mrrl-containers

confz_containers_init (64659B)

---

 #  vim: ft=zsh noet ts=4 sts=4 sw=4
 
 
 # find: ‘./event’: Permission denied
 # /	d	o0:0	m755
 # /flag-newpidns	cN		o0:0	m644
 # /data	d	o0:0	m755
 # /data/fstab
 # CN	/mnt/volumes/containers/alpine-xsession	/mnt/volumes/containers/user/ccx/xsession.6/root	none	bind,ro	0 0
 # 	/run/containers/xsession.6.ccx/run	/mnt/volumes/containers/user/ccx/xsession.6/root/run	none	bind	0 0
 # 	/run/containers/xsession.6.ccx/tmp	/mnt/volumes/containers/user/ccx/xsession.6/root/tmp	none	bind	0 0
 # 	/run/containers/xsession.6.ccx/home	/mnt/volumes/containers/user/ccx/xsession.6/root/home	none	bind	0 0
 # 	/run/containers/xsession.6.ccx/inbox	/mnt/volumes/containers/user/ccx/xsession.6/root/run/inbox	none	bind,ro	0 0
 # o0:0	m644
 # /data/root	l	/mnt/volumes/containers/user/ccx/xsession.6/root	o0:0	m777
 # /down	cN		o0:0	m644
 # /env	d	o0:0	m755
 # /env/CONTAINER_NAME	cN	xsession.6	o0:0	m644
 # /env/CONTAINER_USER	cN	ccx	o0:0	m644
 # /event	d	o0:100	m3730
 # /finish	l	/usr/local/bzr/containers/service_scripts/xsession/finish	o0:0	m777
 # /run	l	/usr/local/bzr/containers/service_scripts/xsession/run	o0:0	m777
 # /supervise	d	o0:0	m755
 # /supervise/control	p	o1000:0	m600
 # /supervise/death_tally	cN		o0:0	m644
 # /supervise/lock	cN		o1000:0	m644
 # /supervise/status	B	QAAAAF/8iBYvOSJcQAAAAF/8iBYvOSJcAAAAAAAAAAAAABQ=
 # o0:0	m644
 
 typeset -gA container_uid_cache container_gid_cache
 
 container_get_uid() {
 	if (($+container_uid_cache[$1])); then
 		printf '%s' $container_uid_cache[$1]
 		return 0
 	else
 		local uid
 		uid="${${(s.:.)"$(getent passwd $1)"}[3]}" || return $?
 		[[ -z $uid ]] && return 1
 		container_uid_cache[$1]=$uid
 		printf '%s' $uid
 		return 0
 	fi
 }
 
 container_get_gid() {
 	if (($+container_gid_cache[$1])); then
 		printf '%s' $container_gid_cache[$1]
 		return 0
 	else
 		local gid
 		gid="${${(s.:.)"$(getent group $1)"}[3]}" || return $?
 		[[ -z $gid ]] && return 1
 		container_gid_cache[$1]=$gid
 		printf '%s' $gid
 	fi
 }
 
 confz_container_uidgid_for_name_check() {
 	checkvars name
 	local uid gid
 	uid=$(container_get_uid $vars[name]) ||
 		die "Could not determine uid for user ${(qqq)vars[name]}"
 	gid=$(container_get_gid $vars[name]) ||
 		die "Could not determine gid for group ${(qqq)vars[name]}"
 	unify uid $uid
 	unify gid $gid
 }
 
 confz_container_service_check() {
 	checkvars svc_dir root_link run_link finish_link
 	defvar down true
 	defvar control_user root
 	defvar control_group root
 	defvar fstab_post ''
 
 	require fs_d flags=p filename=$vars[svc_dir]
 	require fs_m filename=$vars[svc_dir] mode=755
 
 	if $vars[down]; then
 		require fs_f filename=$vars[svc_dir]/down
 	else
 		require fs_r filename=$vars[svc_dir]/down
 	fi
 
 	require fs_f filename=$vars[svc_dir]/flag-newpidns
 
 	require fs_d filename=$vars[svc_dir]/data
 	require fs_m filename=$vars[svc_dir]/data mode=755
 
 	require fs_l filename=$vars[svc_dir]/data/root \
 		destination=$vars[root_link]
 
 	if (($+vars[fstab])); then
 		require fs_contentnl filename=$vars[svc_dir]/data/fstab \
 			content=$vars[fstab]
 		require fs_m filename=$vars[svc_dir]/data/fstab mode=644
 	else
 		require fs_r filename=$vars[svc_dir]/data/fstab
 	fi
 
 	if (($+vars[prepare_chroot])); then
 		require fs_contentnl filename=$vars[svc_dir]/data/prepare_chroot \
 			content=$vars[prepare_chroot]
 		require fs_m filename=$vars[svc_dir]/data/prepare_chroot mode=755
 	else
 		require fs_r filename=$vars[svc_dir]/data/prepare_chroot
 	fi
 
 	if (($+vars[pid1_exec])); then
 		require fs_contentnl filename=$vars[svc_dir]/data/pid1_exec \
 			content=$vars[pid1_exec]
 		require fs_m filename=$vars[svc_dir]/data/pid1_exec mode=755
 	else
 		require fs_r filename=$vars[svc_dir]/data/pid1_exec
 	fi
 
 	require fs_d filename=$vars[svc_dir]/env
 	if [[ -n $vars[fstab_post] ]]; then
 		require fs_contentnl filename=$vars[svc_dir]/env/NS_FSTAB \
 			content=$vars[svc_dir]/data/fstab_post
 		require fs_contentnl filename=$vars[svc_dir]/data/fstab_post \
 			content=$vars[fstab_post]
 	else
 		require fs_r filename=$vars[svc_dir]/env/NS_FSTAB
 		require fs_r filename=$vars[svc_dir]/data/fstab_post
 	fi
 
 	if (( $+container_ns_bin_dir )); then
 		require fs_contentnl filename=$vars[svc_dir]/env/NS_BIN \
 			content=$container_ns_bin_dir
 	else
 		require fs_r filename=$vars[svc_dir]/env/NS_BIN
 	fi
 
 	require fs_l filename=$vars[svc_dir]/run \
 		destination=$vars[run_link]
 	require fs_l filename=$vars[svc_dir]/finish \
 		destination=$vars[finish_link]
 
 	require fs_contentnl filename=$vars[svc_dir]/notification-fd \
 		content=3
 
 	require fs_d filename=$vars[svc_dir]/event
 	require fs_o filename=$vars[svc_dir]/event \
 		owner=0:$vars[control_group]
 	require fs_m filename=$vars[svc_dir]/event mode=3730
 
 	require fs_d filename=$vars[svc_dir]/supervise
 	require fs_o filename=$vars[svc_dir]/supervise \
 		owner=0:0
 	require fs_m filename=$vars[svc_dir]/supervise mode=755
 
 	require fs_pipe filename=$vars[svc_dir]/supervise/control
 	require fs_o filename=$vars[svc_dir]/supervise/control \
 		owner=$vars[control_user]:0
 	require fs_m filename=$vars[svc_dir]/supervise/control mode=600
 
 	require fs_f filename=$vars[svc_dir]/supervise/lock
 	require fs_o filename=$vars[svc_dir]/supervise/lock \
 		owner=$vars[control_user]:0
 	require fs_m filename=$vars[svc_dir]/supervise/lock mode=644
 
 	if (($+vars[log_dir])); then
 		require container_service_log :svc_dir :log_dir :log_uid :log_gid \
 			\?log_umask
 	else
 		[[ -e $vars[svc_dir]/log/supervise ]] && \
 			die "Should not have a logger but one might be running: ${(qqq)vars[svc_dir]}"
 		require fs_r flags=r filename=$vars[svc_dir]/log
 	fi
 }
 
 confz_container_service_log_check() {
 	checkvars svc_dir log_dir log_uid log_gid
 	defvar log_umask 027
 
 	local -a runscript=(
 		'#!/command/execlineb -P'
 		"if { mkdir -p ${(qqq)vars[log_dir]} }"
 		"if { chmod $(( [##8] 8#777 ^ 8#$vars[log_umask] )) ${(qqq)vars[log_dir]} }"
 		"umask $vars[log_umask]"
 		"if { chown -R $vars[log_uid]:$vars[log_gid] ${(qqq)vars[log_dir]} }"
 		"s6-setuidgid $vars[log_uid]:$vars[log_gid]"
 		"s6-log -b -- p${vars[svc_dir]:t} t ${(qqq)vars[log_dir]}"
 	)
 
 	require fs_d filename=$vars[svc_dir]/log
 	require fs_m filename=$vars[svc_dir]/log mode=755
 	require fs_contentnl filename=$vars[svc_dir]/log/run \
 		content="${(F)runscript}"
 	require fs_m filename=$vars[svc_dir]/log/run mode=755
 	require fs_o filename=$vars[svc_dir]/log/run owner=0:0
 }
 
 confz_container_service_preset_check() {
 	local preset_dir=$container_service_script_dir
 	checkvars svc_dir preset root_link
 	[[ -x $preset_dir/$vars[preset]/run ]] || die "not an executable file: $preset_dir/$vars[preset]/run"
 	[[ -x $preset_dir/$vars[preset]/finish ]] || die "not an executable file: $preset_dir/$vars[preset]/finish"
 	require container_service \
 		run_link=$preset_dir/$vars[preset]/run \
 		finish_link=$preset_dir/$vars[preset]/finish \
 		:svc_dir :root_link \?fstab \?down \?control_user \?control_group \?fstab_post \
 		\?log_dir \?log_uid \?log_gid \?prepare_chroot \?pid1_exec
 }
 () {
 	(($+container_service_script_dir)) && return
 	local d=$functions_source[confz_container_service_preset_check]:A:h:h/service_scripts
 	if [[ -d $d ]]; then
 		typeset -g container_service_script_dir=$d
 	fi
 }
 
