROOTFS} groupmod -n vagrant ubuntu
|
||||
echo -n 'vagrant:vagrant' | chroot ${ROOTFS} chpasswd
|
||||
log 'Renamed ubuntu user to vagrant and changed password.'
|
||||
elif [ ${DISTRIBUTION} = 'centos' -o ${DISTRIBUTION} = 'fedora' ]; then
|
||||
debug 'Creating vagrant user...'
|
||||
chroot ${ROOTFS} useradd --create-home -s /bin/bash -u 1000 vagrant &>> ${LOG}
|
||||
chroot ${ROOTFS} useradd --create-home -s /bin/bash -u 1000 vagrant
|
||||
echo -n 'vagrant:vagrant' | chroot ${ROOTFS} chpasswd
|
||||
sed -i 's/^Defaults\s\+requiretty/# Defaults requiretty/' $ROOTFS/etc/sudoers
|
||||
if [ ${RELEASE} -eq 6 ]; then
|
||||
|
|
@ -30,13 +31,12 @@ elif [ ${DISTRIBUTION} = 'centos' -o ${DISTRIBUTION} = 'fedora' ]; then
|
|||
fi
|
||||
else
|
||||
debug 'Creating vagrant user...'
|
||||
chroot ${ROOTFS} useradd --create-home -s /bin/bash vagrant &>> ${LOG}
|
||||
chroot ${ROOTFS} adduser vagrant sudo &>> ${LOG}
|
||||
chroot ${ROOTFS} useradd --create-home -s /bin/bash vagrant
|
||||
echo -n 'vagrant:vagrant' | chroot ${ROOTFS} chpasswd
|
||||
fi
|
||||
|
||||
# Configure SSH access
|
||||
if [ -d ${ROOTFS}/home/vagrant/.ssh ]; then
|
||||
if [ -d ${ROOTFS}/home/vagrant/.ssh/authorized_keys ]; then
|
||||
log 'Skipping vagrant SSH credentials configuration'
|
||||
else
|
||||
debug 'SSH key has not been set'
|
||||
|
|
|
|||
|
|
@ -7,19 +7,16 @@ export WARN_COLOR='\033[33;01m'
|
|||
|
||||
log() {
|
||||
LOG_PREFIX="${DISTRIBUTION}-${RELEASE}"
|
||||
echo " [${LOG_PREFIX}] ${1}" >>${LOG}
|
||||
echo " [${LOG_PREFIX}] ${1}" >&2
|
||||
echo " [${LOG_PREFIX}] ${1}"
|
||||
}
|
||||
|
||||
warn() {
|
||||
LOG_PREFIX="${DISTRIBUTION}-${RELEASE}"
|
||||
echo "==> [${LOG_PREFIX}] [WARN] ${1}" >>${LOG}
|
||||
echo -e "${WARN_COLOR}==> [${LOG_PREFIX}] ${1}${NO_COLOR}"
|
||||
}
|
||||
|
||||
info() {
|
||||
LOG_PREFIX="${DISTRIBUTION}-${RELEASE}"
|
||||
echo "==> [${LOG_PREFIX}] [INFO] ${1}" >>${LOG}
|
||||
echo -e "${OK_COLOR}==> [${LOG_PREFIX}] ${1}${NO_COLOR}"
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3,21 +3,31 @@
|
|||
utils.lxc.attach() {
|
||||
cmd="$@"
|
||||
log "Running [${cmd}] inside '${CONTAINER}' container..."
|
||||
(lxc-attach -n ${CONTAINER} -- $cmd) &>> ${LOG}
|
||||
lxc-attach -n ${CONTAINER} -- $cmd
|
||||
}
|
||||
|
||||
utils.lxc.pipetofile() {
|
||||
lxc-attach -n ${CONTAINER} -- /bin/bash -c "tee $1 > /dev/null"
|
||||
}
|
||||
|
||||
utils.lxc.runscript() {
|
||||
log "Running $1 inside '${CONTAINER}'..."
