From 6bfbe0e8d7601a027a7b30c2158529d1e48c8785 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Mon, 22 Dec 2014 18:16:45 +0100 Subject: [PATCH] Add support to set up fedora boxes. Currently only f20 and f19 are provided by the lxc-download template, not f21. --- Makefile | 13 +++++-- common/download.sh | 13 +++++++ common/prepare-vagrant-user.sh | 2 +- conf/fedora | 66 ++++++++++++++++++++++++++++++++++ fedora/clean.sh | 16 +++++++++ fedora/install-extras.sh | 21 +++++++++++ mk-fedora.sh | 46 ++++++++++++++++++++++++ 7 files changed, 174 insertions(+), 3 deletions(-) create mode 100644 conf/fedora create mode 100755 fedora/clean.sh create mode 100755 fedora/install-extras.sh create mode 100755 mk-fedora.sh diff --git a/Makefile b/Makefile index f8a46d7..e49c864 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,7 @@ UBUNTU_BOXES= precise quantal raring saucy trusty utopic DEBIAN_BOXES= squeeze wheezy sid jessie CENTOS_BOXES= 6 +FEDORA_BOXES= 20 19 TODAY=$(shell date -u +"%Y-%m-%d") # Replace i686 with i386 and x86_64 with amd64 @@ -8,11 +9,12 @@ ARCH=$(shell uname -m | sed -e "s/68/38/" | sed -e "s/x86_64/amd64/") default: -all: ubuntu debian +all: ubuntu debian fedora ubuntu: $(UBUNTU_BOXES) debian: $(DEBIAN_BOXES) centos: $(CENTOS_BOXES) +fedora: $(FEDORA_BOXES) # REFACTOR: Figure out how can we reduce duplicated code $(UBUNTU_BOXES): CONTAINER = "vagrant-base-${@}-$(ARCH)" 
@@ -36,6 +38,13 @@ $(CENTOS_BOXES): @sudo -E ./mk-centos.sh $(@) $(ARCH) $(CONTAINER) $(PACKAGE) @sudo chmod +rw $(PACKAGE) @sudo chown ${USER}: $(PACKAGE) +$(FEDORA_BOXES): CONTAINER = "vagrant-base-fedora-${@}-$(ARCH)" +$(FEDORA_BOXES): PACKAGE = "output/${TODAY}/vagrant-lxc-fedora-${@}-$(ARCH).box" +$(FEDORA_BOXES): + @mkdir -p $$(dirname $(PACKAGE)) + @sudo -E ./mk-fedora.sh $(@) $(ARCH) $(CONTAINER) $(PACKAGE) + @sudo chmod +rw $(PACKAGE) + @sudo chown ${USER}: $(PACKAGE) acceptance: CONTAINER = "vagrant-base-acceptance-$(ARCH)" acceptance: PACKAGE = "output/${TODAY}/vagrant-lxc-acceptance-$(ARCH).box" @@ -51,7 +60,7 @@ release: git tag $(version) git push && git push --tags -clean: ALL_BOXES = ${DEBIAN_BOXES} ${UBUNTU_BOXES} ${CENTOS_BOXES} acceptance +clean: ALL_BOXES = ${DEBIAN_BOXES} ${UBUNTU_BOXES} ${CENTOS_BOXES} ${FEDORA_BOXES} acceptance clean: @for r in $(ALL_BOXES); do \ sudo -E ./clean.sh $${r}\ diff --git a/common/download.sh b/common/download.sh index d0e59d3..304b168 100755 --- a/common/download.sh +++ b/common/download.sh @@ -40,4 +40,17 @@ else --release ${RELEASE} \ --arch ${ARCH} fi + +if [ ${DISTRIBUTION} = 'fedora' ]; then + # Improve systemd support: + # - The fedora template does it but the fedora images from the download + # template apparently don't. + utils.lxc.stop + echo >> /var/lib/lxc/${CONTAINER}/config + echo "# settings for systemd with PID 1:" >> /var/lib/lxc/${CONTAINER}/config + echo "lxc.kmsg = 0" >> /var/lib/lxc/${CONTAINER}/config + echo "lxc.autodev = 1" >> /var/lib/lxc/${CONTAINER}/config + utils.lxc.start +fi + log "Container created!" diff --git a/common/prepare-vagrant-user.sh b/common/prepare-vagrant-user.sh index 9f0fadf..ae516e9 100755 --- a/common/prepare-vagrant-user.sh +++ b/common/prepare-vagrant-user.sh 
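Review bot: The `$(FEDORA_BOXES)` targets are bare release numbers (`20`, `19`) and no `.PHONY` declaration for them is visible in the hunk, so a stray file named `20` or `19` in the checkout would make `make 20` report it up to date and skip the build; if the other box lists are handled the same way this is a pre-existing pattern, otherwise `.PHONY: fedora $(FEDORA_BOXES)` beside the rule is the cheap fix. The recipe is otherwise a verbatim copy of the centos block above it, which the file's own REFACTOR comment already flags; a `define`/`$(call)` template taking the distribution name would let the fedora, centos and acceptance blocks share one body. The `clean: ALL_BOXES` hunk further down carries the same list, so the two stay in sync only by hand.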
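Review bot: The four `echo ... >> /var/lib/lxc/${CONTAINER}/config` lines are appended unconditionally, so running the script again against an existing container duplicates the `lxc.kmsg`/`lxc.autodev` block each time; guarding the block with `grep -q '^lxc.autodev' /var/lib/lxc/${CONTAINER}/config || { ...; }` keeps the edit idempotent. The same two keys are also set at the top of the new `conf/fedora` in this patch; unless that file is not applied to containers created by the download template (not visible here), one of the two places is redundant and they can drift apart. `[ ${DISTRIBUTION} = 'fedora' ]` should quote the expansion, `[ "${DISTRIBUTION}" = 'fedora' ]`, so an unset variable gives a plain false result rather than a `[` usage error; the script's shell options are outside the hunk.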
@@ -17,7 +17,7 @@ elif $(grep -q 'ubuntu' ${ROOTFS}/etc/shadow); then
 chroot ${ROOTFS} groupmod -n vagrant ubuntu &>> ${LOG}
 echo -n 'vagrant:vagrant' | chroot ${ROOTFS} chpasswd
 log 'Renamed ubuntu user to vagrant and changed password.'
-elif [ ${DISTRIBUTION} = 'centos' ]; then
+elif [ ${DISTRIBUTION} = 'centos' -o ${DISTRIBUTION} = 'fedora' ]; then
 debug 'Creating vagrant user...'
 chroot ${ROOTFS} useradd --create-home -s /bin/bash -u 1000 vagrant &>> ${LOG}
 echo -n 'vagrant:vagrant' | chroot ${ROOTFS} chpasswd
diff --git a/conf/fedora b/conf/fedora
new file mode 100644
index 0000000..7027b6b
--- /dev/null
+++ b/conf/fedora
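Review bot: The new `elif` condition uses the obsolescent `-o` operator and leaves `${DISTRIBUTION}` unquoted, so an empty value collapses the test to `[ = 'centos' -o = 'fedora' ]`, which is a `[` usage error rather than a false branch; `elif [ "${DISTRIBUTION}" = 'centos' ] || [ "${DISTRIBUTION}" = 'fedora' ]; then` is POSIX-clean and quoting-safe. The enclosing if/elif chain starts and ends outside the hunk.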
@@ -0,0 +1,66 @@
+# work better with systemd:
+lxc.autodev = 1
+lxc.kmsg = 0
+
+# Taken from the oracle.common.conf.in
+# Console settings
+
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Mount entries
+lxc.mount.auto = proc:mixed sys:ro
+
+# Ensure hostname is changed on clone
+lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
+
+# Capabilities
+# Uncomment these if you don't run anything that needs the capability, and
+# would like the container to run with less privilege.
+#
+# Dropping sys_admin disables container root from doing a lot of things
+# that could be bad like re-mounting lxc fstab entries rw for example,
+# but also disables some useful things like being able to nfs mount, and
+# things that are already namespaced with ns_capable() kernel checks, like
+# hostname(1).
+# lxc.cap.drop = sys_admin
+# lxc.cap.drop = net_raw # breaks dhcp/ping
+# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
+# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
+# lxc.cap.drop = setuid # breaks sshd,nfs statd
+# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
+# lxc.cap.drop = audit_write
+# big big login delays in Fedora 20 systemd:
+#lxc.cap.drop = setpcap
+#
+lxc.cap.drop = mac_admin mac_override
+lxc.cap.drop = setfcap
+lxc.cap.drop = sys_module sys_nice sys_pacct
+lxc.cap.drop = sys_rawio sys_time
+
+# Control Group devices: all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+# Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+## /dev/null
+lxc.cgroup.devices.allow = c 1:3 rwm
+## /dev/zero
+lxc.cgroup.devices.allow = c 1:5 rwm
+## /dev/full
+lxc.cgroup.devices.allow = c 1:7 rwm
+## /dev/tty
+lxc.cgroup.devices.allow = c 5:0 rwm
+## /dev/random
+lxc.cgroup.devices.allow = c 1:8 rwm
+## /dev/urandom
+lxc.cgroup.devices.allow = c 1:9 rwm
+## /dev/tty[1-4] ptys and lxc console
+lxc.cgroup.devices.allow = c 136:* rwm
+## /dev/ptmx
pty master
+lxc.cgroup.devices.allow = c 5:2 rwm
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = /usr/share/lxc/config/common.seccomp
diff --git a/fedora/clean.sh b/fedora/clean.sh
new file mode 100755
index 0000000..9a56013
--- /dev/null
+++ b/fedora/clean.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -e
+
+source common/ui.sh
+source common/utils.sh
+
+debug 'Bringing container up'
+utils.lxc.start
+
+info "Cleaning up '${CONTAINER}'..."
+
+log 'Removing temporary files...'
+rm -rf ${ROOTFS}/tmp/*
+
+log 'cleaning up dhcp leases'
+rm -f ${ROOTFS}/var/lib/dhcp/*
diff --git a/fedora/install-extras.sh b/fedora/install-extras.sh
new file mode 100755
index 0000000..c7c7671
--- /dev/null
+++ b/fedora/install-extras.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -e
+
+source common/ui.sh
+source common/utils.sh
+
+info 'Installing extra packages and upgrading'
+
+debug 'Bringing container up'
+utils.lxc.start
+
+# Sleep for a bit so that the container can get an IP
+SECS=20
+log "Sleeping for $SECS seconds..."
+sleep $SECS
+
+# TODO: Support for appending to this list from outside
+PACKAGES=(vim curl wget man-db bash-completion ca-certificates sudo openssh-server)
+
+utils.lxc.attach yum update -y
+utils.lxc.attach yum install ${PACKAGES[*]} -y
diff --git a/mk-fedora.sh b/mk-fedora.sh
new file mode 100755
index 0000000..c6c3514
--- /dev/null
+++ b/mk-fedora.sh
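Review bot: `lxc.autodev = 1` and `lxc.kmsg = 0` at the top of this file duplicate the lines that `common/download.sh` now appends to the container config in the same patch; keeping them in one place (this file, with the comment on why, or the script) avoids the two drifting apart. The header comment `# Taken from the oracle.common.conf.in` would be more useful if it named what was changed relative to that template — from the content, the two systemd keys and the commented-out `setpcap` drop look like the local additions, but that is an inference. The `lxc.cap.drop` block keeps `sys_admin` and `net_raw` for the reasons the inherited comments give, and the seccomp comment refers to privileged containers; a one-line note stating that this box is built as a privileged container would set expectations for anyone reusing the config elsewhere.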
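Review bot: `rm -rf ${ROOTFS}/tmp/*` runs on the host as root with `${ROOTFS}` taken from the environment and never checked, so an empty or unset value makes the glob resolve to the host's own `/tmp/*`; a guard near the top, `: "${ROOTFS:?ROOTFS must point at the container rootfs}"`, fails fast instead, and the same applies to `rm -f ${ROOTFS}/var/lib/dhcp/*`. On Fedora the dhclient lease files normally live under `/var/lib/dhclient/` rather than `/var/lib/dhcp/`, so the second `rm` may be a no-op — worth verifying inside a built container. Nothing here removes generated SSH host keys although `install-extras.sh` installs `openssh-server`; if sshd is started during the build, every box cloned from the package ships the same host keys, so deleting `${ROOTFS}/etc/ssh/ssh_host_*` in this cleanup step (Fedora's sshd unit regenerates missing keys on start, as far as I know) is worth considering.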
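Review bot: The fixed `sleep $SECS` (20 s) is the only wait for networking before `yum update -y`, so a slow DHCP reply fails the build under `set -e` while a fast one wastes most of the delay; polling inside the container for an address with a bounded retry of `utils.lxc.attach` (that helper is defined outside the hunk) would be more robust. `yum install ${PACKAGES[*]} -y` relies on unquoted expansion to split the array, which is the intent here; `"${PACKAGES[@]}"` states that explicitly and behaves the same with `set -f` or unusual `IFS`.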
@@ -0,0 +1,46 @@
+#!/bin/bash
+set -e
+
+source common/ui.sh
+
+if [ "$(id -u)" != "0" ]; then
+ echo "You should run this script as root (sudo)."
+ exit 1
+fi
+
+export DISTRIBUTION='fedora'
+export RELEASE=$1
+export ARCH=$2
+export CONTAINER=$3
+export PACKAGE=$4
+export ROOTFS="/var/lib/lxc/${CONTAINER}/rootfs"
+export WORKING_DIR="/tmp/${CONTAINER}"
+export NOW=$(date -u)
+export LOG=$(readlink -f .)/log/${CONTAINER}.log
+
+mkdir -p $(dirname $LOG)
+echo '############################################' > ${LOG}
+echo "# Beginning build at $(date)" >> ${LOG}
+touch ${LOG}
+chmod +rw ${LOG}
+
+if [ -f ${PACKAGE} ]; then
+ warn "The box '${PACKAGE}' already exists, skipping..."
+ echo
+ exit
+fi
+
+debug "Creating ${WORKING_DIR}"
+mkdir -p ${WORKING_DIR}
+
+info "Building box to '${PACKAGE}'..."
+
+./common/download.sh ${DISTRIBUTION} ${RELEASE} ${ARCH} ${CONTAINER}
+./fedora/install-extras.sh ${CONTAINER}
+./common/prepare-vagrant-user.sh ${DISTRIBUTION} ${CONTAINER}
+./fedora/clean.sh ${CONTAINER}
+./common/package.sh ${CONTAINER} ${PACKAGE}
+
+info "Finished building '${PACKAGE}'!"
+log "Run \`sudo lxc-destroy -n ${CONTAINER}\` or \`make clean\` to remove the container that was created along the way"
+echo
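Review bot: The four positional parameters are exported without any check, so a call with a missing `$3` sets `CONTAINER` empty, `ROOTFS` to `/var/lib/lxc//rootfs` and `LOG` to `log/.log`, and the child scripts (including `fedora/clean.sh`, which runs `rm -rf` under `${ROOTFS}`) then execute as root against those paths; a usage guard after the root check, `[ $# -eq 4 ] || { echo "usage: $0 RELEASE ARCH CONTAINER PACKAGE" >&2; exit 1; }`, fails fast instead. `touch ${LOG}` on the line after the two redirects is a no-op because the file already exists, and `NOW` is exported but not read in this file (the sourced scripts may use it — not visible here). `[ -f ${PACKAGE} ]` and the other `${...}` expansions should be double-quoted; the values are built from `$(ARCH)` and the date and contain no spaces today, so this is hygiene rather than a live bug.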