 confz_container_group_check() {
 	checkvars group_name
 	local gid="${${(s.:.)"$(getent group $vars[group_name])"}[3]}"
 	if [[ -z $gid ]]; then
 		fail_reason="getent returns no GID for group ${(qqq)vars[group_name]}"
 		return 1
 	fi
 	unify gid "$gid"
 }
 confz_container_group_do() {
 	addgroup "$vars[group_name]" || return $?
 	local gid="${${(s.:.)"$(getent group $vars[group_name])"}[3]}"
 	if [[ -z $gid ]]; then
 		fail_reason="getent returns no GID for group ${(qqq)vars[group_name]}"
 		return 1
 	fi
 	unify gid "$gid"
 }
 
 confz_container_user_check() {
 	checkvars user_name gid homedir
 	local -A uids
 	local -a entry
 	local line name
 	</etc/passwd while IFS= read line; do
 		entry=( "${${(s.:.)line}[@]}" )
 		# name:password:UID:GID:GECOS:directory:shell
 		# 1   :2       :3  :4  :5    :6        :7
 		if [[ $entry[1] == $vars[user_name] ]]; then
 			unify uid "$entry[3]"
 			unify gid "$entry[4]"
 			unify homedir "$entry[6]"
 			return 0
 		fi
 		uids[${entry[3]}]=$entry[1]
 	done
 	# name not found
 	if (($+vars[uid])); then
 		if (($+uids[${vars[uid]}])); then
 			die "UID ${vars[uid]} already assigned to user ${(qqq)vars[user_name]}"
 		else
 			return 1
 		fi
 	fi
 	# UID not set, pick unused one
 	local n
 	for n in {1000..2000}; do
 		(($+uids[$n])) && continue
 		unify uid $n
 		return 1
 	done
 	die "Could not find unassigned UID for user ${(qqq)vars[user_name]}"
 }
 confz_container_user_do() {
 	printf >>/etc/passwd "%s:x:%s:%s:container root:%s:/bin/sh\n" \
 		"$vars[user_name]" "$vars[uid]" "$vars[gid]" "$vars[homedir]"
 }
 
 confz_container_sysroot_user_check() {
 	checkvars containers_dir image_name
 	unify sysroot_user container-$vars[image_name]
 	unify sysroot_group container-$vars[image_name]
 	require container_group group_name=$vars[sysroot_group] %gid
 	require container_user user_name=$vars[sysroot_user] %uid :gid \
 		homedir=$vars[containers_dir]/systems/root
 }
 
 confz_container_image_layout_check() {
 	checkvars containers_dir image_name
 
 	unify root $vars[containers_dir]/systems/$vars[image_name]
 
 	require container_sysroot_user :containers_dir :image_name \
 		%uid %gid %sysroot_user %sysroot_group
 }
 confz_container_image_layout_svc_check() {
 	checkvars containers_dir svscan_dir image_name
 	unify sysroot_svc $vars[svscan_dir]/container.$vars[image_name].sysroot
 	require container_image_layout :containers_dir :image_name \
 		%root %uid %gid %sysroot_user %sysroot_group
 }
 
 confz_container_image_owner_check() {
 	checkvars containers_dir image_name uid gid
 	do_command=(
 		chown -R $vars[uid]:$vars[gid] $vars[containers_dir]/systems/$vars[image_name]
 	)
 	local -A stat_info
 	zstat -H stat_info $vars[containers_dir]/systems/$vars[image_name] \
 		|| die "Could not stat container directory."
 	[[ $stat_info[uid] == $vars[uid] && $stat_info[gid] == $vars[gid] ]]
 }
 
 confz_container_image_user_uid_gid_check() {
 	checkvars containers_dir image_name uid gid
 	defvar user root
 	local user_bre=${vars[user]//(#b)([\[\]\\.*^$])/\\$match[1]}
 	do_command=(
 		sed -i "s/^$user_bre:\([^:]*\):[^:]*:[^:]*:/${vars[user]}:\1:${vars[uid]}:${vars[gid]}:/" $vars[containers_dir]/systems/$vars[image_name]/etc/passwd
 	)
 	grep -qe "^$user_bre:[^:]*:${vars[uid]}:${vars[gid]}:" $vars[containers_dir]/systems/$vars[image_name]/etc/passwd
 }
 
 confz_container_image_group_gid_check() {
 	checkvars containers_dir image_name gid
 	defvar group root
 	local -a entry
 	local line
 	<$vars[containers_dir]/systems/$vars[image_name]/etc/group while IFS= read line; do
 		entry=( "${${(s.:.)line}[@]}" )
 		# name:password:GID:user_list
 		# 1   :2       :3  :4
 		if [[ $entry[1] == $vars[group] ]]; then
 			if [[ $vars[gid] == $entry[3] ]]; then
 				return 0
 			fi
 			unify previous_gid $entry[3]
 			return 1
 		fi
 	done
 	# group not found
 	return 1
 }
 confz_container_image_group_gid_do() {
 	local group_bre=${vars[group]//(#b)([\[\]\\.*^$])/\\$match[1]}
 	if (($+vars[previous_gid])); then
 		sed -i 's|^\([^:]*:[^:]*:[^:]*\):'"${vars[previous_gid]}:|\1:${vars[gid]}:|" $vars[containers_dir]/systems/$vars[image_name]/etc/passwd || die
 		sed -i "s|^\\($group_bre:[^:]*\\):[^:]*:|\1:${vars[gid]}:|" $vars[containers_dir]/systems/$vars[image_name]/etc/group || die
 	else
 		printf '%s:x:%s:\n' $vars[group] $vars[gid] >>$vars[containers_dir]/systems/$vars[image_name]/etc/group || die
 	fi
 }
 
 confz_container_service_sysroot_check() {
 	local uid gid svc_dir container container_user_dir
 	local -a fstab
 	checkvars containers_dir svscan_dir image_name
 	defvar fstab_extra ''
 	defvar container_name "$vars[image_name]"
 	container=$vars[container_name]
 
 	require container_image_layout_svc \
 		:containers_dir :svscan_dir :image_name \
 		%uid %gid %sysroot_svc %root %sysroot_user %sysroot_group
 
 	require fs_d filename=$vars[containers_dir]/systems/$vars[image_name]
 	require container_image_owner :uid :gid :containers_dir :image_name
 
 	require fs_d filename=$vars[containers_dir]/user/sysroot
 	require fs_m filename=$vars[containers_dir]/user/sysroot mode=751
 	require fs_o filename=$vars[containers_dir]/user/sysroot owner=0:0
 
 	container_user_dir=$vars[containers_dir]/user/sysroot/$container
 	require fs_d filename=$container_user_dir
 	require fs_m filename=$container_user_dir mode=751
 	require fs_o filename=$container_user_dir owner=0:0
 
 	require fs_d filename=$container_user_dir/root
 
 	# require fs_d filename=$vars[containers_dir]/home/sysroot
 	# require fs_m filename=$vars[containers_dir]/home/sysroot mode=751
 	# require fs_o filename=$vars[containers_dir]/home/sysroot owner=0:$gid
 
 	# require fs_l filename=$vars[containers_dir]/home/sysroot/$container \
 	# 	destination=../../user/sysroot/$container/root/home/sysroot
 
 	fstab=(
 		$vars[containers_dir]/systems/$vars[image_name]$'\t'$container_user_dir/root$'\tnone\tbind,nosuid,nodev\t0 0'
 		# /run/containers/$container.sysroot/home$'\t'$container_user_dir/root/home$'\tnone\tbind,nosuid,nodev\t0 0'
 		/run/containers/$container.sysroot/run$'\t'$container_user_dir/root/run$'\tnone\tbind,nosuid,nodev\t0 0'
 		# /run/containers/$container.sysroot/tmp$'\t'$container_user_dir/root/tmp$'\tnone\tbind,nosuid,nodev\t0 0'
 		"${(f@)vars[fstab_extra]}"
 	)
 
 	require container_service_preset preset=sysroot \
 		svc_dir=$vars[sysroot_svc] control_user=$vars[uid] control_group=$vars[gid] \
 		root_link=$container_user_dir/root \
 		fstab=${(F)fstab} \?down \?fstab_post
 	require fs_d filename=$vars[sysroot_svc]/env
 	require fs_contentnl filename=$vars[sysroot_svc]/env/CONTAINER_USER \
 		content=container-$vars[image_name]
 	require fs_contentnl filename=$vars[sysroot_svc]/env/CONTAINER_NAME \
 		content=$container
 }
 
 confz_container_service_ephemeral_check() {
 	local uid gid container_user_dir svc_dir log_dir container
 	local -a fstab mnt_dirs
 	checkvars containers_dir svscan_dir image_name user
 	defvar seccomp_profile 'default'
 	defvar linux_caps ''
 	defvar fstab_extra ''
 	defvar mnt_dirs_extra ''
 	defvar container_name "$vars[image_name]"
 	container=$vars[container_name]
 
 	uid="${${(s.:.)"$(getent passwd $vars[user])"}[3]}" \
 	gid="${${(s.:.)"$(getent group $vars[user])"}[3]}" \
 
 	require fs_d filename=$vars[containers_dir]/user/$vars[user]
 	require fs_m filename=$vars[containers_dir]/user/$vars[user] mode=751
 	require fs_o filename=$vars[containers_dir]/user/$vars[user] owner=0:$gid
 
 	container_user_dir=$vars[containers_dir]/user/$vars[user]/$container
 	require fs_d filename=$container_user_dir
 	require fs_m filename=$container_user_dir mode=751
 	require fs_o filename=$container_user_dir owner=0:$gid
 
 	require fs_d filename=$container_user_dir/root
 
 	require fs_d filename=$vars[containers_dir]/home/$vars[user]
 	require fs_m filename=$vars[containers_dir]/home/$vars[user] mode=751
 	require fs_o filename=$vars[containers_dir]/home/$vars[user] owner=0:$gid
 
 	require fs_l filename=$vars[containers_dir]/home/$vars[user]/$container \
 		destination=../../user/$vars[user]/$container/home/$vars[user]
 
 	mnt_dirs=( ns $=vars[mnt_dirs_extra] )
 
 	local src dst rw
 	local -a bind_mounts pid1_el_lines
 	bind_mounts=(
 		$vars[containers_dir]/systems/$vars[image_name]
 		$container_user_dir/root
 		ro
 
