From: Zoltán Felleg
Date: Mon, 29 Apr 2024 11:59:35 +0000 (+0200)
Subject: Updated create-base.sh to create an unprivileged container base.
X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=92d5e70b7cb61124d922c34e9ef9669aa8a61be9;p=user-lxc.git

Updated create-base.sh to create an unprivileged container base.
---

diff --git a/scripts/create-base.sh b/scripts/create-base.sh
index 07999e6..58736fe 100755
--- a/scripts/create-base.sh
+++ b/scripts/create-base.sh
@@ -301,69 +301,54 @@ set_variables() preinstall() { - if [ -d $CONTAINER_SOURCE_PATH/preinstall ] - then - cp --archive $CONTAINER_SOURCE_PATH/preinstall $CONTAINER_BUILDROOT - chmod 755 $CONTAINER_BUILDROOT/preinstall/*.sh - for SCRIPT in $CONTAINER_BUILDROOT/preinstall/*.sh - do - echo $SCRIPT $ENV_FILE - $SCRIPT $ENV_FILE - done - fi - mkdir $CONTAINER_BUILDROOT/dev mkdir $CONTAINER_BUILDROOT/proc + mkdir $CONTAINER_BUILDROOT/sys mount -o bind /dev $CONTAINER_BUILDROOT/dev mount -t proc proc $CONTAINER_BUILDROOT/proc + mount -t sysfs sysfs $CONTAINER_BUILDROOT/sys } postinstall() { - if [ -d $CONTAINER_SOURCE_PATH/postinstall ] - then - cp --archive $CONTAINER_SOURCE_PATH/postinstall $CONTAINER_BUILDROOT - if [ -f $CONTAINER_SOURCE_PATH/postinstall/copy.list ] - then - grep -v '^#' $CONTAINER_SOURCE_PATH/postinstall/copy.list | while read LINE - do - SRC_HOST=$(echo "$LINE" | cut -f 1 -d ' ') - SRC_PATH=$(echo "$LINE" | cut -f 2 -d ' ') - TGT_PATH=$(echo "$LINE" | cut -f 3 -d ' ') - scp -pr -i $SSH_KEYS_PATH/scripts \ - root@${SRC_HOST}:$SRC_PATH \ - $CONTAINER_BUILDROOT/postinstall/install/$TGT_PATH - done - fi - fi - if [ -d $CONTAINER_BUILDROOT/postinstall ] - then - chmod 755 $CONTAINER_BUILDROOT/postinstall/*.sh - for SCRIPT in $CONTAINER_BUILDROOT/postinstall/*.sh - do - POSTINSTALL_SCRIPT=$(echo $SCRIPT | sed "s|^$CONTAINER_BUILDROOT||") - echo chroot $CONTAINER_BUILDROOT $POSTINSTALL_SCRIPT - chroot $CONTAINER_BUILDROOT $POSTINSTALL_SCRIPT - done - fi - umount $CONTAINER_BUILDROOT/dev umount $CONTAINER_BUILDROOT/proc + umount $CONTAINER_BUILDROOT/sys } -firstboot() +unprivilege() { - if [ -d $CONTAINER_SOURCE_PATH/firstboot ] + PRIV_UID=0 + UNPRIV_UID=$(( $PRIV_UID + 100000 )) + PRIV_UID_COUNT=$(find $CONTAINER_BUILDROOT -uid $PRIV_UID | wc -l) + if [ $PRIV_UID_COUNT -gt 0 ] + then + find $CONTAINER_BUILDROOT -uid $PRIV_UID -print0 | xargs -0 chown --no-dereference $UNPRIV_UID + fi + + PRIV_GID=0 + UNPRIV_GID=$(( $PRIV_GID + 100000 )) + 
PRIV_GID_COUNT=$(find $CONTAINER_BUILDROOT -gid $PRIV_GID | wc -l) + if [ $PRIV_GID_COUNT -gt 0 ] then - cp --archive $CONTAINER_SOURCE_PATH/firstboot $CONTAINER_BUILDROOT - chmod 755 $CONTAINER_BUILDROOT/firstboot/*.sh - for SCRIPT in $CONTAINER_BUILDROOT/firstboot/*.sh - do - FIRSTBOOT_SCRIPT=$(echo $SCRIPT | sed "s|^$CONTAINER_BUILDROOT||") - echo lxc-attach --name=$CONTAINER_NAME -- $FIRSTBOOT_SCRIPT - lxc-attach --name=$CONTAINER_NAME -- $FIRSTBOOT_SCRIPT - done + find $CONTAINER_BUILDROOT -gid $PRIV_GID -print0 | xargs -0 chgrp --no-dereference $UNPRIV_GID fi + + find $CONTAINER_BUILDROOT -uid -100000 | while read PRIV_UID_FILE + do + ls -l $PRIV_UID_FILE + PRIV_UID=$(stat --format="%u" $PRIV_UID_FILE) + UNPRIV_UID=$(( $PRIV_UID + 100000 )) + chown --no-dereference $UNPRIV_UID $PRIV_UID_FILE + done + + find $CONTAINER_BUILDROOT -gid -100000 | while read PRIV_GID_FILE + do + ls -l $PRIV_GID_FILE + PRIV_GID=$(stat --format="%g" $PRIV_GID_FILE) + UNPRIV_GID=$(( $PRIV_GID + 100000 )) + chgrp --no-dereference $UNPRIV_GID $PRIV_GID_FILE + done } set_variables $1 @@ -386,6 +371,8 @@ install_packages postinstall +unprivilege + backup_old_container ################################################################
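Review bot: The two `while read` loops at the end of `unprivilege()` consume `find` output one line at a time through an unquoted, `-r`-less `read`, so any path under `$CONTAINER_BUILDROOT` that contains whitespace, a backslash or a newline is split or mangled and the following `stat`/`chown`/`chgrp` act on the wrong name — the uid-0/gid-0 passes just above already use `-print0 | xargs -0`, so the loops should be NUL-delimited the same way. None of the four `find` walks is bounded with `-xdev`; the `umount` calls in `postinstall()` are not checked for failure (no `set -e` is visible in this hunk), and if one of them fails the walk descends into the still bind-mounted host `/dev` and re-owns host device nodes, so `-xdev` is the cheap guard that keeps the ownership shift inside the build root. The `100000` offset appears six times in this function and has to match the host's subuid/subgid allocation; a single `readonly UNPRIV_OFFSET=100000` would keep them in step. The rewritten loops are below (`read -d ''` needs bash; the shebang is outside this hunk).

```shell
	# … unchanged: uid-0 and gid-0 bulk passes …
	find "$CONTAINER_BUILDROOT" -xdev -uid -100000 -print0 | while IFS= read -r -d '' PRIV_UID_FILE
	do
		ls -l -- "$PRIV_UID_FILE"
		PRIV_UID=$(stat --format="%u" -- "$PRIV_UID_FILE")
		UNPRIV_UID=$(( PRIV_UID + 100000 ))
		chown --no-dereference "$UNPRIV_UID" -- "$PRIV_UID_FILE"
	done

	find "$CONTAINER_BUILDROOT" -xdev -gid -100000 -print0 | while IFS= read -r -d '' PRIV_GID_FILE
	do
		ls -l -- "$PRIV_GID_FILE"
		PRIV_GID=$(stat --format="%g" -- "$PRIV_GID_FILE")
		UNPRIV_GID=$(( PRIV_GID + 100000 ))
		chgrp --no-dereference "$UNPRIV_GID" -- "$PRIV_GID_FILE"
	done
```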