Updated create-base.sh to create an unprivileged container base.
authorZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Mon, 29 Apr 2024 11:59:35 +0000 (13:59 +0200)
committerZoltán Felleg <zoltan.felleg@userrendszerhaz.hu>
Mon, 29 Apr 2024 11:59:35 +0000 (13:59 +0200)
scripts/create-base.sh

index 07999e6da19744efbd5aa6dcbd3dc566cd6817b4..58736fe50124fc5019cc0818be50093f4f039256 100755 (executable)
@@ -301,69 +301,54 @@ set_variables()
 
 preinstall()
 {
-    if [ -d $CONTAINER_SOURCE_PATH/preinstall ]
-    then
-        cp --archive $CONTAINER_SOURCE_PATH/preinstall $CONTAINER_BUILDROOT
-        chmod 755 $CONTAINER_BUILDROOT/preinstall/*.sh
-        for SCRIPT in $CONTAINER_BUILDROOT/preinstall/*.sh
-        do
-            echo $SCRIPT $ENV_FILE
-            $SCRIPT $ENV_FILE
-        done
-    fi
-
     mkdir $CONTAINER_BUILDROOT/dev
     mkdir $CONTAINER_BUILDROOT/proc
+    mkdir $CONTAINER_BUILDROOT/sys
     mount -o bind /dev $CONTAINER_BUILDROOT/dev
     mount -t proc proc $CONTAINER_BUILDROOT/proc
+    mount -t sysfs sysfs $CONTAINER_BUILDROOT/sys
 }
 
 postinstall()
 {
-    if [ -d $CONTAINER_SOURCE_PATH/postinstall ]
-    then
-        cp --archive $CONTAINER_SOURCE_PATH/postinstall $CONTAINER_BUILDROOT
-        if [ -f $CONTAINER_SOURCE_PATH/postinstall/copy.list ]
-        then
-            grep -v '^#' $CONTAINER_SOURCE_PATH/postinstall/copy.list | while read LINE
-            do
-                SRC_HOST=$(echo "$LINE" | cut -f 1 -d ' ')
-                SRC_PATH=$(echo "$LINE" | cut -f 2 -d ' ')
-                TGT_PATH=$(echo "$LINE" | cut -f 3 -d ' ')
-                scp -pr -i $SSH_KEYS_PATH/scripts \
-                    root@${SRC_HOST}:$SRC_PATH \
-                    $CONTAINER_BUILDROOT/postinstall/install/$TGT_PATH
-            done
-        fi
-    fi
-    if [ -d $CONTAINER_BUILDROOT/postinstall ]
-    then
-        chmod 755 $CONTAINER_BUILDROOT/postinstall/*.sh
-        for SCRIPT in $CONTAINER_BUILDROOT/postinstall/*.sh
-        do
-            POSTINSTALL_SCRIPT=$(echo $SCRIPT | sed "s|^$CONTAINER_BUILDROOT||")
-            echo chroot $CONTAINER_BUILDROOT $POSTINSTALL_SCRIPT
-            chroot $CONTAINER_BUILDROOT $POSTINSTALL_SCRIPT
-        done
-    fi
-
     umount $CONTAINER_BUILDROOT/dev
     umount $CONTAINER_BUILDROOT/proc
+    umount $CONTAINER_BUILDROOT/sys
 }
 
-firstboot()
+unprivilege()
 {
-    if [ -d $CONTAINER_SOURCE_PATH/firstboot ]
+    PRIV_UID=0
+    UNPRIV_UID=$(( $PRIV_UID + 100000 ))
+    PRIV_UID_COUNT=$(find $CONTAINER_BUILDROOT -uid $PRIV_UID | wc -l)
+    if [ $PRIV_UID_COUNT -gt 0 ]
+    then
+        find $CONTAINER_BUILDROOT -uid $PRIV_UID -print0 | xargs -0 chown --no-dereference $UNPRIV_UID
+    fi
+
+    PRIV_GID=0
+    UNPRIV_GID=$(( $PRIV_GID + 100000 ))
+    PRIV_GID_COUNT=$(find $CONTAINER_BUILDROOT -gid $PRIV_GID | wc -l)
+    if [ $PRIV_GID_COUNT -gt 0 ]
     then
-        cp --archive $CONTAINER_SOURCE_PATH/firstboot $CONTAINER_BUILDROOT
-        chmod 755 $CONTAINER_BUILDROOT/firstboot/*.sh
-        for SCRIPT in $CONTAINER_BUILDROOT/firstboot/*.sh
-        do
-            FIRSTBOOT_SCRIPT=$(echo $SCRIPT | sed "s|^$CONTAINER_BUILDROOT||")
-            echo lxc-attach --name=$CONTAINER_NAME -- $FIRSTBOOT_SCRIPT
-            lxc-attach --name=$CONTAINER_NAME -- $FIRSTBOOT_SCRIPT
-        done
+        find $CONTAINER_BUILDROOT -gid $PRIV_GID -print0 | xargs -0 chgrp --no-dereference $UNPRIV_GID
     fi
+
+    find $CONTAINER_BUILDROOT -uid -100000 | while read PRIV_UID_FILE
+    do
+        ls -l $PRIV_UID_FILE
+        PRIV_UID=$(stat --format="%u" $PRIV_UID_FILE)
+        UNPRIV_UID=$(( $PRIV_UID + 100000 ))
+        chown --no-dereference $UNPRIV_UID $PRIV_UID_FILE
+    done
+
+    find $CONTAINER_BUILDROOT -gid -100000 | while read PRIV_GID_FILE
+    do
+        ls -l $PRIV_GID_FILE
+        PRIV_GID=$(stat --format="%g" $PRIV_GID_FILE)
+        UNPRIV_GID=$(( $PRIV_GID + 100000 ))
+        chgrp --no-dereference $UNPRIV_GID $PRIV_GID_FILE
+    done
 }
 
 set_variables $1
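Review bot: The two per-file loops at the end of unprivilege() read find's newline-separated output with a bare `while read` and pass `$PRIV_UID_FILE` / `$PRIV_GID_FILE` unquoted to stat, chown and chgrp, so a path containing whitespace, a backslash or a glob character is split or mangled and that file silently keeps its original low-range owner in the finished base. Use NUL delimiters and quote every expansion, as the uid-0 batch at the top of the function already does with `-print0 | xargs -0`; the rewritten uid loop is below and the gid loop needs the same treatment (the `ls -l` per file looks like leftover debug output and can go). The +100000 offset is hard-coded in four places and nothing checks it against the subuid/subgid range the container will be mapped with, so a file owned by e.g. uid 65534 lands at 165534, outside a 65536-wide map — worth a single `readonly UID_OFFSET=100000` plus a comment stating that assumption. On Linux (since 2.2.13) chown/chgrp clear the setuid/setgid bits of regular files even when run as root, so any such binaries in the base lose them unless the mode is saved with `stat --format=%a` before the ownership change and restored with chmod afterwards. firstboot() is deleted in this hunk; if its call site survives outside the visible lines it now fails as an unknown command.
```bash
    # shift every remaining owner uid below the offset into the unprivileged range;
    # NUL-delimited so that unusual file names cannot be split or mangled
    find "$CONTAINER_BUILDROOT" -uid -100000 -print0 | while IFS= read -r -d '' PRIV_UID_FILE
    do
        PRIV_UID=$(stat --format="%u" "$PRIV_UID_FILE")
        UNPRIV_UID=$(( PRIV_UID + 100000 ))
        chown --no-dereference "$UNPRIV_UID" "$PRIV_UID_FILE"
    done
    # … unchanged: gid loop, with the same -print0 / read -r -d '' / quoting treatment …
```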
@@ -386,6 +371,8 @@ install_packages
 
 postinstall
 
+unprivilege
+
 backup_old_container
 
 ################################################################