 		/run/containers/$container.$vars[user]/home
 		$container_user_dir/root/home
 		rw
 
 		/run/containers/$container.$vars[user]/run
 		$container_user_dir/root/run
 		rw
 
 		/run/containers/$container.$vars[user]/tmp
 		$container_user_dir/root/tmp
 		rw
 
 		/run/containers/$container.$vars[user]/mnt
 		$container_user_dir/root/mnt
 		rw
 	)
 
 	pid1_el_lines=( "#!$(which execlineb) -S0" )
 	for src dst rw in "$bind_mounts[@]"; do
 		fstab+=( $src$'\t'$dst$'\tnone\tbind,'$rw$',nosuid,nodev,slave\t0 0' )
 		src_el=\"${${src//\\/\\\\}//\"/\\\"}\"
 		dst_el=\"${${dst//\\/\\\\}//\"/\\\"}\"
 		pid1_el_lines+=(
 			"if { s6-mount -o bind,$rw,nodev,nosuid,slave $src_el $dst_el }"
 			"if { s6-mount -o remount,bind,$rw,nodev,nosuid . $dst_el }"
 		)
 	done
 
 	fstab+=( "${(f@)vars[fstab_extra]}" )
 	(($+vars[pid1_el])) && pid1_el_lines+=( $vars[pid1_el] )
 	pid1_el_lines+=( '$@' )
 
 	svc_dir=$vars[svscan_dir]/container.$container.$vars[user]
 	require container_service_preset preset=generic \
 		svc_dir=$svc_dir control_user=$uid control_group=$gid \
 		log_dir=/run/container-logs/$container.$vars[user] \
 		log_uid=0 log_gid=$gid \
 		root_link=$container_user_dir/root \
 		fstab=${(F)fstab} \?down \?fstab_post \
 		\?prepare_chroot pid1_exec=${(F)pid1_el_lines}
 	require fs_d filename=$svc_dir/env
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_USER \
 		content=$vars[user]
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_NAME \
 		content=$container
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_MNT_DIRS \
 		content="$mnt_dirs"
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_CAPS \
 		content=$vars[linux_caps]
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_SECCOMP_PROFILE \
 		content=$vars[seccomp_profile]
 }
 
 confz_container_service_generic_check() {
 	local uid gid container_user_dir svc_dir log_dir container
 	local -a fstab mnt_dirs
 	checkvars containers_dir svscan_dir image_name user
 	defvar seccomp_profile 'default'
 	defvar linux_caps ''
 	defvar fstab_extra ''
 	defvar mnt_dirs_extra ''
 	defvar container_name "$vars[image_name]"
 	container=$vars[container_name]
 
 	uid="${${(s.:.)"$(getent passwd $vars[user])"}[3]}" \
 	gid="${${(s.:.)"$(getent group $vars[user])"}[3]}" \
 
 	require fs_d filename=$vars[containers_dir]/user/$vars[user]
 	require fs_m filename=$vars[containers_dir]/user/$vars[user] mode=751
 	require fs_o filename=$vars[containers_dir]/user/$vars[user] owner=0:$gid
 
 	container_user_dir=$vars[containers_dir]/user/$vars[user]/$container
 	require fs_d filename=$container_user_dir
 	require fs_m filename=$container_user_dir mode=751
 	require fs_o filename=$container_user_dir owner=0:$gid
 
 	require fs_d filename=$container_user_dir/root
 
 	require fs_d filename=$container_user_dir/home
 	require fs_m filename=$container_user_dir/home mode=751
 	require fs_o filename=$container_user_dir/home owner=0:$gid
 
 	require fs_d filename=$container_user_dir/home/$vars[user]
 	require fs_o filename=$container_user_dir/home/$vars[user] owner=$uid:$gid
 
 	require fs_d filename=$vars[containers_dir]/home/$vars[user]
 	require fs_m filename=$vars[containers_dir]/home/$vars[user] mode=751
 	require fs_o filename=$vars[containers_dir]/home/$vars[user] owner=0:$gid
 
 	require fs_l filename=$vars[containers_dir]/home/$vars[user]/$container \
 		destination=../../user/$vars[user]/$container/home/$vars[user]
 
 	mnt_dirs=( ns $=vars[mnt_dirs_extra] )
 
 	local src dst rw
 	local -a bind_mounts pid1_el_lines
 	bind_mounts=(
 		$vars[containers_dir]/systems/$vars[image_name]
 		$container_user_dir/root
 		ro
 
 		$container_user_dir/home
 		$container_user_dir/root/home
 		rw
 
 		/run/containers/$container.$vars[user]/run
 		$container_user_dir/root/run
 		rw
 
 		/run/containers/$container.$vars[user]/tmp
 		$container_user_dir/root/tmp
 		rw
 
 		/run/containers/$container.$vars[user]/mnt
 		$container_user_dir/root/mnt
 		rw
 	)
 
 	pid1_el_lines=( "#!$(which execlineb) -S0" )
 	for src dst rw in "$bind_mounts[@]"; do
 		fstab+=( $src$'\t'$dst$'\tnone\tbind,'$rw$',nosuid,nodev,slave\t0 0' )
 		src_el=\"${${src//\\/\\\\}//\"/\\\"}\"
 		dst_el=\"${${dst//\\/\\\\}//\"/\\\"}\"
 		pid1_el_lines+=(
 			"if { s6-mount -o bind,$rw,nodev,nosuid,slave $src_el $dst_el }"
 			"if { s6-mount -o remount,bind,$rw,nodev,nosuid . $dst_el }"
 		)
 	done
 
 	fstab+=( "${(f@)vars[fstab_extra]}" )
 	(($+vars[pid1_el])) && pid1_el_lines+=( $vars[pid1_el] )
 	pid1_el_lines+=( '$@' )
 
 	svc_dir=$vars[svscan_dir]/container.$container.$vars[user]
 	require container_service_preset preset=generic \
 		svc_dir=$svc_dir control_user=$uid control_group=$gid \
 		log_dir=/run/container-logs/$container.$vars[user] \
 		log_uid=0 log_gid=$gid \
 		root_link=$container_user_dir/root \
 		fstab=${(F)fstab} \?down \?fstab_post \
 		\?prepare_chroot pid1_exec=${(F)pid1_el_lines}
 	require fs_d filename=$svc_dir/env
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_USER \
 		content=$vars[user]
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_NAME \
 		content=$container
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_MNT_DIRS \
 		content="$mnt_dirs"
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_CAPS \
 		content=$vars[linux_caps]
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_SECCOMP_PROFILE \
 		content=$vars[seccomp_profile]
 }
 
 confz_container_service_alsa_check() {
 	local uid gid container_user_dir svc_dir container
 	local -a fstab
 	checkvars containers_dir svscan_dir image_name user
 	defvar fstab_extra ''
 	defvar container_name "$vars[image_name]"
 	container=$vars[container_name]
 
 	uid="${${(s.:.)"$(getent passwd $vars[user])"}[3]}" \
 	gid="${${(s.:.)"$(getent group $vars[user])"}[3]}" \
 
 	require fs_d filename=$vars[containers_dir]/user/$vars[user]
 	require fs_m filename=$vars[containers_dir]/user/$vars[user] mode=751
 	require fs_o filename=$vars[containers_dir]/user/$vars[user] owner=0:$gid
 
 	container_user_dir=$vars[containers_dir]/user/$vars[user]/$container
 	require fs_d filename=$container_user_dir
 	require fs_m filename=$container_user_dir mode=751
 	require fs_o filename=$container_user_dir owner=0:$gid
 
 	require fs_d filename=$container_user_dir/root
 
 	require fs_d filename=$container_user_dir/home
 	require fs_m filename=$container_user_dir/home mode=751
 	require fs_o filename=$container_user_dir/home owner=0:$gid
 
 	require fs_d filename=$container_user_dir/home/$vars[user]
 	require fs_o filename=$container_user_dir/home/$vars[user] owner=$uid:$gid
 
 	require fs_d filename=$vars[containers_dir]/home/$vars[user]
 	require fs_m filename=$vars[containers_dir]/home/$vars[user] mode=751
 	require fs_o filename=$vars[containers_dir]/home/$vars[user] owner=0:$gid
 
 	require fs_l filename=$vars[containers_dir]/home/$vars[user]/$container \
 		destination=../../user/$vars[user]/$container/home/$vars[user]
 
 	fstab=(
 		$vars[containers_dir]/systems/$vars[image_name]$'\t'$container_user_dir/root$'\tnone\tbind,ro,nosuid,nodev\t0 0'
 		$container_user_dir/home$'\t'$container_user_dir/root/home$'\tnone\tbind,nosuid,nodev\t0 0'
 		/run/containers/$container.$vars[user]/run$'\t'$container_user_dir/root/run$'\tnone\tbind,nosuid,nodev\t0 0'
 		/run/containers/$container.$vars[user]/tmp$'\t'$container_user_dir/root/tmp$'\tnone\tbind,nosuid,nodev\t0 0'
 		"${(f@)vars[fstab_extra]}"
 	)
 
 	svc_dir=$vars[svscan_dir]/container.$container.$vars[user]
 	require container_service_preset preset=alsa \
 		svc_dir=$svc_dir control_user=$uid control_group=$gid \
 		log_dir=/run/container-logs/$container.$vars[user] \
 		log_uid=0 log_gid=$gid \
 		root_link=$container_user_dir/root \
 		fstab=${(F)fstab} \?down \?fstab_post
 	require fs_d filename=$svc_dir/env
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_USER \
 		content=$vars[user]
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_NAME \
 		content=$container
 }
 
