43aa9bfb3e
If LXC commands are run with a restrictive umask like 027 or 077, then
the root directory of new containers will lack read `r` and access `x`
permission for non-root users. The first failure to result from this
during `vagrant up` is that the SSH daemon cannot read the crucial file
`/home/vagrant/.ssh/authorized_keys` after it drops privileges to the
level of the `vagrant` user. The result is the familiar:
```
default: Warning: Authentication failure. Retrying...
default: Warning: Authentication failure. Retrying...
Timed out while waiting for the machine to boot. This means that
Vagrant was unable to communicate with the guest machine within
the configured ("config.vm.boot_timeout" value) time period.
```
So we should make sure that we run all LXC commands with a umask that at
least does not prevent group and world `r` and `x` bits from being set
in newly created files and directories.
95 lines
2.9 KiB
Ruby
95 lines
2.9 KiB
Ruby
module Vagrant
|
|
module LXC
|
|
class SudoWrapper
|
|
# Include this so we can use `Subprocess` more easily.
|
|
include Vagrant::Util::Retryable
|
|
|
|
attr_reader :wrapper_path
|
|
|
|
def initialize(wrapper_path = nil)
|
|
@wrapper_path = wrapper_path
|
|
@logger = Log4r::Logger.new("vagrant::lxc::sudo_wrapper")
|
|
end
|
|
|
|
def run(*command)
|
|
options = command.last.is_a?(Hash) ? command.last : {}
|
|
|
|
# Avoid running LXC commands with a restrictive umask.
|
|
# Otherwise disasters occur, like the container root directory
|
|
# having permissions `rwxr-x---` which prevents the `vagrant`
|
|
# user from accessing its own home directory; among other
|
|
# problems, SSH cannot then read `authorized_keys`!
|
|
old_mask = File.umask
|
|
File.umask(old_mask & 022) # allow all `r` and `x` bits
|
|
|
|
begin
|
|
if @wrapper_path && !options[:no_wrapper]
|
|
command.unshift @wrapper_path
|
|
execute *(['sudo'] + command)
|
|
else
|
|
execute *(['sudo', '/usr/bin/env'] + command)
|
|
end
|
|
ensure
|
|
File.umask(old_mask)
|
|
end
|
|
end
|
|
|
|
private
|
|
|
|
# TODO: Review code below this line, it was pretty much a copy and
|
|
# paste from VirtualBox base driver and has no tests
|
|
def execute(*command, &block)
|
|
# Get the options hash if it exists
|
|
opts = {}
|
|
opts = command.pop if command.last.is_a?(Hash)
|
|
|
|
tries = 0
|
|
tries = 3 if opts[:retryable]
|
|
|
|
sleep = opts.fetch(:sleep, 1)
|
|
|
|
# Variable to store our execution result
|
|
r = nil
|
|
|
|
retryable(:on => LXC::Errors::ExecuteError, :tries => tries, :sleep => sleep) do
|
|
# Execute the command
|
|
r = raw(*command, &block)
|
|
|
|
# If the command was a failure, then raise an exception that is
|
|
# nicely handled by Vagrant.
|
|
if r.exit_code != 0
|
|
if @interrupted
|
|
@logger.info("Exit code != 0, but interrupted. Ignoring.")
|
|
else
|
|
raise LXC::Errors::ExecuteError,
|
|
command: command.inspect, stderr: r.stderr, stdout: r.stdout, exitcode: r.exit_code
|
|
end
|
|
end
|
|
end
|
|
|
|
# Return the output, making sure to replace any Windows-style
|
|
# newlines with Unix-style.
|
|
stdout = r.stdout.gsub("\r\n", "\n")
|
|
if opts[:show_stderr]
|
|
{ :stdout => stdout, :stderr => r.stderr.gsub("\r\n", "\n") }
|
|
else
|
|
stdout
|
|
end
|
|
end
|
|
|
|
def raw(*command, &block)
|
|
int_callback = lambda do
|
|
@interrupted = true
|
|
@logger.info("Interrupted.")
|
|
end
|
|
|
|
# Append in the options for subprocess
|
|
command << { :notify => [:stdout, :stderr] }
|
|
|
|
Vagrant::Util::Busy.busy(int_callback) do
|
|
Vagrant::Util::Subprocess.execute(*command, &block)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|