3 files changed, 127 insertions, 0 deletions
diff --git a/recipes-containers/lxc/files/busybox_template_mount_fstab_when_available.patch b/recipes-containers/lxc/files/busybox_template_mount_fstab_when_available.patch
new file mode 100644
index 00000000..74b4fdfa
--- /dev/null
+++ b/recipes-containers/lxc/files/busybox_template_mount_fstab_when_available.patch
@@ -0,0 +1,32 @@
+From 12c3b43fbeacd9cc471adf565ecea3263e37e353 Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
+Date: Mon, 20 Oct 2014 15:56:54 -0400
+Subject: [PATCH] busybox template: mount fstab when available
+When running unprivileged, lxc-create will touch a fstab file, with bind-mounts
+for the ttys and other devices. Add this entry in the container config.
+Upstream-Status: Accepted
+[https://github.com/lxc/lxc/commit/12c3b43fbeacd9cc471adf565ecea3263e37e353]
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+---
+ templates/lxc-busybox.in | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
+index ca2dd43..ee54a7a 100644
+--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
+@@ -301,6 +301,10 @@ EOF
+     done
+     echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >>$path/config
+     echo "lxc.mount.auto = proc:mixed sys" >>$path/config
+
+    if [ -f "$path/fstab" ]; then
+        echo "lxc.mount = $path/fstab" >>$path/config
+    fi
+ }
+ 
+ remap_userns()
diff --git a/recipes-containers/lxc/files/busybox_template_support_for_unprivileged_containers.patch b/recipes-containers/lxc/files/busybox_template_support_for_unprivileged_containers.patch
new file mode 100644
index 00000000..4e9ab74f
--- /dev/null
+++ b/recipes-containers/lxc/files/busybox_template_support_for_unprivileged_containers.patch
@@ -0,0 +1,92 @@
+From a542dd3c1aca8b6674f631d625d888eb13ae3a4d Mon Sep 17 00:00:00 2001
+From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
+Date: Mon, 20 Oct 2014 15:56:53 -0400
+Subject: [PATCH] busybox template: support for unprivileged containers
+Apply the changes found in templates/lxc-download to the busybox template as
+well. Change ownership of the config and fstab files to the unprivileged user,
+and the ownership of the rootfs to root in the new user namespace.
+Eliminate the "unsupported for userns" flag.
+Upstream-Status: Accepted
+[https://github.com/lxc/lxc/commit/a542dd3c1aca8b6674f631d625d888eb13ae3a4d]
+Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+---
+ templates/lxc-busybox.in | 36 ++++++++++++++++++++++++++----------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
+index 246e743..ca2dd43 100644
+--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
+@@ -20,15 +20,8 @@
+ # License along with this library; if not, write to the Free Software
+ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ 
+-# Detect use under userns (unsupported)
+-for arg in "$@"; do
+-    [ "$arg" = "--" ] && break
+-    if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
+-        echo "This template can't be used for unprivileged containers." 1>&2
+-        echo "You may want to try the \"download\" template instead." 1>&2
+-        exit 1
+-    fi
+-done
+LXC_MAPPED_UID=
+LXC_MAPPED_GID=
+ 
+ # Make sure the usual locations are in PATH
+ export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
+@@ -310,6 +303,21 @@ EOF
+     echo "lxc.mount.auto = proc:mixed sys" >>$path/config
+ }
+ 
+remap_userns()
+{
+    path=$1
+
+    if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
+        chown $LXC_MAPPED_UID $path/config $path/fstab >/dev/null 2>&1
+        chown -R root $path/rootfs >/dev/null 2>&1
+    fi
+
+    if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
+        chgrp $LXC_MAPPED_GID $path/config $path/fstab >/dev/null 2>&1
+        chgrp -R root $path/rootfs >/dev/null 2>&1
+    fi
+}
+
+ usage()
+ {
+     cat <<EOF
+@@ -318,7 +326,7 @@ EOF
+     return 0
+ }
+ 