 confz_container_service_xsession_check() {
 	local uid gid container_user_dir svc_dir container
 	local -a fstab mnt_dirs
 	checkvars containers_dir svscan_dir image_name user display_number
 	defvar fstab_extra ''
 	defvar mnt_dirs_extra ''
 	container=xsession.$vars[display_number]
 
 	uid="${${(s.:.)"$(getent passwd $vars[user])"}[3]}" \
 	gid="${${(s.:.)"$(getent group $vars[user])"}[3]}" \
 
 	require fs_d filename=$vars[containers_dir]/user/$vars[user]
 	require fs_m filename=$vars[containers_dir]/user/$vars[user] mode=751
 	require fs_o filename=$vars[containers_dir]/user/$vars[user] owner=0:$gid
 
 	container_user_dir=$vars[containers_dir]/user/$vars[user]/$container
 	require fs_d filename=$container_user_dir
 	require fs_m filename=$container_user_dir mode=751
 	require fs_o filename=$container_user_dir owner=0:$gid
 
 	require fs_d filename=$container_user_dir/root
 
 	require fs_d filename=$vars[containers_dir]/home/$vars[user]
 	require fs_m filename=$vars[containers_dir]/home/$vars[user] mode=751
 	require fs_o filename=$vars[containers_dir]/home/$vars[user] owner=0:$gid
 
 	require fs_l filename=$vars[containers_dir]/home/$vars[user]/$container \
 		destination=../../user/$vars[user]/$container/root/home/$vars[user]
 
 	mnt_dirs=( ns container-logs $=vars[mnt_dirs_extra] )
 
 	fstab=(
 		$vars[containers_dir]/systems/$vars[image_name]$'\t'$container_user_dir/root$'\tnone\tbind,ro,nosuid,nodev\t0 0'
 		/run/containers/$container.$vars[user]/home$'\t'$container_user_dir/root/home$'\tnone\tbind,nosuid,nodev\t0 0'
 		/run/containers/$container.$vars[user]/run$'\t'$container_user_dir/root/run$'\tnone\tbind,nosuid,nodev\t0 0'
 		/run/containers/$container.$vars[user]/tmp$'\t'$container_user_dir/root/tmp$'\tnone\tbind,nosuid,nodev\t0 0'
 		/run/containers/$container.$vars[user]/mnt$'\t'$container_user_dir/root/mnt$'\tnone\tbind,ro,nosuid,nodev\t0 0'
 		/run/container-logs$'\t'$container_user_dir/root/mnt/container-logs$'\tnone\tbind,ro,nosuid,nodev\t0 0'
 		"${(f@)vars[fstab_extra]}"
 	)
 
 	svc_dir=$vars[svscan_dir]/container.xsession.$vars[display_number].$vars[user]
 	require container_service_preset preset=xsession \
 		svc_dir=$svc_dir control_user=$uid control_group=$gid \
 		log_dir=/run/container-logs/$container.$vars[user] \
 		log_uid=0 log_gid=$gid \
 		root_link=$container_user_dir/root \
 		fstab=${(F)fstab} \?down \?fstab_post
 	require fs_d filename=$svc_dir/env
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_USER \
 		content=$vars[user]
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_NAME \
 		content=$container
 	require fs_contentnl filename=$svc_dir/env/DISPLAY \
 		content=:$vars[display_number]
 	require fs_contentnl filename=$svc_dir/env/vtN \
 		content=$vars[display_number]
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_MNT_DIRS \
 		content="$mnt_dirs"
 }
 
 confz_container_service_xorg_check() {
 	local uid gid container_user_dir svc_dir container
 	local -a fstab_post
 	checkvars containers_dir svscan_dir image_name vtN
 	defvar user xorg
 	defvar fstab_extra ''
 	defvar container_name "X$vars[vtN]"
 	container=$vars[container_name]
 
 	uid="${${(s.:.)"$(getent passwd $vars[user])"}[3]}" \
 	gid="${${(s.:.)"$(getent group $vars[user])"}[3]}" \
 
 	require fs_d filename=$vars[containers_dir]/user/$vars[user]
 	require fs_m filename=$vars[containers_dir]/user/$vars[user] mode=751
 	require fs_o filename=$vars[containers_dir]/user/$vars[user] owner=0:$gid
 
 	container_user_dir=$vars[containers_dir]/user/$vars[user]/$container
 	require fs_d filename=$container_user_dir
 	require fs_m filename=$container_user_dir mode=751
 	require fs_o filename=$container_user_dir owner=0:$gid
 
 	require fs_d filename=$container_user_dir/root
 
 	fstab_post=(
 		/run/containers/$container.$vars[user]/run$'\t/mnt/chroot/run\tnone\tbind,nosuid,nodev\t0 0'
 		/run/containers/$container.$vars[user]/tmp$'\t/mnt/chroot/tmp\tnone\tbind,nosuid,nodev\t0 0'
 	)
 
 	svc_dir=$vars[svscan_dir]/container.$container
 	require container_service_preset preset=xorg \
 		svc_dir=$svc_dir control_user=0 control_group=0 \
 		log_dir=/run/container-logs/$container \
 		log_uid=0 log_gid=0 \
 		root_link=$vars[containers_dir]/systems/$vars[image_name] \
 		fstab_post=${(F)fstab_post} \?down \?fstab=fstab_extra
 	require fs_d filename=$svc_dir/env
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_USER \
 		content=$vars[user]
 	require fs_contentnl filename=$svc_dir/env/CONTAINER_NAME \
 		content=$container
 	require fs_contentnl filename=$svc_dir/env/vtN \
 		content=$vars[vtN]
 }
 
 # --- new image constructor
 
 () {
 	(($+container_template_dir)) && return
 	local f d
 	for f in $^fpath/confz_containers_init*(N); do
 		d=$f:A:h:h/container_template
 		if [[ -d $d ]]; then
 			typeset -g container_template_dir=$d
 			break
 		fi
 	done
 }
 
 confz_container_template_file_check() {
 	checkvars template name root
 	defvar uid 0
 	defvar gid 0
 	defvar mode 0644
 	defvar target $vars[name]
 
 	[[ -f $container_template_dir/$vars[template]/$vars[name] ]] \
 		|| die "Template file not found: $container_template_dir/$vars[template]/$vars[name]"
 
 	[[ -f $vars[root]/$vars[target] ]] || return 1
 
 	require fs_m :mode filename=$vars[root]/$vars[target]
 	require fs_o owner=$vars[uid]:$vars[gid] filename=$vars[root]/$vars[target]
 }
 confz_container_template_file_do() {
 	cp -va $container_template_dir/$vars[template]/$vars[name] \
 		$vars[root]/$vars[target] || die
 	chown $vars[uid]:$vars[gid] $vars[root]/$vars[target] || die
 	chmod $vars[mode] $vars[root]/$vars[target] || die
 }
 
 confz_container_download_and_verify_check() {
 	checkvars containers_dir url checksum checksum_algo
 	defvar filename ${vars[url]:t}
 
 	local download_dir=$vars[containers_dir]/download-cache
 	require fs_d filename=$download_dir
 
 	(cd $download_dir &&
 		$vars[checksum_algo]sum -s -c <<<"$vars[checksum]  $vars[filename]")
 }
 confz_container_download_and_verify_do() {
 	wget -O - -- $vars[url] \
 		>$vars[containers_dir]/download-cache/$vars[filename]
 }
 
 confz_container_generic_layout_check() {
 	checkvars root
 	defvar uid 0
 	defvar gid 0
 
 	require fs_d filename="$vars[root]"
 	require fs_m filename="$vars[root]" mode=0755
 	require fs_o filename="$vars[root]" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/etc"
 	require fs_m filename="$vars[root]/etc" mode=0755
 	require fs_o filename="$vars[root]/etc" owner=$vars[uid]:$vars[gid]
 
 	require fs_l filename="$vars[root]/etc/resolv.conf" \
 		flags=\! destination="../run/resolv.conf"
 
 	require fs_d filename="$vars[root]/dev"
 	require fs_m filename="$vars[root]/dev" mode=0755
 	require fs_o filename="$vars[root]/dev" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/dev/pts"
 	require fs_m filename="$vars[root]/dev/pts" mode=0755
 	require fs_o filename="$vars[root]/dev/pts" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/dev/shm"
 	require fs_m filename="$vars[root]/dev/shm" mode=0755
 	require fs_o filename="$vars[root]/dev/shm" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/home"
 	require fs_m filename="$vars[root]/home" mode=0755
 	require fs_o filename="$vars[root]/home" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/mnt"
 	require fs_m filename="$vars[root]/mnt" mode=0755
 	require fs_o filename="$vars[root]/mnt" owner=$vars[uid]:$vars[gid]
 
 	# This is not required for regular run, /mnt is on tmpfs there
 	# but sysroot currently doesn't do that.
 	require fs_d filename="$vars[root]/mnt/ns"
 	require fs_m filename="$vars[root]/mnt/ns" mode=0755
 	require fs_o filename="$vars[root]/mnt/ns" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/run"
 	require fs_m filename="$vars[root]/run" mode=0755
 	require fs_o filename="$vars[root]/run" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/tmp"
 	# require fs_m filename="$vars[root]/tmp" mode=0755
 	require fs_o filename="$vars[root]/tmp" owner=$vars[uid]:$vars[gid]
 }
 
 # --- mrrl via bind-mount ---
 confz_container_mrrl_base_layout_check() {
 	checkvars root
 	defvar uid 0
 	defvar gid 0
 
 	require container_generic_layout :root :uid :gid
 
 	require fs_l filename="$vars[root]/versions" destination="mnt/versions"
 	require fs_l filename="$vars[root]/sbin" destination="bin"
 	require fs_l filename="$vars[root]/usr" destination="."
 
