mrrl-logincaps

MRRL version of logincaps
git clone https://ccx.te2000.cz/git/mrrl-logincaps

commit 3d31d626b915ae68d250b3cdd50f7c72b3725894
parent 496e5dc377b4c7a93e9350d0831870b69446a29e
Author: Jan Pobrislo <ccx@webprojekty.cz>
Date:   Mon, 17 Jun 2019 13:44:12 +0200

ad-hoc containers
Diffstat:
Asbin/service.capcont.finish | 2++
Asbin/service.capcont.run | 41+++++++++++++++++++++++++++++++++++++++++
Azsh-functions/confz_adhoc_container_init | 72++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 115 insertions(+), 0 deletions(-)

diff --git a/sbin/service.capcont.finish b/sbin/service.capcont.finish
@@ -0,0 +1,2 @@
+#!/command/execlineb
+rm -rf ./data
diff --git a/sbin/service.capcont.run b/sbin/service.capcont.run
@@ -0,0 +1,41 @@
+#!/command/execlineb
+s6-envdir -i env
+getcwd PWD
+multisubstitute {
+ importas -i -u PWD PWD
+ importas -i -u image CONTAINER_IMAGE # Absolute path to what will be the root of the container (bind-mounted read-only)
+ importas -i -u host CONTAINER_HOST # Hostname set inside the container
+ importas -i -u home OWNER_HOME # Home directory of the user outside of the container
+ importas -i UID UID # UID of the user to run the container as
+ importas -i GID GID # GID of group containing just the owning user
+ importas -i GIDLIST GIDLIST # GIDs of supplemental groups of the user
+}
+if {
+ if -nt { test -e ./mnt }
+ # TODO: umount and remove
+}
+if { mount -t tmpfs mnt_tmpfs ./mnt }
+if { chmod 755 ./mnt }
+if { rm -rf ./data }
+umask 077
+if { mkdir ./data }
+if { chmod 770 ./data }
+if { chown root:${GID} ./data }
+if { mkdir -p ./data/home ./data/run ./data/tmp }
+if { chmod 1770 ./data/home ./data/run ./data/tmp }
+if { chown root:${GID} ./data/home ./data/run ./data/tmp }
+if { env HOME=${home} s6-applyuidgid -Z -U cd ${PWD}/data ${home}/adhoc-setup ${PWD}/data }
+env
+ HOST=carbon
+ CONTAINER_DATA=${PWD}
+ NS_EXTRA="if {
+ importas -i data CONTAINER_DATA
+ if { mount -o rbind ${PWD}/mnt ./mnt }
+ if { mount -o bind ${data}/tmp ./tmp }
+ if { mount -o bind ${data}/run ./run }
+ if { mount -o bind ${data}/home ./home }
+ if { mount -o bind,ro /etc/passwd ./etc/passwd }
+ if { mount -o bind,ro /etc/group ./etc/group }
+ } unexport CONTAINER_DATA"
+unshare -n
+/root/ns_run ${CONTAINER_IMAGE} /mnt/ns/bin/s6-applyuidgid -Z -U /run/init
diff --git a/zsh-functions/confz_adhoc_container_init b/zsh-functions/confz_adhoc_container_init
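Review bot: The finish script removes ./data but never unmounts the tmpfs that service.capcont.run mounts on ./mnt, and the run script's own `if -nt { test -e ./mnt }` branch is still an empty `# TODO: umount and remove`, so the mount outlives the service instance and each restart appears to mount a fresh tmpfs on top of the previous one. A `umount ./mnt` step, either here before `rm -rf ./data` or in that TODO branch of run, would close the lifecycle. Whether the bind mounts made inside the container via NS_EXTRA also need teardown depends on /root/ns_run, which is not on this page.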
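Review bot: The final `/root/ns_run ${CONTAINER_IMAGE} …` line is never substituted: multisubstitute binds the image path to `${image}` (`importas -i -u image CONTAINER_IMAGE`) and the `-u` also strips CONTAINER_IMAGE from the environment, so execline hands the literal string `${CONTAINER_IMAGE}` to ns_run as the root argument; it should read `/root/ns_run ${image} /mnt/ns/bin/s6-applyuidgid -Z -U /run/init`. The same applies to the hostname: `host` is imported from CONTAINER_HOST but the env block hard-codes `HOST=carbon`, and `HOST=${host}` would make the per-service env dir actually control it. Nothing in this script or in the finish script creates ./mnt, so on a fresh service directory the `mount -t tmpfs mnt_tmpfs ./mnt` step fails unless something outside this diff makes the directory; a `if { mkdir -p ./mnt }` before it, or a note on where ./mnt is expected to come from, would clear that up.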
@@ -0,0 +1,72 @@
+# vim: ft=zsh noet ts=4 sts=4 sw=4
+
+confz_plain_file_content_check() {
+ checkvars filename flags content
+ require fs_f :filename :flags
+ printf '%s' "$vars[content]" | cmp -s - $vars[filename]
+}
+confz_plain_file_content_do() {
+ printf '%s' "$vars[content]" > $vars[filename]
+}
+
+confz_adhoc_container_check {
+ checkvars service_dir uid gid gidlist image_dir owner_home hostname
+
+ local run_script finish_script
+ run_script=${commands[service.capcont.run]}
+ finish_script=${commands[service.capcont.finish]}
+
+ require fs_d flags= filename:service_dir
+ require fs_f flags= filename=$vars[service_dir]/clone-newpid
+ require fs_f flags= filename=$vars[service_dir]/down
+ require fs_d flags= filename=$vars[service_dir]/env
+ require plain_file_content filename=$vars[service_dir]/env/
+
+ # Absolute path to what will be the root of the container (bind-mounted read-only)
+ require plain_file_content filename=$vars[service_dir]/env/CONTAINER_IMAGE \
+ content:image_dir
+
+ # Hostname set inside the container
+ require plain_file_content filename=$vars[service_dir]/env/CONTAINER_HOST \
+ content:hostname
+
+ # Home directory of the user outside of the container
+ require plain_file_content filename=$vars[service_dir]/env/OWNER_HOME \
+ content:owner_home
+
+ # UID of the user to run the container as
+ require plain_file_content filename=$vars[service_dir]/env/UID content:uid
+
+ # GID of group containing just the owning user
+ require plain_file_content filename=$vars[service_dir]/env/GID content:gid
+
+ # GIDs of supplemental groups of the user
+ require plain_file_content filename=$vars[service_dir]/env/GIDLIST \
+ content:gidlist
+
+ require fs_d flags= filename=$vars[service_dir]/event
+ require fs_o owner=0:$vars[gid] filename=$vars[service_dir]/event
+ require fs_m mode=3730 filename=$vars[service_dir]/event
+
+ require fs_d flags= filename=$vars[service_dir]/supervise
+ require fs_o owner=0:$vars[gid] filename=$vars[service_dir]/supervise
+ require fs_m mode=750 filename=$vars[service_dir]/supervise
+
+ require fs_p filename=$vars[service_dir]/supervise/control
+ require fs_o owner=$vars[uid]:0 filename=$vars[service_dir]/supervise/control
+ require fs_m mode=640 filename=$vars[service_dir]/supervise/control
+
+ require fs_p filename=$vars[service_dir]/supervise/lock
+ require fs_o owner=$vars[uid]:0 filename=$vars[service_dir]/supervise/lock
+ require fs_m mode=640 filename=$vars[service_dir]/supervise/lock
+
+ require fs_l filename=$vars[service_dir]/finish destination=$finish_script
+ require fs_l filename=$vars[service_dir]/run destination=$run_script
+
+ die TODO
+ # /finish
+ # C #!/command/execlineb
+ # rm -rf ./data
+ # o0:0 m755
+ # /run
+}
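Review bot: `confz_adhoc_container_check {` lacks the `()` that the two definitions above it use (or a leading `function`), so zsh reads it as an invocation with the argument `{` and the closing `}` becomes a parse error when the file is loaded; write `confz_adhoc_container_check() {`. The env directory whose UID, GID and GIDLIST files drive the privilege drop in service.capcont.run (`s6-envdir -i env` feeding `s6-applyuidgid`) only gets `require fs_d flags=`, with no ownership or mode requirement, while event and supervise get `fs_o`/`fs_m`; if anyone other than root can write those files the container runs with ids of their choosing, so something like `require fs_o owner=0:0 filename=$vars[service_dir]/env` and `require fs_m mode=755 filename=$vars[service_dir]/env` (and the matching pair for each file inside) belongs here. The bare `require plain_file_content filename=$vars[service_dir]/env/` line passes no content and a trailing-slash path and looks like an unfinished leftover. The function ends in `die TODO` and has no `_do` counterpart yet, so the check can never succeed; that work-in-progress state should be stated in the commit message or in a comment at the top of the function.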