|
||||
cat $1 | utils.lxc.pipetofile /script.sh
|
||||
utils.lxc.attach /bin/bash /script.sh
|
||||
}
|
||||
|
||||
utils.lxc.start() {
|
||||
lxc-start -d -n ${CONTAINER} &>> ${LOG} || true
|
||||
lxc-start -d -n ${CONTAINER} || true
|
||||
}
|
||||
|
||||
utils.lxc.stop() {
|
||||
lxc-stop -n ${CONTAINER} &>> ${LOG} || true
|
||||
lxc-stop -n ${CONTAINER} || true
|
||||
}
|
||||
|
||||
utils.lxc.destroy() {
|
||||
lxc-destroy -n ${CONTAINER} &>> ${LOG}
|
||||
lxc-destroy -n ${CONTAINER}
|
||||
}
|
||||
|
||||
utils.lxc.create() {
|
||||
lxc-create -n ${CONTAINER} "$@" &>> ${LOG}
|
||||
lxc-create -n ${CONTAINER} "$@"
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,9 +1,9 @@
|
|||
# Taken from the oracle.common.conf.in
|
||||
# Console settings
|
||||
|
||||
lxc.devttydir = lxc
|
||||
lxc.tty = 4
|
||||
lxc.pts = 1024
|
||||
lxc.tty.dir = lxc
|
||||
lxc.tty.max = 4
|
||||
lxc.pty.max = 1024
|
||||
|
||||
# Mount entries
|
||||
lxc.mount.auto = proc:mixed sys:ro
|
||||
|
|
@ -54,4 +54,4 @@ lxc.cgroup.devices.allow = c 10:200 rwm # /dev/net/tun
|
|||
|
||||
# Blacklist some syscalls which are not safe in privileged
|
||||
# containers
|
||||
lxc.seccomp = /usr/share/lxc/config/common.seccomp
|
||||
lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp
|
||||
|
|
|
|||
12
conf/debian
12
conf/debian
|
|
@ -1,36 +1,34 @@
|
|||
# Default pivot location
|
||||
lxc.pivotdir = lxc_putold
|
||||
|
||||
# Default mount entries
|
||||
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
|
||||
lxc.mount.entry = sysfs sys sysfs defaults 0 0
|
||||
|
||||
# Default console settings
|
||||
lxc.tty = 4
|
||||
lxc.pts = 1024
|
||||
lxc.tty.max = 4
|
||||
lxc.pty.max = 1024
|
||||
|
||||
# Default capabilities
|
||||
lxc.cap.drop = sys_module mac_admin mac_override sys_time
|
||||
|
||||
# Prevent systemd-journald from burning 100% of CPU
|
||||
# See https://wiki.debian.org/LXC#Incompatibility_with_systemd
|
||||
lxc.kmsg = 0
|
||||
lxc.autodev = 1
|
||||
|
||||
# When using LXC with apparmor, the container will be confined by default.
|
||||
# If you wish for it to instead run unconfined, copy the following line
|
||||
# (uncommented) to the container's configuration file.
|
||||
#lxc.aa_profile = unconfined
|
||||
#lxc.apparmor.profile = unconfined
|
||||
|
||||
# To support container nesting on an Ubuntu host while retaining most of
|
||||
# apparmor's added security, use the following two lines instead.
|
||||
#lxc.aa_profile = lxc-container-default-with-nesting
|
||||
#lxc.apparmor.profile = lxc-container-default-with-nesting
|
||||
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
|
||||
|
||||
# If you wish to allow mounting block filesystems, then use the following
|
||||
# line instead, and make sure to grant access to the block device and/or loop
|
||||
# devices below in lxc.cgroup.devices.allow.
|
||||
#lxc.aa_profile = lxc-container-default-with-mounting
|
||||
#lxc.apparmor.profile = lxc-container-default-with-mounting
|
||||
|
||||
# Default cgroup limits
|
||||
lxc.cgroup.devices.deny = a
|
||||
|
|
|
|||
|
|
@ -1,17 +1,15 @@
|
|||
# support systemd as PID 1
|
||||
lxc.autodev = 1
|
||||
lxc.kmsg = 0
|
||||
|
||||