 	require fs_d filename="$vars[root]/bin"
 	require fs_m filename="$vars[root]/bin" mode=0755
 	require fs_o filename="$vars[root]/bin" owner=$vars[uid]:$vars[gid]
 
 	require fs_l filename="$vars[root]/bin/awk" destination="argv0exec"
 	require fs_l filename="$vars[root]/bin/bash" destination="argv0exec"
 	require fs_l filename="$vars[root]/bin/env" destination="argv0exec"
 	require fs_l filename="$vars[root]/bin/execlineb" destination="argv0exec"
 	require fs_l filename="$vars[root]/bin/sh" destination="argv0exec"
 	require fs_l filename="$vars[root]/bin/zsh" destination="argv0exec"
 
 	require fs_d filename="$vars[root]/etc"
 	require fs_m filename="$vars[root]/etc" mode=0755
 	require fs_o filename="$vars[root]/etc" owner=$vars[uid]:$vars[gid]
 
 	require fs_l filename="$vars[root]/etc/mtab" destination="/proc/mounts"
 	# require fs_o filename="$vars[root]/etc/mtab" owner=$vars[uid]:$vars[gid]
 
 	require fs_f filename="$vars[root]/etc/group"
 	require fs_m filename="$vars[root]/etc/group" mode=0644
 	require fs_o filename="$vars[root]/etc/group" owner=$vars[uid]:$vars[gid]
 
 	require fs_f filename="$vars[root]/etc/passwd"
 	require fs_m filename="$vars[root]/etc/passwd" mode=0644
 	require fs_o filename="$vars[root]/etc/passwd" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/proc"
 	require fs_m filename="$vars[root]/proc" mode=0755
 	require fs_o filename="$vars[root]/proc" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/root"
 	require fs_m filename="$vars[root]/root" mode=0700
 	require fs_o filename="$vars[root]/root" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/sys"
 	require fs_m filename="$vars[root]/sys" mode=0755
 	require fs_o filename="$vars[root]/sys" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var"
 	require fs_m filename="$vars[root]/var" mode=0755
 	require fs_o filename="$vars[root]/var" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var/empty"
 	require fs_m filename="$vars[root]/var/empty" mode=0555
 	require fs_o filename="$vars[root]/var/empty" owner=$vars[uid]:$vars[gid]
 
 	require fs_l filename="$vars[root]/var/run" destination="../run"
 	# require fs_o filename="$vars[root]/var/run" owner=$vars[uid]:$vars[gid]
 }
 
 confz_container_mrrl_image_check() {
 	checkvars containers_dir image_name
 
 	require container_image_layout :containers_dir :image_name \
 		 %uid %gid %root %sysroot_user
 	require container_mrrl_base_layout :uid :gid :root
 }
 
 # --- Alpine ---
 
 confz_container_alpine_base_layout_check() {
 	checkvars root
 	defvar uid 0
 	defvar gid 0
 
 	require container_generic_layout :root :uid :gid
 
 	require fs_d filename="$vars[root]/etc"
 	require fs_m filename="$vars[root]/etc" mode=0755
 	require fs_o filename="$vars[root]/etc" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/etc/apk"
 	require fs_m filename="$vars[root]/etc/apk" mode=0755
 	require fs_o filename="$vars[root]/etc/apk" owner=$vars[uid]:$vars[gid]
 
 	require fs_l filename="$vars[root]/etc/mtab" destination="/proc/mounts"
 	# require fs_o filename="$vars[root]/etc/mtab" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/etc/profile.d"
 	require fs_m filename="$vars[root]/etc/profile.d" mode=0755
 	require fs_o filename="$vars[root]/etc/profile.d" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/lib"
 	require fs_m filename="$vars[root]/lib" mode=0755
 	require fs_o filename="$vars[root]/lib" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/lib/firmware"
 	require fs_m filename="$vars[root]/lib/firmware" mode=0755
 	require fs_o filename="$vars[root]/lib/firmware" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/lib/mdev"
 	require fs_m filename="$vars[root]/lib/mdev" mode=0755
 	require fs_o filename="$vars[root]/lib/mdev" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/opt"
 	require fs_m filename="$vars[root]/opt" mode=0755
 	require fs_o filename="$vars[root]/opt" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/proc"
 	require fs_m filename="$vars[root]/proc" mode=0755
 	require fs_o filename="$vars[root]/proc" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/root"
 	require fs_m filename="$vars[root]/root" mode=0700
 	require fs_o filename="$vars[root]/root" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/run"
 	require fs_m filename="$vars[root]/run" mode=0755
 	require fs_o filename="$vars[root]/run" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/sbin"
 	require fs_m filename="$vars[root]/sbin" mode=0755
 	require fs_o filename="$vars[root]/sbin" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/srv"
 	require fs_m filename="$vars[root]/srv" mode=0755
 	require fs_o filename="$vars[root]/srv" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/sys"
 	require fs_m filename="$vars[root]/sys" mode=0755
 	require fs_o filename="$vars[root]/sys" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/tmp"
 	require fs_m filename="$vars[root]/tmp" mode=1777
 	require fs_o filename="$vars[root]/tmp" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/usr"
 	require fs_m filename="$vars[root]/usr" mode=0755
 	require fs_o filename="$vars[root]/usr" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/usr/lib"
 	require fs_m filename="$vars[root]/usr/lib" mode=0755
 	require fs_o filename="$vars[root]/usr/lib" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/usr/local"
 	require fs_m filename="$vars[root]/usr/local" mode=0755
 	require fs_o filename="$vars[root]/usr/local" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/usr/local/bin"
 	require fs_m filename="$vars[root]/usr/local/bin" mode=0755
 	require fs_o filename="$vars[root]/usr/local/bin" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/usr/local/lib"
 	require fs_m filename="$vars[root]/usr/local/lib" mode=0755
 	require fs_o filename="$vars[root]/usr/local/lib" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/usr/local/share"
 	require fs_m filename="$vars[root]/usr/local/share" mode=0755
 	require fs_o filename="$vars[root]/usr/local/share" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/usr/sbin"
 	require fs_m filename="$vars[root]/usr/sbin" mode=0755
 	require fs_o filename="$vars[root]/usr/sbin" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/usr/share"
 	require fs_m filename="$vars[root]/usr/share" mode=0755
 	require fs_o filename="$vars[root]/usr/share" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/usr/share/man"
 	require fs_m filename="$vars[root]/usr/share/man" mode=0755
 	require fs_o filename="$vars[root]/usr/share/man" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/usr/share/misc"
 	require fs_m filename="$vars[root]/usr/share/misc" mode=0755
 	require fs_o filename="$vars[root]/usr/share/misc" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var"
 	require fs_m filename="$vars[root]/var" mode=0755
 	require fs_o filename="$vars[root]/var" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var/cache"
 	require fs_m filename="$vars[root]/var/cache" mode=0755
 	require fs_o filename="$vars[root]/var/cache" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var/cache/misc"
 	require fs_m filename="$vars[root]/var/cache/misc" mode=0755
 	require fs_o filename="$vars[root]/var/cache/misc" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var/empty"
 	require fs_m filename="$vars[root]/var/empty" mode=0555
 	require fs_o filename="$vars[root]/var/empty" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var/lib"
 	require fs_m filename="$vars[root]/var/lib" mode=0755
 	require fs_o filename="$vars[root]/var/lib" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var/lib/misc"
 	require fs_m filename="$vars[root]/var/lib/misc" mode=0755
 	require fs_o filename="$vars[root]/var/lib/misc" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var/local"
 	require fs_m filename="$vars[root]/var/local" mode=0755
 	require fs_o filename="$vars[root]/var/local" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var/lock"
 	require fs_m filename="$vars[root]/var/lock" mode=0755
 	require fs_o filename="$vars[root]/var/lock" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var/lock/subsys"
 	require fs_m filename="$vars[root]/var/lock/subsys" mode=0755
 	require fs_o filename="$vars[root]/var/lock/subsys" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var/log"
 	require fs_m filename="$vars[root]/var/log" mode=0755
 	require fs_o filename="$vars[root]/var/log" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var/mail"
 	require fs_m filename="$vars[root]/var/mail" mode=0755
 	require fs_o filename="$vars[root]/var/mail" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var/opt"
 	require fs_m filename="$vars[root]/var/opt" mode=0755
 	require fs_o filename="$vars[root]/var/opt" owner=$vars[uid]:$vars[gid]
 
 	require fs_l filename="$vars[root]/var/run" destination="../run"
 	# require fs_o filename="$vars[root]/var/run" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var/spool"
 	require fs_m filename="$vars[root]/var/spool" mode=0755
 	require fs_o filename="$vars[root]/var/spool" owner=$vars[uid]:$vars[gid]
 
 	require fs_d filename="$vars[root]/var/tmp"
 	require fs_m filename="$vars[root]/var/tmp" mode=1777
 	require fs_o filename="$vars[root]/var/tmp" owner=$vars[uid]:$vars[gid]
 
 }
 
 confz_container_alpine_base_files_check() {
 	checkvars root mirror release repositories hostname locale
 	defvar uid 0
 	defvar gid 0
 
 	local -a repositories=( $vars[mirror]/$vars[release]/${^=vars[repositories]} )
 	require fs_contentnl filename="$vars[root]/etc/apk/repositories" \
 		content="${(F)repositories}"
 	require fs_m filename="$vars[root]/etc/apk/repositories" mode=0644
 	require fs_o filename="$vars[root]/etc/apk/repositories" owner=$vars[uid]:$vars[gid]
 
 	require fs_contentnl filename="$vars[root]/etc/hostname" \
 		content="$vars[hostname]"
 	require fs_m filename="$vars[root]/etc/hostname" mode=0644
 	require fs_o filename="$vars[root]/etc/hostname" owner=$vars[uid]:$vars[gid]
 
 	require container_template_file :root :uid :gid \
 		template=alpine name=etc/hosts
 
