commit d48b3810f8916f61a900453e71a060162d7febe5
parent 9924f097a9146875796d4128dfa4df6096103b32
Author: ccx <ccx@te2000.cz>
Date: Tue, 9 Apr 2024 18:47:00 +0000
Container definition helper functions
Diffstat:
2 files changed, 153 insertions(+), 46 deletions(-)
diff --git a/zsh-functions/confz_containers_init b/zsh-functions/confz_containers_init
@@ -27,6 +27,46 @@
# /supervise/status B QAAAAF/8iBYvOSJcQAAAAF/8iBYvOSJcAAAAAAAAAAAAABQ=
# o0:0 m644
+typeset -gA container_uid_cache container_gid_cache
+
+container_get_uid() {
+ if (($+container_uid_cache[$1])); then
+ printf '%s' $container_uid_cache[$1]
+ return 0
+ else
+ local uid
+ uid="${${(s.:.)"$(getent passwd $1)"}[3]}" || return $?
+ [[ -z $uid ]] && return 1
+ container_uid_cache[$1]=$uid
+ printf '%s' $uid
+ return 0
+ fi
+}
+
+container_get_gid() {
+ if (($+container_gid_cache[$1])); then
+ printf '%s' $container_gid_cache[$1]
+ return 0
+ else
+ local gid
+ gid="${${(s.:.)"$(getent group $1)"}[3]}" || return $?
+ [[ -z $gid ]] && return 1
+ container_gid_cache[$1]=$gid
+ printf '%s' $gid
+ fi
+}
+
+confz_container_uidgid_for_name_check() {
+ checkvars name
+ local uid gid
+ uid=$(container_get_uid $vars[name]) ||
+ die "Could not determine uid for user ${(qqq)vars[name]}"
+ gid=$(container_get_gid $vars[name]) ||
+ die "Could not determine gid for group ${(qqq)vars[name]}"
+ unify uid $uid
+ unify gid $gid
+}
+
confz_container_service_check() {
checkvars svc_dir root_link run_link finish_link
defvar down true
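Review bot: `container_get_uid` returns 0 for an empty name: `getent passwd` with no key enumerates the whole database, the `(s.:.)` split then takes the third field of the first line, which is normally root's uid, and the `-z` check on the next line never fires. Guard the argument before the lookup, `[[ -n $1 ]] || return 1`, and keep it from being parsed as an option, `getent passwd -- "$1"`; `container_get_gid` needs the same two changes. `checkvars name` in `confz_container_uidgid_for_name_check` may already reject an empty value, but the helpers are callable on their own. `container_get_gid` also lacks the trailing `return 0` its uid twin has, so its status is whatever printf returned; harmless, but worth aligning.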
@@ -310,6 +350,64 @@ confz_container_service_sysroot_check() {
content=$container
}
+confz_container_service_ephemeral_check() {
+ local uid gid container_user_dir svc_dir log_dir container
+ local -a fstab mnt_dirs
+ checkvars containers_dir svscan_dir image_name user
+ defvar fstab_extra ''
+ defvar mnt_dirs_extra ''
+ defvar container_name "$vars[image_name]"
+ container=$vars[container_name]
+
+ uid="${${(s.:.)"$(getent passwd $vars[user])"}[3]}" \
+ gid="${${(s.:.)"$(getent group $vars[user])"}[3]}" \
+
+ require fs_d filename=$vars[containers_dir]/user/$vars[user]
+ require fs_m filename=$vars[containers_dir]/user/$vars[user] mode=751
+ require fs_o filename=$vars[containers_dir]/user/$vars[user] owner=0:$gid
+
+ container_user_dir=$vars[containers_dir]/user/$vars[user]/$container
+ require fs_d filename=$container_user_dir
+ require fs_m filename=$container_user_dir mode=751
+ require fs_o filename=$container_user_dir owner=0:$gid
+
+ require fs_d filename=$container_user_dir/root
+
+ require fs_d filename=$vars[containers_dir]/home/$vars[user]
+ require fs_m filename=$vars[containers_dir]/home/$vars[user] mode=751
+ require fs_o filename=$vars[containers_dir]/home/$vars[user] owner=0:$gid
+
+ require fs_l filename=$vars[containers_dir]/home/$vars[user]/$container \
+ destination=../../user/$vars[user]/$container/home/$vars[user]
+
+ mnt_dirs=( ns $=vars[mnt_dirs_extra] )
+
+ fstab=(
+ $vars[containers_dir]/systems/$vars[image_name]$'\t'$container_user_dir/root$'\tnone\tbind,ro,nosuid,nodev\t0 0'
+ $container_user_dir/home$'\t'$container_user_dir/root/home$'\tnone\tbind,nosuid,nodev\t0 0'
+ /run/containers/$container.$vars[user]/run$'\t'$container_user_dir/root/run$'\tnone\tbind,nosuid,nodev\t0 0'
+ /run/containers/$container.$vars[user]/tmp$'\t'$container_user_dir/root/tmp$'\tnone\tbind,nosuid,nodev\t0 0'
+ /run/containers/$container.$vars[user]/mnt$'\t'$container_user_dir/root/mnt$'\tnone\tbind,ro,nosuid,nodev\t0 0'
+ "${(f@)vars[fstab_extra]}"
+ )
+
+ svc_dir=$vars[svscan_dir]/container.$container.$vars[user]
+ require container_service_preset preset=generic \
+ svc_dir=$svc_dir control_user=$uid control_group=$gid \
+ log_dir=/run/container-logs/$container.$vars[user] \
+ log_uid=0 log_gid=$gid \
+ root_link=$container_user_dir/root \
+ fstab=${(F)fstab} \?down \?fstab_post \
+ \?prepare_chroot \?pid1_exec
+ require fs_d filename=$svc_dir/env
+ require fs_contentnl filename=$svc_dir/env/CONTAINER_USER \
+ content=$vars[user]
+ require fs_contentnl filename=$svc_dir/env/CONTAINER_NAME \
+ content=$container
+ require fs_contentnl filename=$svc_dir/env/CONTAINER_MNT_DIRS \
+ content="$mnt_dirs"
+}
+
confz_container_service_generic_check() {
local uid gid container_user_dir svc_dir log_dir container
local -a fstab mnt_dirs
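Review bot: The `uid=`/`gid=` lookups at the top of `confz_container_service_ephemeral_check` have no failure check, so an unknown user leaves both empty and the function goes on to `owner=0:$gid`, `control_user=$uid` and `log_gid=$gid` with blank values; the same commit adds `container_get_uid`/`container_get_gid` and a `die` path in `confz_container_uidgid_for_name_check` but does not use them here. Replace the two assignments with `uid=$(container_get_uid $vars[user]) || die "Could not determine uid for user ${(qqq)vars[user]}"` and the matching gid line. The trailing backslash on the `gid=` line also continues the statement onto the blank line that follows; dropping both backslashes makes the two assignments ordinary separate statements. `confz_container_service_generic_check` at the bottom of the hunk continues outside it.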
diff --git a/zsh-functions/confz_site_containers_init b/zsh-functions/confz_site_containers_init
@@ -70,14 +70,37 @@ confz_site_containers_xorg_check() {
done
}
+# User Container
+UC() {
+ local container image
+ container=$1
+ image=${2:-$1}
+ shift 2
+ require site_containers_usersvc_simple \
+ :containers_dir :svscan_dir :user :uid :gid \
+ container_name=$container image_name=$image "$@"
+}
+
+UCa() {
+ local container=$1
+ shift
+ UC $1 alpine-$1
+}
+
+UCv() {
+ local container=$1
+ shift
+ UC $1 void-$1
+}
confz_site_containers_user_check() {
checkvars containers_dir svscan_dir user
local display container param bind bind_dir bindroot chome uid gid
local -a fstab
+ require container_uidgid_for_name name=$vars[user] %uid %gid
bind=$'\tnone\tbind,nosuid,nodev\t0 0'
- uid="${${(s.:.)"$(getent passwd $vars[user])"}[3]}" \
- gid="${${(s.:.)"$(getent group $vars[user])"}[3]}" \
+ #uid="${${(s.:.)"$(getent passwd $vars[user])"}[3]}" \
+ #gid="${${(s.:.)"$(getent group $vars[user])"}[3]}" \
for display in 5 6 7 8; do
require container_service_xsession \
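Review bot: `UCa` and `UCv` pass the wrong argument to `UC`: after `shift`, `$1` is no longer the container name but the first extra option, or nothing at all, which zsh drops from an unquoted expansion, so `UCa gpg $with_usb $in_netns` becomes `UC <prepare_chroot=…> alpine-<prepare_chroot=…>` and `UCa weechat` becomes `UC alpine-`. Use the saved local and forward the remaining options: `UC $container alpine-$container "$@"` (and `void-` likewise). `UC` itself runs `shift 2` even when called with one argument, which zsh rejects with "shift count must be <= $#" without shifting, so the container name is forwarded again as a bare positional; `shift $(( $# > 1 ? 2 : 1 ))` avoids that. `confz_site_containers_user_check` continues past the end of the hunk.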
@@ -85,7 +108,7 @@ confz_site_containers_user_check() {
:containers_dir :svscan_dir :user
done
- local -a netns=(
+ local -a el_netns=(
"#!$(which execlineb) -S0"
'unshare -n # make new network namespace'
'if { ip addr add 127.0.0.1/8 dev lo }'
@@ -93,54 +116,40 @@ confz_site_containers_user_check() {
'if { ip link set lo up }'
'$@'
)
+ local in_netns=pid1_exec=${(F)netns}
- local -a mount_usb_devices=(
+ local -a el_mount_usb_devices=(
"#!$(which execlineb) -P"
'if { mount -o bind,ro /dev/bus/usb dev/bus/usb }'
'mount -t sysfs sysfs sys'
)
-
- local -A container_img=(
- {,}alpine-browsers
- {,}pentoo
- {,alpine-}weechat
- {,alpine-}senpai
- {,alpine-}profanity
- {,alpine-}gomuks
- {,alpine-}mail
- {,alpine-}testssl
- {,alpine-}tor
- {,alpine-}ssh
- {,alpine-}socials
- gpg $'alpine-gpg\0prepare_chroot='${(F)mount_usb_devices}$'\0pid1_exec='${(F)netns}
- {,void-}signal
- {,void-}telegram
- recombee-browser void-browsers
- te2000-browser void-browsers
- twitch void-browsers
- neonmodem alpine-go
- simplex alpine-haskell
- bzr $'alpine-breezy\0mount_rw=ccx-bzr\0pid1_exec='${(F)netns}
- spark $'alpine-dev-spark\0mount_rw=ccx-bzr ccx-git'
- sndiod $'alpine-sndio\0container_type=alsa'
- mpd $'void-mpd\0mount_ro=init audio'
- alpine-recombee $'alpine-recombee\0mount_rw=ccx-git-recombee'
- xpra $'gentoo-xorg\0pid1_exec='${(F)netns}
- )
- for container param in ${(kv)container_img}; do
- require site_containers_usersvc_simple \
- :containers_dir :svscan_dir :user uid=$uid gid=$gid \
- container_name=$container image_name=${(0)param}
- done
-
- # local -a generic=(
- # alpine-{browsers,ssh,socials} # ,office}
- # void-signal
- # void-telegram
- # # void-games
- # # nix-signal
- # pentoo
- # )
+ local with_usb=prepare_chroot=${(F)mount_usb_devices}
+
+ UC alpine-browsers
+ UC pentoo
+ UCa weechat
+ UCa senpai
+ UCa profanity
+ UCa gomuks
+ UCa mail
+ UCa testssl
+ UCa tor
+ UCa ssh
+ UCa socials
+ UCa gpg $with_usb $in_netns
+ UCv signal
+ UCv telegram
+ UC recombee-browser void-browsers
+ UC te2000-browser void-browsers
+ UC twitch void-browsers
+ UC neonmodem alpine-go
+ UC simplex alpine-haskell
+ UC xpra gentoo-xorg container_type=ephemeral $in_netns
+ UC bzr alpine-breezy mount_rw=ccx-bzr $in_netns
+ UC spark alpine-dev-spark mount_rw="ccx-bzr ccx-git"
+ UC sndiod alpine-sndio container_type=alsa
+ UC mpd void-mpd mount_ro="init audio"
+ UC {,}alpine-recombee mount_rw=ccx-git-recombee
# container=alpine-dev
# bindroot=$vars[containers_dir]/user/$vars[user]/$container/root
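Review bot: `in_netns` and `with_usb` are built from `${(F)netns}` and `${(F)mount_usb_devices}`, but this commit renames those arrays to `el_netns` and `el_mount_usb_devices`, so both expand to empty (zsh gives an unset parameter an empty value unless `nounset` is on) and `UCa gpg $with_usb $in_netns`, `UC xpra … $in_netns` and `UC bzr … $in_netns` now receive bare `prepare_chroot=` and `pid1_exec=`. Before this commit the gpg, bzr and xpra entries passed the `unshare -n` execline script directly, so those three containers silently lose their private network namespace, and gpg its USB/sysfs mounts, unless the preset treats an empty `pid1_exec` as an error. Fix the two definitions: `local in_netns=pid1_exec=${(F)el_netns}` and `local with_usb=prepare_chroot=${(F)el_mount_usb_devices}`. `confz_site_containers_user_check` continues beyond the end of the hunk.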