# Default pivot location
|
||||
lxc.pivotdir = lxc_putold
|
||||
|
||||
# Default mount entries
|
||||
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
|
||||
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
|
||||
|
||||
# Default console settings
|
||||
lxc.tty = 4
|
||||
lxc.pts = 1024
|
||||
lxc.tty.max = 4
|
||||
lxc.pty.max = 1024
|
||||
|
||||
# Default capabilities
|
||||
lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio
|
||||
|
|
@ -19,17 +17,17 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio
|
|||
# When using LXC with apparmor, the container will be confined by default.
|
||||
# If you wish for it to instead run unconfined, copy the following line
|
||||
# (uncommented) to the container's configuration file.
|
||||
#lxc.aa_profile = unconfined
|
||||
#lxc.apparmor.profile = unconfined
|
||||
|
||||
# To support container nesting on an Ubuntu host while retaining most of
|
||||
# apparmor's added security, use the following two lines instead.
|
||||
#lxc.aa_profile = lxc-container-default-with-nesting
|
||||
#lxc.apparmor.profile = lxc-container-default-with-nesting
|
||||
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
|
||||
|
||||
# If you wish to allow mounting block filesystems, then use the following
|
||||
# line instead, and make sure to grant access to the block device and/or loop
|
||||
# devices below in lxc.cgroup.devices.allow.
|
||||
#lxc.aa_profile = lxc-container-default-with-mounting
|
||||
#lxc.apparmor.profile = lxc-container-default-with-mounting
|
||||
|
||||
# Default cgroup limits
|
||||
lxc.cgroup.devices.deny = a
|
||||
|
|
|
|||
|
|
@ -1 +0,0 @@
|
|||
debian-jessie
|
||||
63
conf/debian-stretch
Normal file
63
conf/debian-stretch
Normal file
|
|
@ -0,0 +1,63 @@
|
|||
# support systemd as PID 1
|
||||
lxc.autodev = 1
|
||||
|
||||
# Default pivot location
|
||||
|
||||
# Default mount entries
|
||||
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
|
||||
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
|
||||
|
||||
# Default console settings
|
||||
lxc.tty.max = 4
|
||||
lxc.pty.max = 1024
|
||||
|
||||
# Default capabilities
|
||||
lxc.cap.drop = sys_module mac_admin mac_override sys_time sys_rawio
|
||||
|
||||
# When using LXC with apparmor, the container will be confined by default.
|
||||
# If you wish for it to instead run unconfined, copy the following line
|
||||
# (uncommented) to the container's configuration file.
|
||||
#lxc.apparmor.profile = unconfined
|
||||
|
||||
# To support container nesting on an Ubuntu host while retaining most of
|
||||
# apparmor's added security, use the following two lines instead.
|
||||
#lxc.apparmor.profile = lxc-container-default-with-nesting
|
||||
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
|
||||
|
||||
# If you wish to allow mounting block filesystems, then use the following
|
||||
# line instead, and make sure to grant access to the block device and/or loop
|
||||
# devices below in lxc.cgroup.devices.allow.
|
||||
#lxc.apparmor.profile = lxc-container-default-with-mounting
|
||||
|
||||
# Default cgroup limits
|
||||
lxc.cgroup.devices.deny = a
|
||||
## Allow any mknod (but not using the node)
|