+-options=$(getopt -o hp:n: -l help,rootfs:,path:,name: -- "$@")
+options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- "$@")
+ if [ $? -ne 0 ]; then
+     usage $(basename $0)
+     exit 1
+@@ -332,6 +340,8 @@ do
+         -p|--path)      path=$2; shift 2;;
+         --rootfs)       rootfs=$2; shift 2;;
+         -n|--name)      name=$2; shift 2;;
+        --mapped-uid)   LXC_MAPPED_UID=$2; shift 2;;
+        --mapped-gid)   LXC_MAPPED_GID=$2; shift 2;;
+         --)             shift 1; break ;;
+         *)              break ;;
+     esac
+@@ -374,3 +384,9 @@ if [ $? -ne 0 ]; then
+     echo "failed to write configuration file"
+     exit 1
+ fi
+
+remap_userns $path
+if [ $? -ne 0 ]; then
+    echo "failed to remap files to user"
+    exit 1
+fi
diff --git a/recipes-containers/lxc/lxc_1.0.6.bb b/recipes-containers/lxc/lxc_1.0.6.bb
index 2d384dd6..08055732 100644
--- a/recipes-containers/lxc/lxc_1.0.6.bb
+++ b/recipes-containers/lxc/lxc_1.0.6.bb
@@ -26,7 +26,10 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
        file://runtest.patch \
        file://run-ptest \
        file://automake-ensure-VPATH-builds-correctly.patch \
+        file://busybox_template_mount_fstab_when_available.patch \
+        file://busybox_template_support_for_unprivileged_containers.patch \
        "
 SRC_URI[md5sum] = "4aad3aee84b42faa194e44091d723a3b"
 SRC_URI[sha256sum] = "fc6bffa750f00daaa92aa33d719c1cc235146aa779ebd2a64a0c24423977cf14"

diff --git a/recipes-containers/lxc/files/busybox_template_mount_fstab_when_available.patch b/recipes-containers/lxc/files/busybox_template_mount_fstab_when_available.patch new file mode 100644 index 00000000..74b4fdfa --- /dev/null +++ b/recipes-containers/lxc/files/busybox_template_mount_fstab_when_available.patch
@@ -0,0 +1,32 @@
		1	From 12c3b43fbeacd9cc471adf565ecea3263e37e353 Mon Sep 17 00:00:00 2001
		2	From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
		3	Date: Mon, 20 Oct 2014 15:56:54 -0400
		4	Subject: [PATCH] busybox template: mount fstab when available
		5
		6	When running unprivileged, lxc-create will touch a fstab file, with bind-mounts
		7	for the ttys and other devices. Add this entry in the container config.
		8
		9	Upstream-Status: Accepted
		10	[https://github.com/lxc/lxc/commit/12c3b43fbeacd9cc471adf565ecea3263e37e353]
		11
		12	Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
		13	Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
		14	---
		15	templates/lxc-busybox.in \| 4 ++++
		16	1 file changed, 4 insertions(+)
		17
		18	diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
		19	index ca2dd43..ee54a7a 100644
		20	--- a/templates/lxc-busybox.in
		21	+++ b/templates/lxc-busybox.in
		22	@@ -301,6 +301,10 @@ EOF
		23	done
		24	echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >>$path/config
		25	echo "lxc.mount.auto = proc:mixed sys" >>$path/config
		26	+
		27	+ if [ -f "$path/fstab" ]; then
		28	+ echo "lxc.mount = $path/fstab" >>$path/config
		29	+ fi
		30	}
		31
		32	remap_userns()


diff --git a/recipes-containers/lxc/files/busybox_template_support_for_unprivileged_containers.patch b/recipes-containers/lxc/files/busybox_template_support_for_unprivileged_containers.patch new file mode 100644 index 00000000..4e9ab74f --- /dev/null +++ b/recipes-containers/lxc/files/busybox_template_support_for_unprivileged_containers.patch
@@ -0,0 +1,92 @@
		1	From a542dd3c1aca8b6674f631d625d888eb13ae3a4d Mon Sep 17 00:00:00 2001
		2	From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
		3	Date: Mon, 20 Oct 2014 15:56:53 -0400
		4	Subject: [PATCH] busybox template: support for unprivileged containers
		5
		6	Apply the changes found in templates/lxc-download to the busybox template as
		7	well. Change ownership of the config and fstab files to the unprivileged user,
		8	and the ownership of the rootfs to root in the new user namespace.