 	# require fs_contentnl filename="$vars[root]/etc/hosts" \
 	# 	content=$'127.0.0.1\tlocalhost localhost.localdomain\n::1\tlocalhost localhost.localdomain'
 	# require fs_m filename="$vars[root]/etc/hosts" mode=0644
 	# require fs_o filename="$vars[root]/etc/hosts" owner=$vars[uid]:$vars[gid]
 
 	require fs_contentnl filename="$vars[root]/etc/motd" \
 		content="Welcome to container image at ${(qqq)vars[root]}"
 	require fs_m filename="$vars[root]/etc/motd" mode=0644
 	require fs_o filename="$vars[root]/etc/motd" owner=$vars[uid]:$vars[gid]
 
 	require container_template_file :root :uid :gid \
 		template=alpine name=etc/profile
 
 	local -a locale_lines=(
 		"export CHARSET=${(q)vars[locale]}"
 		"export LANG=${(q)vars[locale]}"
 		"export LC_COLLATE=C"
 	)
 	require fs_contentnl filename="$vars[root]/etc/profile.d/locale.sh" \
 		content="${(F)locale_lines}"
 	require fs_m filename="$vars[root]/etc/profile.d/locale.sh" mode=0644
 	require fs_o filename="$vars[root]/etc/profile.d/locale.sh" owner=$vars[uid]:$vars[gid]
 
 	require container_template_file :root :uid :gid \
 		template=alpine name=etc/protocols
 
 	require container_template_file :root :uid :gid \
 		template=alpine name=etc/services
 
 	require container_template_file :root :uid :gid \
 		template=alpine name=etc/shells
 
 	# require fs_contentnl filename="$vars[root]/etc/shells" \
 	# 	content=$'# valid login shells\n/bin/sh\n/bin/ash\n/bin/zsh\n/bin/bash\n/bin/mksh'
 	# require fs_m filename="$vars[root]/etc/shells" mode=0644
 	# require fs_o filename="$vars[root]/etc/shells" owner=$vars[uid]:$vars[gid]
 
 	require fs_f filename="$vars[root]/etc/group"
 	# require fs_c filename="$vars[root]/etc/group" \
 	# 	content=""
 	require fs_m filename="$vars[root]/etc/group" mode=0644
 	require fs_o filename="$vars[root]/etc/group" owner=$vars[uid]:$vars[gid]
 
 	require fs_f filename="$vars[root]/etc/passwd"
 	# require fs_c filename="$vars[root]/etc/passwd" \
 	# 	content=""
 	require fs_m filename="$vars[root]/etc/passwd" mode=0644
 	require fs_o filename="$vars[root]/etc/passwd" owner=$vars[uid]:$vars[gid]
 
 	# require fs_c filename="$vars[root]/etc/shadow" \
 	# 	content=""
 	# require fs_m filename="$vars[root]/etc/shadow" mode=0640
 	# require fs_o filename="$vars[root]/etc/shadow" owner=$vars[uid]:$vars[gid]
 
 }
 
 confz_container_alpine_apk_check() {
 	checkvars sysroot_user root arch
 	defvar keys_dir ${container_alpine_keys_dir:-/etc/apk/keys}
 	defvar apk_executable ${container_apk_executable:-apk}
 	do_command=(
 		s6-setuidgid $vars[sysroot_user]
 		$vars[apk_executable]
 		--update-cache
 		--initdb
 		--arch $vars[arch]
 		--root $vars[root]
 		--keys-dir $vars[keys_dir]
 		--no-scripts
 		--no-chown
 		add alpine-keys apk-tools busybox
 	)
 	[[ -f $vars[root]/sbin/apk ]]
 }
 
 confz_container_alpine_image_check() {
 	checkvars containers_dir image_name arch
 	defvar mirror http://mirror.fel.cvut.cz/alpine
 	defvar release edge
 	defvar repositories main
 	defvar hostname $vars[image_name]
 	defvar locale C.UTF-8
 
 	require container_image_layout :containers_dir :image_name \
 		 %uid %gid %root %sysroot_user
 	require container_alpine_base_layout :uid :gid :root
 	require container_alpine_base_files :uid :gid :root \
 		:mirror :release :repositories :hostname :locale
 	require container_alpine_apk :arch :root :sysroot_user
 }
 
 container_run() {
 	local svcdir=$1
 	shift
 	$commands[cd] $vars[sysroot_svc] container_sysroot_run "$@"
 }
 
 confz_container_alpine_packages_installed_check() {
 	checkvars containers_dir image_name packages svscan_dir
 
 	require container_service_sysroot \
 		:containers_dir :svscan_dir :image_name \
 		%sysroot_svc
 
 	local root=$vars[containers_dir]/systems/$vars[image_name]
 	local -a world=( "${(@f)$(<$root/etc/apk/world)}" )
 	local -a installed=( "${(@f)$(
 		container_run $vars[sysroot_svc] /sbin/apk info -a </dev/null
 	)}" )
 	local -a missing
 	local pkg
 
 	for pkg in $=vars[packages]; do
 		(( $installed[(I)${pkg}] )) || missing+=( $pkg )
 	done
 	(( $#missing == 0 )) && return 0
 
 	typeset -ga container_alpine_packages_missing
 	container_alpine_packages_missing=( $missing )
 
 	fail_reason="Following packages are not installed: $missing (req:${#$=vars[packages]} ins:$#installed)"
 	return 1
 }
 confz_container_alpine_packages_installed_do() {
 	$commands[cd] $vars[sysroot_svc] container_sysroot_run \
 		/sbin/apk add --no-chown $container_alpine_packages_missing ||
 		$commands[cd] $vars[sysroot_svc] container_sysroot_run \
 		/sbin/apk add --no-chown $container_alpine_packages_missing
 }
 
 # --- Void ---
 
 confz_container_void_base_files_check() {
 	checkvars root
 	# checkvars hostname locale
 	defvar uid 0
 	defvar gid 0
 
 	local d
 	for d in $vars[root]{,/var{,/db{,/xbps{,/keys}}}}; do
 		require fs_d filename="$d"
 		require fs_m filename="$d" mode=0755
 		require fs_o filename="$d" owner=$vars[uid]:$vars[gid]
 	done
 
 	local f
 	for f in $container_template_dir/void/**/*(.); do
 		require container_template_file :root :uid :gid \
 			template=void name=${f#${container_template_dir}/void/}
 	done
 
 	# Alpine XBPS compatibility
 	require fs_l filename="$vars[root]/var/lib/xbps/db" \
 		flags=\!p destination="../../db"
 }
 
 confz_container_void_xbps_check() {
 	checkvars sysroot_user root arch mirror repository
 	defvar xbps_install_executable ${container_xbps_install_executable:-xbps-install}
 	do_command=(
 		env XBPS_ARCH=$vars[arch]
 		s6-setuidgid $vars[sysroot_user]
 		$vars[xbps_install_executable]
 		--sync
 		--rootdir $vars[root]
 		--repository ${vars[mirror]#/}/$vars[repository]
 		--yes
 		base-files xbps dash coreutils
 	)
 	[[ -f $vars[root]/usr/bin/xbps-install && -f $vars[root]/usr/bin/sh ]]
 }
 
 confz_container_void_image_check() {
 	checkvars containers_dir image_name arch
 	defvar mirror https://repo-default.voidlinux.org/
 	defvar repository current
 	#defvar hostname $vars[image_name]
 	#defvar locale C.UTF-8
 
 	require container_image_layout :containers_dir :image_name \
 		%uid %gid %root %sysroot_user
 	require container_generic_layout :uid :gid :root
 	require container_void_base_files :uid :gid :root
 	require container_void_xbps :arch :mirror :repository \
 		:root :sysroot_user \?xbps_install_executable
 }
 
 confz_container_void_packages_installed_check() {
 	checkvars packages containers_dir image_name svscan_dir
 
 	require container_service_sysroot \
 		:containers_dir :svscan_dir :image_name \
 		%root %sysroot_svc
 
 	local -a missing
 	local pkg
 
 	for pkg in $=vars[packages]; do
 		[[ -f $vars[root]/var/db/xbps/.${pkg}-files.plist ]] \
 			|| missing+=( $pkg )
 	done
 
 	do_command=(
 		$commands[cd] $vars[sysroot_svc] container_sysroot_run
 		/usr/sbin/xbps-install --yes --sync -- $missing
 	)
 
 	(( $#missing == 0 ))
 }
 
 # --- Nix / NixOS ---
 
 confz_container_nix_base_files_check() {
 	checkvars root hostname locale
 	defvar uid 0
 	defvar gid 0
 
 	require fs_contentnl filename="$vars[root]/etc/hostname" \
 		content="$vars[hostname]"
 	require fs_m filename="$vars[root]/etc/hostname" mode=0644
 	require fs_o filename="$vars[root]/etc/hostname" owner=$vars[uid]:$vars[gid]
 
 	require container_template_file :root :uid :gid \
 		template=alpine name=etc/hosts
 
 	require fs_contentnl filename="$vars[root]/etc/motd" \
 		content="Welcome to container image at ${(qqq)vars[root]}"
 	require fs_m filename="$vars[root]/etc/motd" mode=0644
 	require fs_o filename="$vars[root]/etc/motd" owner=$vars[uid]:$vars[gid]
 
 	require container_template_file :root :uid :gid \
 		template=alpine name=etc/profile
 
 	local -a locale_lines=(
 		"export CHARSET=${(q)vars[locale]}"
 		"export LANG=${(q)vars[locale]}"
 		"export LC_COLLATE=C"
 	)
 	require fs_d filename="$vars[root]/etc/profile.d"
 	require fs_m filename="$vars[root]/etc/profile.d" mode=0755
 	require fs_o filename="$vars[root]/etc/profile.d" owner=$vars[uid]:$vars[gid]
 
 	require fs_contentnl filename="$vars[root]/etc/profile.d/locale.sh" \
 		content="${(F)locale_lines}"
 	require fs_m filename="$vars[root]/etc/profile.d/locale.sh" mode=0644
 	require fs_o filename="$vars[root]/etc/profile.d/locale.sh" owner=$vars[uid]:$vars[gid]
 
 	require fs_l filename="$vars[root]/etc/profile.d/nix.sh" \
 		destination="/nix/var/nix/profiles/default/etc/profile.d/nix.sh"
 
