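#!/command/execlineb -P
# s6 service run script: starts one container for CONTAINER_USER.
# execline chain-loads, so every command below execs into the rest of the
# script and the order of the steps is significant:
#   1. read settings from ./env and resolve the optional hooks under ./data
#   2. move this process into a per-container cgroup (when /run/cgroup exists)
#   3. rebuild the scratch tree under /run/containers/
#   4. unshare mount/UTS/IPC namespaces, run the user's container-setup hook
#   5. enter data/root via ns_run_unshared, drop privileges, load the seccomp
#      profile and exec the container's init
#
# NOTE(review): CONTAINER_NAME, CONTAINER_USER and CONTAINER_SECCOMP_PROFILE
# are spliced into paths that root removes, creates and chowns. This assumes
# ./env is writable only by the administrator and that the values contain no
# '/' or '..' components -- confirm.

# Make stderr a copy of stdout so both end up in the same log.
fdmove -c 2 1

s6-envdir env
multisubstitute {
  # -i: refuse to start when the variable is missing; -u: drop it from the
  # environment once substituted so it is not inherited further down.
  importas -i -u CONTAINER_NAME CONTAINER_NAME
  importas -i -u CONTAINER_USER CONTAINER_USER
  importas -i -u CONTAINER_CAPS CONTAINER_CAPS
}
backtick -in CONTAINER_USER_HOME { homeof $CONTAINER_USER }
# Optional hooks: use the absolute path of data/prepare_chroot and
# data/pid1_exec when they are executable, else the no-op defaults given by -D
# ("true" and "exec").
backtick -D "true" PREPARE_CHROOT { if { test -x data/prepare_chroot } realpath data/prepare_chroot }
backtick -D "exec" PID1_EXEC { if { test -x data/pid1_exec } realpath data/pid1_exec }
multisubstitute {
  importas -i -u CONTAINER_USER_HOME CONTAINER_USER_HOME
  define CONTAINER_TMPFS /run/containers/${CONTAINER_NAME}.${CONTAINER_USER}
  # -s splits the value into words, so every path that uses ${tmpfs_dirs}
  # expands to one argument per directory.
  define -s tmpfs_dirs "home run tmp run/inbox run/shm tmp/.X11-unix"
  importas -D ns -s -C -u CONTAINER_MNT_DIRS CONTAINER_MNT_DIRS
  importas -i -u PREPARE_CHROOT PREPARE_CHROOT
  importas -i -u PID1_EXEC PID1_EXEC
  importas -D default -u CONTAINER_SECCOMP_PROFILE CONTAINER_SECCOMP_PROFILE
}

# Write our own PID into the container's cgroup.procs. The whole step runs
# under foreground, so a missing /run/cgroup or a failed write does not stop
# the launch.
getpid NS_PID
foreground {
  importas -i NS_PID NS_PID
  if { test -d /run/cgroup }
  if { mkdir -p /run/cgroup/containers/${CONTAINER_USER}/${CONTAINER_NAME} }
  redirfd -w 1 /run/cgroup/containers/${CONTAINER_USER}/${CONTAINER_NAME}/cgroup.procs
  printf "%s" ${NS_PID}
}
unexport NS_PID
export HOST ${CONTAINER_NAME}

# Start from an empty scratch tree on every launch.
if { rm -rf ${CONTAINER_TMPFS} }
# Log the mkdir command line that is about to run, one quoted word per
# argument, followed by a newline.
foreground { printf " '%s'" mkdir -p ${CONTAINER_TMPFS}/${tmpfs_dirs} ${CONTAINER_TMPFS}/mnt/${CONTAINER_MNT_DIRS} }
foreground { echo }
if { mkdir -p ${CONTAINER_TMPFS}/${tmpfs_dirs} ${CONTAINER_TMPFS}/mnt/${CONTAINER_MNT_DIRS} }

# Create default resolv.conf
# This is done before run/ is handed to the container user's group below:
# redirfd -w and chown both follow symlinks, so root must not create and chown
# a file inside a directory that the less privileged user can already write to.
if { redirfd -w 1 ${CONTAINER_TMPFS}/run/resolv.conf printf "nameserver 127.0.0.1\n" }
if { chown ${CONTAINER_USER}:${CONTAINER_USER} ${CONTAINER_TMPFS}/run/resolv.conf }

# Only now make the scratch directories group-writable (sticky, no access for
# others) for the container user's group.
if { chmod 1770 ${CONTAINER_TMPFS}/${tmpfs_dirs} }
if { chown root:${CONTAINER_USER} ${CONTAINER_TMPFS}/${tmpfs_dirs} }

# Put UID/GID/GIDLIST into environment for use by applyuidgid-caps below
s6-envuidgid ${CONTAINER_USER}

unshare -m -u -i # new mount, UTS and IPC namespaces

# Either the plain "exec" default or the data/pid1_exec hook; presumably the
# hook chain-loads into the rest of this script -- confirm against the hook.
$PID1_EXEC

# Run user's setup script (optional)
# The script lives in the user's home and is therefore user-controlled; it is
# run through applyuidgid-caps with an empty -U argument, presumably an empty
# capability set -- confirm against applyuidgid-caps. The outer "if" aborts the
# launch when the script fails.
if {
  ifelse { test -x ${CONTAINER_USER_HOME}/container-setup } {
    env HOME=${CONTAINER_USER_HOME} USER=${CONTAINER_USER}
    applyuidgid-caps -U ""
    ${CONTAINER_USER_HOME}/container-setup ${CONTAINER_TMPFS} ${CONTAINER_NAME}
  }
}

# Diagnostic only: foreground ignores the exit status, so a missing profile is
# merely reported here and does not stop the launch at this point.
# NOTE(review): this lists ./mnt/ns/bin relative to the service directory,
# while the filter is later loaded from /mnt/ns/bin inside the new root;
# presumably the same files -- confirm.
foreground { printf "Seccomp profile to be used:" }
foreground {
  ls -lhA ./mnt/ns/bin/seccomp-${CONTAINER_SECCOMP_PROFILE}.bpf
}

# NOTE(review): UID/GID/GIDLIST from s6-envuidgid still have to reach
# applyuidgid-caps below, so this cannot be clearing the whole environment;
# any remaining variables from ./env and HOST are presumably inherited by the
# container's init as well -- confirm that is intended.
emptyenv -c
ns_run_unshared data/root {
  # pre pivot-root commands
  # Read-only bind mounts: the container sees the host's account databases
  # but cannot modify them.
  if { mount -o bind,ro /etc/passwd ./etc/passwd }
  if { mount -o bind,ro /etc/group ./etc/group }
  $PREPARE_CHROOT
}

# This runs with changed / so use absolute paths before dropping privs
# Privileges are dropped to the container user (keeping CONTAINER_CAPS) first,
# then the seccomp filter is loaded, and only after both does any
# user-controlled program run.
/mnt/ns/bin/applyuidgid-caps -U $CONTAINER_CAPS
/mnt/ns/bin/seccomp-run /mnt/ns/bin/seccomp-${CONTAINER_SECCOMP_PROFILE}.bpf
/mnt/ns/bin/busybox env HOME=${CONTAINER_USER_HOME} USER=${CONTAINER_USER}
# Diagnostics for the log: identity of PID 1 and the mount table as seen from
# inside the container.
/mnt/ns/bin/foreground {
  /mnt/ns/bin/busybox cat /proc/1/status
}
/mnt/ns/bin/foreground {
  /mnt/ns/bin/busybox cat /proc/self/mountinfo
}
# Prefer the user's own init when it is executable; otherwise fall through to
# /mnt/init/init.
/mnt/ns/bin/ifelse { /mnt/ns/bin/busybox test -x ${CONTAINER_USER_HOME}/run/init } {
  ${CONTAINER_USER_HOME}/run/init
}
# When /mnt/init/init cannot be stat'ed, list the mount points so the log
# shows what is missing before the final exec fails.
/mnt/ns/bin/foreground {
  /mnt/ns/bin/if -n {
    /mnt/ns/bin/busybox stat /mnt/init/init
  }
  /mnt/ns/bin/busybox ls -lhA /mnt/init /mnt
}
/mnt/init/init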