		9
		10	Eliminate the "unsupported for userns" flag.
		11
		12	Upstream-Status: Accepted
		13	[https://github.com/lxc/lxc/commit/a542dd3c1aca8b6674f631d625d888eb13ae3a4d]
		14
		15	Signed-off-by: Bogdan Purcareata <bogdan.purcareata@freescale.com>
		16	Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
		17	---
		18	templates/lxc-busybox.in \| 36 ++++++++++++++++++++++++++----------
		19	1 file changed, 26 insertions(+), 10 deletions(-)
		20
		21	diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
		22	index 246e743..ca2dd43 100644
		23	--- a/templates/lxc-busybox.in
		24	+++ b/templates/lxc-busybox.in
		25	@@ -20,15 +20,8 @@
		26	# License along with this library; if not, write to the Free Software
		27	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
		28
		29	-# Detect use under userns (unsupported)
		30	-for arg in "$@"; do
		31	- [ "$arg" = "--" ] && break
		32	- if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then
		33	- echo "This template can't be used for unprivileged containers." 1>&2
		34	- echo "You may want to try the \"download\" template instead." 1>&2
		35	- exit 1
		36	- fi
		37	-done
		38	+LXC_MAPPED_UID=
		39	+LXC_MAPPED_GID=
		40
		41	# Make sure the usual locations are in PATH
		42	export PATH=$PATH:/usr/sbin:/usr/bin:/sbin:/bin
		43	@@ -310,6 +303,21 @@ EOF
		44	echo "lxc.mount.auto = proc:mixed sys" >>$path/config
		45	}
		46
		47	+remap_userns()
		48	+{
		49	+ path=$1
		50	+
		51	+ if [ -n "$LXC_MAPPED_UID" ] && [ "$LXC_MAPPED_UID" != "-1" ]; then
		52	+ chown $LXC_MAPPED_UID $path/config $path/fstab >/dev/null 2>&1
		53	+ chown -R root $path/rootfs >/dev/null 2>&1
		54	+ fi
		55	+
		56	+ if [ -n "$LXC_MAPPED_GID" ] && [ "$LXC_MAPPED_GID" != "-1" ]; then
		57	+ chgrp $LXC_MAPPED_GID $path/config $path/fstab >/dev/null 2>&1
		58	+ chgrp -R root $path/rootfs >/dev/null 2>&1
		59	+ fi
		60	+}
		61	+
		62	usage()
		63	{
		64	cat <<EOF
		65	@@ -318,7 +326,7 @@ EOF
		66	return 0
		67	}
		68
		69	-options=$(getopt -o hp:n: -l help,rootfs:,path:,name: -- "$@")
		70	+options=$(getopt -o hp:n: -l help,rootfs:,path:,name:,mapped-uid:,mapped-gid: -- "$@")
		71	if [ $? -ne 0 ]; then
		72	usage $(basename $0)
		73	exit 1
		74	@@ -332,6 +340,8 @@ do
		75	-p\|--path) path=$2; shift 2;;
		76	--rootfs) rootfs=$2; shift 2;;
		77	-n\|--name) name=$2; shift 2;;
		78	+ --mapped-uid) LXC_MAPPED_UID=$2; shift 2;;
		79	+ --mapped-gid) LXC_MAPPED_GID=$2; shift 2;;
		80	--) shift 1; break ;;
		81	*) break ;;
		82	esac
		83	@@ -374,3 +384,9 @@ if [ $? -ne 0 ]; then
		84	echo "failed to write configuration file"
		85	exit 1
		86	fi
		87	+
		88	+remap_userns $path
		89	+if [ $? -ne 0 ]; then
		90	+ echo "failed to remap files to user"
		91	+ exit 1
		92	+fi


diff --git a/recipes-containers/lxc/lxc_1.0.6.bb b/recipes-containers/lxc/lxc_1.0.6.bb index 2d384dd6..08055732 100644 --- a/recipes-containers/lxc/lxc_1.0.6.bb +++ b/recipes-containers/lxc/lxc_1.0.6.bb
@@ -26,7 +26,10 @@ SRC_URI = "http://linuxcontainers.org/downloads/${BPN}-${PV}.tar.gz \
26	file://runtest.patch \	26	file://runtest.patch \
27	file://run-ptest \	27	file://run-ptest \
28	file://automake-ensure-VPATH-builds-correctly.patch \	28	file://automake-ensure-VPATH-builds-correctly.patch \
		29	file://busybox_template_mount_fstab_when_available.patch \
		30	file://busybox_template_support_for_unprivileged_containers.patch \
29	"	31	"
		32
30	SRC_URI[md5sum] = "4aad3aee84b42faa194e44091d723a3b"	33	SRC_URI[md5sum] = "4aad3aee84b42faa194e44091d723a3b"
31	SRC_URI[sha256sum] = "fc6bffa750f00daaa92aa33d719c1cc235146aa779ebd2a64a0c24423977cf14"	34	SRC_URI[sha256sum] = "fc6bffa750f00daaa92aa33d719c1cc235146aa779ebd2a64a0c24423977cf14"
32		35