||||
lxc.cgroup.devices.allow = c *:* m
|
||||
lxc.cgroup.devices.allow = b *:* m
|
||||
## /dev/null and zero
|
||||
lxc.cgroup.devices.allow = c 1:3 rwm
|
||||
lxc.cgroup.devices.allow = c 1:5 rwm
|
||||
## consoles
|
||||
lxc.cgroup.devices.allow = c 5:0 rwm
|
||||
lxc.cgroup.devices.allow = c 5:1 rwm
|
||||
## /dev/{,u}random
|
||||
lxc.cgroup.devices.allow = c 1:8 rwm
|
||||
lxc.cgroup.devices.allow = c 1:9 rwm
|
||||
## /dev/pts/*
|
||||
lxc.cgroup.devices.allow = c 5:2 rwm
|
||||
lxc.cgroup.devices.allow = c 136:* rwm
|
||||
## rtc
|
||||
lxc.cgroup.devices.allow = c 254:0 rm
|
||||
## fuse
|
||||
lxc.cgroup.devices.allow = c 10:229 rwm
|
||||
## tun
|
||||
lxc.cgroup.devices.allow = c 10:200 rwm
|
||||
## full
|
||||
lxc.cgroup.devices.allow = c 1:7 rwm
|
||||
## hpet
|
||||
lxc.cgroup.devices.allow = c 10:228 rwm
|
||||
## kvm
|
||||
lxc.cgroup.devices.allow = c 10:232 rwm
|
||||
## To use loop devices, copy the following line to the container's
|
||||
## configuration file (uncommented).
|
||||
#lxc.cgroup.devices.allow = b 7:* rwm
|
||||
|
|
@ -1,13 +1,12 @@
|
|||
# work better with systemd:
|
||||
lxc.autodev = 1
|
||||
lxc.kmsg = 0
|
||||
|
||||
# Taken from the oracle.common.conf.in
|
||||
# Console settings
|
||||
|
||||
lxc.devttydir = lxc
|
||||
lxc.tty = 4
|
||||
lxc.pts = 1024
|
||||
lxc.tty.dir = lxc
|
||||
lxc.tty.max = 4
|
||||
lxc.pty.max = 1024
|
||||
|
||||
# Mount entries
|
||||
lxc.mount.auto = proc:mixed sys:ro
|
||||
|
|
@ -66,4 +65,4 @@ lxc.cgroup.devices.allow = c 5:2 rwm
|
|||
|
||||
# Blacklist some syscalls which are not safe in privileged
|
||||
# containers
|
||||
lxc.seccomp = /usr/share/lxc/config/common.seccomp
|
||||
lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp
|
||||
|
|
|
|||
5
conf/gentoo
Normal file
5
conf/gentoo
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
|
||||
|
||||
# Default console settings
|
||||
lxc.tty.max = 4
|
||||
lxc.pty.max = 1024
|
||||
13
conf/ubuntu
13
conf/ubuntu
|
|
@ -1,14 +1,13 @@
|
|||
# Default pivot location
|
||||
lxc.pivotdir = lxc_putold
|
||||
|
||||
# Default mount entries
|
||||
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
|
||||
lxc.mount.entry = sysfs sys sysfs defaults 0 0
|
||||
|
||||
# Default console settings
|
||||
lxc.devttydir = lxc
|
||||
lxc.tty = 4
|
||||
lxc.pts = 1024
|
||||
lxc.tty.dir = lxc
|
||||
lxc.tty.max = 4
|
||||
lxc.pty.max = 1024
|
||||
|
||||
# Default capabilities
|
||||
lxc.cap.drop = sys_module mac_admin mac_override sys_time
|
||||
|
|
@ -16,11 +15,11 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
|
|||
# When using LXC with apparmor, the container will be confined by default.
|
||||
# If you wish for it to instead run unconfined, copy the following line
|
||||
# (uncommented) to the container's configuration file.
|
||||
#lxc.aa_profile = unconfined
|
||||
#lxc.apparmor.profile = unconfined
|
||||
|
||||
# To support container nesting on an Ubuntu host while retaining most of
|
||||
# apparmor's added security, use the following two lines instead.
|
||||
#lxc.aa_profile = lxc-container-default-with-nesting
|
||||
#lxc.apparmor.profile = lxc-container-default-with-nesting
|
||||