 	# TODO: source Nix stuff from profile
 
 	require container_template_file :root :uid :gid \
 		template=alpine name=etc/protocols
 
 	require container_template_file :root :uid :gid \
 		template=alpine name=etc/services
 
 	require container_template_file :root :uid :gid \
 		template=alpine name=etc/shells
 
 	require fs_f filename="$vars[root]/etc/group"
 	# require fs_c filename="$vars[root]/etc/group" \
 	# 	content=""
 	require fs_m filename="$vars[root]/etc/group" mode=0644
 	require fs_o filename="$vars[root]/etc/group" owner=$vars[uid]:$vars[gid]
 
 	require fs_f filename="$vars[root]/etc/passwd"
 	# require fs_c filename="$vars[root]/etc/passwd" \
 	# 	content=""
 	require fs_m filename="$vars[root]/etc/passwd" mode=0644
 	require fs_o filename="$vars[root]/etc/passwd" owner=$vars[uid]:$vars[gid]
 
 	# symlink relevant executables for shebangs
 	require fs_d filename="$vars[root]/bin"
 	require fs_m filename="$vars[root]/bin" mode=0755
 	require fs_o filename="$vars[root]/bin" owner=$vars[uid]:$vars[gid]
 
 	# require fs_l filename="$vars[root]/bin/execlineb" \
 	# 	destination="/root/.nix-profile/bin/execlineb"
 
 	# require fs_l filename="$vars[root]/bin/zsh" \
 	# 	destination="/root/.nix-profile/bin/zsh"
 }
 
 confz_container_nix_image_from_release_check() {
 	checkvars containers_dir svscan_dir image_name system
 	defvar release 2.9.1
 	defvar checksum_algo sha256
 	defvar mirror https://releases.nixos.org/nix
 
 	case $vars[release] in
 		(2.9.1) case $vars[system] in
 			(x86_64-linux)
 				defvar checksum ea7b94637b251cdaadf932cef41c681aa3d2a15928877d8319ae6f35a440977d
 				;;
 
 			(i686-linux)
 				defvar checksum 41e38706a26736aa42acd3dbd57db7e354e722e4bd5f6d9c8069d1c98b6081be
 				;;
 
 			(aarch64-linux)
 				defvar checksum d706c6b710548b9c3ed4a409df3a7293da14f726dcc59849abd709e574cabeed
 				;;
 
 			(armv6l-linux)
 				defvar checksum d8483f0747dce74685fcffa628908a96e6d0f7b1166a97f0eef231f5faa86c22
 				;;
 
 			(armv7l-linux)
 				defvar checksum 6f7f285d5de8b8d7686b6925869e25c2ff40f16492190c0b773ebd357bd4c956
 				;;
 		esac
 		;;
 	esac
 
 	defvar alpine_arch ${vars[system]%-*}
 	unify url $vars[mirror]/nix-$vars[release]/nix-$vars[release]-$vars[system].tar.xz
 
 	(($+vars[checksum])) || die "No stored checksum for $url"
 
 	require container_nix_image :containers_dir :svscan_dir :image_name :url \
 		:checksum :checksum_algo :alpine_arch \?hostname \?locale
 }
 
 confz_container_nix_bootstrap_packages_check() {
 	checkvars sysroot_user root arch uid gid
 	defvar keys_dir ${container_alpine_keys_dir:-/etc/apk/keys}
 	defvar apk_executable ${container_apk_executable:-apk}
 	defvar mirror http://mirror.fel.cvut.cz/alpine
 	defvar release edge
 	defvar repositories main
 
 	local -a repositories=( $vars[mirror]/$vars[release]/${^=vars[repositories]} )
 
 	require fs_d filename="$vars[root]/etc/apk"
 	require fs_m filename="$vars[root]/etc/apk" mode=0755
 	require fs_o filename="$vars[root]/etc/apk" owner=$vars[uid]:$vars[gid]
 
 	require fs_contentnl filename="$vars[root]/etc/apk/repositories" \
 		content="${(F)repositories}"
 	require fs_m filename="$vars[root]/etc/apk/repositories" mode=0644
 	require fs_o filename="$vars[root]/etc/apk/repositories" owner=$vars[uid]:$vars[gid]
 
 	do_command=(
 		s6-setuidgid $vars[sysroot_user]
 		$vars[apk_executable]
 		--update-cache
 		--initdb
 		--arch $vars[arch]
 		--root $vars[root]
 		--keys-dir $vars[keys_dir]
 		--no-scripts
 		add alpine-keys busybox ca-certificates{,-bundle}
 	)
 	[[ -f $vars[root]/bin/busybox ]]
 }
 
 confz_container_nix_bootstrap_check() {
 	checkvars root sysroot_svc sysroot_user uid gid arch
 
 	require container_nix_bootstrap_packages \
 		:root :arch :uid :gid :sysroot_user \
 		\?keys_dir \?apk_executable \?mirror \?release \?repositories
 
 	do_command=(
 		$commands[cd] $vars[sysroot_svc] container_sysroot_run
 		/bin/busybox --install -s /bin
 	)
 
 	[[ -f $vars[root]/bin/test ]]
 }
 
 confz_container_nix_image_installed_check() {
 	checkvars root filename uid gid
 
 	require fs_r flags=r filename=$vars[root]/${vars[filename]%.tar.*}
 
 	require fs_d filename="$vars[root]/nix"
 	require fs_m filename="$vars[root]/nix" mode=0755
 	require fs_o filename="$vars[root]/nix" owner=$vars[uid]:$vars[gid]
 
 	[[ -d $vars[root]/nix/store ]]
 }
 
 confz_container_nix_image_installed_do() {
 	local download_dir=$vars[containers_dir]/download-cache
 	s6-setuidgid $vars[sysroot_user] \
 		tar -xpC "$vars[root]" -f "$download_dir/$vars[filename]" \
 		|| die "Unpacking ${(qqq)vars[filename]} failed"
 
 	$commands[cd] $vars[svscan_dir]/container.$vars[image_name].sysroot \
 		container_sysroot_run \
 		/${vars[filename]%.tar.*}/install \
 		|| die "Nix installation script failed"
 
 	rm -rf $vars[root]/${vars[filename]%.tar.*} \
 		|| die "Removing tarball directory failed"
 }
 
 confz_container_nix_image_check() {
 	checkvars containers_dir image_name url checksum svscan_dir alpine_arch
 	defvar checksum_algo sha256
 
 	defvar hostname $vars[image_name]
 	defvar locale C.UTF-8
 	# TODO: test if these actually do something
 
 	require container_service_sysroot \
 		:containers_dir :svscan_dir :image_name \
 		%root %uid %gid %sysroot_user %sysroot_svc
 
 	require container_download_and_verify :containers_dir \
 		:checksum :checksum_algo %filename :url
 
 	require container_generic_layout :uid :gid :root
 	require container_nix_base_files :uid :gid :root :hostname :locale
 
 	require container_nix_bootstrap :sysroot_svc :root :uid :gid :sysroot_user
 		\?arch=alpine_arch \
 		\?keys_dir=alpine_keys_dir \
 		\?mirror=alpine_mirrors \
 		\?release=alpine_release \
 		\?repositories=alpine_repositories \
 		\?apk_executable
 
 	require container_nix_image_installed :filename :root :uid :gid
 
 	require fs_l filename="$vars[root]/nix/var/nix/profiles/default" \
 		destination="per-user/root/profile"
 	require fs_o filename="$vars[root]/nix/var/nix/profiles/default" \
 		owner=$vars[uid]:$vars[gid]
 }
 
 confz_container_nix_bin_linked_check() {
 	checkvars containers_dir image_name
 
 	require container_image_layout :containers_dir :image_name %root
 
 	local profile_dir=$vars[root]/root/.nix-profile
 	local -A stat_info
 	zstat -L -H stat_info $profile_dir
 	# while it's a symlink
 	while (( $stat_info[mode] >> 12 == 10 )); do
 		if [[ $stat_info[link] == /* ]]; then
 			profile_dir=$vars[root]$stat_info[link]
 		else
 			profile_dir=${profile_dir:h}/$stat_info[link]
 		fi
 		zstat -L -H stat_info $profile_dir
 	done
 	[[ -d $profile_dir ]] || \
 		die "Could not find profile directory: ${(qqq)profile_dir}"
 
 	local b
 	for b in $profile_dir/bin/*; do
 		[[ -e $vars[root]/bin/$b:t ]] || \
 			require fs_l filename="$vars[root]/bin/${b:t}" \
 				destination=../root/.nix-profile/bin/$b:t
 	done
 }
 
 confz_container_nix_packages_installed_check() {
 	checkvars packages containers_dir image_name svscan_dir
 
 	require container_service_sysroot \
 		:containers_dir :svscan_dir :image_name \
 		%root %svscan_dir
 
 	local -A stat_info
 
 	# local profile_dir=$vars[root]/nix/var/nix/profiles/per-user/root/profile
 	local profile_dir=$vars[root]/root/.nix-profile
 	zstat -L -H stat_info $profile_dir
 	# while it's a symlink
 	while (( $stat_info[mode] >> 12 == 10 )); do
 		if [[ $stat_info[link] == /* ]]; then
 			profile_dir=$vars[root]$stat_info[link]
 		else
 			profile_dir=${profile_dir:h}/$stat_info[link]
 		fi
 		zstat -L -H stat_info $profile_dir
 	done
 	[[ -d $profile_dir ]] || \
 		die "Could not find profile directory: ${(qqq)profile_dir}"
 
 	local manifest_file=$profile_dir/manifest.nix
 	zstat -L -H stat_info $manifest_file
 	# while it's a symlink
 	while (( $stat_info[mode] >> 12 == 10 )); do
 		if [[ $stat_info[link] == /* ]]; then
 			manifest_file=$vars[root]$stat_info[link]
 		else
 			manifest_file=${manifest_file:h}/$stat_info[link]
 		fi
 		zstat -L -H stat_info $manifest_file
 	done
 	[[ -f $manifest_file ]] || \
 		die "Could not find manifest.nix file: ${(qqq)manifest_file}"
 
 	local -a world world_noversion missing
 	world=( "${(@f)$(
 		grep -o 'outPath = "[^"]*"' $manifest_file \
 		| uniq | sed 's|^outPath = "/nix/store/[^-]*-||;s|"$||'
 	)}" )
 	world_noversion=( "${world[@]%-bin}" )
 	world_noversion=( "${world_noversion[@]/%-[-0-9.]#/}" )
 
 	local pkg
 	for pkg in $=vars[packages]; do
 		(( $world[(I)${pkg}] )) || \
 			(( $world_noversion[(I)${pkg}] )) || \
 			missing+=( $pkg )
 	done
 
 	do_command=(
 		$commands[cd] $vars[sysroot_svc] container_sysroot_run
 		/root/.nix-profile/bin/nix-env --install $missing
 		# /var/lib/nix/profiles/default/bin/nix-env --install $missing
 	)
 
 	fail_reason="Following packages are not installed: $missing"
 	(( $#missing == 0 ))
 }
 #typeset -f -t confz_container_nix_packages_installed_check
 