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups
|
||||
|
||||
# Uncomment the following line to autodetect squid-deb-proxy configuration on the
|
||||
|
|
@ -30,7 +29,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
|
|||
# If you wish to allow mounting block filesystems, then use the following
|
||||
# line instead, and make sure to grant access to the block device and/or loop
|
||||
# devices below in lxc.cgroup.devices.allow.
|
||||
#lxc.aa_profile = lxc-container-default-with-mounting
|
||||
#lxc.apparmor.profile = lxc-container-default-with-mounting
|
||||
|
||||
# Default cgroup limits
|
||||
lxc.cgroup.devices.deny = a
|
||||
|
|
|
|||
|
|
@ -6,5 +6,4 @@
|
|||
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
|
||||
|
||||
# settings for systemd with PID 1:
|
||||
lxc.kmsg = 0
|
||||
lxc.autodev = 1
|
||||
|
|
|
|||
|
|
@ -6,8 +6,7 @@
|
|||
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
|
||||
|
||||
# settings for systemd with PID 1:
|
||||
lxc.kmsg = 0
|
||||
lxc.autodev = 1
|
||||
# allow unconfined and incomplete
|
||||
lxc.aa_profile = unconfined
|
||||
lxc.aa_allow_incomplete = 1
|
||||
lxc.apparmor.profile = unconfined
|
||||
lxc.apparmor.allow_incomplete = 1
|
||||
|
|
|
|||
62
debian/install-extras.sh
vendored
62
debian/install-extras.sh
vendored
|
|
@ -50,7 +50,7 @@ if [ $ANSIBLE = 1 ]; then
|
|||
else
|
||||
info "Installing Ansible"
|
||||
cp debian/install-ansible.sh ${ROOTFS}/tmp/ && chmod +x ${ROOTFS}/tmp/install-ansible.sh
|
||||
utils.lxc.attach /tmp/install-ansible.sh &>>${LOG}
|
||||
utils.lxc.attach /tmp/install-ansible.sh
|
||||
fi
|
||||
else
|
||||
log "Skipping Ansible installation"
|
||||
|
|
@ -79,8 +79,6 @@ if [ $PUPPET = 1 ]; then
|
|||
warn "Puppet can't be installed on Debian sid, skipping"
|
||||
else
|
||||
log "Installing Puppet"
|
||||
wget http://apt.puppetlabs.com/puppetlabs-release-${RELEASE}.deb -O "${ROOTFS}/tmp/puppetlabs-release-stable.deb" &>>${LOG}
|
||||
utils.lxc.attach dpkg -i "/tmp/puppetlabs-release-stable.deb"
|
||||
utils.lxc.attach apt-get update
|
||||
utils.lxc.attach apt-get install puppet -y --force-yes
|
||||
fi
|
||||
|
|
@ -91,68 +89,10 @@ fi
|
|||
if [ $SALT = 1 ]; then
|
||||
if $(lxc-attach -n ${CONTAINER} -- which salt-minion &>/dev/null); then
|
||||
log "Salt has been installed on container, skipping"
|
||||
elif [ ${RELEASE} = 'raring' ]; then
|
||||
warn "Salt can't be installed on Ubuntu Raring 13.04, skipping"
|
||||
else
|
||||
if [ $DISTRIBUTION = 'ubuntu' ]; then
|
||||
if [ $RELEASE = 'precise' ] || [ $RELEASE = 'trusty' ] || [ $RELEASE = 'xenial' ] ; then
|
||||
# For LTS releases we use packages from repo.saltstack.com
|
||||
if [ $RELEASE = 'precise' ]; then
|
||||
SALT_SOURCE_1="deb http://repo.saltstack.com/apt/ubuntu/12.04/amd64/latest precise main"
|
||||
SALT_GPG_KEY="https://repo.saltstack.com/apt/ubuntu/12.04/amd64/latest/SALTSTACK-GPG-KEY.pub"
|
||||
elif [ $RELEASE = 'trusty' ]; then
|
||||
SALT_SOURCE_1="deb http://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest trusty main"
|
||||
SALT_GPG_KEY="https://repo.saltstack.com/apt/ubuntu/14.04/amd64/latest/SALTSTACK-GPG-KEY.pub"
|
||||
elif [ $RELEASE = 'xenial' ]; then
|
||||
SALT_SOURCE_1="deb http://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest xenial main"
|
||||
SALT_GPG_KEY="https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub"
|
||||
fi
|
||||
echo $SALT_SOURCE_1 > ${ROOTFS}/etc/apt/sources.list.d/saltstack.list
|
||||
|
||||
utils.lxc.attach wget -q -O /tmp/salt.key $SALT_GPG_KEY
|
||||
utils.lxc.attach apt-key add /tmp/salt.key
|
||||
elif [ $RELEASE = 'quantal' ] || [ $RELEASE = 'saucy' ] ; then
|
||||
utils.lxc.attach add-apt-repository -y ppa:saltstack/salt
|
||||
fi
|
||||
# For Utopic, Vivid and Wily releases use system packages
|
||||
else # DEBIAN
|
||||
if [ $RELEASE == "squeeze" ]; then
|
||||
SALT_SOURCE_1="deb http://debian.saltstack.com/debian squeeze-saltstack main"
|
||||
SALT_SOURCE_2="deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free"
|
||||
elif [ $RELEASE == "wheezy" ]; then
|
||||
SALT_SOURCE_1="deb http://repo.saltstack.com/apt/debian/7/amd64/latest wheezy main"
|
||||
elif [ $RELEASE == "jessie" ]; then
|
||||
SALT_SOURCE_1="deb http://repo.saltstack.com/apt/debian/8/amd64/latest jessie main"
|
||||
else
|
||||
SALT_SOURCE_1="deb http://debian.saltstack.com/debian unstable main"
|
||||
fi
|
||||
echo $SALT_SOURCE_1 > ${ROOTFS}/etc/apt/sources.list.d/saltstack.list
|
||||
echo $SALT_SOURCE_2 >> ${ROOTFS}/etc/apt/sources.list.d/saltstack.list
|
||||
|
||||
utils.lxc.attach wget -q -O /tmp/salt.key "https://repo.saltstack.com/apt/debian/8/amd64/latest/SALTSTACK-GPG-KEY.pub"
|
||||
utils.lxc.attach apt-key add /tmp/salt.key
|
||||
fi
|
||||
utils.lxc.attach apt-get update
|
||||
utils.lxc.attach apt-get install salt-minion -y --force-yes
|
||||
fi
|
||||
else
|
||||
log "Skipping Salt installation"
|
||||
fi
|
||||
|
||||
if [ $BABUSHKA = 1 ]; then
|
||||
if $(lxc-attach -n ${CONTAINER} -- which babushka &>/dev/null); then
|
||||
log "Babushka has been installed on container, skipping"
|
||||
elif [ ${RELEASE} = 'trusty' ]; then
|
||||
warn "Babushka can't be installed on Ubuntu Trusty 14.04, skipping"
|
||||
else
|
||||
log "Installing Babushka"
|
||||
cat > $ROOTFS/tmp/install-babushka.sh << EOF
|
||||
#!/bin/sh
|
||||
curl https://babushka.me/up | sudo bash
|
||||
EOF
|
||||
chmod +x $ROOTFS/tmp/install-babushka.sh
|
||||
utils.lxc.attach /tmp/install-babushka.sh
|
||||
fi
|
||||
else
|
||||
log "Skipping Babushka installation"
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -17,8 +17,8 @@ sleep $SECS
|
|||
# TODO: Support for appending to this list from outside
|
||||
PACKAGES=(vim-enhanced curl wget man-db bash-completion ca-certificates sudo openssh-server strace python-dnf dnf-plugins-core e2fsprogs net-tools bind-utils)
|
||||
|
||||
utils.lxc.attach yum update -y
|
||||
utils.lxc.attach yum install ${PACKAGES[*]} -y
|
||||
utils.lxc.attach dnf update -y
|
||||
utils.lxc.attach dnf install ${PACKAGES[*]} -y
|
||||
|
||||
|
||||
MASK_TMP=${MASK_TMP:-0}
|
||||
|
|
|
|||
14
gentoo/clean.sh
Normal file
14
gentoo/clean.sh
Normal file
|
|
@ -0,0 +1,14 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
source /etc/profile
|
||||
|
||||
echo "Cleaning up"
|
||||
|
||||
rm /script.sh
|
||||
|
||||
echo 'Removing temporary files...'