 # --- Gentoo ---
 confz_container_gentoo_from_snapshot_check() {
 	checkvars containers_dir svscan_dir image_name system
 	defvar checksum_algo sha256
 	#defvar mirror https://mirrors.gentoo.org/gentoo
 	defvar mirror http://ftp.fi.muni.cz/pub/linux/gentoo/
 
 	case $vars[system] in
 		(amd64-musl-hardened) defvar build 20241006T144834Z; case $vars[build] in
 			(20241006T144834Z)
 				defvar checksum 8d53c2d6df66f5e0559541b31c1f6587339cc26640a74372449afeaac4ecc2fc
 				;;
 			(20240312T171909Z)
 				defvar checksum 2f3b224aeb231fec83652d9d9a5b9b80a28b46521bca7a0347a5ba212ae00e04
 				;;
 			(20240128T165521Z)
 				defvar checksum ab0bcfe9001dc0fc612e92fb2ccbbf1e2c03fd5630712515b28a1362268e15f1
 				;;
 		esac
 		;;
 		(amd64-nomultilib-openrc) defvar build 20241110T170333Z; case $vars[build] in
 			(20241110T170333Z)
 				defvar checksum 3248000a2cc0f4df9fbc0bc4e4f2a2c1db7265b5c8c7cc116dcdc0fda5705f59
 				;;
 		esac
 		;;
 	esac
 
 	defvar alpine_arch ${vars[system]%-*}
 	unify url $vars[mirror]/releases/${vars[system]%%-*}/autobuilds/$vars[build]/stage3-${vars[system]}-${vars[build]}.tar.xz
 
 	(($+vars[checksum])) || die "No stored checksum for $url"
 
 	require container_gentoo_image :containers_dir :svscan_dir :image_name :url \
 		:checksum :checksum_algo :alpine_arch \?hostname \?locale
 }
 
 confz_container_gentoo_image_check() {
 	checkvars containers_dir image_name url checksum checksum_algo svscan_dir alpine_arch
 
 	defvar hostname $vars[image_name]
 	defvar locale C.UTF-8
 	# TODO:apply them to configuration files?
 
 	require container_service_sysroot \
 		:containers_dir :svscan_dir :image_name \
 		%root %uid %gid %sysroot_user %sysroot_svc
 
 	require container_download_and_verify :containers_dir \
 		:checksum :checksum_algo %filename :url
 
 	require container_gentoo_stage3_installed \
 		:sysroot_user :containers_dir :root :filename
 
 	require container_generic_layout :uid :gid :root
 
 	require container_image_user_uid_gid \
 		:containers_dir :image_name :uid :gid user=root
 	require container_image_group_gid \
 		:containers_dir :image_name :gid group=root
 
 	require container_image_user_uid_gid \
 		:containers_dir :image_name :uid :gid user=portage
 	require container_image_group_gid \
 		:containers_dir :image_name :gid group=portage
 }
 
 confz_container_gentoo_stage3_installed_check() {
 	[[ -f $vars[root]/.confz.containers.installed_from ]]
 }
 confz_container_gentoo_stage3_installed_do() {
 	local download_dir=$vars[containers_dir]/download-cache
 	s6-setuidgid $vars[sysroot_user] \
 		tar -xpC "$vars[root]" --exclude ./dev/\* -f "$download_dir/$vars[filename]" \
 		|| die "Unpacking ${(qqq)vars[filename]} failed"
 
 	s6-setuidgid $vars[sysroot_user] \
 		rm -f "$vars[root]"/dev/**/*~*/(null|zero|full|ptmx|random|urandom)(DN%) \
 		|| die "Failed to clean $vars[root]/dev"
 
 	printf '%s\n' $vars[filename] >$vars[root]/.confz.containers.installed_from || die
 }
 
 # --- Debian ---
 
 confz_container_debian_image_check() {
 	checkvars containers_dir image_name arch suite
 	defvar mirror http://ftp.cvut.cz/debian/
 
 	require container_image_layout :containers_dir :image_name \
 		%uid %gid %root %sysroot_user
 	require container_debootstrap :root :arch :mirror :suite \
 		:uid :gid
 	require container_generic_layout :uid :gid :root
 	#require container_debian_base_files :uid :gid :root
 }
 
 confz_container_debootstrap_check() {
 	checkvars root arch mirror suite uid gid
 	defvar variant minbase
 	defvar debootstrap_executable debootstrap
 	[[ -f $vars[root]/usr/bin/apt-get && -f $vars[root]/usr/bin/sh ]]
 }
 confz_container_debootstrap_do() {
 	local tmp_root=${vars[root]:h}/.debootstrap.${vars[root]:t}
 	if [[ -e $tmp_root ]]; then
 		rm -rf $tmp_root || return $?
 	fi
 	$vars[debootstrap_executable] --variant=$vars[variant] \
 		--include=fakeroot \
 		$vars[suite] $tmp_root $vars[mirror] || return $?
 
 	chown -R $vars[uid]:$vars[gid] $tmp_root || return $?
 	s6-rename $tmp_root $vars[root] || return $?
 }
 typeset -f -t confz_container_debootstrap_do
 
 confz_container_debian_packages_installed_check() {
 	checkvars containers_dir image_name packages svscan_dir
 
 	require container_service_sysroot \
 		:containers_dir :svscan_dir :image_name \
 		%uid %gid %root %sysroot_user %sysroot_svc
 
 	local root=$vars[containers_dir]/systems/$vars[image_name]
 	local -a missing installed
 	local pkg
 
 	installed=( ${(f)"$(
 		awk '/^Package: /{p=$2} /^Status:.* installed/{print p}' $vars[root]/var/lib/dpkg/status
 	)"} )
 
 	for pkg in $=vars[packages]; do
 		(( $installed[(I)${pkg}] )) || missing+=( $pkg )
 	done
 
 	do_command=(
 		$commands[cd] $vars[sysroot_svc] container_sysroot_run
 		# /usr/bin/apt-get install --trivial-only -- $missing
 		/usr/bin/apt-get install --yes -- $missing
 	)
 
 	fail_reason="Following packages are not installed: $missing"
 	(( $#missing == 0 ))
 }
 
 confz_container_debian_packages_installed_with_fakeroot_check() {
 	checkvars containers_dir image_name packages svscan_dir
 
 	require container_service_sysroot \
 		:containers_dir :svscan_dir :image_name \
 		%uid %gid %root %sysroot_user %sysroot_svc
 
 	local root=$vars[containers_dir]/systems/$vars[image_name]
 	local -a missing installed
 	local pkg
 
 	installed=( ${(f)"$(
 		awk '/^Package: /{p=$2} /^Status:.* installed/{print p}' $vars[root]/var/lib/dpkg/status
 	)"} )
 
 	for pkg in $=vars[packages]; do
 		(( $installed[(I)${pkg}] )) || missing+=( $pkg )
 	done
 
 	do_command=(
 		$commands[cd] $vars[sysroot_svc] container_sysroot_run
 		/usr/bin/fakeroot-sysv /usr/bin/apt-get install --yes -- $missing
 	)
 
 	fail_reason="Following packages are not installed: $missing"
 	(( $#missing == 0 ))
 }
 
 confz_container_puppet_apt_repo_check() {
 	checkvars containers_dir svscan_dir image_name arch suite
 	defvar puppet_version 7
 
 	require container_service_sysroot \
 		:containers_dir :svscan_dir :image_name \
 		%uid %gid %root %sysroot_user %sysroot_svc
 
 	[[ -f $vars[root]/etc/apt/trusted.gpg.d/puppet$vars[puppet_version]-keyring.gpg \
 		&& -f $vars[root]/etc/apt/sources.list.d/puppet$vars[puppet_version].list \
 		&& -f $vars[root]/var/lib/apt/lists/apt.puppetlabs.com_dists_$vars[suite]_InRelease ]]
 }
 confz_container_puppet_apt_repo_do() {
 	local deb_file=puppet7-release-$vars[suite].deb
 
 	s6-setuidgid $vars[sysroot_user] \
 		wget -O - >$vars[root]/root/$deb_file \
 		https://apt.puppetlabs.com/$deb_file \
 		|| return $?
 	$commands[cd] $vars[sysroot_svc] container_sysroot_run \
 		/usr/bin/dpkg --force-not-root -i /root/$deb_file \
 		|| return $?
 	$commands[cd] $vars[sysroot_svc] container_sysroot_run \
 		/usr/bin/apt-get update \
 		|| return $?
 }