|
||||
rm -rf /tmp/*
|
||||
|
||||
echo 'cleaning up distfiles'
|
||||
rm -f /usr/portage/distfiles/*
|
||||
|
||||
41
gentoo/install-packages.sh
Executable file
41
gentoo/install-packages.sh
Executable file
|
|
@ -0,0 +1,41 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
source /etc/profile
|
||||
|
||||
echo 'Installing packages and upgrading'
|
||||
|
||||
PACKAGES=(net-misc/curl wget man-db openssh ca-certificates sudo)
|
||||
|
||||
echo "Installing additional packages: ${ADDPACKAGES}"
|
||||
PACKAGES+=" ${ADDPACKAGES}"
|
||||
|
||||
ANSIBLE=${ANSIBLE:-0}
|
||||
if [[ $ANSIBLE = 1 ]]; then
|
||||
PACKAGES+=' ansible'
|
||||
fi
|
||||
|
||||
CHEF=${CHEF:-0}
|
||||
if [[ $CHEF = 1 ]]; then
|
||||
echo "Chef installation isn't supported on Gentoo"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
PUPPET=${PUPPET:-0}
|
||||
if [[ $PUPPET = 1 ]]; then
|
||||
PACKAGES+=' puppet eix'
|
||||
fi
|
||||
|
||||
SALT=${SALT:-0}
|
||||
if [[ $SALT = 1 ]]; then
|
||||
PACKAGES+=' salt'
|
||||
fi
|
||||
|
||||
# trying to set capabilities on an unprivileged container fails.
|
||||
echo "*/* -filecaps" > /etc/portage/package.use/vagrant_overrides
|
||||
|
||||
emerge --sync
|
||||
emerge --noreplace ${PACKAGES[*]}
|
||||
emerge -uND @world
|
||||
|
||||
rc-config add sshd default
|
||||
47
mk-gentoo.sh
Executable file
47
mk-gentoo.sh
Executable file
|
|
@ -0,0 +1,47 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
source common/ui.sh
|
||||
source common/utils.sh
|
||||
|
||||
if [ "$(id -u)" != "0" ]; then
|
||||
echo "You should run this script as root (sudo)."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TODAY=$(date -u +"%Y-%m-%d")
|
||||
export DISTRIBUTION=gentoo
|
||||
export RELEASE=current
|
||||
export ARCH=$(uname -m | sed -e "s/68/38/" | sed -e "s/x86_64/amd64/")
|
||||
export CONTAINER="vagrant-base-${DISTRIBUTION}-${ARCH}"
|
||||
export PACKAGE="output/${TODAY}/${CONTAINER}.box"
|
||||
export NOW=$(date -u)
|
||||
|
||||
echo '############################################'
|
||||
echo "# Beginning build at $(date)"
|
||||
|
||||
if [ -f ${PACKAGE} ]; then
|
||||
warn "The box '${PACKAGE}' already exists, skipping..."
|
||||
echo
|
||||
exit
|
||||
fi
|
||||
|
||||
info "Building box to '${PACKAGE}'..."
|
||||
|
||||
./common/download.sh
|
||||
utils.lxc.start
|
||||
|
||||
SECS=15
|
||||
log "Sleeping for $SECS seconds..."
|
||||
sleep $SECS
|
||||
|
||||
utils.lxc.runscript gentoo/install-packages.sh
|
||||
./common/prepare-vagrant-user.sh
|
||||
utils.lxc.runscript gentoo/clean.sh
|
||||
utils.lxc.stop
|
||||
|
||||
./common/package.sh
|
||||
|
||||
info "Finished building '${PACKAGE}'!"
|
||||
log "Run \`lxc-destroy -n ${CONTAINER}\` or \`make clean\` to remove the container that was created along the way"
|
||||
echo
|
||||
Loading…
Reference in a new issue